Preview only show first 10 pages with watermark. For full document please download

Idc - Bayshore Networks

Rating
Date

October 2018
Size

3.5MB
Views

5,996
Categories

Computers & electronics Networking Hardware firewalls

Transcript

USA | Technology Software January 18, 2017 EQUITY RESEARCH AMERICAS Software Cybersecurity Primer - Moderation, But Still Growth for Years to Come Key Takeaway This report launches our coverage of IT Security and details our observations, analyses and conclusions that 1) security will remain a growth market for years, even if not at recent rates, 2) old technologies will persist as new tech is incremental, 3) there's growing demand for vendor consolidation, & 4) changing IT architectures (Cloud) offer both meaningful risk and opportunity. Security Market Growth to Continue, Even if at More Moderate Rates. Security remains a priority for corporations given: 1) the problem isn't fully solved, 2) the assets being secured are dynamic, and 3) the evolving nature of the security products. We expect healthy growth in the sector, with pockets of hyper-growth for segments that address new problems. Old Technologies Never Die. Established security technology markets have not only persisted, but have grown beyond what was anticipated since the threats they combat don’t go away even as new ones arise. These established technologies may be consumed into other markets, but the growth of the aggregate market is likely to remain meaningful for some time to come. The sustainability of these markets may also make them attractive to an increasingly active player on the M&A front - Private Equity. Consolidation Into Platforms. Corporations are overwhelmed with the plethora of seemingly endless technologies required to protect their enterprise and now accept that consolidation of the solution is a legitimate and welcome alternative. Those vendors that can accomplish this as a contiguous platform play or those that can consolidate others’ solutions should benefit. In order to accomplish or even simply pursue this nirvana, vendors have to be willing to break out of their “swim lanes” to address adjacent technology needs. Product Consolidation Leads to Business Consolidation. We believe the purest method of achieving a contiguous IT security solution is to build it from the ground up, as PANW has, and to a lesser degree CHKP. An alternative is to consolidate solutions via M&A, similar to what SYMC is attempting, to speed time to market with a solution that addresses most needs, even if the true integration of components follow. Therefore, we believe we will likely see increased acquisitions of point solutions that are among best-of-breed. Cloud Risk and Opportunity. Enterprises no longer view Security as the primary impediment to consuming cloud-based services, and most expect any lingering concerns to dissipate with time. While Public Cloud will likely increase IT Security consumption, it may suppress economic growth of Security ISVs as some of the market is transitioned to Public Cloud providers, especially for solutions fully contained within Public Clouds. CASBs, WAFs, cloud-based IAM, and perhaps SWGs should benefit from a transition to Cloud based computing, which could benefit SYMC among others. Security Functional Markets Review. We reviewed several security functional markets, including their size, expected growth, vendor market share, key product technology, market evolution, and outlook. Threat intelligence will span all areas. - Network Security ($12.3B; 9% expected CAGR; vendors: CISCO, CHKP, PANW, FTNT) expect functional consolidation into firewalls given unique position in the IT infrastructure. - Endpoint Security ($8.5B; 3%; SYMC, INTC, 4704-JP) - may become more relevant in more distributed cloud architectures and as new technologies supplement traditional ones. - Security Vulnerability Management ($4.7B; 10%; IBM, HPE, SPLK, QLYS) - expect continued strong demand due to increasing attack complexity, gov't. regulation, and IoT. - Identity and Access Management ($5.0B; 8%; IBM, ORCL, CA, CYBR) - expect disruption from Cloud-based solutions, and new opportunities related to massive scale / IoT. - Messaging Security ($2.0B; 2%; CSCO, SYMC, PFPT, 4704-JP, MSFT, MIME) - expect disruption from Cloud-based solutions, with incremental opportunities in adjacent markets, yielding higher growth for some vendors than market rates. John DiFucci * Equity Analyst (212) 284-2196 [email protected] Julian Serafini * Equity Analyst (212) 738-5379 [email protected] Alexander J. Ljubich, CFA * Equity Associate (917) 421-1947 [email protected] Joseph Gallo * Equity Associate (212) 336-7402 [email protected] Zachary Lountzis * Equity Associate (646) 805-5428 [email protected] Howard Ma * Equity Associate (212) 707-6479 [email protected] * Jefferies LLC ^Prior trading day's closing price unless otherwise noted. Please see analyst certifications, important disclosure information, and information regarding the status of non-US analysts on pages 185 to 188 of this report. Technology Software January 18, 2017 EXECUTIVE SUMMARY ........................................................................................................................ 4 Moderation, But Still Growth to Come ............................................................................................. 4 The End of the World as We Know IT (Security) ............................................................................... 5 More on Why the Task of IT Security Has Become More Difficult and Hence, Important? ............... 6 A Question of Scale .......................................................................................................................... 6 Increasingly Complex IT Infrastructure  Increasingly Complex IT Security .................................... 7 High Switching Costs for Security, But Lower Than Other Enterprise Software ................................ 7 Old Soldiers Never Die … Nor do they seem to Fade Away in This Case............................................ 8 Public Cloud both Deflationary and Inflationary to Security ............................................................. 9 Risks to Security ............................................................................................................................. 10 Recommendations for Investor Positioning in Security .................................................................. 11 How to Play Our Coverage Universe............................................................................................... 13 Security Functional Markets Review............................................................................................... 13 How to Consume this Report .......................................................................................................... 14 OVERVIEW OF IT INFRASTRUCTURES AND ASSOCIATED SECURITY REQUIREMENTS............................ 14 Security to Address Today’s Enterprise IT Architecture ....................................................................... 15 Future Architectural Evolution will Require Same for Security ............................................................ 15 PUBLIC CLOUD AND SECURITY ........................................................................................................... 17 Likely Influence of Public Cloud on IT Markets .................................................................................... 17 Likely Influence of Public Cloud on IT Security .................................................................................... 21 SaaS and Security ........................................................................................................................... 21 PaaS/IaaS and Security .................................................................................................................. 21 Appliances: Demand and Revenue Model Implications ................................................................. 22 And Firewalls in General? ............................................................................................................... 23 Who’s Most Affected by Cloud? ..................................................................................................... 23 IT SECURITY TAM .............................................................................................................................. 24 Comments About Currency Effects on Market Growth ................................................................... 24 IT Security Products (Software and Appliances) .................................................................................. 28 Security Hardware Appliances........................................................................................................ 28 Security Software ........................................................................................................................... 28 IT Security Services .............................................................................................................................. 30 NETWORK SECURITY ......................................................................................................................... 31 Network Security Overview ................................................................................................................. 31 Network Security Addressable Market Size ......................................................................................... 32 Representative Vendors and Market Share......................................................................................... 34 Firewall ................................................................................................................................................ 37 What is a firewall? ......................................................................................................................... 37 Evolution of firewalls ...................................................................................................................... 38 Market Size and Potential Growth ................................................................................................. 40 Significant Vendors ........................................................................................................................ 40 Web Application Firewalls (WAF) ........................................................................................................ 42 What is a WAF?.............................................................................................................................. 42 Market Size and Potential Growth ................................................................................................. 43 Significant Vendors ........................................................................................................................ 43 Intrusion Detection and Prevention System (IDS/IPS) ......................................................................... 45 What is an IDS/IPS? ........................................................................................................................ 45 Evolution of IPSs ............................................................................................................................. 45 Market Size and Potential Growth ................................................................................................. 46 Significant Vendors ........................................................................................................................ 46 Web Security ....................................................................................................................................... 48 What is web security? .................................................................................................................... 48 Evolution of web security ............................................................................................................... 49 Market Size and Potential Growth ................................................................................................. 49 Significant Vendors ........................................................................................................................ 50 Next-Generation Firewall (NGFW) ....................................................................................................... 52 Network Security Future / Outlook ..................................................................................................... 54 Summary of Potential Future Outcomes ........................................................................................ 54 Product Consolidation .................................................................................................................... 55 Cloud Access Security Brokers (CASB) ............................................................................................. 57 ENDPOINT SECURITY ......................................................................................................................... 58 Enterprise Endpoint Security .......................................................................................................... 58 Consumer Endpoint Security .......................................................................................................... 59 Total Addressable Market ................................................................................................................... 59 Representative Vendors and Market Share......................................................................................... 62 Enterprise Endpoint Protection Platform (EPP) ................................................................................... 64 What is EPP? .................................................................................................................................. 64 Evolution of EPP ............................................................................................................................. 64 page 2 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 EPP Market Size and Potential Growth .......................................................................................... 65 Primary EPP Vendors ...................................................................................................................... 65 Endpoint Detection and Response (EDR)............................................................................................. 67 What is EDR? .................................................................................................................................. 67 Evolution of EDR ............................................................................................................................. 68 EDR Market Size and Potential Growth .......................................................................................... 68 Primary EDR Vendors ..................................................................................................................... 68 Consumer Security .............................................................................................................................. 70 What is Consumer Endpoint? ......................................................................................................... 70 Evolution of Consumer Endpoint .................................................................................................... 70 Consumer Endpoint Market Size and Potential Growth ................................................................. 71 Primary Consumer Endpoint Vendors ............................................................................................. 72 History and Evolution of Endpoint Security ......................................................................................... 73 Past ................................................................................................................................................ 73 Present ........................................................................................................................................... 73 Traditional or Next Gen? Both ....................................................................................................... 74 Mobile Security – A Real Market with a Monetization Question .................................................... 74 Future / Outlook .................................................................................................................................. 75 SECURITY VULNERABILITY MANAGEMENT......................................................................................... 78 Security Vulnerability Management Addressable Market Size ............................................................ 78 Representative Vendors and Market Share......................................................................................... 79 Security Management ......................................................................................................................... 80 What is security management? ..................................................................................................... 80 Evolution of security management................................................................................................. 81 Market Size and Potential Growth ................................................................................................. 81 Significant Vendors ........................................................................................................................ 81 Vulnerability Assessment .................................................................................................................... 83 What is vulnerability assessment? ................................................................................................. 83 Evolution of vulnerability assessment ............................................................................................ 83 Market Size and Potential Growth ................................................................................................. 84 Significant Vendors ........................................................................................................................ 84 Security Vulnerability Management Future / Outlook ........................................................................ 86 Summary of Potential Future Outcomes ........................................................................................ 86 IDENTITY AND ACCESS MANAGEMENT .............................................................................................. 88 Identity and Access Management Addressable Market Size ............................................................... 88 Representative Vendors and Market Share......................................................................................... 89 Identity and Access Management ....................................................................................................... 90 What is Identity and Access Management? ................................................................................... 90 Evolution of Identity and Access Management .............................................................................. 91 Significant Vendors ........................................................................................................................ 92 Identity and Access Management Future / Outlook ............................................................................ 94 Summary of Potential Future Outcomes ........................................................................................ 94 MESSAGING (EMAIL) SECURITY ......................................................................................................... 96 Total Addressable Market ................................................................................................................... 96 Representative Vendors and Market Share......................................................................................... 98 Secure Email Gateway ......................................................................................................................... 98 What is Secure Email Gateway? ..................................................................................................... 98 Evolution of Secure Email Gateway ................................................................................................ 98 Secure Email Gateway Market Size and Potential Growth ............................................................. 99 Primary Secure Email Gateway Vendors ........................................................................................ 99 Historical Perspective ........................................................................................................................ 101 Past .............................................................................................................................................. 101 Present ......................................................................................................................................... 102 Future / Outlook ................................................................................................................................ 102 KEY COMPETITIVE CATEGORIES ....................................................................................................... 104 APPENDIX A – HISTORY OF IT MALWARE ......................................................................................... 106 APPENDIX B – OSI MODEL ............................................................................................................... 108 APPENDIX C – PUBLIC COMPANY PROFILES ..................................................................................... 110 APPENDIX D – PRIVATE COMPANY PROFILES ................................................................................... 137 APPENDIX E – ACRONYM LIST.......................................................................................................... 183 page 3 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Executive Summary We are formally launching coverage of the IT Security space with this primer, a survey, and three company reports (PANW, CHKP, and SYMC). This report presents our observations, analyses, and conclusions in our attempt to understand the IT Security market from the perspective of the customer (end demand) and how it will likely progress from here. As a result, we believe that 1) IT security will remain a growth market for years to come, even if not at recent rates, 2) legacy technologies will persist as newer ones add incremental functionality, 3) there will be a growing demand for consolidated security platforms, and 4) changing IT architectures (including the migration to cloud) will present meaningful risks, along with opportunities. We also evaluate the total addressable market (TAM), historical and forecast growth, vendors, history, and outlook for both the aggregate security industry and five functional sub-segments (including network, endpoint, SVM, IAM, and email) herein. We summarize several observations, analyses, and conclusions on the state of IT infrastructures and the security requirements to protect them below. This is followed by recommendations for investor positioning in regards to associated requirements for IT security and suggestions on how to play this within our coverage universe with the most exposure to the IT Security space. We conclude this Executive Summary with suggestions on how to consume this report, including the recommendation to also peruse our proprietary survey, “Cybersecurity Survey – From the Source”. Later in this report, we provide greater detail on the specific IT security markets, their respective sizes and expected growth rates, their evolution to date, and likely technological progression from here, in the context of changing enterprise IT architectures. Moderation, But Still Growth to Come We believe that IT Security will remain a growth market for years to come, even if it’s not at the rate experienced in the recent past when corporations less educated on the topic were compelled to obtain as much IT security technology as feasible given the risk to not only business, but also reputation. This approach has proven both unsatisfactory and insufficient, while at the same time, experience has resulted in more sophisticated enterprise customers. The current situation is that IT Security remains a priority for corporations given:  We do not fully solve this very difficult and ever changing problem very well, even with some of the greatest minds of IT working on it.  The need to address the dynamic nature of the assets to be secured.  And similarly, the need to address the dynamic nature of the technologies to secure them, which presumably yield improvements. This should drive material growth in the aggregate security market for the foreseeable future, in our opinion, with meaningful pockets of hyper growth coupled with relatively stable markets for many established technologies. It’s interesting to note that established security technology markets have not only persisted, but have grown beyond what many had anticipated since the threats they combat don’t really go away, even as new ones arise. These established technologies may be consumed into other markets, but the growth of the aggregate market is likely to remain meaningful for some time to come. We understand there are valid reasons to be concerned that the hyper growth of the Security market has played out:  In November 2015 on the 3Q earnings calls, then FireEye CEO Dave DeWalt, a leading industry veteran announce that “after 18 months of elevated, what I call page 4 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 emergency spending on advanced cyber security, we're seeing customers take a more strategic approach to upgrading their security infrastructures.”  The recent Fortinet earnings shortfall didn’t seem to have any good reason behind it.  Palo Alto Networks’ most recent quarter (October) was also disappointing, as was its guidance. Management noted that large customers were taking longer to make purchase decisions, and some were “digesting” the IT security purchases that they had made over the past years. In addition, corporate consumers have become wiser regarding the subject of IT security, and as a result, are less likely to spend at any cost for solutions that may not fulfill the need. However, we believe that there is still too much at stake for this not to remain a very important market, and as such, it will likely see continued material growth. At the same time, we have probably passed the phase when corporate users felt compelled to purchase whatever was available in order to secure their enterprises. There’s now an acknowledgement that the pursuit of that goal is worthwhile, but there is not a silver bullet to solve the problem – and simply opening up the corporate wallet will not satisfy the need. Therefore, we expect continued healthy growth for the aggregate IT Security market, with pockets of hyper growth for segments that address new problems, or address old problems in a more efficient or effective way. However, that growth will likely be at lower rates than we’ve experienced recently, and this is reflected in the 7.6% growth anticipated by the respondents to our IT Security Survey also published today, which is in line with IDC forecasts. However, this is below the 14% market growth on a constant currency basis in 2015. One thing is for sure, this will be a dynamic market, and those topics deemed most important today may not persist in that vein, as new technologies emerge on both the threat and the protection side. The End of the World as We Know IT (Security) Before embarking on where the state of IT Security is and where it is going, we consider where it came from. We provide a narrative on the history of malware in Appendix A. The traditional approach to enterprise protection was to protect three levels of the corporate network architecture: 1) The endpoint 2) The server (which is really just another endpoint) 3) The network The ultimate goal of this approach was to maintain a pristine environment within the enterprise network by establishing a fortress at the network border, and then to backstop this with security on any endpoints that are within these bastion walls (where malware could be introduced within the network), or even those that might be outside the network, but are allowed to connect into it. But recent advances in core foundational computing technologies have yielded a much more dynamic IT infrastructure, which has enabled meaningful progress in two general forms: 1) The adoption of much more distributed architectures associated with trends, such as Cloud computing, SaaS, Service Oriented Architectures (SOA), and others have blurred what was once a well-defined network perimeter. 2) A much greater level of efficiency in solving problems that were too onerous before, including challenges associated with Big Data, Artificial Intelligence, page 5 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Visualization, and others. The increased efficiencies which led to the ability to adequately address these problems have also often led to greater complexity. Both of these developments in turn, have led to increased vulnerabilities that have to be addressed from a security standpoint. More on Why the Task of IT Security Has Become More Difficult and Hence, Important? We have seen dramatic advances in core foundational computing technologies over the last ten to fifteen years. These advances include: much faster and cheaper memory, storage, and processing power; multi-core processors to enable the efficient use of those assets; much faster, cheaper, broader, and near ubiquitous bandwidth. On the back of these advances, we have been able to turn previously imagined logical concepts into reality today because the digital infrastructure of the world can now accommodate them in a way it never could before. These include trends such as Big Data, Cloud, SaaS, Internet of Things, Digital Marketing, etc. With these developments come perturbations in the resulting dynamic IT fabric, yielding new voids and potential vulnerabilities. These become opportunities for those with malicious intent, and therefore, for security vendors who wish to offset harmful objectives. At the same time, those with malicious intent also benefit from these advances in core computing technologies in a perverted way, making malware itself more sophisticated and powerful. This has become a cycle that feeds on itself to yield growth in this sector that we believe will persist for the foreseeable future. A Question of Scale As the boundaries of the network expand beyond the traditional datacenter and become more dynamic and flexible, conventional means of protecting it are no longer sufficient alone. It would be very difficult, if not impossible, to lock down the perimeter of the internet, or that portion that encompasses a broadly distributed enterprise with dynamic boundaries at any given time. Therefore, new technologies must be developed, or at least, modifications of traditional techniques must be made, but even the modifications of existing techniques are essentially new technologies required to address a similar problem, but of massive scale. We can imagine three approaches to this issue, but there very well could be many more: 1) Scaling Down to Scale Out. In order to accommodate a massively scaled system or network, traditional means of locking down the perimeter are no longer valid. One way to approach this is to secure workloads at a much more granular level. This is the idea behind the concept of microsegmentation in the world of server virtualization, where security is addressed at the workload or virtual machine. This is sometimes referred to as securing east-west traffic within an enterprise. 2) Scaling Out to Scale Out. This broadly dispersed enterprise has also given rise to the relevance of securing the endpoint, since the endpoint may define the edge of the network at any given time. There are many vendors that could benefit here, but the public ones are Symantec, TrendMicro, and Sophos. 3) Scaling Up to Scale Out. Another approach is to utilize similar functionalities, but at a much grander scale, and this in itself may require incremental or perhaps entirely new technologies. Networks associated with the Internet of Things (IoT) might utilize such a solution for Identity and Access Management (IAM) for hundreds of thousands, or perhaps even millions of nodes or users, where the definition of user could be very broad, ranging from a person to a page 6 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 machine. Private IAM company ForgeRock is addressing this problem of massive scale. Increasingly Complex IT Infrastructure  Increasingly Complex IT Security With this increasingly complex aggregate IT infrastructure comes a desire, or even a need to simplify the management and protection of it. The integration of all these security technologies into one contiguous solution has become paramount, but is certainly a very difficult endeavor which has yet to be truly achieved. Although this may be difficult, it is surely not impossible, at least for what may be defined as core security functionality, as peripheral requirements emerge and new vendors better address them, only to be consumed into the core over time. The development of many software sectors (whether ERP, ITOM, or others) have exhibited this evolution over time. The difficulty in this task hasn’t stopped vendors from trying, nor should it given the payoff, and at least two general approaches have emerged for this purpose: 1) Provide all security needs from one solution from one vendor – the Platform approach. There are several companies that are relatively well positioned here, though none have achieved ultimate success – yet. For instance, Palo Alto Networks is attempting to provide all security needs as part of a single cohesive platform with the firewall as the core technology, though some of those needs are not fully met as of yet and more technologies likely need to be added. Symantec has many of the required technologies, but not all, and these are not all integrated. Check Point is doing something similar to these two, but probably lies somewhere in between them. 2) Integrate several security products from several vendors into one cohesive solution. This might be accomplished through a security management product vendor, and it was proposed by Symantec’s previous management team, but never accomplished, as the concept of “co-opetition” seemed more a theory than something that could be easily implemented. Just because it’s difficult, doesn’t mean it can’t be done. Perhaps a consultant or even a managed security service provider (MSSP) might accomplish this, though it’s not their current purview and MSSPs have been reluctant to pursue such an approach, as they may not be well equipped to be the one throat to choke as the responsible party for technologies it doesn’t have intimate control over. High Switching Costs for Security, But Lower Than Other Enterprise Software Once a corporation makes a decision to employ a technology to help run its business, the sustainability of that technology in the IT infrastructure of that corporation is very high for several reasons, including:  There’s risk in change, and it’s not likely to happen unless there is an alternative solution that is much cheaper and just as effective, or much more effective. The ideal replacement opportunity is when the performance of an installed technology is lacking, but even then, admission of such would imply that someone made a mistake at one point, which could be career limiting if those same decision makers are still in place.  Oftentimes, it’s also difficult to displace an existing technology given the position of the technology in question at a deep level of the infrastructure. In such a situation, displacement would likely affect many other technologies, again raising risk. Unfortunately, while the switching cost of any enterprise technology is high, it’s lower for most security solutions than it is for other enterprise technology offerings. This is because: page 7 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 1) Some technologies, such as endpoint, are not positioned deep within the infrastructure, thereby having less effect on other systems. In addition, many endpoint technologies are also consumer technologies and as such, they have to be relatively easy to deactivate, which typically makes them similarly so for corporate users. 2) Some technologies, such as firewalls, proxy servers, some SIEM (Security Information and Event Management) and other management solutions, and on premise SEGs (Secure Email Gateways), are typically appliances where the hardware must be replaced every five years or so. This replacement cycle introduces an opportunity to sell another box to the customer, but the downside is that the customer is forced to replace his current solution, and in doing so may (or perhaps should) consider other options. Regardless of these theoretical issues, we believe that the corporate renewal rates for security offerings remain very high, but the elevated risk of displacement relative to software-only solutions is more than just theoretical. In addition, the risk of a higher attrition rate of an appliance model is likely offset by the incremental product refresh revenue that is not a characteristic of a pure software license model where the license typically doesn’t ever have to be purchased again. Old Soldiers Never Die … Nor do they seem to Fade Away in This Case At the same time that new threats have emerged, traditional vulnerabilities remain, even as changes in the aggregate architecture of IT introduces incremental dangers. In other words, these new vulnerabilities don’t necessarily eliminate the old ones, implying that the traditional security technologies are still required. Therefore, all IT security categories have remained at least stable, and surprisingly, most have grown at meaningful rates for a very long time. They may slow as commoditization takes hold, platforms consume adjacent point solution markets, and more efficient distribution leads to lower pricing. But even then, revenue has yet to decline for something like endpoint security (on a constant currency basis), which is perhaps the first security product and is often seen as a saturated market in both the consumer and corporate markets, with commoditization forces affecting both for many years. Endpoint security is still a multi-billion dollar market, and there is discussion of even this category seeing resurgence in growth in the near future for at least the corporate market. We discuss this in more detail later in this report. See Chart 1. page 8 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 1: Security Market Growth By Category in Constant Currency (in 1H16 $ millions) $16,000 Forecast $14,000 $12,000 $10,000 $8,000 $6,000 $4,000 $2,000 $0 2011 2012 2013 2014 2015 2016 2017 2018 Network Security - CC Endpoint Security - CC Identity and Access Management - CC Security and Vulnerability Management - CC Web Security - CC Messaging Security - CC 2019 Other Security Software - CC Source: Jefferies, IDC Worldwide Semiannual Software Tracker (1H16), IDC Worldwide Security Appliance Tracker (2Q16), IDC Worldwide IT Security Products Forecast, 2015-2019 (Dec. 2015, US40709015), IDC Worldwide Endpoint Security Forecast, 20162020 (Oct. 2016, US41825816), IDC Worldwide Identity and Access Management Forecast, 2016-2020 (Aug. 2016, US41644516), IDC Worldwide Network Security Forecast, 2016-2020 (Sept. 2016, US41755616) Note on the derivation of historical constant currency estimates: IDC provides historical constant currency estimates for software based security products. We have applied these same estimates to historical hardware security products in the same respective segments in order to derive a total constant currency estimate for historical security segments. Public Cloud both Deflationary and Inflationary to Security We expect Public Cloud to generally expand the use of information technology (IT) through SMBs, though increased efficiencies may have a suppressive effect to the security market through enterprises. We address these separate end markets herein, along with the impact of SaaS, PaaS, and IaaS, in addition to likely effects on security appliance vendors. Our conclusions are summarized below. SMB Impact. We expect Public Cloud adoption to increase the use of IT, including security by SMBs, as it becomes easier for them to consume technology, whereas they often do not have the resources required (expertise and upfront cost) for on premise solutions. At the same time, we expect much of the technology to be used by SMBs in Public Clouds to be open source solutions provided by Public Cloud vendors, versus proprietary solutions provided by ISVs (Independent Software Vendors). So Public Cloud will likely increase the aggregate SMB consumption and market size of technology, including security, though there will likely be a marked shift from ISVs to Public Cloud vendors. Enterprise Impact. We believe the impact of Public Cloud on the enterprise technology (and security) market is more complex and difficult to predict. We assume the net effect of Public Cloud on security consumption by enterprises will be neutral, while its page 9 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 effect on market size (i.e., revenue) may be negative as some security solutions traditionally provided by ISVs will now be open source technologies provided by Public Cloud vendors (for protection within Public Clouds) in a more cost effective manner. It’s probably not wise to assume Public Cloud will in itself expand the enterprise IT market today since the consumption of IT by enterprises is well developed, though that could very well happen as history indicates that increased efficiency often leads to increased IT employment by enterprises. In a dynamic market for enterprise IT as some workloads migrate to the Cloud, we believe security that exists at the fringe of the Public Cloud environments will continue to be provided by ISVs, but security internal to these environment will certainly be sourced through Public Cloud vendors for SaaS (applications) and perhaps even PaaS and IaaS. The silver lining to this is that security technologies and markets internal to a datacenter (or Cloud) are less developed at this time, and acceptable open source solutions may not exist. In addition, we expect a potentially material impact on the financial models of security hardware appliance vendors (due to a shift to virtual software appliances), though pricing will be the determining factor that remains unclear. Within our coverage universe of stocks with exposure to IT Security markets, we expect Public Cloud will have the following effects, which we discuss in greater detail herein:  Positive: Mimecast  Neutral to Positive: Symantec and Microsoft  Neutral: Varonis and Splunk  Negative to Neutral: CA, Check Point, Oracle, and Palo Alto Networks Risks to Security “Risk” is a term that is closely associated with the concept of Security, but risk to the IT infrastructure, data, identities, and operations of the enterprise. While we are optimistic about the opportunities within the Security sector, we also realize there are very real risks that these opportunities could be derailed along the way. The greatest risk that consumes investors is that posed by the Cloud discussed above and detailed later in this report. We summarize this and identify others:  Cloud (AWS and Azure) Takes Over Security. Public cloud vendors could continue to move up the stack, potentially offering their own security technologies based on open source solutions that are “good enough” even for enterprises. Technologies that specifically operate within a specific public cloud environment (such as firewalls that address East-West traffic) are likely most at risk, but we believe most enterprises will continue to have workloads across multiple cloud vendors, as well as on premise environments for the foreseeable future. As a result, we expect enterprises will seek solutions that span across environments and offer a singular source for monitoring and policy management. A major risk is that native public cloud security features may be enough for small businesses and the least security concerned organizations, but we believe most large organizations will still seek dedicated security solutions. Additionally, we note that many security vendors offer solutions within public cloud, including Check Point and Palo Alto Networks.  The Frenzied Pace of Security Spending Takes More Time to Digest than Expected. As we’ve stated, the hyper growth seen in security has largely been driven by fear of monetary and reputational damage. As the market gains a more rational viewpoint of security provisioning and many organizations realize they’ve purchased more security tools than they know what to do with, page 10 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 this may impede the purchase of new solutions by more than we anticipate, and have a more material adverse impact on go-forward growth than industry analysts and we expect. While we believe there may be some organizations that question their previous over-spending, our conversations and survey work indicate security buyers continue to maintain or grow their spending due to an increasingly sophisticated attack environment, new methods of protection, and changing IT architectures.  Products Completely Solve the Problem(s). There is no “magic bullet” in security to prevent attacks, loss, or damage 100% of the time with 100% efficacy. Therefore, spending should continue to be supported by an increasingly sophisticated attack landscape, and as new methods to combat these threats emerge continually. However, we could envision a hypothetical risk that the security landscape becomes so advanced that a certain solution (or set of solutions) finally fixes all or an important set of security problems, therefore reducing the need for meaningful incremental spending. However, we believe we are very far from this hypothetical scenario today. Recommendations for Investor Positioning in Security With this as backdrop, we attempt to help investors understand the problem of IT security and its solution(s) with the goal of identifying investible trends and appropriate stocks to either buy or avoid. Some observations that should help investors navigate these waters include:  Growth AND Value Opportunities. As noted above, the dynamic security market has introduced new solutions over time, but the old solutions are still relevant, even if their growth subsides. This presents not only opportunities for hyper growth stocks, but also value names. Traditional endpoint and firewall technologies are examples of this. The sustainability of these markets may also make them attractive to an increasingly active player on the M&A front – private equity – for not only value names, but also growth – as we’ve seen with names such as Ping Identity and Return Path (both purchased by Vista Equity Partners), McAfee (partially purchased by TPG), along with Vista’s stake in Raytheon’s Forcepoint, through their Websense contribution. Symantec has traditionally been considered a value name, but that seems to be changing with its new management and Blue Coat solutions. Check Point seems to straddle both growth and value, while Palo Alto Networks is certainly growth, a moniker once assigned to FireEye, but not any longer.  Platform = Product Consolidation. Corporate IT Security Users are overwhelmed with the plethora of seemingly endless technologies required to protect their enterprise and now accept that consolidation of the solution is a legitimate and welcome alternative. Those vendors that can accomplish this as a contiguous platform play or those that can consolidate others’ solutions should benefit. It will be interesting to see how this develops since neither approach has met with much success in fully satisfying the technical requirements yet, though the commercial achievements of Palo Alto Networks in the market is testament to the demand. Very large enterprises with deep pockets and more expertise are less worried about this, but mid-sized enterprises and below certainly see this as compelling today. In order to accomplish or even simply pursue this nirvana, vendors have to be willing to break out of their “swim lanes” to address adjacent technology needs. The pursuit of endpoint technologies by Check Point and Palo Alto Networks are examples of this, as is Symantec’s acquisition of Blue Coat. All three appear well positioned to provide such a holistic solution. page 11 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017  Product Consolidation  Business Consolidation. If the quest for a contiguous solution is paramount today, we believe the purest method of achieving this is to build it from the ground up, and names like Palo Alto Networks have espoused such a philosophy, as has Check Point to some degree. However, it may be more efficient to consolidate solutions via M&A, similar to what Symantec is attempting, which may speed time to market with a solution that addresses most needs, even if the true integration of its components follow. Therefore, we believe we will likely see increased acquisitions of point solutions that are among best-of-breed, such as public companies, CyberArk, Imperva, Qualys, Varonis (though they provide a platform, their security focus is on internal threats), along with Proofpoint, and Mimecast that both provide more than a point solution, but focus primarily on email security, continuity and archiving.  The Impediment to Cloud Becomes Opportunity. Security in the Cloud is still a topic of discussion, but is no longer the restrictive force that enterprises point to as the impediment to consuming more cloud-based services. Even those that still have current concerns believe those issues will dissipate with time, as dictated in our survey results. Technologies such as CASBs (Cloud Access Security Brokers), WAFs (Web Application Firewalls), cloud-based IAM, and perhaps SWGs (Secure Web Gateways, also referred to as Proxies) should benefit from the transition to Cloud based computing. We profile several private companies that address these needs in the profiles of Appendix D, but public vendors that have either developed or purchased associated technologies include: Symantec (purchased CASB and cloud based proxy server provider, Blue Coat), IBM (homegrown CASB solution), Microsoft (purchased CASB vendor Adallom), Cisco (purchased CASB CloudLock recently), and Oracle (recently purchased CASB, Palerra). However, the adoption of Cloud does bring real risk to some current IT Security vendors, which we detail above and later in this report.  As the Scope of Security Expands, the Focus Contracts … The boundaries of the enterprise are less defined than they’ve ever been and they’re likely to become even more dynamic and dispersed over time. This will require new solutions that focus on east-west traffic (i.e., traffic within a network, however that is defined) versus north-south traffic (i.e., traffic from inside a network to outside it, and vice versa). Companies addressing microsegmentation, or attempting to secure an application at the more granular application level should benefit. VMware is one such company with its NSX offering, along with Cisco and its ACI (Application Centric Infrastructure) offering, as well as private companies Illumio, vArmour, and CloudPassage.  … And Massively Proliferates Beyond Our Norm. Cloud based trends, such as the Internet of Things (IoT), will require security solutions that can massively scale to hundreds of thousands, or even millions of users, where a user can also be defined in many different ways. This will require new solutions that can handle this scale, such as the massively scalable Identity and Access Management provided by ForgeRock. We believe that we’re still at a very early stage of the development of this opportunity.  The Dynamic Endpoint is not an Oxymoron. Enterprise/corporate endpoint remains a very large market, and while traditional signature-based protection may not grow, it’s also not likely to decline materially any time soon, as new endpoint technologies are often used to complement these traditional methods. However, the consolidation of these technologies will likely occur into super page 12 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 solutions, and while point solutions may still see success for now, close partnerships or even closer mergers will likely prevail in this market. There will likely be value plays in endpoint for vendors that focus primarily on traditional signature based technologies, as evidenced by the price recently paid by private equity firm TPG for McAfee (2.0x TTM Revenue), but those that can provide incremental next generation functionality will probably see outsized growth that may surprise some investors. Next generation vendors are largely private and include: Carbon Black, Cylance, Malwarebytes, Bromium, CrowdStrike, and SentinelOne. Symantec enjoys incumbency of the traditional market and is accumulating a suite of next generation technologies primarily through internal development, but execution will be key for this name. How to Play Our Coverage Universe Chart 2 lists our coverage of cybersecurity companies, including our ratings and price targets. Commensurate with this report, we are launching coverage of Palo Alto Networks (PANW, Hold), while “re-launching” our coverage of Check Point (CHKP, Buy) and Symantec (SYMC, Hold) – three of the largest pure-play security vendors. We also cover Mimecast (MIME, Buy), a provider of SaaS-delivered email security, archiving, and continuity – see our initiation dated December 14, 2015, Initiating at Buy: Important Asset at Significant Valuation Dislocation. Additionally, we cover Splunk (SPLK, Buy) and Varonis (VRNS, Buy), which are not security vendors per se, but address important security use cases through their solution sets. Chart 2: Jefferies’ Software Cybersecurity Coverage Price Price Target % Upside /(Downside) Buy $90.71 $118 30% MIME Buy $21.17 $29 37% Splunk SPLK Buy $56.42 $81 44% Varonis VRNS Buy $29.10 $36 24% Palo Alto Networks PANW Hold $138.48 $153 10% Symantec SYMC Hold $26.14 $27 3% Name Ticker Rating Check Point Software CHKP Mimecast Source: Jefferies Security Functional Markets Review We reviewed several security functional markets herein, including their size, expected growth, vendor market share, key product technology, market evolution, and outlook as summarized below. We expect threat intelligence will span all of these functional areas.  Network Security ($12.3 billion market size; 9% expected CAGR; vendors include CSCO, CHKP, PANW, FTNT). Expect functional consolidation into firewalls given a unique position in the IT infrastructure.  Endpoint Security ($8.5 billion market size; 3% expected CAGR; vendors include SYMC, INTC, 4704-JP). Enterprise endpoint security may become more relevant in more distributed cloud architectures and as new technologies that address zero day attacks, detection, and remediation supplement traditional ones. page 13 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017  Security Vulnerability Management ($5.4 billion market size; 10% expected CAGR; vendors include IBM, HPE, SPLK, QLYS). We expect continued strong demand due to increasing attack complexity, government regulation, compliance requirements, and the complexities associated with the impending Internet of Things (IoT) trend.  Identity and Access Management ($5.0 billion market size; 8% expected CAGR; vendors include IBM, ORCL, CA, SYMC, CYBR). We expect significant disruption from Cloud-based solutions, in addition to incremental opportunities related to massive scale needed for more distributed architectures and the expanding definition of a user with IoT.  Messaging Security ($2.0 billion market size; 2% expected CAGR; vendors include SYMC, PFPT, 4704-JP, MSFT, CUDA, MIME). We expect disruption from Cloud-based solutions, with incremental opportunities in adjacent markets (e.g. archiving and continuity), yielding higher growth for some vendors than market rates. How to Consume this Report In this report, we identify the aggregate IT security opportunity and its sub-segments. We also delve more deeply into each sub-segment to assess the likely opportunities and risks for each. We also supplement our analysis with findings from our IT Security Survey, which surveyed 76 IT security buyers across company sizes and geographies, to understand their outlook for spending, buying decisions, demand for protection on various attack vectors, and more. Some of our conclusions from the survey are incorporated into this piece within the section of each particular subject (i.e. survey results on endpoint security are incorporated into the endpoint section). The full survey results, our takeaways, and analysis can be found in our report titled, “Cybersecurity Survey – From the Source”. We highlight that all market size or historical revenue estimates in this report are on an as-reported basis and not in constant currency, while forecasts are largely on a constant currency basis. If constant currency estimates are used, it will be explicitly highlighted. Currency translation has had a materially negative impact on reported numbers over the last several years, especially in 2015, which saw security technology grow 6% on a reported basis, but was equivalent to 14% growth on a constant currency basis. Finally, we typically reference public companies where applicable in discussion on certain functional technologies, but in some instances, there are none, or they are large organizations that may provide the functionality as a very small component of the whole. We also provide public and private company profiles at the end of this report in Appendices C and D, respectively. These profiles describe the respective technologies that each company provides, along with certain other organizational information. Overview of IT Infrastructures and Associated Security Requirements We provide the following two illustrations of the Information Technology used by enterprises (and consumers) today and potentially, tomorrow, and the required IT security to protect these respective IT infrastructures and users. This is followed by the aggregate market size of IT security and its various components (software, hardware, and services) and a brief discussion of each. We later provide detailed discussion and analysis page 14 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 of the major functional areas of security (i.e., network, endpoint, security vulnerability management, identity and access management, and messaging security). Security to Address Today’s Enterprise IT Architecture Chart 3 depicts an IT infrastructure that might be used by enterprises today. The majority of IT assets may reside within the secured perimeter of an on-premise datacenter, even if that datacenter encompasses an intranet within that perimeter. Even today, there are assets and services that reside outside these bastion walls, where much more is likely to migrate over time. See Chart 4. Between the on-premise datacenter and the Internet sits a demilitarized zone where technology safeguards are placed to ensure the security of the datacenter/network. Chart 3: Today's Network Security Landscape CloudBased IAM SaaS SaaS Solution I/PaaS Solution Extranet FIREWALL REGIONAL OFFICE 1 Internal Network WEB SERVER Demilitarized Zone (DMZ) E-MAIL SERVER ENDPOINT ACCESS POLICY MANAGER E-MAIL CONTENT FILTER IDS/IPS VIRTUAL FIREWALL Threat Intel. MOBILE DEVICES WAF Internet FIREWALL DLP DATA CENTER PROXY FIREWALL ANALYTICS / SIEM SANDBOX MOBILE DEVICE MANAGEMENT Trusted Trusted Trusted SaaS SaaS SaaS Solutions Solutions Solutions Trusted Trusted Untrusted SaaS SaaS SaaS Solutions Solutions Solutions REVERSE PROXY REMOTE ACCESS GATEWAY REGIONAL OFFICE 2 REMOTE USERS IAM (incl. PAM) Source: Jefferies Future Architectural Evolution will Require Same for Security Chart 4 depicts a potential future IT architecture of the enterprise, where much more of the IT requirements, either infrastructure or business logic, resides outside the demilitarized zone. Specifically, some of the changes that we illustrate are a reduction in the size of the on-premise data center with the associated functionality moving to cloudbased offerings (including some applications and the associated infrastructure to support page 15 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 them, such as WAFs and email content filters) and a consolidation of security products into Next-Generation Firewalls (including IDS/IPS, proxies, DLP, sandboxes). We also expect that Cloud Access Security Brokers (CASBs), or some equivalent technology will be increasingly utilized by enterprises to monitor and control their connections to SaaS offerings. Lastly, many enterprises today employ a combination of on-premise and cloudbased identity and access management solutions. We expect new deployments to be more likely to consider cloud-based IAM, along with a gradual migration of existing onpremise deployments to the cloud over time; however, Privileged Access Management (PAM) solutions are likely to remain on-premise for the foreseeable future due to their sensitive nature and integration with data centers. Chart 4: Potential Future Network Architecture CloudBased IAM CASB Extranet FIREWALL REGIONAL OFFICE 1 Internal Network Demilitarized Zone (DMZ) REMOTE ACCESS GATEWAY Internet FIREWALL DATA CENTER EAST-WEST FIREWALL ANALYTICS / SIEM VIRTUAL WAF Trusted Trusted Trusted SaaS SaaS SaaS Solutions Solutions Solutions MOBILE DEVICES ENDPOINT ACCESS POLICY MANAGER VIRTUAL FIREWALL Threat Intel. SaaS SaaS Solution I/PaaS Solution MOBILE DEVICE MANAGEMENT CASB CONSOLIDATED FIREWALL (INCL. IDS/IPS, SANDBOX, FILTERING, ETC.) REGIONAL OFFICE 2 Trusted Trusted Untrusted SaaS SaaS SaaS Solutions Solutions Solutions REMOTE USERS PAM Source: Jefferies The world of IT security is very dynamic and is ever shifting, making sizing the market among sub-segments difficult and confusing. For instance, Next Generation Firewalls (NGFWs) provide functionality that has traditionally been defined in markets independent from firewalls, but NGFWs are included in the firewall market without the incremental functionality broken out into other markets. Therefore, the breadth of coverage of NGFW vendors in the aggregate security market may be understated in the current industry taxonomy. We expect the market definitions of the sub-segments of the aggregate security market to be in meaningful flux over the next few years. This also feeds into our observation that corporate consumers are overwhelmed by the supposed requirements to secure their IT infrastructures. We believe most would purchase a cohesive platform from a single provider if that existed today. It seems that we’re well on our way to that end, page 16 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 but there’s probably still some time before that becomes a broad reality, though it likely will. Public Cloud and Security There is a move afoot to put more workloads on Public Clouds, which will result in both inflationary and perhaps deflationary forces on IT spending. Inflationary support will likely come from SMBs, as they consume more IT because they now can, whereas significant efficiencies introduced by the Cloud into enterprise IT spending may result in deflationary pressures. Whether these increased efficiencies, along with improvements in core computing technologies result in a much greater number of workloads and increased spending is unclear at this time. We expect SMBs to favor Public Cloud architectures, raising the risk to existing ISVs (Independent Software Vendors) that cater to this demand base, including that for IT security. Vendors that cater to enterprises should fare much better, as preferred hybrid environments will likely often favor the use of the same technologies in the Cloud that are utilized on premise, though the impact on enterprise software companies’ financial models (including those of enterprise security companies) is uncertain due to time based pricing in the Cloud and the differences between subscription pricing and “product or license plus maintenance” pricing. In considering what the impact of Public Cloud would be on IT Security markets, we realized that we first needed to contemplate the impact on technology in general. We first do this below, followed by our resulting analyses and thoughts of Public Cloud’s ultimate impact on IT Security. Likely Influence of Public Cloud on IT Markets First of all, there is a move afoot to put more workloads on Public Clouds, and this is supported by our proprietary survey, which indicated that a combined 79% of our 76 respondents are either already in the cloud or plan to migrate workloads to the cloud. See Chart 5 and our separate report Cybersecurity Survey – From the Source. While this statement may seem obvious at this time, we believe it important to establish it as premise before determining the impact of Public Cloud on the IT Security space. page 17 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 5: Jefferies IT Security Survey of 76 CIOs/CISOs: Which of the following best describes your organization's plans with respect to migrating workloads from on-premise infrastructure to the cloud? Migrating workloads, but at a gradual pace 51% We are rapidly migrating to the cloud 21% We remain largely on-premise without imminent plans to migrate 21% Not migrating workloads, because we are already predominantly utilizing cloud-based infrastructure 7% Source: Jefferies; n=76 Beyond this basic premise, we believe the following are important tenets in our consideration of the impact of Cloud on aggregate IT Markets (on premise + Public Cloud), and eventually, IT Security. We consider the customer perspective (SMB versus enterprise), along with the type of Public Cloud (SaaS, PaaS, and IaaS), and the likely outcome of vendor distribution as Cloud technologies progress (including offerings from traditional on premise vendors).  SMB Use of Public Cloud Will Increase IT Markets … It’s logical to expect small to medium businesses (SMBs) to increase their use of IT through Public Clouds. Therefore, we expect SMBs to become heavy users of Public Cloud services, with some leveraging the Public Cloud as their exclusive IT resource, other than some endpoint devices used to access the Public Cloud. This is because SMBs may not otherwise have the resources (expertise or upfront funds required) to consume on premise IT. Furthermore, we expect Public Cloud to be supportive of software markets (including IT Security) as SMBs expand their use of IT, similar to how salesforce.com likely increased the size of the Sales Force Automation (SFA) market through much greater consumption of SFA by SMBs. We’d expect the technologies utilized by SMBs in Public Clouds to meet two criteria: (1) it works well enough and (2) it represents the lowest total cost of ownership. As a result, we’d expect technologies that are provided by Cloud vendors (frequently, open source) to often be good enough for SMBs, perhaps pressuring some on premise independent software vendors (ISVs) that cater to SMBs. At the same time, ISVs that provide technologies where Cloud providers have difficulty meeting minimum criteria should benefit significantly.  … While Enterprise Transition to Public Cloud May Suppress IT Markets (with an important caveat). At the same time, enterprise use of IT is well established and our initial inclination is to expect Cloud to result in more efficient IT consumption, but not more consumption, implying less page 18 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 spending on IT by enterprises. This will probably result in a suppressive effect on aggregate IT markets, as enterprises move some applications to the Cloud where the infrastructure is provided by the SaaS provider presumably in a much more efficient fashion over a large number of customers. We also expect enterprises to maintain on premise IT operations since they typically have the resources and it is oftentimes economically advantageous over time to do so. In addition, enterprises will likely expand on premise workloads into Public Clouds to accommodate periodic or seasonal capacity demands, establishing a hybrid infrastructure environment that spans from on premise to the Public Cloud. A primary reason to establish such an architecture is that it is more cost effective than building infrastructure for peak loads on premise, implying less total aggregate IT spending (including that spent by both, customers and Cloud providers). An example of this might be retailers “renting” peak workload capacity around the holiday season, rather than supporting that capacity on premise for the entire year. In such a hybrid environment, which enables the important concept of an “elastic datacenter,” we believe enterprises will likely demand the same specific technology in the Cloud that they are using on premise, especially for technologies that are continuous in their deployment from on premise to Cloud and back. In other words, the specific database for instance, that runs a custom retail application on premise would also be utilized in the Cloud during peak loads or periods.  An important caveat to the assumption that enterprise use of Public Cloud is deflationary to IT spending is that enterprises do not increase the number of workloads they would deploy in the Cloud to more than they would have deployed on premise. We have seen throughout the evolution of IT that new, more efficient paradigms brought new workloads that were previously impossible to deploy or simply so inefficient that it did not make economic sense to deploy them. Shifts from mainframe to client-server architectures saw this, as did a shift from client-server to web-based intranets. We believe we are in the midst of a new dawn in the progression of technology, as advances in core foundational computing technologies (e.g. much faster and cheaper memory, much faster and cheaper compute and storage, much faster, cheaper and near ubiquitous bandwidth, etc.) over the last 10-15 years have enabled the realization of logical concepts that simply would not have been (or could not have been) deployed years ago because the IT infrastructure of the world (e.g. the Internet) could not accommodate them in an efficient fashion. Concepts such as Big Data, Cloud, SaaS, Artificial Intelligence (AI), Digital Marketing, etc. will likely result in incremental workloads that at least partially offset the deflationary effects on IT spending due to the increased efficiencies of Public Cloud.  SaaS (Applications in the Cloud). Relatively simple applications that are less dynamic in that they do not have to adhere to ever changing regulations and custom functions per business, such as SFA, will likely move to the Cloud en masse, for both SMBs and enterprises. However, while SMBs will likely also consume Cloud based solutions for more sophisticated applications, such as Financials, enterprises may be more reticent to do so without some safeguards that they can move these applications back on premise if desired (at least for the time being).  PaaS. SMBs will likely favor Cloud-based custom workloads (PaaS, such as development, test, and deployment of custom applications) and are likely to use page 19 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 more of them because they now can, while enterprises are likely to move these workloads more slowly and in some cases, perhaps never. Enterprise development and test workloads are likely to be moved, but even these will probably demand the same underlying technology that will be utilized in production, or else they’d have to be tested again in the production configuration. The concept of the elastic enterprise described above is a logical progression for enterprises, and in such a scenario, technologies utilized in the Cloud environment will likely mirror those used on premise. We consider two PaaS scenarios below, which will likely have meaningfully different outcomes on ISVs, though both may be negative.  When Production Remains On Premise, Even When Development and Test Moves to Cloud. This will have little impact on test and development spending on workloads that will remain on premise once put into production. Yes, it is presumed that it is cheaper for the enterprise (and less revenue to technology vendors) to move development and test to the Cloud to be consumed only when needed rather than supporting all the required infrastructure perpetually on premise, but at least part of the cost savings should be realized by the efficiency gains by the Cloud provider to operate across numerous customers. In other words, pricing per unit of service by ISVs will determine the impact on ISV financials.  When Production Workloads Will Reside in the Cloud. However, there is greater risk to new custom workloads that will be run in the Cloud in production, as there will be less gravity pulling the infrastructure of these to the traditional infrastructure technologies used on premise, though a commonality across both environments even in this case would likely help to satisfy management challenges.  IaaS. Basic infrastructure workloads, such as storage and compute resources, will be supportive of SaaS and PaaS, but can also supplement on premise workloads. An example of this would be storage resources for disaster recovery, or simple compute resources for development purposes, though this can quickly push into PaaS. It’s logical for SMBs to move to IaaS almost exclusively in many instances, and as described above, to be an inflationary force on aggregate IT spending because now they can more easily consume it.  As Cloud Progresses, it May Shift Vendor Distribution. Some investors may view salesforce.com and its eventual leadership of the customer relationship management (CRM) market as precedent for all new Cloud vendors to dominate their markets, while on premise vendors languish in diminishing relevance. However, while salesforce.com did become the clear leader in CRM over time and Seibel’s influence (standalone and then aggregated with Oracle) did moderate, its revenue actually grew at a 3% CAGR from 2004 to 2013 according to Gartner (Market Share: All Software Markets, Worldwide, 2015) and Siebel filings. Furthermore, more recent examples have not had the same outcome and we believe that in other instances, the dynamics are such that they may favor incumbent technologies, even if they themselves are used in the Cloud. For example, while Workday looked to repeat what salesforce.com did in the Human Capital Management (HCM) market early in its development, Oracle poured ample resources into its own Cloud based HCM solution (Oracle HCM Cloud) to draw close on functionality and provide something that Workday cannot today – the promise of moving seamlessly from on premise to the Cloud and back if desired. This may not be important to SMBs, but it is page 20 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 today to enterprises, and it may become even more important to enterprises in PaaS and IaaS with the concept of the elastic enterprise. Hence, on premise ISVs that cater to SMBs are most at risk, though the risk is still meaningful for those on premise ISVs that cater to enterprises, unless of course, they also provide legitimate Cloud solutions in both cases. Likely Influence of Public Cloud on IT Security The Public Cloud will have meaningful technical and economic ramifications on most areas of Software, including the IT Security market, and this is apparent throughout this report in our discussion on the definition and evolution of the different segments of IT Security. The movement of workloads to Public Cloud environments will require some existing technologies to evolve to accommodate a hybrid environment (e.g. firewalls), but will also encourage the emergence of new solutions to address similar issues with new requirements (e.g. Identity and Access Management) and some entirely new needs (e.g. CASBs and Web Application Firewalls). In addition, such an ecosystem may lead to increased relevance for some existing solutions, such as perhaps endpoint security. This opportunity will continue to be a fertile ground for new successes in IT Security, but will also likely pose significant risks to some incumbents who are slow to accommodate such an environment. Security is considered a component of infrastructure software, and as such, it is often considered at risk in a world that appears to be moving rapidly to an IT architecture centered on Public Cloud. But that sweeping generalization is likely incomplete and is dependent on several factors, including the security technology and the type of Cloud considered, whether Software-as-a-Service (SaaS, i.e. packaged applications) or Platformas-a-Service/Infrastructure-as-a-Service (PaaS/IaaS, i.e. customer application development, test, raw infrastructure services). We explore each of these below, along with expected impact to appliances, and firewalls in particular, in addition to the likely fallout to those most exposed to security in our coverage list. SaaS and Security SaaS solutions include the underlying infrastructure, including security functionality, and most SaaS vendors do not allow incremental security products to be deployed in their Public Clouds by their customers. There are still security needs for such solutions on the fringe of these environments and technologies such as Cloud Access Security Brokers (CASBs) and Identity and Access Management solutions are still very important. It also seems to us that microsegmentation may also be a relevant technology in this situation at some point, but how this evolves is still unclear given the restrictions SaaS providers put on access to their core infrastructures. PaaS/IaaS and Security On the other hand, there is a need for incremental security in a PaaS/IaaS environment by definition. Many solutions can be purchased through the Public Cloud provider, with availability of specific solutions and vendors often driven by customer demand. However, the commoditizing pressure resulting from Public Cloud exists even in something as important as security. In other words, there are solutions provided directly by Public Cloud providers, oftentimes open source offerings that may satisfy basic requirements, (especially for SMBs) at little to no cost. However, enterprises that deploy hybrid environments will likely require the same security technologies that are utilized on premise in the following two scenarios: 1) When a workload spans on premise and Cloud environments, for instance, when seasonal capacity needs are met by Cloud solutions. page 21 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 2) When Cloud based development and test are utilized for workloads that will be put into production on premise. Some enterprises may also wish to utilize the same security technologies in the Cloud that are deployed on premise in order to avoid management challenges across these two environments. However, it’s unclear whether security solutions provided by Cloud providers will be good enough even for some workloads that exist entirely in the Cloud. Using different security vendors for the same functionality in the Cloud versus on premise would likely require two separate management systems that may be difficult to merge, and managing them separately may be incrementally more difficult and expensive. This of course, assumes there is a need for the customer to manage all of this. If the onus of managing workloads that totally reside in the Cloud is put on the Cloud provider, then different solutions may be not only acceptable, but also most efficient. In such a scenario, the same security technologies would be used at the edge or perimeter of both environments, but securing any communications within the Cloud may be provided by the Cloud vendor and would likely differ from that securing communications that reside entirely within the on premise environment. We explore this further below. Appliances: Demand and Revenue Model Implications The delivery mechanism for many parts of IT Security has been hardware appliances, given optimal throughput levels, which can be a limiting factor for many implementations. Hardware appliances are the traditional means of deployment for firewalls, Secure Web Gateways (SWGs), Security Intelligence and Event Management (SIEM) solutions, and Secure Email Gateways (SEGs), among others. However, most vendors also offer virtual appliances, which are essentially software only solutions that can be deployed on generic white box hardware with defined specification requirements. This allows them to accommodate Public Cloud environments. Management capabilities by any particular vendor across both its hardware and virtual appliances should favor incumbents as enterprises move to the Cloud. However, there is always some incremental risk when a decision is made by the customer in considering a new environment. Of the appliances mentioned above, we’d expect technologies that exist on the perimeter to favor incumbents, including firewalls that deal with North-South traffic and SWGs. In addition, we’d expect SIEMs to reside in one place or the other, but with no need for both. Finally, we believe that SEGs are likely more likely to be positioned in a Cloud environment given that is where email enters any corporation (SMB or enterprise) from. However, firewalls that deal with East-West traffic are more at risk. The impact of the Cloud on security will not only impact demand, but will also impact financial models of appliance vendors. Cloud based solutions will be sold as virtual software-only appliances (versus hardware appliances). Hardware appliance vendors will no longer receive the periodic new appliance sales every 4-6 years, but rather a one-time upfront license fee, or in some cases, no specific product sales at all if the virtual appliances are sold on a subscription-only basis. It is also dependent on time, which may be different in Cloud environments. Some Cloud solutions may be purchased on a time basis, only to be charged for the time the product is used, versus maintaining the technology (and cost of it) consistently and indefinitely in on premise environments. How this plays out over time is uncertain and will be different for each situation, since it is dependent on the pricing of the Cloud based solution as compared to the on premise pricing, which may include components of product, license, and maintenance. We would expect appliance vendors to price appropriately so that it is at least neutral to revenue and profit over time, but if Cloud providers’ solutions are deemed good enough in some cases, competitive forces could have a negative effect on pricing. Similar to other areas of infrastructure software, we expect security appliance vendors that have significant exposure to SMBs to be at the greatest risk as their page 22 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 customer base moves to Public Cloud environments en masse where solutions provided by Cloud vendors may be good enough and cheaper. Demand for products from Security vendors focused primarily on enterprise customers will likely fare much better, as enterprise Cloud deployments are likely to be hybrid architectures which favor similar or the same Security technologies across both on premise and Cloud environments in order to simplify management and other requirements. However, a transition of some appliance sales to virtual appliances will have an uncertain effect on the financial models of these companies. The magnitude of this effect will be dependent on specific pricing differences between the two types of equivalent appliances, which may be different for each vendor, or even each product. And Firewalls in General? We specifically consider the implication of Cloud on firewall technologies, given this is the largest security appliance market. As noted above, we expect technologies that deal with North-South traffic (or data flow into and out of a datacenter or Cloud) that are provided by vendors that cater to enterprises to hold up well in a Cloud environment. However, those that deal with East-West traffic will likely be at much greater risk to diminished deployment, as Cloud technologies may be adequate (and included in the price of the infrastructure). Firewalls play in both fields, but the market for east-west traffic protection is much less developed, as compared to that for North-South protection. As such, we would expect this to be a minority of revenue for all firewall vendors, but will nevertheless be meaningful for some. For instance, in our coverage, we would expect Palo Alto Networks to have a greater presence in East-West protection than Check Point, primarily because of a market perception that it does this specific function better. Who’s Most Affected by Cloud? We believe Cloud risks are skewed more towards network security vendors, with roots in firewalls, as these are the functionalities most at threat of being subsumed by public cloud vendors. Other security vendors may be more neutral to a cloud transition (such as endpoint vendors which could even benefit from the transition, but this is still uncertain), and some should even be positive secular beneficiaries of the transition (such as CASB or other cloud security vendors). Therefore, we stress that investors should be discerning on a case-by-case basis of the impact of cloud to individual security markets and vendors. Within our coverage:  Both Palo Alto Networks and Check Point have outsized enterprise exposure, somewhat insulating them from the biggest Cloud risk (SMB exposure), though we expect that Palo Alto Networks probably has more East-West traffic exposure, perhaps subjecting it to more competition from Public Cloud offerings. We discuss these risks in our individual company reports.  Symantec is a potential beneficiary of the cloud migration, as a leader in endpoint security and an early innovator in CASB (through the Blue Coat acquisition), though it has other risks – we also discuss this further in our Symantec report.  Mimecast is another potential beneficiary given its SaaS-based email security platform, which assists in the migration to Microsoft Office 365.  Others in our coverage that are likely net beneficiaries include Varonis and Splunk. Although Varonis deals with security within a datacenter (or presumably a Cloud), we believe this market is significantly underpenetrated at this time, leaving significant greenfield opportunity in on premise environments, even if similar Cloud solutions evolve (which hasn’t happened as of yet). Splunk is primarily used as a SIEM across just about all vendors and environments and page 23 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 can be deployed both on-premise and in the Cloud, positioning it well in either environment.  Microsoft is one of the leading Public Cloud providers and will likely be a net beneficiary, especially since security has not been a significant revenue driver in the past. We believe this to be true primarily because the solutions, frankly, were not “good enough,” though assuming it can adequately protect its own Cloud environment, security will be an implied contributor to any incremental Cloud business, which will help to offset any negative effects from its outsized SMB exposure moving to the Cloud en masse. We should point out that our negative rating on Microsoft has to do with the significant risk we see in a transition of its dominant SMB exposure in infrastructure software to a much more competitive Public Cloud world, along with its profit dependence on the PC ecosystem.  Finally, CA and Oracle are often thought of as legacy vendors in the world of security, especially in Identity and Access Management, which puts them at risk. However, this is likely not a significant revenue contributor to Oracle and it is now also applied to its own Public Cloud, though Oracle Cloud is still in relatively early development, at least for PaaS and IaaS. CA likely has a portion of this applied to mainframe environments, which are less likely to move to the Cloud, and it has recently moved into other burgeoning areas of security, such as Privileged Access Management (PAM) with its Xceedium acquisition. IT Security TAM The IT Security market has material components of software, hardware, and services and was about $71 billion in 2015 and is expected to grow at an 8% CAGR to $94 billion in 2019 according to IDC. See Chart 6. We also provide Chart 7 that indicates the relative size of each security market subsegment and the composition of each in regards to whether it is pure software or appliance (software and hardware) driven. Gartner segments the aggregate market differently in some cases, but it’s largely similar. Gartner sizes the aggregate IT security market at about $79 billion in 2015, growing at an 8% CAGR to $107 billion in 2019. See Chart 8. Comments About Currency Effects on Market Growth Historical estimates in this report are “as-reported” and not adjusted for any currency effects, which seem to have had a large impact in 2015. Please see Charts 6 and 8, which include market growth rates in both reported and constant currency. Future growth rates are all denoted in constant currency, given the difficulty in accurately forecasting currency effects. Note that the market size estimates in Chart 8 are entirely in actual Dollars and future market estimates include some currency effects as anticipated by Gartner. We nonetheless provide both the year-over-year growth rate of these estimates and the constant currency year-over-year growth rates. We estimate that currency effects reduced the 2015 reported growth rate for the IT security products market by 7.9 percentage points, when reviewing IDC data. This implies that the market growth was 11.6% in 2015, acceleration from 8.9% constant currency growth in 2014. For comparison, Gartner estimates that currency effects had an 8.5 percentage point impact on 2015 growth rates for the IT security products market (and a 9.4 point impact on the total security market, which includes services). page 24 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 6: IT Security Products Submarket Classifications — IDC in millions of $ Market/Submarket '11-'15 CAGR 14,737 9.4% 2015 2016E 2017E 2018E 9,251 13.6% 10.8% 4,340 4.6% -4,722 17.2% 20.2% 5,052 8.1% 9.3% 1,912 -0.3% 14.4% 2,071 -6.5% -8.1% 774 -2.4% 2.9% 28,122 8.5% 10,334 11.7% 19.8% 4,188 -3.5% 4.5% 5,392 14.2% 17.5% 5,020 -0.6% 8.7% 1,992 4.2% 11.4% 2,018 -2.6% 2.8% 758 -2.1% 5.7% 29,701 5.6% 11,297 12,366 13,477 9.3% 4,235 9.5% 4,456 9.0% 4,697 9.3% 4,947 N/A 4.2% 1.1% 6,039 5.2% 6,680 5.4% 7,320 5.3% 7,935 12.9% 10.1% 12.0% 5,410 10.6% 5,879 9.6% 6,389 8.4% 6,921 5.4% 8.4% 7.8% 2,099 8.7% 2,219 8.7% 2,345 8.3% 2,474 1.3% 5.6% 5.4% 2,043 5.7% 2,078 5.6% 2,114 5.5% 2,156 -3.4% 1.7% 1.2% 776 1.7% 801 1.7% 826 2.0% 833 0.4% 2.4% 2.4% 31,898 7.4% 3.2% 34,479 8.1% 3.2% 37,167 7.8% 0.8% 40,002 7.6% N/A 7.7% Consumer IT Security (Endpoint) yoy change (%) yoy constant currency change (%) 4,637 -0.4% -- 4,321 -6.8% 1.2% 4,424 4,530 4,639 4,750 N/A 2.4% 2.4% 2.4% 2.4% 2.4% Total IT Security Products yoy change (%) yoy constant currency change (%) 32,759 7.1% 8.9% 34,022 3.9% 11.6% 36,323 39,009 41,806 44,752 5.3% 7.1% 6.8% 7.4% 7.2% 7.0% 6,519 6,910 6.0% 12,470 4.6% 15,815 12.8% 1,361 2.0% 36,556 8.2% 15.9% 7,341 6.2% 13,018 4.4% 17,773 12.4% 1,404 3.2% 39,536 7,812 6.4% 13,604 4.5% 19,862 11.8% 1,450 3.3% 42,727 8,328 6.6% 14,216 4.5% 22,045 11.0% 1,515 4.5% 46,104 8,898 6.8% 14,842 4.4% 24,293 10.2% 1,585 4.6% 49,617 N/A 6.5% N/A 4.4% N/A 11.3% N/A 3.9% N/A 7.9% 8.2% 8.1% 7.9% 7.6% 70,578 75,859 81,737 87,910 94,370 N/A 7.5% 7.5% 7.7% 7.6% 7.3% Network Security yoy change (%) yoy constant currency change (%) Corporate Endpoint Security (Endpoint) yoy change (%) yoy constant currency change (%) Security and Vulnerability Management (SVM) yoy change (%) yoy constant currency change (%) Identity and Access Management (IAM) yoy change (%) yoy constant currency change (%) Web Security yoy change (%) yoy constant currency change (%) Messaging Security yoy change (%) yoy constant currency change (%) Other Security yoy change (%) yoy constant currency change (%) Enterprise IT Security Products yoy change (%) Consulting yoy change (%) Professional Integration Security Services yoy change (%) Managed Security Services yoy change (%) Education & Training yoy change (%) IT Security Services yoy change (%) yoy constant currency change (%) Total Worldwide IT Security 11,921 14,014 1,334 33,789 66,547 yoy change (%) yoy constant currency change (%) 2019E '15-'19 CAGR 9.3% 2014 6.1% 13.8% Source: IDC IT Security Products Forecast, 2015-2019 (Dec. 2015), IDC Worldwide Network Security Forecast, 2016–2020 (Sept. 2016), IDC Worldwide Endpoint Security Forecast, 2016–2020 (Oct. 2016), IDC Worldwide Security and Vulnerability Management Forecast, 2015–2019 (Oct. 2015), IDC Worldwide Identity and Access Management Forecast, 2016–2020 (Aug. 2016), IDC Worldwide Web Security Forecast, 2015–2019 (Sept. 2015), IDC Worldwide Messaging Security Forecast, 2015–2019 (Sept. 2015) Note 1: For constant currency estimates, assumes the same currency effects from the IDC software tracker are applied to the IDC hardware tracker data for their respective categories. IDC does not provide constant currency data for hardware. Note 2: For the constant currency estimates, the historical SVM constant currency calculation is missing some SVM hardware (specifically SIEM appliances), which we estimate at $920 million in 2015 Note 3: We have applied the same currency impacts from the IT security products to IT services in order to derive a total IT security impact. page 25 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 7: 2016E Worldwide IT Security Products Markets Forecast — IDC Network Security Endpoint Security Security and Vulnerability Management Identity and Access Management Web Security Messaging Security Other Security $11.3B $8.7B $6.0B $5.4B $2.1B $2.0B $0.8B Firewall/ Unified Threat Management* Security Suites Single Sign-On (SSO) Hardware* Hardware* Encryption Toolkits $8.5B $2.3B Security Intelligence and Event Management (SIEM)* $2.1B $2.2B $1.1B $0.6B Intrusion Detection and Prevention (IDP)* $2.5B Server Security Policy and Compliance Authentication Software-as-aService Software-as-aService $0.7B $1.3B $1.8B $0.5B $0.7B Virtual Private Network (VPN)* Proactive Endpoint Risk Management (PERM) $0.5B Forensics and Incident Investigation User Provisioning On-Premise Software On-Premise Software $0.5B $0.8B $0.5B $0.8B Access and Information Protection (AIP) $0.5B Security Device Systems Management $0.5B Privileged Access Antimalware Device Vulnerability Assessment Legacy authentication $0.3B $1.1B $0.1B Consumer Endpoint Security** Application Vulnerability Assessment $4.4B $0.9B Database $0.5B Storage Web Services $0.5B * Black shading denote that hardware appliances represent a significant portion, or all, of revenues in the subsegment. ** Blue shading denotes Consumer IT Security; we assume substantially all consumer security is endpoint protection. Source: IDC IT Security Products Forecast, 2015-2019 (Dec. 2015), IDC Worldwide Network Security Forecast, 2016–2020 (Sept. 2016), IDC Worldwide Endpoint Security Forecast, 2016–2020 (Oct. 2016), IDC Worldwide Security and Vulnerability Management Forecast, 2015–2019 (Oct. 2015), IDC Worldwide Identity and Access Management Forecast, 2016–2020 (Aug. 2016), IDC Worldwide Web Security Forecast, 2015–2019 (Sept. 2015), IDC Worldwide Messaging Security Forecast, 2015–2019 (Sept. 2015) page 26 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 8: Worldwide IT Security Market Size – Gartner Forecast in millions of $ Market/Submarket Identity and Access Management (IAM) yoy change (%) yoy change (CC, %) Web Access Management (WAM) Other Identity Access Management Identity Governance and Administration Infrastructure Protection yoy change (%) yoy change (CC, %) Endpoint Protection Platform (Enterprise) Other Security Software Secure E-mail Gateway Secure Web Gateway Security Information and Event Management (SIEM) Data Loss Prevention (DLP) Security Testing Network Security Equipment yoy change (%) yoy change (CC, %) VPN/Firewall Equipment Intrusion Protection Systems (IPS) Equipment Enterprise IT Security Products yoy change (%) yoy change (CC, %) Consumer IT Security Products (Endpoint) yoy change (%) yoy change (CC, %) Total IT Security Products '15-'19 CAGR 5,468 8.7% 8.2% 8.0% 2014 2015 2016E 2017E 2018E 2019E 3,351 11.2% 12.9% 3,914 8.1% 16.8% 4,278 8.6% 9.3% 4,665 9.4% 9.0% 5,064 8.7% 8.5% 950 880 1,522 1,059 1,110 1,745 1,108 1,285 1,884 1,151 1,462 2,052 1,195 1,637 2,232 1,242 1,796 2,431 4.1% 12.8% 8.6% 13,249 6.8% 8.5% 15,198 6.2% 14.7% 16,246 6.4% 6.9% 17,378 7.3% 7.0% 18,569 7.0% 6.9% 19,926 7.4% 7.3% 7.0% 3,275 3,673 1,440 1,951 1,578 792 540 3,603 4,314 1,532 2,271 1,953 895 630 3,699 4,718 1,559 2,446 2,125 980 719 3,791 5,176 1,579 2,621 2,316 1,074 820 3,882 5,632 1,601 2,807 2,530 1,180 937 3,977 6,178 1,623 3,011 2,768 1,298 1,071 2.5% 9.4% 1.5% 7.3% 9.1% 9.7% 14.2% 9,019 9.3% 10.9% 11,044 13.9% 22.5% 12,358 11.1% 11.9% 13,207 6.9% 6.9% 14,004 6.0% 6.0% 14,671 4.8% 4.8% 7.4% 7,491 1,528 9,353 1,691 10,597 1,761 11,506 1,701 12,406 1,598 13,260 1,411 9.1% -4.4% 25,619 8.2% 9.9% 30,156 9.2% 17.7% 32,882 8.4% 9.0% 35,250 7.4% 7.2% 37,637 6.8% 6.8% 40,066 6.5% 6.5% 7.4% 5,035 -2.0% 0.1% 5,175 -5.9% 2.8% 5,248 1.0% 1.4% 5,320 1.6% 1.4% 5,400 1.4% 1.5% 5,481 1.4% 1.5% 1.4% 6.6% 30,654 35,331 38,130 40,570 43,036 45,546 yoy change (%) 6.4% 6.7% yoy change (CC, %) 8.1% 15.3% 7.3% 7.9% 6.6% 6.4% 6.1% 6.1% 5.9% 5.8% 43,189 9.2% 11.2% 51,587 9.4% 19.4% 56,054 8.6% 8.7% 60,711 8.7% 8.3% 65,947 8.8% 8.6% 71,825 9.0% 8.9% 8.6% 15,559 1,282 13,614 12,734 18,209 1,493 15,955 15,929 19,847 1,560 16,938 17,708 21,413 1,636 17,934 19,728 23,129 1,730 19,026 22,062 25,005 1,827 20,197 24,796 8.3% 5.2% 6.1% 11.7% 7.8% Enterprise IT Security Services yoy change (%) yoy change (CC, %) Consulting Hardware Support Implementation IT Outsourcing (i.e. Managed Security Services) Total IT Security 73,843 86,918 94,183 101,281 108,983 117,371 yoy change (%) 8.0% 8.3% yoy change (CC, %) 9.9% 17.7% 8.1% 8.4% 7.9% 7.5% 7.7% 7.6% 7.8% 7.7% Source: Forecast: Information Security, Worldwide, 2014-2020, 3Q16 Update Source: Jefferies, Gartner Worldwide Information Security Forecast, 2014-2020 (3Q16) Note: All market size estimates are in actual Dollars and future market size estimates include Gartner’s anticipated currency effects. Reported and constant currency growth rates are both from Gartner’s market forecast. page 27 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 We address the super-segments of software, hardware, and services below and then focus on the functional areas of security in the sections that follow, including: network security, endpoint security, security vulnerability management, identity and access management, and messaging security. Finally, we briefly discuss what IDC calls Key Competitive Categories that span several functional markets (but are inclusive in the size of those aggregate markets). IT Security Products (Software and Appliances) Some IT security solutions are typically sold as appliances, or a combination of hardware and software (e.g. firewalls) while others are sold as standalone software products (e.g. endpoint security). The mix of hardware versus software sales for a vendor impacts that particular vendor’s margin profile, while the mix and trend for the overall industry is reflective of customer preferences for on-premise versus cloud-based (e.g. SaaS) solutions. Thus, we believe that it is important to distinguish, or at least be cognizant of, the revenue mix between the two across the major products markets. Security Hardware Appliances Hardware appliances represent approximately 35% of total IT security products revenue, according to IDC. The majority of hardware appliances consist of Network Security products, including NGFWs, “traditional” firewalls, intrusion detection and protection systems, and virtual private networks (VPN). Hardware also includes appliances for secure email gateway, secure web gateway, and security information and event management (SIEM) solutions. IDC estimates IT security appliance revenues at $11.4 billion, and is forecasted to grow at a 7.8% CAGR to $15.4 billion in 2019. See Chart 9 below. Security Software Software represents the remaining 65% of IT security products, and includes revenue recognized under the traditional software license and maintenance, and subscription (including software-as-a-service or SaaS) models. Of the security software products, SaaS represented approximately 17%. Major software markets include endpoint security, identity and access management security, and security and vulnerability management (which includes security information and event management). Smaller markets include messaging security and web security. IDC estimates the security software market at $22.7 billion in 2015, and forecasted it to grow at a 6.9% CAGR to $29.4 billion in 2019. See Chart 9 below. page 28 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 9: Worldwide IT Security, Software vs. Hardware—IDC in millions of $ Market IT Security Software Endpoint Security yoy change (%) Identity and Access Management (IAM) yoy change (%) Security and Vulnerability Management (SVM) yoy change (%) Messaging Security yoy change (%) Network Security yoy change (%) Web Security yoy change (%) Other Security yoy change (%) Total IT Security Software yoy change (%) yoy constant currency change (%) % of Total IT Security Products 2014 2015 2016E 2017E 2018E 2019E 8,977 8,509 -5.2% 5,020 -0.6% 4,472 12.0% 1,419 -4.5% 1,481 13.1% 985 2.5% 785 -1.9% 22,669 0.4% 9.1% 67% 8,659 1.8% 5,410 7.8% 5,018 12.2% 1,430 0.8% 1,648 11.2% 1,047 6.3% 807 2.9% 24,018 8,987 3.8% 5,879 8.7% 5,636 12.3% 1,448 1.3% 1,820 10.5% 1,121 7.1% 840 4.0% 25,731 9,336 3.9% 6,389 8.7% 6,288 11.6% 1,470 1.5% 1,985 9.0% 1,198 6.9% 871 3.8% 27,538 9,697 3.9% 6,921 8.3% 6,932 10.2% 1,497 1.8% 2,143 8.0% 1,272 6.2% 902 3.5% 29,364 5.9% 66% 7.1% 66% 7.0% 66% 6.6% 66% 1,335 17.4% 692 3.5% 593 13.5% 781 11.8% 769 14.5% 230 9.2% 133 4.1% 4,533 1,562 17.0% 716 3.4% 660 11.3% 865 10.8% 871 13.3% 252 9.6% 141 5.3% 5,065 12.3% 18% 11.7% 18% 11.2% 19% 5,052 3,994 1,485 1,310 960 800 22,578 69% IT Security Software as a Service (within total IT Security Software above) Security and Vulnerability Management (SVM) 820 968 1,138 yoy change (%) 18.0% 17.6% Messaging Security 662 646 669 yoy change (%) -2.4% 3.6% Web Security 407 458 522 yoy change (%) 12.6% 14.0% Endpoint Security 555 621 698 yoy change (%) 12.0% 12.4% Identity and Access Management (IAM) 503 582 672 yoy change (%) 15.8% 15.3% Network Security 178 193 210 yoy change (%) 8.5% 8.7% Other Security 127 126 128 yoy change (%) -0.9% 1.7% Total IT Security SaaS 3,252 3,594 4,037 yoy change (%) 10.5% yoy constant currency change (%) 19.3% 12.3% % of Total IT Security Software 14% 16% 17% IT Security Hardware Network Security yoy change (%) Web Security yoy change (%) Messaging Security yoy change (%) Other IT Security Hardware yoy change (%) Total IT Security Hardware yoy change (%) yoy constant currency change (%) % of Total IT Security Products Total IT Security Products 7,941 9,649 9.0% 1,053 4.5% 613 2.4% 990 7.6% 12,305 10,545 9.3% 1,098 4.4% 629 2.6% 1,006 1.6% 13,279 11,492 9.0% 1,147 4.4% 644 2.3% 986 -2.0% 14,269 12,594 9.6% 1,202 4.8% 659 2.3% 934 -5.2% 15,388 31% 8.1% 34% 7.9% 34% 7.5% 34% 7.8% 34% 32,917 34,047 36,323 39,009 41,806 44,752 586 860 10,339 3.3% 8.4% 11.6% 1.4% 9.7% 6.6% 3.5% 6.7% 1,813 17.0% 16.1% 744 3.6% 3.9% 721 12.0% 9.3% 948 11.1% 9.5% 981 13.9% 12.6% 276 9.3% 9.7% 149 4.3% 6.0% 5,631 11.9% 8,852 11.5% 1,008 5.8% 599 2.2% 919 6.9% 11,378 10.1% 18.8% 33% 952 '15-'19 CAGR 9.2% 4.5% 2.4% 0.4% 7.8% 7.1% Source: IDC IT Security Products Forecast, 2015-2019 (December 2015); IDC Worldwide Semiannual Software Tracker, 2H15, May 2016; IDC Worldwide Cloud Hosted Enterprise Security Services (Security as a Service) Forecast, 2015–2019 (July 2015) Note: For constant currency vs reported currency derivation, applied IDC IT Security Software currency impacts to IT Security SaaS and to IT Security Hardware in order to derive constant currency changes. page 29 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 IT Security Services Sales of IT security products are supplemented by IT security services, which consist primarily of security consulting services, security implementation services, and managed (i.e. outsourced) security services. These services are offered mostly by major global consulting firms and telecommunications providers. Standalone IT security vendors offer IT security services to a more limited extent. According to IDC, IT security services revenues totaled an estimated $36.6 billion in 2015, and are projected to grow at an 6.0% CAGR to $49.6 billion in 2019. Alternatively, Gartner sizes total vendor revenues at $46.5 billion in 2015, forecasted to grow at 8.8% CAGR to $65.1 billion in 2019. The main difference between IDC and Gartner’s market size estimates (approximately $12-15 billion) appears to be the scope of professional services that are considered as security consulting services; although the definitions of security consulting services seem largely consistent between the two. Therefore, the differences in underlying methodology are still unclear to us. Chart 10 below forms a summary of IDC and Gartner’s estimates and growth forecasts for the major IT security services markets. Chart 10: Worldwide IT Security Services in millions of $ Market/Submarket IDC Consulting yoy change (%) Professional Integration Security Services yoy change (%) Managed Security Services yoy change (%) Education & Training yoy change (%) IT Security Services yoy change (%) yoy change (CC, %) Gartner Consulting yoy change (CC, %) Hardware Support yoy change (CC, %) Implementation yoy change (CC, %) IT Outsourcing (i.e. Managed Security Services) yoy change (CC, %) Enterprise IT Security Services yoy change (%) yoy change (CC, %) 2014 2015 2016E 2017E 2018E 2019E 6,519 6,910 6.0% 12,470 4.6% 15,815 12.8% 1,361 2.0% 36,556 8.2% 15.9% 7,341 6.2% 13,018 4.4% 17,773 12.4% 1,404 3.2% 39,536 7,812 6.4% 13,604 4.5% 19,862 11.8% 1,450 3.3% 42,727 8,328 6.6% 14,216 4.5% 22,045 11.0% 1,515 4.5% 46,104 8,898 6.8% 14,842 4.4% 24,293 10.2% 1,585 4.6% 49,617 8.2% 8.1% 7.9% 7.6% 16,527 17.0% 1,326 16.5% 14,249 17.2% 14,348 2.8% 46,450 9.4% 19.4% 17,881 9.0% 1,411 4.5% 15,212 6.2% 15,937 1.4% 50,441 8.6% 8.7% 19,386 7.9% 1,496 4.8% 16,184 5.9% 17,783 1.4% 54,848 8.7% 8.3% 21,037 8.0% 1,581 5.7% 17,172 6.1% 19,875 1.5% 59,664 8.8% 8.6% 22,830 8.1% 1,669 5.6% 18,226 6.2% 22,332 1.5% 65,058 9.0% 8.9% 11,921 14,014 1,334 33,789 15,362 1,244 13,337 12,531 42,474 9.2% 11.2% '15-'19 CAGR 6.3% 4.5% 12.0% 3.2% 6.0% 8.4% 5.9% 6.3% 11.7% 8.8% Source: Jefferies, IDC Worldwide Professional Security Services Forecast, 2015-2019 (March 2015), Gartner Worldwide Information Security Forecast, 2014-2020 (3Q16) Note: For IDC constant currency vs reported currency derivation, applied IDC IT Security Software currency impacts to IT Security Services in order to derive constant currency changes. For Gartner constant currency estimates, reported and constant currency growth rates are both from Gartner’s market forecast. While this industry primer is focused on IT security products and functionalities, it is important to highlight managed security services (MSS), which is an important and fastgrowing area of IT security whose business trends and growth rates are tied to the IT page 30 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 security products markets. The MSS market is comprised of security solutions that are outsourced to and managed by MSS providers (MSSP). The MSS market was $15.8 billion in 2015 according to IDC, and projected to grow at an 11.3% CAGR to $24.3 billion in 2019. Gartner estimates a similar $14.3 billion market in 2015, and projected to grow at an 11.7% CAGR to $22.3 billion in 2019. These solutions can be deployed either on the customer’s premises or hosted in an external datacenter (in the MSSP’s datacenter or public/private cloud infrastructure), and can be either a single-tenant and or multitenant/shared solution. Unlike IT security consulting and implementation services, MSS are generally packaged and highly customizable solutions that include identification and analysis of the customer’s security needs, selection of appropriate security products, and ongoing support services, on behalf of the customer. Network Security We delve into the size of the addressable market for network security, and provide an overview on firewalls, Intrusion Detection / Prevention Systems (IDS/IPS), web security systems, and Next-Generation Firewalls. We also provide our thoughts on a potential future for network security products. Some of big changes in this market stem from the introduction of Next Generation Firewalls, which have consolidated the functionalities of a number of standalone security products into a single product/platform. Additionally, these products have increasingly been integrated with threat intelligence feeds, which allow for the reconfiguration of all products in the network and beyond when new threats are detected (assuming they are tied to these feeds). These changes have offered a strong value proposition to IT managers seeking to both simplify their network architectures and secure their networks against increasingly sophisticated and complex attacks. We envision a future where Next Generation Firewalls could continue to add functionality by integrating additional security products or functionality, which were previously standalone. We also envision the need for enterprises to increasingly adopt technologies to secure access to cloud-based services; however we question whether these services will exist on a standalone basis or will be integrated into other security platform offerings (such as Next Generation Firewalls or cloud-based proxy services). Network Security Overview Network security encompasses numerous functions designed to protect networks from vulnerabilities and attacks. As will be explored in subsequent sections, some of the larger markets in this area encompass firewalls, web security systems, and intrusion detection and prevention systems. Many of the technologies in network security are unlikely to remain as independent products longer-term and are instead being subsumed into the functionality of firewalls given that all network traffic passes through firewalls, giving them the “incumbent” advantage in terms of inspecting traffic. For instance, sandboxing functionality, intrusion detection and prevention, etc. are being incorporated into many current Next Generation Firewall (NGFW) offerings. See Chart 11 for a graphical depiction of a typical network today and the landscape of the security products that are often utilized to protect it. Note that this chart is the same as Chart 3 earlier in this report; its inclusion here acknowledges the relevance of network security in overall enterprise security landscape. page 31 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 11: Today's Network Security Landscape CloudBased IAM SaaS SaaS Solution I/PaaS Solution Extranet FIREWALL REGIONAL OFFICE 1 Internal Network WEB SERVER Demilitarized Zone (DMZ) E-MAIL SERVER ENDPOINT ACCESS POLICY MANAGER E-MAIL CONTENT FILTER IDS/IPS VIRTUAL FIREWALL Threat Intel. MOBILE DEVICES WAF Internet FIREWALL DLP DATA CENTER PROXY FIREWALL ANALYTICS / SIEM SANDBOX MOBILE DEVICE MANAGEMENT Trusted Trusted Trusted SaaS SaaS SaaS Solutions Solutions Solutions Trusted Trusted Untrusted SaaS SaaS SaaS Solutions Solutions Solutions REVERSE PROXY REMOTE ACCESS GATEWAY REGIONAL OFFICE 2 REMOTE USERS IAM (incl. PAM) Source: Jefferies Network Security Addressable Market Size In determining the total addressable network security market, we review estimates from industry analysts. We consider estimates from both Gartner and IDC since the nomenclature each uses is often slightly different, but both are used in the market. The estimates broadly agree on market size and growth rate; IDC estimates the 2015 network security market size at $12.3 billion, whereas Gartner estimates it to be $13.3 billion, an approximate 10% difference. IDC estimates a 9% CAGR for the total network security market through 2019, whereas Gartner estimates a 7% CAGR. See Chart 12. page 32 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 12: Network Security Market Size in billions of $ Market/Submarket 2014 2015 2016E 2017E 2018E 2019E 2015-2019 CAGR IDC Web Security (includes DLP) Hardware Software as a service On-premises software yoy change (%) yoy constant currency change (%) % of Total Firewall/UTM yoy change (%) % of Total IDP yoy change (%) % of Total VPN yoy change (%) % of Total Total yoy change (%) yoy constant currency change (%) 1.9 2.0 2.1 2.2 2.3 2.5 6% 1.0 0.4 0.6 1.0 0.5 0.5 4% 11% 16% 1.1 0.5 0.5 1.1 0.6 0.5 1.2 0.6 0.5 1.2 0.7 0.6 5% 12% 1% 6% 16% 6% 15% 6% 15% 6% 14% 14% 17% 6.6 7.6 8.4 9.3 10.4 11.5 59% 15% 62% 11% 63% 11% 64% 11% 65% 11% 67% 11% 2.1 2.2 2.3 2.5 2.6 2.8 19% 7% 20% 6% 21% 6% 22% 6% 23% 6% 25% 0.6 0.5 0.5 0.5 0.5 0.5 5% -9% 4% 1% 4% 1% 5% 1% 5% 1% 5% 11.2 12.3 13.4 14.5 15.8 17.2 11% 11% 10% 18% 9% 9% 9% 9% 9% 7% 6% 1% Gartner Secure Web Gateway (SWG) 2.0 2.3 2.4 2.6 2.8 3.0 yoy change (%) % of Total 18% 16% 21% 8% 22% 7% 24% 7% 26% 7% 27% IPS Equipment 1.5 1.7 1.8 1.7 1.6 1.4 14% 11% 15% 4% 16% -3% 16% -6% 15% -12% 13% 7.5 9.4 10.6 11.5 12.4 13.3 68% 25% 85% 13% 97% 9% 105% 8% 113% 7% 121% 11.0 13.3 14.8 15.8 16.8 17.7 9% 11% 13% 21% 11% 7% 6% 5% yoy change (%) % of Total VPN/Firewall Equipment yoy change (%) % of Total Total yoy change (%) yoy constant currency change (%) -4% 9% 7% Source: Jefferies, Jefferies estimates based on IDC data (IDC Worldwide Network Security Forecast, 2016-2020, Sept. 2016, US41755616; IDC Worldwide Web Security Forecast, 2015-2019, Sept. 2015, 258801), Gartner Worldwide Information Security Forecast, 2014-2020 (3Q16) Note: We derive our IDC estimates based off of historical IDC market data and IDC forecasted CAGRs through 2019. There are several differences in how Gartner and IDC segment the network security market. We detail some of these differences here since both are often quoted during industry discussion. For instance:  IDC’s web security estimate includes network based Data Loss Prevention (DLP) and Web Application Firewalls (WAF), whereas Gartner separates network DLP into a separate market (not included in Chart 12). IDC estimates Web Security to have been a $2.0 billion market in 2015, whereas Gartner’s Secure Web Gateway estimate totals $2.3 billion in 2015. We believe that the web security page 33 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 market estimate is comprised of approximately 7% DLP, 18-20% WAF, with the remainder Secure Web Gateway (SWG). It does not currently include CASBs in this market.  IDC also separates the firewall and VPN segments, whereas Gartner includes them together. IDC estimates the sum of the two segments to be $8.1 billion in 2015, whereas Gartner estimates the segment to be $9.4 billion in 2015. Both IDC and Gartner forecast that the segment will grow at a 9% CAGR through 2019.  The most notable difference between the two estimates is in the Intrusion Prevention market. IDC estimates the 2015 market to be $2.2 billion, growing at a 6% CAGR through 2019. Gartner estimates the 2015 market to be $1.7 billion, declining at a -4% CAGR through 2019. Gartner forecasts that the IDS/IPS market will continue to be absorbed by next generation firewalls being placed at network perimeters, which include many of the same functionalities. While it is difficult to ascertain what drove differences in specific market estimates from IDC and Gartner, forecasts from both indicate that overall network security remains a growing market, with enterprises consistently upgrading their network security products, driven by increased bandwidth requirements and a continuously evolving threat environment. Hereafter, we will use IDC nomenclature and estimates, as their overall segmentation of the security market aligns better with the way we partition the market and for the sake of simplicity in our analyses. Gartner’s estimates also assume that next generation firewalls (NGFWs) will dominate the enterprise market at the expense of other security products, whereas enterprises today still often utilize separate products even when that functionality is included in NGFWs that are also deployed. It is logical that these adjacent functionalities will improve over time and may become entirely consumed by NGFWs, but to assess the market today with that view is probably premature in our view. Representative Vendors and Market Share We look at an aggregate view of the network security space and identify the vendors active in this market. IDC identifies 26 vendors that are active and comprise 83% of the total revenue in the market. While we believe that there are numerous other vendors active in the security market (some identified later in this document), the market remains dominated by a handful of large vendors. The top two vendors alone, Cisco and Check Point, have a 17% and 12% of the market, respectively. Combined, they enjoy a 29% share of the network security market. We observe that these two vendors have been relatively successful in maintaining their market share, even as new competitors have entered the market. Palo Alto Networks and Fortinet have both gained share from others. Donors have primarily been Juniper, and more recently to a lesser extent McAfee. A smaller network security player, FireEye has also gained share over time, but we do not expect that to continue, as many others now provide similar sandboxing technology. See Chart 13 for an evolution of market share in the network security market over time. page 34 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 13: Network Security Market Share Evolution 100% 90% Other 80% Sophos 70% Dell 60% FireEye 50% Juniper McAfee 40% Blue Coat 30% Fortinet 20% Palo Alto Networks 10% Check Point Cisco 2016H1 2015H2 2015H1 2014H2 2014H1 2013H2 2013H1 2012H2 2012H1 2011H2 2011H1 0% Source: Jefferies, IDC Worldwide Security Appliance Tracker (3Q16), IDC Worldwide Semiannual Software Tracker (1H16) The top five vendors have a combined 49% share of the market; , this market remains relatively fragmented. See Chart 14. Chart 14: Network Security Market Share (2015, $12.4B) Cisco 17% Check Point 12% Others 52% Palo Alto Networks 8% Fortinet 7% Blue Coat 4% Source: Jefferies, IDC Worldwide Security Appliance Tracker (2Q16), IDC Worldwide Semiannual Software Tracker (2H15) Delving into the network security market, we can establish market share for the firewall segment (including next generation firewalls), IDS/IPS segment, and the web security segment. Each of the segments has some common vendors, but also a large amount of different vendors that don’t have a meaningful presence in other segments. Cisco appears to be the only vendor with meaningful market share in each segment, although NGFW vendors have products that offer IDS/IPS and web security functionality integrated (e.g. Check Point and Palo Alto Networks). page 35 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 We also note that the Web Application Firewall (WAF) segment does not appear to be tracked separately, though IDC includes WAF as part of its web security estimates. It is therefore difficult to ascertain the market share of individual WAF vendors, although we have attempted to derive WAF market estimates (see subsequent sections on Web Security). In the firewall segment, the top five market share leaders are Check Point, Cisco, Palo Alto Networks, Fortinet, and Juniper. Combined, the five represent 66% of the market. Chart 15: Firewall / Next-Generation Firewall Market Share (2015, $6.9B) Check Point 18% Others 34% Cisco 15% Juniper 6% Palo Alto Networks 15% Fortinet 12% Source: Jefferies, IDC Worldwide Security Appliance Tracker (2Q16) In the IDS/IPS market, Cisco is the leader with a 25% market share. The second largest company in this market is Intel Security / McAfee with a 15% market share. The market is noticeably fragmented compared to other security markets, with “other” companies representing 37% of the market. Many NGFWs include IDS/IPS functionality as a core part of the NGFW, which is not included in this market definition. As a result, NGFW vendors such as Palo Alto Networks and Check Point, among others, are under-represented in this market, though they do provide the same technology. Most noticeably, FireEye is not included in the general IDS/IPS market, although one of its primary product lines is an IPS and sandboxing appliance (its NX platform). IDC tracks FireEye as part of its STAP (Specialized Threat Analysis and Protection) market crosssection. It estimates that FireEye had $197 million in network security revenues in 2015. page 36 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 16: IDS/IPS Market Share (2015, $1.7B) Cisco 25% Others 37% IBM 9% Check Point 4% Hewlett Packard Enterprise 10% McAfee 15% Source: Jefferies, IDC Worldwide Security Appliance Tracker (2Q16) In the Web Security market, Blue Coat leads the market with a 22% share, followed by Forcepoint and Cisco, with a 14% and 11% share, respectively – combined the three companies have 47% of the market. Chart 17: Web Security Market Share (2015, $2.1B) Blue Coat 22% Others 41% Forcepoint 14% Zscaler 7% Cisco 11% McAfee 5% Source: Jefferies, IDC Worldwide Security Appliance Tracker (2Q16), IDC Worldwide Semiannual Software Tracker (2H15) Firewall What is a firewall? Firewalls monitor and control incoming and outgoing network traffic based on a predetermined set of rules. A firewall typically acts as a barrier between a trusted internal network and another outside network that is assumed to not be as secure or trusted. Firewalls are typically available as either network firewalls or host-based firewalls. At one page 37 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 end of the spectrum, a firewall can provide a barrier between an enterprise network and the Internet, or from the other extreme, it can provide a controlled barrier between a PC or server and anything external to it. Network firewalls are available in different form factors; they can come as a software appliance running on general purpose computing hardware or can come as hardwarebased appliances. Host-based firewalls typically come as a software layer on a computer. In addition to its role managing network traffic, firewalls can also provide additional functionality, most commonly by acting as a VPN server for the network it is protecting. Evolution of firewalls The first generation of firewalls was introduced in 1988 as a packet filtering firewall. Nearly all traffic on the Internet today is broken up into packets for transmission from one computer to another, with the IP (Internet Protocol) format being one of the dominant formats. Each packet contains both information to be transported (i.e. the payload) and an address where to transport it to (i.e. the header). The header contains several distinct pieces of information about the packet, such as the size of the data being carried, the source and destination of the packet, how long the packet can take to reach its destination, etc. The concept of such a packet firewall was simple. The firewall was loaded with a set of filters or rules on which types of packets were allowed to pass through it. If an incoming packet matched the permitted set of criteria, it was allowed to pass. Conversely, packets that did not match the set of rules were either silently discarded (“dropped”) or rejected (the firewall sends an error response back to the source). This type of firewall was unaware of the type of traffic that was flowing through it or if the packets it was inspecting were part of an existing traffic stream. This type of firewall merely filtered the packets on an individual basis based on the inspection of each individual packet. The filters were most commonly set up to inspect for a combination of packet source, destination address, protocol, and port (if applicable). When viewing the OSI model of network traffic, packet filtering firewalls only operate on the first three layers of the model (physical, data link, network). See Chart 18 for an illustration of the OSI model and Appendix B for a more detailed discussion. page 38 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 18: OSI Model for Network Layers Layer Function 7 Application 6 Presentation 5 Session 4 Transport 3 End User Layer Program Syntax Layer (i.e. formatting data) Encrypt/decrypt (if needed), encode/decode, etc. Example FTP, HTTP ASCII, JPEG Sync & Send to Ports SQL, SSL End-to-End Connection & Reliability TCP, UDP Network Packets (Logical Addressing) IP, IPsec 2 Data Link Frames (Physical Addressing) Ethernet, MPLS 1 Physical Physical Structure Wireless, xDSL Logical ports Host to host, flow control “Letter”, contains IP address “Envelopes”, MAC address, etc. Physical medium transmission – bits, Volts, etc. Source: Jefferies The second generation of firewalls was developed several years later and was known as “stateful” filters. They extended the firewall’s operations to the fourth layer of the OSI model (the transport layer). They functioned by determining the state of the connections allowed through the firewall. They did so by keeping track of all connections passing through them and determining whether a packet was the start of a new connection, part of an existing connection, or not part of any connection at all (i.e. these firewalls recorded the state of the connection). To illustrate how a stateful firewall functions, a typical connection between two computers using the widely used TCP (Transmission Control Protocol) protocol, with one computer on each side of the firewall, starts with a three way handshake between the computers:  The initial request stems from the computer behind the firewall to the computer outside. This initial request initiates an entry into the firewall’s state table.  If the destination computer outside the firewall returns a packet to set up the requested connection, the firewall updates its state table to reflect it.  The initial host computer will then send an acknowledgement packet to the destination computer. This finalizes the state of the connection as “established” inside the firewall state table. With an established connection, the two computers can then freely communicate with each other through the firewall. Unlike TCP, some other protocols don’t present such a simple process of initiating a connection, and thus make it harder to track a state, presenting challenges for stateful firewalls. In these conditions, the firewall must solely track the state based on the destination address and source of the protocol, which can prove challenging for firewalls to maintain security as it must make numerous assumptions about the nature of the connection. page 39 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 While stateful firewalls also function with a static set of rules similar to packet filtering firewalls, they are more sophisticated in that they can determine connection states and whether packets should be traversing the firewall as part of a connection. The third generation of firewalls, application firewalls, was first developed and became generally available in 1993 under a DARPA contract. Application firewalls are also known as proxy-based or reverse-proxy firewalls. Such a firewall is able to specifically control services or applications traversing it. The key benefit is the ability to “understand” the traffic flowing through and allow or deny traffic based on content; it is built to function on any layer in the OSI model. It can detect whether an unwanted protocol is being sneaked through or whether a protocol is being abused and it can block such traffic. The primary drawback of application firewalls has traditionally been performance, they have not been suited to general firewall applications given the high processing demands and thus stateful inspection firewalls have dominated the landscape for many years. Proxies, which share the same technology as application firewalls are usually used along with stateful firewalls in most IT architectures. Application firewalls also exist in specialized format for a specific kind of network traffic. The most prominent example would be a web application firewall, which serves to protect outside facing web applications. See the subsequent section on Next-Generation Firewalls for details on the ongoing evolution of firewalls into security platforms. Market Size and Potential Growth IDC separates the Firewall/UTM and VPN market. The Firewall/UTM market is forecast to grow from $7.7 billion in 2015 to $10.9 billion (9% CAGR). The VPN market is forecast to be essentially flat, growing from $538 million in 2015 to $555 million in 2019. The VPN and Firewall market are frequently combined given that VPN capabilities are a part of firewall products for many vendors. Combining them, IDC estimates the market to grow from $8.2 billion in 2015 to $11.5 billion in 2019 (9% CAGR). Significant Vendors As previously discussed, most of the revenue in this market segment is generated by several large vendors including Cisco, Check Point, Palo Alto Networks, and Fortinet. There are other vendors active in the market; however, most are also large and established vendors with core competencies in other markets (e.g. other security vendors, routing hardware vendors, etc.). There appear to be few start-up or young companies that are entering the firewall market as an initial market, likely due to the high investments required and the lack of novel approaches. A recent exception was Palo Alto Networks, which has come on strong over the last several years as it started with the unique positioning of the firewall within the network to introduce other security functionality. We highlight the significant firewall vendors below. page 40 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 19: Gartner Enterprise Firewall Magic Quadrant Source: Gartner Magic Quadrant for Enterprise Network Firewalls (May 2016) Below, we have identified a number of significant vendors in the space. The vendors are listed in alphabetical order, with our understanding of each based on our subjective understanding of their capabilities.  Check Point: Network security is part of the company’s core market. It offers numerous firewall solutions that are available in both physical and virtualized form. Its firewall portfolio spans the enterprise to SMB market, and it offers “traditional” and next generation firewalls. Its products can be supplemented with threat intelligence feeds. Check Point is currently the largest firewall vendor and the second largest network security vendor in the market.  Cisco: Cisco is the worldwide leader in networking hardware, with networking security and firewalls being a natural extension to its core expertise. Cisco offers its ASA line of “traditional” firewalls and has recently started offering its Firepower line of firewalls, which represents its next generation offering, which combines its ASA firewalls and Sourcefire IPS products. Cisco is the second largest firewall and largest network security vendor in the market.  Dell: Dell offers its SonicWALL line of firewalls, a next generation firewall available in sizes aimed at SMBs and enterprises. To date, its firewall has primarily been adopted in the SMB markets. page 41 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017  Fortinet: Fortinet offers a series of firewalls targeted at SMBs up to carriers. Its firewalls incorporate custom purpose-built hardware used to improve their throughput performance. It has been focusing on expanding its presence in the enterprise market.  Huawei: Huawei has been shipping firewalls for over a decade and offers a large range of firewalls. Its primary target market has been in the carrier space although it also offers enterprise level products. Huawei’s presence in the market has been geographically limited, primarily to the Asia/Pacific region.  Intel / McAfee: Intel (McAfee) offers a Network Security Platform, network IPS, and Next Generation Firewall. The NGFW is available in a range of models, including virtualized form. Intel is considered a niche player in the enterprise firewall market, according to Gartner.  Juniper: Juniper is shipping several lines of firewalls, including a virtualized version. It also offers firewalls with integrated routing capabilities. Juniper’s core expertise lies in networking and routing hardware. It primarily sells its products in conjunction with its networking hardware and its largest markets are data-centers and mobile service providers where throughput is a driving factor.  Palo Alto Networks: Palo Alto Networks started shipping enterprise firewalls in 2007. Its product line includes a number of models, including a virtualized appliance. The company has expanded to offer an integrated platform approach to security (what is now referred to as NGFW). Palo Alto Networks’ solutions provide modules for endpoint protection, a Cloud Access Security Broker (CASB) service, and intelligence/threat feeds.  Sophos: Sophos offers two firewall product lines, both in physical and virtual form. Its firewall products are primarily focused on small enterprise customers, as it currently lacks some of the management and reporting capabilities enterprises are seeking. Its AWS virtual firewall is considered as one of the leading offerings on the platform, according to Gartner.  TopSec: TopSec is a primarily local firewall vendor in China. It offers a full range of security products, including a next generation firewall. It employs security technologies that it has developed, such as custom ASICs and a secured network OS. The company has strong ties to the Chinese government and telecom operators, leading to a strong presence in those markets.  WatchGuard: WatchGuard offers a line of firewalls targeted at mid-size to large enterprises, the feature set of its products reflects many of the needs of large enterprises. To date, its primary success has been with mid-size enterprises. It offers a NGFW bundle, which includes a cloud-based malware detection system. Web Application Firewalls (WAF) What is a WAF? Web Application Firewalls (WAFs) are a subset of application firewalls; they are specialized towards protecting web applications that reside behind them. Due to their more focused nature, WAFs are commonly deployed in unison with other network technologies such as load balancers, network firewalls, etc. As web applications became more dominant and started to collect data such as personal information and payment information, the need to protect these applications increased in order to meet regulatory requirements. page 42 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 WAFs typically look at every request and response within the web services and look for specific attack signatures or abnormal behavior to the service they protect to try to identify attacks. Rather than broadly protect networks, WAFs possess specific rules to protect from specific vulnerabilities in web facing applications. Some of the most common attacks that they can protect against are cross-site scripting (XSS) attacks, SQL injection attacks, DDoS protection, etc. This market has been questioned by users and investors recently, as other products are integrating WAF functionality as part of a greater product suite for delivering and protecting web facing applications. Notably, Application Delivery Controllers (ADCs) have evolved over the past years to incorporate WAF functionality. ADCs are typically purpose-built networking applications whose function is to improve the performance, security, and resiliency of applications delivered over the web. Given the functionality of ADCs, it is logical that ADCs would be incorporating WAF functionality and thus offering an integrated product to enterprises, rather than requiring enterprises to purchase a separate WAF offering. Market Size and Potential Growth Neither Gartner nor IDC provide estimates for an independent WAF market. IDC includes WAF as part of its web security estimates. IDC estimates the web security market which includes DLP and WAF to be $2.0 billion in 2015, growing to $2.5 billion in 2019 (6% CAGR). We estimate that DLP represents approximately 7%, WAF approximately 18-20%, and Secure Web Gateways the remainder of the web security market. IDC web security estimates do not currently contain Cloud Access Security Broker (CASB) estimates; see subsequent sections on CASBs for a discussion on the topic. This implies a WAF market size of approximately $374 million in 2015, growing to $445 million in 2020 (4% CAGR). See Chart 20. Chart 20: Web Security Market Size Details in billions of $ Market/Submarket Web Security Data Loss Prevention (DLP) % of Total * Web Application Firewall (WAF) % of Total * Secure Web Gateway (SWG) % of Total * Total yoy change (%) yoy constant currency change (%) 2014 2015 2016E 2017E 2018E 2019E 2015-2019 CAGR 6% 2% 1.9 0.1 7% 0.4 19% 1.4 74% 2.0 0.1 7% 0.4 19% 1.5 74% 2.1 0.1 7% 0.4 18% 1.6 75% 2.2 0.1 7% 0.4 18% 1.7 75% 2.3 0.1 6% 0.4 18% 1.8 76% 2.5 0.1 6% 0.4 18% 1.9 76% 1.9 2.0 2.1 2.2 2.3 2.5 6% 14% 4% 11% 6% 6% 6% 6% 6% 4% 6% Source: Jefferies estimates based on IDC data (IDC Worldwide Web Security Forecast, 2015-2019, Sept. 2015, 258801) * Note: IDC does not formally publish a breakdown of market size estimates for the Web Security market; we provide our market estimate for DLP, WAF, and SWG. Significant Vendors We highlight the significant web application firewall vendors below. Imperva’s recent struggles in the market highlight the uncertainty around the future relevance of this market as an independent opportunity, as it appears that WAFs are increasingly being offered as part of a broader product suite built around Application Delivery Controllers. page 43 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 21: Gartner Web Application Firewall Magic Quadrant Source: Gartner Magic Quadrant for Web Application Firewalls (July 2016)  Akamai: Akamai provides a worldwide content delivery network (CDN). As part of its network and cloud security services, it offers a WAF solution. Its management and monitoring tools are also delivered as web portals. The WAF service is delivered with a monthly fee, based on performance and the number of web applications.  Barracuda Networks: Barracuda Networks primarily targets SMBs and offers its WAF appliances in physical form factors, in virtual forms, and as a cloudbased service for Microsoft Azure, Amazon Web Services (AWS), and VMware vCloud Air.  Blue Coat: Blue Coat is a newer entrant to the WAF market. Its primary product lines are centered around proxy servers, which fundamentally use a similar technology to WAFs (application proxies). Blue Coat’s WAF is available as a physical appliance.  Citrix: Citrix provides a WAF offering as either a software option (NetScaler Firewall) or as part of its NetScaler Application Delivery Controller (ADC) suite. Citrix’s hardware appliances are also able to run its WAFs. It also provides a line of virtual appliances. Its products are primarily targeting enterprise customers purchasing a WAF in conjunction with other Citrix products, and typically do not focus on a pure-play security use case. page 44 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017  F5: F5 is an application infrastructure vendor, with a primary focus on ADCs. Their primary WAF offering is a software module for their ADC platform, and is often sold as a bundled product.  Fortinet: Fortinet has been offering its FortiWeb WAF since 2008, along with an ADC and database protection platform. Fortinet is best known for its firewall line of products. FortiWeb is available as a physical or virtual appliance, and can also be obtained on AWS. A FortiWeb subscription also includes IP reputation, antivirus, and security signature updates. It is available in a range of low- to high-end configurations. While its firewall products are broadly employed, its WAF product line is less widely deployed.  Imperva: Imperva is an independent vendor focused on WAFs. Its products are designed to be easily placed behind an ADC in a transparent mode. It also offers a cloud-based WAF that it bundles with other services, such as DDoS (Distributed Denial of Service) mitigation. Its products are available as physical or virtual appliances, as well as on AWS. According to Gartner, Imperva is considered the leader in the WAF market. The company announced on its 2Q16 earnings call that it was exploring strategic alternatives, but on its 3Q16 earnings call confirmed that it plans to remain independent. Intrusion Detection and Prevention System (IDS/IPS) What is an IDS/IPS? An Intrusion Detection System (IDS) automates the process of detecting intrusions, while an Intrusion Prevention System (IPS) has the capabilities of an IDS and also attempts to stop possible incidents. An IPS can identify attacks based on pre-existing signatures or patterns, generate alarms to alert operations staff, and cause routers to terminate connections with the hostile sources. IPSs are available in four different formats:  Host-based (monitors characteristics of that host and events occurring on that host)  Network-based (monitors network traffic for a particular network segment or devices and analyses protocol activity)  Wireless (similar to network-based systems, but applies to wireless protocols instead)  Network behavior analysis (examines threats that generate unusual traffic flows on the networks) Evolution of IPSs Intrusion Detection Systems were introduced in 1986, and initially detected both known types of intrusions (by using a signature-based system) and used statistical data on users and network level data to detect anomalies based on user profiles, host systems, and target systems (i.e. performing statistical anomaly-based detection). These systems then evolved over subsequent years to start learning user patterns and to start looking for anomalies in these patterns. As the statistics-based anomaly detectors were evolved and refined, IDSs started to include expert systems (an artificial intelligence system which enables decision making ability in the appliance). page 45 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 As these systems evolved, they started to implement stateful protocol analysis detection. This enables the systems to detect when protocol states deviated from pre-determined profiles of what was expected from these protocols. When IPSs identify attacks, responses include:  Stopping the attack itself: the IPS can terminate the network connection being used for the attack or block access to the target.  Changing the security environment: the IPS can reconfigure the security controls to disrupt the attack (e.g. alter the firewall to block the attack) or cause the attacked host to patch itself if a known vulnerability is being exploited.  Changing the attack’s content: some IPSs can replace the malicious portions of an attack to make it benign. One of the most common attacks against servers is a Denial of Service (DoS) attack. IPSs are designed to prevent DoS attacks. DoS attacks occur when malicious users send fragments of TCP requests masked as legitimate TCP requests or when they send requests from a bad IP source. The goal is to send as many requests as possible and to overload the server such that it can’t handle the amount of requests it is receiving, essentially overwhelming and shutting down the system. In addition to identifying incidents and supporting response efforts, IPSs have also found other uses in organizations. Some of the most common ones include identifying possible problems with security policies (e.g. an IPS identifies traffic that should have been blocked at the firewall) and documenting existing threats to an organization by logging the frequency and characteristics of attacks. While IPSs have a number of benefits and are frequently employed, they also have a number of drawbacks. The primary ones being that IPSs are processing intensive and can affect network performance, which also leads them to being expensive. Given that IPSs perform a number of statistical analyses, they are susceptible to both false positives (detecting harmless traffic as harmful) and false negatives (missing harmful activities). An excess of false positives leads to the IPSs generating too many alerts for operational security staff, which can lead to the staff being desensitized to, or ignoring the alerts altogether. Market Size and Potential Growth IDC estimates the market to grow from $2.2 billion in 2015 to $2.8 billion in 2019 (6% CAGR). As previously discussed, this segment presents the largest discrepancy between IDC and Gartner estimates for the network security market. We believe that the standalone IPS market is likely to remain a low-growth market, as most networks in need of IPSs already have one, and that there likely is some consolidation of IPS functionality into firewalls taking place in the market. Significant Vendors Most revenue in this market is generated by the large established vendors, there are few pure-play IPS vendors, most security vendors offer IPS products as part of their greater security offerings. The market appears relatively mature with some vendors embedding IPS capabilities in their other products (see the section on Next Generation Firewalls). We highlight the significant IDS/IPS vendors below. page 46 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 22: Gartner Intrusion Prevention System Magic Quadrant Source: Gartner Magic Quadrant for Intrusion Prevention Systems (Nov. 2015) Below, we have identified a number of significant vendors in the space. The vendors are listed in alphabetical order, with our understanding of each based on our subjective understanding of their capabilities.  Check Point: Check Point offers its software blade IPS. The blade is targeted at companies up to enterprise size. IDC reports that Check Point has 4% of the IPS market, while Check Point is the second largest overall network security vendor in the market.  Cisco: Cisco offers its Sourcefire line of IPS appliances. Appliances are available in physical and virtual form-factor. The IPSs are also available as part of Cisco’s ASA line of security appliances and as part of Cisco’s routers. The appliances do not share management consoles with other Cisco security products. Cisco has the largest market share in the IPS market, at 25%.  FireEye: While FireEye may not be tracked in the IDS/IPS market sizing estimates by either Gartner or IDC, we consider it to be highly relevant to the market. FireEye’s NX appliance, available in different sizes and configurations for SMBs and enterprises, features an IPS. Its IPS functions in coordination with its sandbox technology to “detonate” potential attacks in the sandbox. page 47 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017  Hewlett Packard Enterprise (HPE): HPE currently offers its TippingPoint series of products, which it is in the process of divesting to Trend Micro. HPE offers standalone IPS appliances, IPS blades integrated in HPE networking equipment, and an integrated IPS in its enterprise firewall. Gartner assesses that the products are high quality, but not frequently deployed due to HPE’s lack of network security channel / VAR relationships.  Huawei: Huawei offers core networking products and as well as a number of security products, including an IPS, firewalls, DDoS mitigation appliances. It offers a number of IPS appliances; however, its IPS appliances are mainly operated in China, according to Gartner.  IBM: IBM offers its XGS range of IPS products, and its heritage line of GX product line. It also offers a virtual network security platform as a VMware virtual appliance, based on its XGS product line. IBM is the fourth largest IPS vendor with a 9% share of the market.  Intel / McAfee: Intel Security offers a standalone IPS appliance as well as an IPS product as part of its NGFW offering. This latter IPS was acquired by Intel Security, and is a different product than the standalone IPS. Intel Security also offers several virtual IPS appliances. It is the second largest IPS vendor, with 15% market share. Intel is currently divesting 51% of the business to TPG and expects the transaction to close in the second quarter of 2017  NSFOCUS: NSFOCUS offers DDoS mitigation, SWG, WAF, and vulnerability management systems. It also offers managed services on a number of its products.  Radware: Radware previously offered standalone IPS products; however, it now only uses its IPS technology as part of its WAF and DDoS protection offerings.  Wins: Wins offers an IPS system, is primarily focused in the Asian region, and is viewed as a niche player, according to Gartner. Web Security What is web security? Web security refers to a system or appliance that facilitates accessing content on the World Wide Web and provides a degree of anonymity to the user. These systems act to filter out unwanted content and can limit which parts of the Web a user can access. Web security systems are available in different flavors, they can simply act as a filter by preventing users from accessing black-listed URLs or they can be proxy systems. The advantage of employing a proxy over a URL filtering system lies in the security benefits provided. While URL filters simply check web requests against a white- or blacklist, proxies act as the previously described middle-man in the connection. This role allows proxies to block unwanted traffic trying to be “snuck” through the website and to examine the traffic being handled for any malicious content. Proxies are designed such that the user seeking to access a service, such as a website, transparently connects to the proxy. The proxy then evaluates the request, and then performs the request on behalf of the user. By evaluating user requests, proxies have the ability to block or permit user actions. Since proxies operate in a middle-man role between users and end-content, proxies operate at the application layer in networks, and thus have the ability to understand the content traversing them (similar to application firewalls). page 48 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Evolution of web security Proxies were initially invented to add some structure and encapsulation to the internet, which is a distributed system. Implementing a proxy forces all traffic through the proxy, and can thus enable evaluation and monitoring of the traffic. The earliest uses of proxies were to serve as caching proxies. Caching proxies would locally store copies of frequently requested web content in order to improve performance and to enable organizations to reduce their bandwidth usage costs. With the advent of increased bandwidth and cheaper bandwidth costs, the role of proxies became more important in security. With all traffic in organizations flowing through proxies, proxies took on a content filtering role. The most common usage is in ensuring that all Internet traffic conforms to applicable policies. Filtering can take place through a variety of methods such as URL blacklists, keyword filtering, or content type filtering. Content filtering proxies support user authentication and log all user activity and can frequently monitor bandwidth usage by users. Content filtering proxies frequently are connected to Data Loss Prevention (DLP) systems to ensure that data which is restricted from leaving a network does in fact not leave. Additionally, by filtering content, proxies have taken on a security-related role and started filtering malware and malicious traffic that could pose a danger to users or the network. The primary limitation of content filtering proxies is that they are not able to examine encrypted traffic. Sandvine, a vendor that provides a network policy control platform, predicts that up to 70% of internet traffic will be encrypted in 2016. Proxy vendors have started to include the ability to decrypt traffic traversing the proxy; however, it has a meaningful negative impact on system performance or alternatively requires the addition of dedicated decryption appliances to networks in addition to the web proxies. Proxies can also be operated in a reverse proxy role, where they handle incoming traffic to a web server. By operating in this manner, the proxy can mask the origin of the server to incoming users, act as a load balancer, offload the server by caching static content, and act as an additional layer of security for the web server by protecting it from some attacks against the web application itself. At present, web security systems are primarily on-premise, however they are starting to be either complemented or replaced by cloud-based web security systems. Some vendors offer a cloud based system through which enterprises can route their traffic and have these systems perform the same functionality as on-premise appliances. To date, smaller offices or remote offices appear to be the primary adopters of web-based solutions. Market Size and Potential Growth IDC defines the web security market to include DLP and estimates the market size at $2.0 billion in 2015, growing to $2.5 billion in 2019 (6% CAGR). While IDC does not formally publish a breakdown of the three components it includes in web security (Data Loss Prevention, Web Application Firewall, Secure Web Gateway), we have attempted to estimate the size of these components as a percentage of the total web security market. See Chart 23. SWG constitutes the largest part of the market, at approximately 75% of the market. We note that DLP is likely the slowest growing component of the market, growing 2%, and web application firewalls are likely to grow approximately 4% - also below the growth rate of the total market. page 49 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 23: Web Security Market Size Details in billions of $ Market/Submarket Web Security Data Loss Prevention (DLP) % of Total * Web Application Firewall (WAF) % of Total * Secure Web Gateway (SWG) % of Total * Total yoy change (%) yoy constant currency change (%) 2014 2015 2016E 2017E 2018E 2019E 2015-2019 CAGR 6% 2% 1.9 0.1 7% 0.4 19% 1.4 74% 2.0 0.1 7% 0.4 19% 1.5 74% 2.1 0.1 7% 0.4 18% 1.6 75% 2.2 0.1 7% 0.4 18% 1.7 75% 2.3 0.1 6% 0.4 18% 1.8 76% 2.5 0.1 6% 0.4 18% 1.9 76% 1.9 2.0 2.1 2.2 2.3 2.5 6% 14% 4% 11% 6% 6% 6% 6% 6% 4% 6% Source: Jefferies estimates based on IDC data (IDC Worldwide Web Security Forecast, 2015-2019, Sept. 2015, 258801) * Note: IDC does not formally publish a breakdown of market size estimates for the Web Security market; we provide our market estimate for DLP, WAF, and SWG. We view the web security market as being a mature market, with most enterprises requiring a web security solution already having one in place, and some functionality being consumed into other technologies. Significant Vendors The web security is another developed security market, with Blue Coat the largest vendor in the market. There are, however a number of vendors targeting this market with newer cloud-based SWG products (including Blue Coat, which offers both on-premise and cloud-based products, and Zscaler, which only provides cloud-based solutions), attempting to capture a market that has traditionally been largely on-premise. We highlight the significant web security vendors below. page 50 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 24: Gartner Secure Web Gateway Magic Quadrant Source: Gartner Magic Quadrant for Secure Web Gateways (June 2016) Below, we have identified a number of significant vendors in the space. The vendors are listed in alphabetical order, with our understanding of each based on our subjective understanding of their capabilities.  Barracuda Networks: Barracuda offers cost-effective web filtering appliances and a cloud based proxy service. Its products primarily target SMBs and costconscious buyers.  Blue Coat: Blue Coat is the market leader in the SWG space, with 44% market share. It offers its products as physical and virtual appliances, and through a cloud service. Its products are highly scalable and meet the needs of many enterprise environments. It also offers network sandboxing, network forensics, and malware detection appliances.  Check Point: Check Point offers its Next Generation Secure Web Gateway, which performs URL filtering, application control, and antivirus filtering on web downloads. It offers this product in a number of appliances targeting customers from small businesses to enterprises.  Cisco: Cisco offers a broad product line of networking and security products. It offers on-premise SWG products and a cloud-based service; however, it does not offer a hybrid service. The cloud and on-premise products offer different page 51 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 detection capabilities; this is likely due to the products stemming from separate acquisitions. Both product lines cater towards enterprise customers.  Intel / McAfee: McAfee offers SWG appliances and a cloud-based SWG service. With McAfee’s large endpoint product line, it has focused more on implementing proxy solutions on endpoints, rather than a cloud-based approach similar to other competitors.  Sophos: Sophos offers SWG functionality either in the form of a cloud offering, an appliance, or as part of its firewall product. According to Gartner, integration between the three products is lacking and still in development and functionality/capabilities vary between each of the SWG product lines.  Symantec: Symantec offers both a cloud based SWG service and a SWG appliance. Both systems are not integrated together and are separately managed. Its solutions have primarily been targeted towards SMBs rather than enterprises, due to missing some enterprise features.  Trend Micro: Trend Micro offers a series of virtual appliances and a cloud services for its secure web gateway service. Trend Micro also offers an optional sandboxing system for its virtual appliance.  Raytheon Forcepoint / Websense: Websense was combined with Raytheon’s Cyber Products business in May 2015. It offers both cloud- and appliance-based SWG products.  Zscaler: Zscaler offers a cloud-only SWG service. It also offers a DNS-based web filtering service. Its service can apply malware detection to all traffic, including SSL traffic, which it can decrypt. Zscaler’s service is currently the largest cloud SWG service and is co-located with several large cloud providers. Zscaler also offers a cloud-based next-generation firewall, however it likely is more suitable for smaller-scale deployments. Next-Generation Firewall (NGFW) Next Generation Firewalls emerged in the mid-2000s and sought to consolidate the functionality of a multitude of products into one. While enterprises could afford the cost and complexity of a full suite of security products, many SMBs did not have the security budget for a standalone stateful firewall, secure web gateway / web filtering system, IPS, etc. Next Generation Firewalls solved this issue by combining these products into a single solution for a greater value proposition, which in turn led to a simplification in network architecture when implemented. This development not only benefited SMBs, but also large enterprises with satellite offices or branches, where a full suite of standalone security products wasn’t warranted. The specific capabilities and functionality of Next-Generation Firewalls differ for each vendor, however many Next Generation Firewalls include the functionality of firewalls, IDSs / IPSs, sandboxing, visibility and control over applications running on the network, URL filtering, SSL decryption capabilities, and integration with threat intelligence feeds. We do not see any reason why the functionality of NGFWs should not continue to broaden over time and integrate additional features and technologies. Some NGFWs have the capability of running all or nearly all of the aforementioned functions simultaneously, whereas the NGFWs of some vendors, for example, are not capable of simultaneously running the IDS/IPS and application control functionalities or face severe performance shortfalls when running multiple features. We expect that Next Generation Firewalls continue to evolve and improve in performance, which would allow them to continue incorporating additional functionalities of other security products. page 52 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 As Next Generation Firewalls matured, they started to increasingly appeal to enterprises that sought a consolidated security solution. By consolidating these technologies into a single product, Next Generation Firewalls have the ability to operate at the application layer and provide full awareness of applications being run on the network. This consolidation of products also enables a more robust defense against attacks by reducing the amount of coordination between products from different vendors. We recently conducted a survey among IT professionals (please see our note “Cybersecurity Survey – From the Source” for the full survey), and inquired about Next Generation Firewalls among other topics. About 22% of respondents said they use a mix of NGFWs and traditional firewalls, while 20% said they used traditional firewalls supplemented with other technologies. We can assume this latter 20% do not currently use NGFWs. A separate 7% said they do not currently use NGFWs but are evaluating them, while no one selected “We have no plans to use NGFWs in the future”. The latter three categories, totaling 27%, indicate that only 27% of organizations do not employ any kind of NGFW. This could indicate that the trend towards implementing NGFWs as IT security solutions is well understood by IT professionals and that NGFW vendors will have to increasingly focus on replacing other NGFW vendors in the future. See Chart 25. Chart 25: Which of the following best represents your organization's approach to perimeter defense? We use a mix of NGFWs, traditional firewalls, and proxy servers. 37% We use a mix of NGFWs and traditional firewalls 22% We exclusively use traditional firewalls, supplemented with other technologies. 20% We exclusively use NGFWs 9% We do not yet use a NGFW, but plan to in the future 7% We use NGFWs and proxy servers We have no plans to use NGFWs in the future 5% 0% Source: Jefferies, n=76 When asked about their use of traditional versus next generation firewalls, our respondents were relatively evenly distributed across responses. About 24% said they have already or are in the process of replacing their traditional firewalls with NGFWs. About 22% said they will implement NGFWs and will likely reduce the use of traditional firewalls. About 21% say that traditional firewalls meet their perimeter defense needs but may supplement with additional technologies in the future. About 17% said they will use both technologies and keep the usage of traditional firewalls about the same. The final 16% said they believe traditional firewalls will be replaced by NGFWs over time. See Chart 26. page 53 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 With 24% of respondents having fully implemented NGFWs, 21% with no plans for NGFWs and 17% planning to use NGFWs and traditional firewalls at similar rates as today, this indicates that the remainder of the market (38%) remains in flux and likely presents opportunity for displacement of existing vendors as IT architecture are updated for NGFWs. Chart 26: Which of the following best represents your organization's plans regarding traditional firewalls? We have already replaced or are in the process of replacing our traditional firewalls with NGFWs. 24% Traditional firewalls meet our perimeter defense needs, so we plan to continue to use them for the foreseeable future, but may supplement them with incremental technology when needed. 21% We will implement NGFWs, but will continue to use traditional firewalls at a reduced rate as compared to today. 21% We will implement NGFWs, but will continue to use traditional firewalls at a similar rate as today. Traditional firewalls will likely be replaced by NGFWs over time. 17% 16% Source: Jefferies, n=76 Network Security Future / Outlook Summary of Potential Future Outcomes We highlight some potential futures drivers and/or tailwinds to the individual network security markets components. At a high-level, we believe that there will be a continued trend towards solutions able to both provide a platform approach to network security to meet the needs of security practitioners and for network security solutions to become increasingly “intelligent” – be it by operating at Layer 7 in the network stack or by being powered by global intelligence feeds that rapidly update solutions based on threats detected by any customer of the vendors employed. page 54 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 27: Potential Headwinds and Tailwinds for the Network Security Market   Shift to cloud reduces importance of enterprise data-center, leading to less emphasis on enterprise firewalls  Increase in externally facing application and services drives WAF market growth  Continued integration of WAF functionality in load balancers, application delivery controllers, and cloud services  Enterprises reject integrated / next-generation firewalls, instead preferring stand-alone appliances  Cloud offerings cost effectively open up market for SMBs and satellite offices  Replacement through integrated offerings Move of enterprise data-center to the cloud reduces importance of monitoring enterprise networks Replacement through integrated offerings  IPS Web Security Potential Headwinds Next-generation firewalls drive market growth Cloud adoption drives demand for virtual firewalls WAF Firewall Potential Tailwinds   Source: Jefferies Product Consolidation One of the greater discussions in the security market revolves around the consolidation of security products with a single vendor versus maintaining a suite of products from different vendors. Some security professionals prefer having a suite of products from separate vendors believing that it protects from a common flaw or vulnerability in a vendor’s architecture. Additionally, it helps them avoid being fully dependent upon a single vendor for their security needs. Other professionals prefer to have the convenience of a combined system, preferring the ability to have a single responsible vendor and believing that the better integration will lead to an improved security posture. This integration enables security products to seamlessly reconfigure or update themselves when new threats are detected, reducing the amount of time that an attacker has to attack the various “surfaces” of a network. Regardless of preference, Next Generation Firewalls have been highly disruptive to the market place, with nearly every traditional firewall vendor now offering a Next Generation Firewall product. However, the level to which these devices are truly integrated versus being a multitude of products “sewn” together varies greatly by vendor. The network security market appears to increasingly be moving towards integrated / platform security offerings. Integrated solutions are increasingly coupled with threat intelligence data feeds, which enable products to be continuously updated for any ongoing attacks worldwide. Similar to the next generation firewalls, the threat intelligence feeds vary greatly by vendor, from some feeds not providing much more than regular security updates to some providing in depth details on the attacks and threats. Please see the Threat Intelligence section for more details on this market segment. page 55 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Organizations seem to be increasingly recognizing the benefit of integrated nextgeneration offerings. Apart from the intelligence feeds, they also offer improved coordination and updating of products to attacks. Specifically, when a firewall detects an attack, it has the ability to update the remaining security products to also block that attack (e.g. by updating the endpoints, reconfiguring other firewalls on the same network, etc.). This orchestration of security products is increasingly in demand by security professionals, as it reduces the amount of time that an attacker can potentially penetrate a network. We can envision a future network architecture as outlined in Chart 28 below. Specifically, some of the changes that we illustrate are a reduction in the size of the on-premise data center with the associated functionality moving to cloud-based offerings (including some applications and the associated infrastructure to support them, such as WAFs and email content filters) and a consolidation of security products into Next-Generation Firewalls (including IDS/IPS, proxies, DLP, sandboxes). We also expect that Cloud Access Security Brokers (CASBs), or some equivalent technology will be increasingly utilized by enterprises to monitor and control their connections to SaaS offerings. See the subsequent section for information on CASBs. Lastly, many enterprises today employ a combination of on-premise and cloud-based identity and access management solutions. We expect new deployments to be more likely to consider cloud-based IAM, along with a gradual migration of existing on-premise deployments to the cloud over time; however, Privileged Access Management (PAM) solutions are likely to remain on-premise for the foreseeable future due to their sensitive nature and integration with data centers. Note that this chart is the same as Chart 4 earlier in this report; its inclusion here acknowledges the relevance of network security in overall enterprise security landscape. Chart 28: Potential Future Network Architecture CloudBased IAM CASB Extranet FIREWALL REGIONAL OFFICE 1 Internal Network Demilitarized Zone (DMZ) REMOTE ACCESS GATEWAY Internet FIREWALL DATA CENTER EAST-WEST FIREWALL ANALYTICS / SIEM VIRTUAL WAF Trusted Trusted Trusted SaaS SaaS SaaS Solutions Solutions Solutions MOBILE DEVICES ENDPOINT ACCESS POLICY MANAGER VIRTUAL FIREWALL Threat Intel. SaaS SaaS Solution I/PaaS Solution MOBILE DEVICE MANAGEMENT CASB CONSOLIDATED FIREWALL (INCL. IDS/IPS, SANDBOX, FILTERING, ETC.) REGIONAL OFFICE 2 Trusted Trusted Untrusted SaaS SaaS SaaS Solutions Solutions Solutions REMOTE USERS PAM Source: Jefferies page 56 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Cloud Access Security Brokers (CASB) The CASB market is still nascent; CASBs serve to monitor usage of and provide security for users of cloud-based services, in particular SaaS applications. They enable enterprises to maintain centralized control over multiple cloud services that would normally require individual management. These services typically reside in-line between users and cloud services; they monitor cloud usage, can secure connections to the cloud services, and encrypt data stored in the cloud. IDC calls these services Cloud Security Gateways, whereas Gartner refers to them as Cloud Access Security Brokers (CASB). Chart 29 displays the approximate market size; IDC estimates the market at $0.2 billion in 2015 and we estimate it will grow to $0.5 billion in 2019 (25% CAGR). Chart 29: Cloud Security Gateway Market Size Estimate Market Cloud Security Gateways * Total ($ millions) 0.2 0.3 0.3 0.4 0.5 CAGR (15-19) 24.7% 0.2 0.3 0.3 0.4 0.5 24.7% 2015 2016 2017 2018 2019 Source: Jefferies estimates based on IDC data * Note: Neither IDC nor Gartner formally publish market size estimates for the Cloud Security Gateway market; we provide our market estimate. According to Gartner, CASBs have to-date been focused on protecting individual SaaS applications, in particular those that are widely used across industry verticals (e.g. ERP, HCM, productivity, etc.). They have been less focused on supporting IaaS and PaaS services. We expect that in order to remain relevant in the market, CASB services will have to fully support IaaS and PaaS since it appears that most enterprises are increasingly using these services as part of their IT architectures. Some of the benefits of employing a CASB service include:  Shadow IT visibility: CASBs enable the discovery of unsanctioned IT/cloud applications.  Compliance: CASBs can monitor data for data residency issues and compliance with any regulations or standards.  Data security: CASBs can implement data-centric security policies, such as monitoring or limiting access to certain data as well as quarantining, auditing, deleting, or encryption data.  Threat protection: CASBs also prevent access to cloud-based services by devices, users, or applications that should not have such access for various security and compliance reasons. As businesses increasingly adopt cloud-based services and CASB services mature, we expect businesses to increasingly adopt these services for both security and compliance purposes. One of the broader recent trends in this market is that many of the standalone providers of CASB services have been acquired by larger IT security vendors or large software companies. This leads us to the logical conclusion that CASB services are likely to become part of platform offerings of various companies in the security market, rather than remain as standalone offerings in the marketplace. Acquisitions in this space include: Palo Alto Networks’ acquisition of CirroSecure in 2015, Cisco’s recent acquisition of CloudLock, page 57 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Symantec’s recent Blue Coat acquisition, Microsoft’s recent acquisition of Adallom, Oracle’s recent acquisition of Palerra, etc. Alternatively, some vendors are also starting to offer cloud-based proxy services, potentially supplanting the need for on-premise appliances. These services enable users to route all of their traffic to a cloud service, before performing the filtering and inspection of the traffic prior to sending it on to its destination. We can foresee that these cloudbased proxies (or Secure Web Gateways) could incorporate CASB functionalities given their similar architectures and locations in the network topology. We can also envision these services incorporating some Identity and Access Management (IAM) functionalities in the future to enable users to seamlessly authenticate into cloud services. See our subsequent section on Identity and Access Management for more details. Endpoint Security Endpoint security is one of the largest cybersecurity markets, with about $8-9 billion in spending annually, with about half of it allocated to corporate users and the other half to consumers. We provide a brief summary of each below, after which we provide further analysis of the TAM for, representative vendors of, sub-markets within, history of, and outlook for the endpoint security market. Enterprise Endpoint Security Within the market for enterprise endpoint security, the historical approach has been to protect against known or signature-based threats on PCs and servers. The landscape has increased substantially in complexity, as mobile devices and IoT has grown, and the sophistication and velocity of attacks continues to intensify. We believe traditional signature-based protection will continue to be important to most organizations, while newer security methods to protect against zero-day or unknown threats will grow in adoption to supplement these traditional technologies. Additionally, we believe companies will look beyond endpoint protection to the next wave of enterprise endpoint security opportunities, including the response to early detection of malicious activity and remediation once a breach has occurred. These solutions are often called Endpoint Detection and Response (EDR). We note that throughout this report and through our coverage of the space, as we discuss “next generation” or “advanced” endpoint security, we are referring to both the protection against zero-day attacks as well as EDR functionality. In Chart 30, we offer a depiction of the enterprise endpoint security solutions today, as well as some of the functionalities they provide. In this diagram, we note the maturity of each functionality, with signature-based protection the most mature and widely-adopted market. Zero-day protection has been around for some time, but we believe still has runway for further adoption. EDR is a relatively nascent and fast growing market. Within EDR, remediation is the most uncommon functionality of vendors at this time, but solutions are continually being developed and refined. We discuss these dynamics in further detail in the “Endpoint Protection Platform (EPP)” and “Endpoint Detection and Response (EDR)” sections within. page 58 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 30: Landscape of Endpoint Security Solutions Most Mature Least Mature “Traditional” Endpoint Detection & Response Detect Contain Exploit Prevention Zero-Day AI/ Machine Learning Signature-Based Behavioral Endpoint Protection Most Mature Investigate Remediate Least Mature Next Generation / Advanced Source: Jefferies Consumer Endpoint Security The current consumer endpoint market faces a number of challenges, including leverage to a challenging consumer PC market and the lack of a clear mobile monetization strategy. However, we note that consumer endpoint remains a large market that we do not expect to go away any time soon. Additionally, we note the consumer market has a number of potential catalysts for growth including the development of mobile monetization strategies and security of at-home IoT devices. Total Addressable Market To understand the size and growth dynamics of the endpoint security market, we evaluate a number of industry analyst estimates, particularly those of IDC and Gartner. Both divide the endpoint market into consumer and enterprise/corporate. The consumer market is estimated to at $4.3 billion in 2015 by IDC and $4.6s billion by Gartner. The enterprise/corporate market is estimated to be $4.2 billion by IDC and we estimate it to be about $3.4 billion according to Gartner. Our Gartner estimate takes their reported numbers for the Endpoint Protection Platform (EPP) market and adds $225 million, which is the Gartner’s estimate of the size of the Endpoint Detection and Response (EDR) market, which we assume is entirely corporate in nature. We provide a summary of these estimates below in Chart 31. One assumption that we assert throughout this analysis is that substantially all of consumer security is endpoint. page 59 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 31: Industry Analyst Market Size Estimates (2015) $, millions IDC Gartner $Δ Consumer 4,321 4,640 -320 Enterprise/Corporate * 4,188 3,426 762 Total Endpoint * 8,509 8,067 442 9 9 0 Total Security Source: Jefferies, Jefferies estimates based on IDC data (IDC Semiannual Software Tracker, 2015H2), Gartner (Gartner Forecast: Information Security, Worldwide, 2014-2020, 3Q16 Update) * We estimate Gartner’s total enterprise endpoint market by adding $225 million for Endpoint Detection and Response (EDR) to the company’s Endpoint Protection Platform (EPP) market of $3.2 billion IDC estimates the endpoint security market to be an $8.5 billion market in 2015, comprised about 51%/49% Consumer/Enterprise. We estimate 2015-2019 CAGRs of 2% for Consumer, 4% for Enterprise, and 3% for the combined Endpoint security market. We use these forecast growth rates to calculate market size estimates from 2016 to 2019. See Chart 32. Gartner estimates the endpoint security market to be an $7.8 billion market (excluding EDR) in 2015, growing at a 2% CAGR through 2019. Of the endpoint security market, Consumer comprised about 59% of the market, with Enterprise comprising the remaining 41%. Consumer is estimated to be a $4.6 billion market in 2015 growing at a 1% CAGR through 2019. The Endpoint Protection Platform (EPP) market, which is all enterprise, is estimated to be a $3.2 billion market growing at a 3% CAGR through 2019. We note that Gartner’s EPP market estimates exclude the standalone Endpoint Detection and Response (EDR) market, which Gartner estimates at $225 million in 2015 and believes will grow in double digits. See a summary of Gartner’s market data in Chart 32, below. We note that both IDC and Gartner estimate reported declines of the endpoint market in 2015, of -5% and -4%, respectively. However, we note significant foreign currency headwinds in the year, of about 8% to IDC estimates and about 10% to Gartner estimates. Therefore, on a constant currency basis, the total endpoint market grew about 3% according to IDC and about 6% according to Gartner, in 2015. IDC’s 2015 constant currency growth estimate is in-line with forecast growth, while Gartner’s 2015 constant currency growth is above forecasts for the next few years. IDC further segments the Corporate market into 5 sub-segments. We note each subsegment below, and in parenthesis provide our understanding of approximate market size and high level expectations for growth over the next few years. We highlight these sub-segments of IDC’s Corporate endpoint security market for informational purposes. However, we note that we do not discuss these sub-segments further in the report, as we focus on our and Gartner’s sub-segment definitions for product, market share, and vendor analysis. 1. Security Suites ($2 billion, slightly above market growth): IDC describes this market as including multiple endpoint security tools in a single centrally managed package. These suites usually include antivirus, antispyware, desktop firewall, and host intrusion prevention. We understand this market to be page 60 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 analogous to what’s often referred to as Endpoint Protection Platforms (EPP) by Gartner. 2. Server Security ($800 million, slightly above market growth): These solutions are meant to protect the operating system of servers, by providing antimalware, desktop firewall, and host intrusion detection and prevention designed to maintain the integrity of servers. They are usually more robust than desktop solutions and available for a broader array of operating systems. A further submarket includes protection for hypervisors and virtual servers. 3. Access and Information Protection “AIP” ($600 million, slightly above market growth): These solutions perform encryption, device control, application control, data leak prevention, and/or network access control for PCs. 4. Proactive Endpoint Risk Management “PERM” ($400 million, about market growth): PERM solutions automate or semi-automate the enforcement of security policy and configuration management on endpoints, and can be completed with or without an agent. 5. Antimalware ($200 million, single-digit declines): Antimalware software includes antivirus and antispyware protection. It includes both signature based and other technologies. While this is the smallest of the sub-segments, we believe that what IDC calls Security Suites also includes antimalware. Therefore, this subsegment comprises only stand-alone antimalware solutions. Chart 32: Endpoint Security Market $, billion 2011 2012 2013 2014 2015 2016E 2017E 2018E 2019E 4.6 4.3 -7% 1% 51% 4.2 -4% 4.4 2% 2% 50% 4.4 4% 4.5 2% 2% 50% 4.6 4% 4.6 2% 2% 49% 4.8 4% 4.8 2% 2% 49% 5.0 4% 4% 49% 4% 50% 4% 50% 4% 51% 4% 51% 20152019 CAGR IDC: Consumer Endpoint yoy change (%) yoy constant currency change (%) % of Endpoint Security Corporate Endpoint yoy change (%) 52% 4.3 yoy constant currency change (%) % of Endpoint Security Total Endpoint Security yoy change (%) yoy constant currency change (%) 48% 8.0 8.4 5% 2% 4% 8.7 3% 9.0 3% 8.5 -5% 3% 8.8 3% 3% 9.1 3% 3% 9.4 3% 3% 9.7 3% 3% 3% 5.0 4.9 -1% 1% 61% 3.2 4.6 -6% 3% 59% 3.2 4.7 1% 1% 59% 3.3 4.8 2% 1% 58% 3.4 4.8 1% 1% 58% 3.5 4.9 1% 1% 58% 3.6 1% -2% 0% 39% 0% 10% 41% 3% 3% 41% 3.0% 2.5% 42% 2.4% 2.4% 42% 2.4% 2.5% 42% 8.1 -2% 0% 7.8 -4% 6% 8.0 2% 2% 8.2 2% 2% 8.3 2% 2% 8.5 2% 2% Gartner: Consumer yoy change (%) yoy constant currency change (%) % of Endpoint Security Endpoint Protection Platform (Enterprise) 3.3 yoy change (%) yoy constant currency change (%) % of Endpoint Security Total Endpoint Security yoy change (%) yoy constant currency change (%) 8.3 3% 2% Source: Jefferies, Jefferies estimates based on IDC data IDC (Semiannual Software Tracker, 2016H1; Worldwide Endpoint Security Forecast, 2015–2019: The Influence of Specialized Threat Detection, Oct 2015); Gartner (Gartner Forecast: Information Security, Worldwide, 2014-2020, 3Q16 Update) Note: We derive our IDC estimates based off of historical IDC market data and IDC forecasted CAGRs through 2019. We take IDC’s Consumer security market estimate of $4.3 billion in 2015 and assume it grows at a 2% CAGR through 2019. We take IDC’s Corporate Endpoint security market estimate of $4.2 billion in 2015 and assume it grows at a 4% CAGR through 2019. page 61 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Representative Vendors and Market Share When viewing vendors in the endpoint security space, we consider the aggregate endpoint market, but also segment this into separate consumer and corporate endpoint opportunities. We do believe there are some technological synergies to offering both consumer and endpoint solutions, through leveraging the threat intelligence gained in both networks, for instance. However, the products, go-to-market strategies, and the underlying customers of consumer and enterprise solutions are substantially different, and therefore justify separate evaluation. We use Gartner estimates for market share, as Gartner segments its share data into separate consumer and enterprise/corporate sub-segments. In contrast, IDC’s market share data is aggregated for the entire endpoint security market. We think it is important to view the consumer and enterprise/corporate markets separately, since the dynamics of these markets are very different, as are sometimes the vendors that compete within them. Gartner identifies 18 endpoint security vendors, although we believe there to exist many more. However, market share is dominated by a handful of vendors. Symantec leads the market with 32% market share, while the top three vendors hold 59%, the top 5 have 81%, and the top 10 have 86% market share. See Chart 33. In this section, what we call “Enterprise” is depicted by Gartner’s “Endpoint Protection Platform (EPP)” market. This is the large majority of the endpoint market, but likely excludes standalone “Endpoint Detection and Response (EDR)” vendors. EDR is a part of advanced/next gen endpoint functionality. While many of the larger endpoint security vendors have EDR solutions in market or in development, the majority of this market is still dominated by standalone vendors. Gartner estimated the EDR market to be about $225 million in 2015. This market is fragmented and relatively young; therefore there is little granular vendor share information for it. We discuss both the EPP and EDR markets in greater detail within. page 62 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 33: Vendor Market Share, Sorted by Total Endpoint Market Share Consumer Enterprise* Total 2015 Rev ($M) Mkt Share 2015 Rev ($M) Mkt Share 2015 Rev ($M) Mkt Share Symantec Intel/McAfee 1,826 698 39% 15% 649 617 20% 19% 2,475 1,315 32% 17% Trend Micro Avast** Kaspersky Eset 300 568 398 168 6% 12% 9% 4% 520 66 222 286 16% 2% 7% 9% 820 634 619 454 10% 8% 8% 6% Sophos IBM F-Secure Kingsoft 104 109 0% 0% 2% 2% 169 149 40 6 5% 5% 1% 0% 169 149 144 115 2% 2% 2% 1% Webroot Malwarebytes*** Bitdefender Panda Security AhnLab 76 NA 64 31 4 2% NA 1% 1% 0% 31 NA 33 63 60 1% NA 1% 2% 2% 107 100 97 94 64 1% 1% 1% 1% 1% 39 28 22 19 1% 1% 1% 1% 39 28 22 19 1% 0% 0% 0% 182 3,201 6% 100% 377 7,842 5% 100% Vendor Check Point LANDesk Heat Software Microsoft Other Total 295 4,640 6% 100% Source: Jefferies, Gartner (Market Share, Software Security, Worldwide, 2015) * The Enterprise market depicted is what Gartner terms Endpoint Protection Platform (EPP) ** Avast’s acquisition of AVG Technologies closed September 30, 2016. Therefore, we combine Gartner’s reported market share of Avast and AVG into Avast. ***Malwarebytes reported a $100 million revenue run rate in December 2015. The company did not disclose Enterprise/Corporate mix. Within the consumer market, Symantec has 39% market share, followed by Intel/McAfee with 15%. This is a somewhat consolidated market, with the top five vendors holding 77% share, and the top ten holding 91%. See Chart 34. Symantec is also the leader in the corporate endpoint market with 20% market share, but is followed more closely by Intel which has 19% market share. The market is slightly more fragmented than consumer, with the top five vendors holding 72% market share and the top ten holding 87%. See Chart 35. page 63 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 34: Consumer Security Software Market Share, 2015 F-Secure 2% Chart 35: Enterprise Endpoint Protection Platform Market Share, 2015 Bitdefender 1% Check Point Bitdefender 1% Webroot 1% 1% AhnLab Webroot 2% Kingsoft Eset 2% Others 7% Panda Security 2% 4% Trend Micro 7% Symantec 39% Kaspersky 9% 2% F-Secure 1% Avast* 2% Symantec 20% IBM 5% Sophos 6% Avast* 12% Intel/McAfee 15% Kaspersky 7% Source: Jefferies, Gartner (Market Share, Software Security, Worldwide, 2015) * Avast’s acquisition of AVG Technologies closed September 30, 2016. Therefore, we combine Gartner’s reported market share of Avast and AVG into Avast. Others 8% Intel/McAfee 19% Eset 9% Trend Micro 16% Source: Jefferies, Gartner (Market Share, Software Security, Worldwide, 2015) * Avast’s acquisition of AVG Technologies closed September 30, 2016. Therefore, we combine Gartner’s reported market share of Avast and AVG into Avast. Enterprise Endpoint Protection Platform (EPP) What is EPP? EPP converges endpoint device security functionality into a single product, and tends to include: 1) anti-malware, 2) personal firewall, and 3) port and device control. Other functionality sometimes included in EPP systems includes vulnerability assessment, application control, enterprise mobility management (EMM), memory protection, behavioral monitoring of application code, file encryption, and endpoint data loss prevention (DLP). Features of EPP tend to be centrally managed and (ideally) integrated by shared policies. EPP can include both “traditional” signature-based protection methods and advanced/net generation methods for unknown or “zero-day” attack protection. Evolution of EPP The first antivirus utilities were available in 1987, with John McAfee starting his business in 1989 to protect both hardware and software. Earlier forms of antivirus software protected PCs and servers. However, the market today has developed the ability to include mobile devices and address increasingly distributed architectures. Early antivirus was simpler to manage given the relative containment of corporate architectures where most computing needs consisted of local PCs (and mainframes or servers) used by employees onsite within the company’s network perimeter. But today, with the advent of cloud deployments and an increasingly mobile workforce, the perimeter has become less defined and corporations have more devices to manage, making endpoint management and security more challenging for organizations. EPP is a relatively mature market, but has recently added new methods of protection for unknown or “zero-day” attacks. This increased distribution of the network and the addition of advanced protection has increased the importance and acumen of endpoint protection, respectively. Endpoint Detection and Response (EDR) is an extension of this advanced protection, as it not only protects against attack, but also attempts to detect malicious activity before an attack occurs, and then remediates the damage once an endpoint is compromised. We cover EDR in the following page 64 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 section. We define advanced/next generation endpoint security broadly as including both unknown/zero-day endpoint protection and EDR solutions. EPP Market Size and Potential Growth Gartner estimates the enterprise EPP market to be about $3.2 billion in 2015, and forecasts growth of 2% CAGR to 2019. EPP is largely considered the large incumbent market within corporate endpoint security. We do not expect EPP to exhibit strong growth as it is a highly penetrated and mature market, though what an EPP consists of will likely continue to evolve. However, we don’t believe this market should see significant declines as it will remain a cornerstone “check the box” functionality for enterprises. Primary EPP Vendors As can be seen in Chart 35 above, the top five Enterprise EPP vendors hold about 72% of the market’s share: Symantec with 20%, Intel/McAfee with 19%, Trend Micro with 16%, Eset with 9%, and Kaspersky with 7%. The “Leaders” in the EPP market, according to Gartner’s Magic Quadrant for Endpoint Protection Platform, are primarily those with the greatest market share. Symantec, Trend Micro, Intel/McAfee, Kaspersky, and Sophos are in the Leaders quadrant in the most recent publication – see Chart 36. Chart 36: Gartner Magic Quadrant for Endpoint Protection Platforms Source: Gartner Magic Quadrant for Endpoint Protection Platforms, February 2016 page 65 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 We’ve identified a number of significant vendors below, and provided more detail for several. They are sorted in alphabetical order, and we provide further information of notable vendors and/or covered companies based on our subjective understanding.  Bitdefender. Bitdefender generates the majority of revenue from consumers, but is narrowing the gap with enterprise. The enterprise solution is considered best equipped for SMBs (rather than for large enterprises).  Check Point. While the company’s core is network security, it entered the EPP market in 2004 with the acquisition of ZoneAlarm. One of the advantages of Check Point’s endpoint platform is strong integration between endpoint threat prevention and forensics with network-based detection. In August 2015, the company launched Mobile Threat Prevention, a mobile security offering for the enterprise. While the product is relatively new and the market is still nascent, management believes protecting mobile vulnerabilities will be important for the future.  Cylance. The company attempts to replace traditional signature database approaches found in traditional antivirus products. The method uses a machine learning algorithm to inspect file attributes to determine the probability a file is malicious. It can detect both new threats and new variants of known threats. While Cylance can theoretically replace traditional signature based anti-malware products, we believe it is also used in conjunction with such solutions today.  Eset. The company offers an effective and lightweight antimalware solution. It has a substantial installed base in EMEA and a rapidly growing presence in North America.  F-Secure. F-Secure’s business solutions are targeted for SMBs seeking a costefficient solution with low administrative needs.  IBM. IBM’s EPP solution is built on the foundation of its client management tool platform, and repackages Trend Micro’s core anti-malware engine.  Intel/McAfee. Intel (formerly McAfee) holds the second largest market share, behind Symantec. The company offers a broad portfolio of security solutions, and has integrated core endpoint security into a common endpoint agent. The company’s policy management and reporting framework is considered a leading feature within its security suite. On September 7, 2016, Intel announced that its security division was to be spun out to create a standalone McAfee company. The newly formed company, 51% owned by TPG and 49% owned by Intel, is valued at about $4.2 billion.  Kaspersky Lab. Kaspersky offers good malware detection, as well as other strong product features, such as virtual server support and integrated application control and vulnerability analysis. The company has demonstrated a rapidly growing global market share.  Microsoft. Microsoft tends to be reliant on signature based detection methods and lacks some features found in other security solutions such as application control. Due to tight integration with the company’s other products, Microsoft is considered a reasonable solution for very Windows-centric organizations.  Panda Security. Panda is quickly developing its cloud-based EPP, and offers EPP, email, web gateway, and PC management through a cloud-based console. SMBs are the best suited for this platform. page 66 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017  Qihoo 360. Qihoo offers the most popular consumer antivirus in China, and has recently started to branch into the enterprise market in China. The company does have plans for global expansion.  SentinelOne. SentinelOne focused on behavior-based detection, and includes EDR-type functionality in its core platform.  Sophos. Sophos sells exclusively to businesses. The company is focused on the mid-market, offering a consolidated network and endpoint solution.  Symantec. Symantec is the leading EPP vendor, with about 20% market share. Symantec Endpoint Protection has an extensive set of layered defense capabilities. With a large installed base and broad product portfolio, Symantec integrates, correlates, and prioritizes endpoint protection, email security, and ATP protection. Symantec released version 14 of its flagship endpoint security on product, SEP (Symantec Endpoint Protection) in November 2016. This release added AI and machine learning capabilities, as well as exploit mitigation, in order to expand the ability to protect against zero-day attacks. Symantec also has a separate EDR solution, ATP (Advanced Threat Protection), which was released in December 2015, and is meant to detect and remediate advanced threats.  Trend Micro. Trend Micro is the third largest EPP vendor, behind Symantec and Intel. The company has invested in the areas of application control, vulnerability detection and shielding, and EDR. The company is a leader in addressing the needs of the data center.  Webroot. Webroot takes a behavior-based approach that uses cloud databases, which allows the EPP client to remain small and fast. Endpoint Detection and Response (EDR) What is EDR? EDR involves detecting, investigating, and mitigating suspicious activities and issues on hosts and endpoints. It is a more nascent market than EPP, but an emerging and logical next progression from it. Gartner describes EDR solutions as having four key capabilities, below. However, due to the nascent stage of this market, not all vendors have all four capabilities in full. 1. Detect security incidents, often by monitoring endpoint activities and objects, and by evaluating policy violations. 2. Contain the incident at the endpoint, so that network traffic or process execution can be remotely controlled. 3. Investigate security incidents. This function should include a historical timeline of all primary endpoint events to determine both the technical changes that occurred and the business effect. 4. Remediate endpoints to a pre-infection state. Ideally, the solution should remove malicious files and repair any changes. Remediation is the least mature function of the EDR tools. Most just focus on containing or quarantining the threat. One of the most critical EDR capabilities is the ability to detect sophisticated hidden threats. Algorithmic techniques (such as machine learning) can detect unknown malware or attack techniques without comparing it to a database of known bad artifacts. These techniques are based on a computational method that leverages known good and bad page 67 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 characteristics to identify such in an active system, rather than comparing code to a list of known malware. Evolution of EDR EDR is a relatively new technology. Many EPP vendors are beginning to incorporate EDR as the next logical step in securing organizations beyond just protection. As more organizations understand and accept that some malware is likely to get to the endpoint regardless of how good their EPP system is, they will likely seek EDR solutions to better detect, respond, and potentially remediate the attack. Potential buyers of EDR solutions are largely looking to augment EPP, not replace it. EPP can provide the blocking and prevention capabilities, and EDR can provide rapid detection and response capabilities. Gartner expects that by 2018, 80% of “Leaders” and “Visionaries” in the EPP market will include EDR capabilities, up from 45% in 2016. EDR Market Size and Potential Growth Gartner estimates that the EDR market generated $225 million in revenue in 2015, and that it has reached a revenue run-rate of about $498 million exiting 2016. Given that the 2015 full-year and 2016 run-rate revenue estimates are apples-to-oranges, the simply calculated 121% year-over-year growth is overstated. Regardless however, it is clear this market is in hyper-growth. We note that Gartner believes (and we agree) that growth of the EDR market is likely to slow (they predict by 2019) as EDR becomes subsumed into EPP platforms rather than remaining what is today a largely standalone market. This trend could benefit Symantec as a platform for endpoint solutions, across EPP and EDR. We note that EDR is not included in Gartner’s Enterprise Software tracker. We believe Gartner does not include it because it is a relatively small and new market. However, we believe it offers potential upside to analyst growth forecasts. Primary EDR Vendors Most revenue is generated by established vendors, such as FireEye. Additionally, there are a number of dedicated startup vendors, which are smaller than their legacy peers but often growing very quickly. Trend Micro, Symantec, McAfee, Kaspersky Lab and Check Point all either have products in the market or beta projects in the works that should be available in the near future. We note that Gartner has yet to estimate market share or individual vendor revenue generated in the market. We’ve identified a number of significant vendors below, and provided more detail on several. They are sorted in alphabetical order, and we provide further information of notable vendors and/or covered companies based on our subjective understanding.  Bit9 and Carbon Black. In 2014, Bit9 acquired Carbon Black, which is a dedicated EDR tool. The endpoint sensor continuously records and sends all execution events, memory events, file and registry modifications, and more to a centralized management console to analyze. Customizable pattern detection helps defend against ongoing and new attacks. Remediation and containment methods include banning of executables, network isolation, process termination and software updating.  Bromium. Bromium focuses on blocking exploits of commonly vulnerable applications via isolation, but does not yet provide remediation for malicious processes. Bromium Endpoint Protection automatically creates hardwareisolated micro-VMs that secure every user task—such as visiting a web page, downloading a document, or opening an email attachment. Each task runs in its own micro-VM, and all micro-VMs are separated from each other, and from the trusted enterprise network. As a result, if an attack occurs, it is already isolated since all tasks are isolated by definition. If the task is deemed safe, then it is free to transact and interact with the environment. page 68 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017  Check Point. Endpoint operations are stored and analyzed in real time on the individual endpoint. Detection capability includes botnet detection, delivery of unknown files, and antimalware engine used in EPP. Containment actions can terminate and quarantine and block malicious processes. Remediation can quarantine endpoints and delete files.  Cisco. Cisco’s EDR solution records significant endpoint operations continuously and stores log data in the cloud or on-premise, for use in IOC (Indicator of Compromise) detection or investigation.  CrowdStrike. CrowdStrike has a cloud repository for a continuous stream of suspect endpoint event data. Detection is based on multiple techniques including behavioral analysis. Remediation is limited to network containment of infected endpoints. The company offers a global threat intelligence subscription service.  Cynet. Cynet offers an optional malware detonation sandbox. Endpoint data collection is agented or agentless. The company offers a 24/7 SOC (Security Operations Center) to perform deeper analysis.  Digital Guardian. Formerly Verdasys, Digital Guardian is best known for data protection/DLP, but it also offers EDR functionality as either an on-premise deployment or as a service.  FireEye. Part of the FireEye Endpoint Threat Prevention platform was developed by Mandiant consultants for use during an incident response or compromise assessment. An agent can quarantine the system from the network, but other remediation is not yet available.  Malwarebytes. Malwarebytes is best known as a lightweight remediation tool to remove threats, both in the enterprise and consumer markets. Malwarebytes’ EDR solution proactively scans for and remediates malware. Malwarebytes Breach Remediation is engineered to integrate seamlessly into existing security stacks. Beyond EDR, the company has a significantly broader portfolio of solutions, including consumer antivirus and enterprise endpoint protection from both signature-based and signature-less threats.  LightCyber. The company was founded by former Israeli Defense Forces staff. The solution is focused on detecting behavioral anomalies. The management server is assisted with a cloud data intelligence feed and cloud file sandbox.  Panda. Panda, an established EPP vendor, entered the EDR market in 2014 with Adaptive Defense, which is designed to work with Panda’s and competitors’ EPP offerings. A monitoring agent feeds telemetry data to a cloud-based monitoring service, and most files are categorized as good or bad within 24 hours. Basic remediation is available, such as file deletion.  RSA. The Enterprise Compromise Assessment Tool (RSA ECAT) comes from RSA’s 2012 acquisition of Silicium. ECAT consists of an analyst console, distributed servers for data collection, a database, and endpoint agents.  SentinelOne. SentinelOne’s EDR method is behavior detection, including memory exploitation, augmented by cloud process analysis. Its bundled memory exploit prevention capability adds preventative capabilities to its EDR offering. page 69 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017  Symantec. Symantec’s EDR solution, called Advanced Threat Protection (ATP), was released in December 2015. The network gateway provides a sandbox system, and files on the networks can be inspected in the Symantec cloud. Containment actions are limited to quarantining suspect processes and remediation is limited to Symantec’s Power Eraser for known malicious objects. As discussed in the EPP section, SEP 14 was released in November to add AI/machine learning functionality to Symantec’s core EPP offering. While SEP protects against zero-day attacks, it also integrates with ATP, Symantec’s EDR solution.  Tanium. Tanium is best known as an IT operations support tool. EDR capabilities are delivered through a combination of Tanium Endpoint Platform, with add-on modules for Tanium Incident Response and more. Agents store historical event information and can be rapidly retrieved or queried. Containment and remediation capabilities are extensive, including quarantine, kill processes, remove files, and change registry keys.  Tripwire. Tripwire is an established vendor in large enterprise configuration and vulnerability management, file integrity monitoring, and log management. Detection capability is driven by unauthorized system state changes that are then analyzed using internal or partner IOCs, anomaly detection, and behavior. Containment includes kill processes, deleting files, and network isolation.  Trend Micro. Trend Micro was the first of the established EPP vendors to offer an EDR solution. The Endpoint Sensor records endpoint activity and is used to aid investigation of alerts generated by the Network Monitor, but there are no detect capabilities outside of the network sensor alerts. Remediation and containment actions are limited to isolating an endpoint using firewall policy, quarantine, and block process execution.  Verint Systems. Verint is an established vendor for EDR, forensics, and analytics in the government sector, and is expanding into the enterprise market. Metadata and recorded packets are sent to aggregators that perform decoding and correlation. Detection includes file analysis, IOC detection, and network traffic behavior. Containment and remediation are limited to quarantine or delete files or send commands to other tools. Consumer Security What is Consumer Endpoint? While the consumer security market may be slightly broader than just endpoint, for the purposes of our research we assume consumer security is substantially all endpoint security – encompassing personal computers (PCs), mobile, and tablet protection. The majority of consumer protection comes from antivirus, which is a program or set of programs that are designed to prevent, search for, detect, and remove software viruses, and other malicious software like worms, trojans, adware, and more. This has expanded through the years to include: personal firewall, anti-phishing, parental controls, and even cloud storage in some cases. Evolution of Consumer Endpoint While the demands of the consumer PC user can be substantially different than those of the enterprise user, the evolution of consumer endpoint products has followed a similar path. Today’s consumer products offer solutions to stop zero-day or unknown attacks, and many now incorporate intelligence networks. For instance, Norton (Symantec) customers have the option to join the Norton Community, which helps Symantec gain page 70 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 intelligence on the threats consumers encounter, around the world. This benefits both consumers and corporations. The consumption of consumer antivirus has transitioned over time. Originally, antivirus software was purchased on CDs at brick and mortar stores as well as through OEM agreements with PC manufacturers. While these channels still do exist, the purchase of antivirus software has increasingly transitioned to online channels and subscription-based payments. While mobile phones and tablets are consumer endpoints, there has yet to be a wellestablished market or method for monetization. While the PC market developed with consumers purchasing antivirus software, mobile and tablet devices have not had the same progression. Consumers are used to downloading many apps for free, and have therefore resisted the concept of purchasing antivirus software on these devices. Thus, “freemium” offerings have emerged in which consumers can download free or near-free security apps onto their devices. Furthermore, many people do not use any security software at all on their mobile devices. The monetization of mobile device security remains a large question mark given it is a nascent market that has yet to see significant success. However, it is a large potential opportunity given the huge number of mobile devices in use today, which could offset a potential decline in PC usage. Some vendors have begun to test mobile monetization methods, including Symantec which is now partnering with an Indian telecom company which bundles Symantec protection into customer data plans. If successful, the company may roll out the program to other markets. This is similar to the approach pioneered by CA in the early 2000s and embraced by McAfee early, to offer “free” PC protection through Internet Service Providers (ISPs) such as Comcast and Roadrunner. The user received a free subscription to PC protection, which was paid for by the ISP at much lower corporate rates than consumer prices. The original purpose of this from the ISP’s perspective was to reduce churn, but it also reduced service costs from those customers with up-to-date endpoint protection. The original purpose for the vendor that was the instigator in this approach, CA, was to enter the large consumer market that it had difficulty doing without the same name brand as Norton and McAfee. We believe this provided a significant commoditizing influence on the consumer endpoint market, as it also opened the door to others, such as McAfee. As the clear leader in the market, Symantec did not embrace this approach until much later. Another potential but nascent opportunity for the consumer endpoint market is the internet of things (IoT). As consumers adopt connected devices in their homes, these could become potential new attack vectors. While it is not clear how security vendors might capitalize on this trend, this is a potential theme that could help to offset PC softness. Consumer Endpoint Market Size and Potential Growth IDC estimates that the Consumer Endpoint market was a $4.3 billion market in 2015, representing about 51% of the endpoint market and about 12% of the total security market – see Chart 37. IDC expects this market to grow at a 2% CAGR through 2019. page 71 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 37: 2015 Consumer Endpoint Market Share of Total Security Market Consumer Endpoint 4,321 12% Source: IDC, Jefferies This market is often considered a sleepy category, not expected to grow substantially, dominated by large legacy vendors (eg. Symantec and Intel/McAfee), and plagued by a structurally challenged consumer PC market. While we do not disagree that this category should not be expected to be a substantial grower, we note it is a sizable market that makes up a substantial portion of the total security market and it has trended higher (on a constant currency basis) for years. Additionally, it tends to be a very profitable business for some vendors. For instance, in Symantec’s FY16, Consumer security represented 46% of the company’s revenue but 91% of operating income. Enterprise security comprised the remaining 54% and 9%, respectively. Additionally, while we do not disagree that the consumer endpoint market should be a slow grower (or even perhaps display no to negative growth at some point), we believe it will remain a sizable market and not disappear anytime in the foreseeable future. In addition, given its size new players can disrupt the market and grow for years as they gain share. Primary Consumer Endpoint Vendors As a relatively mature market, consumer endpoint is dominated by a number of legacy security vendors, with few recent upstarts (with Malwarebytes perhaps the one notable exception). Symantec, Intel, Avast/AVG, Kaspersky, and Trend Micro are the market share leaders – see Chart 34 above. We’ve identified a number of significant vendors below, and provided more detail for several. They are sorted in alphabetical order, and we provide further information of notable vendors and/or covered companies based on our subjective understanding.  Avast. On July 7, 2016, it was announced that Avast was to purchase AVG Technologies for $1.3 billion. The deal closed in September 2016. We believe both Avast and AVG will be run as separate brands for now, but expect more efficiencies to materialize over time. Avast offers free antivirus on both PCs and mobile. Avast Pro Antivirus 2016 gives the same effective protection found in the free edition along with a hardened browser, DNS protection, and sandboxing. AVG offers a free version of its antivirus for PC and mobile. Beyond the free edition, AVG paid antivirus adds an online shield and file encryption.  Intel/McAfee. Intel offers three paid versions of its software, which include 24/7 support. A single subscription lets the user install protection on every Windows, Mac OS, Android, and iOS device owned. On September 7, 2016, Intel announced that its security division was to be spun out to create a page 72 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 standalone McAfee company. The newly formed company, 51% owned by TPG and 49% owned by Intel, is valued at about $4.2 billion.  Kaspersky. Kaspersky offers three paid versions of its consumer security product. The Internet and Total packages include tablet, smartphone, and Windows and Mac security.  Malwarebytes. Malwarebytes is best known as a lightweight remediation tool to remove threats, both in the enterprise and consumer markets. Malwarebytes offers a free version of its anti-malware. The premium version shields a consumer’s system from exploit attacks, including zero-day attacks. Malwarebytes is most differentiated for offering remediation tools, which most vendors do not.  Symantec. The largest consumer and corporate endpoint security vendor, Symantec’s Norton consumer security offers a suite of protection across Windows, Mac OS, Android, and iOS devices. As one of the largest security vendors, the company leverages one of the largest global civilian intelligence networks to identify threats quickly.  Trend Micro. Trend Micro offers protection across PC, Mac, Android, and iOS. The company reports that it blocks 250+ million threats per day. Ransomware protection is a new feature. History and Evolution of Endpoint Security Past The endpoint protection environment of yesterday was significantly simpler. PCs and servers were the only endpoint, and the environment was well-defined within the corporation’s perimeter (or consumer’s home PC). The main protection methods were to employ signature-based antivirus, which would watch processes and compare any signs of attack to a list of known malicious malware. In the earlier days of malware this method made sense because the attacks were much fewer and less sophisticated. In today’s world of increasingly distributed architecture and much more and increasingly sophisticated attacks, this approach is no longer sufficient by itself. Present Endpoint solutions have advanced beyond signature-based or “known” threat protection and started to implement several other systems to protect against unknown or “zero-day” attacks, usually through behavioral-based analysis. Behavioral techniques seek to establish a behavioral fingerprint for the malware at run-time and detect both known and unknown malware. We believe the adoption of unknown malware protection will continue, but is well-understood by the market and IT security buyers. We believe the next wave of incremental endpoint security protection will come from endpoint detection and response (EDR), which we cover further in the following Future/Outlook section. We define advanced/next generation endpoint security broadly as including both unknown/zero-day endpoint protection and EDR solutions. Another technique that can be combined with behavioral detection is a sandbox environment that permits the program to run in a virtual environment, logging the action of the program. The anti-malware engine then checks the logs and attempts to determine if the program is malicious or not. If it isn’t malicious, the program is then run in the production environment. Some anti-malware programs have also started implementing data mining techniques to classify the behavior of files given a set of features in the file being run. page 73 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Many of the systems in current anti-malware programs are designed to intercept malware that is unknown, given that the environment has changed from being required to intercept known viruses to one where malware is developed in a targeted fashion at specific enterprises. Traditional or Next Gen? Both A key investor question when evaluating the endpoint security space, is if and to what extent next gen/advanced endpoint security could replace traditional solutions, or be incremental protection. Based on our proprietary survey of 76 CIOs/CISOs, we conclude that most organizations will continue to use “traditional” antivirus to some extent, with 87% of respondents planning to continue the use of traditional antivirus within their organizations. About 20% plan to exclusively use traditional antivirus, 37% plan to supplement traditional protection with next gen solutions, and 30% plan to replace some (and keep some) traditional endpoint protection with next gen solutions. Only the remaining 13% of respondents said they are looking at advanced / next generation solutions to replace traditional protection on all or most endpoints. See the results of this question in Chart 38, and see our full survey results and analysis in our note “Cybersecurity Survey – From the Source”. Chart 38: Which of the following statements best describes your organization's plans for signature-based antivirus at the endpoint? We will continue to use "traditional" antivirus on all (or most) endpoints in the organization for the foreseeable future, but will supplement this with incremental next generation / advanced threat technologies 37% We are evaluating the use of next generation / advanced threat protection solutions to replace traditional endpoint security on some endpoints 30% We will continue to exclusively use "traditional" antivirus on all (or most) endpoints in the organization. We are evaluating the use of next generation / advanced threat protection solutions to replace traditional endpoint security on most (or all) endpoints 20% 13% Source: Jefferies, n=76 Mobile Security – A Real Market with a Monetization Question While mobile devices (smartphones and tablets) have been embraced by both consumers and corporations, there has yet to emerge a clear approach to securing them or to page 74 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 monetizing the security of them. Consumers tend to either not have any security on their mobile devices or download “freemium” software. In an “app” world, consumers are not used to having to pay to download apps or pay for continued subscriptions. We note some vendors, such as Symantec, are starting pilot programs to bundle consumer mobile security with telco data plans, but it is unclear yet whether this will become a broader monetization strategy. Within the enterprise, mobile device security is still nascent, with few monetizing the opportunity. Check Point is a notable vendor pushing into this category, which the company believes will increase in importance given the inevitability of a large-scale attack via mobile devices. Mobile creates numerous security challenges, ranging from the sheer number of devices to the diversity of vendors and platforms. The first impact is perhaps the most obvious: Enterprise users increasingly connect to corporate networks through Bring-Your-OwnDevice (BYOD) policies with multiple devices that are frequently employee-owned and therefore not necessarily secure. IT departments are challenged by the sheer number of devices and operating systems (particularly release versions), employees’ downloading of potentially compromised applications, and the short lifecycle of many of these devices. Matters are further complicated by users’ jailbreaking, or unlocking, of device operating systems. Future / Outlook The market has been pivoting from the sole function of endpoint protection, which seeks to guard the endpoint from malware and cyber-attacks, to methods to detect malicious activity before an attack, analyze it, and remediate once an endpoint has been compromised. Much of this transition is based on many organizations’ acceptance that current protection methods are inefficient to keep malicious intent out of the endpoint, and these often vulnerable attack vectors will likely be penetrated at some point. EDR capabilities have emerged from this theme, including newer upstarts (i.e. CrowdStrike, Bromium), as well as new product features from legacy vendors (i.e. Symantec, Trend Micro). A key catalyst to get companies to look toward detection and response methods has been large and high-profile attacks over the past few years, such as Target, Home Depot, and Sony. Traditional AV solutions were missing attacks because they were only able to catch known signature-based threats. Additionally, many traditional AV systems are heavy and onerous to endpoint performance. Therefore, the market is moving toward more lightweight products, such as sensors, that sit at the kernel and run as an operating system service. We believe incident response (IR) and remediation may provide a new wave of enterprise endpoint security opportunities. One key driver of this trend is a potential reduction of inefficiencies related to man hours to run manual investigation and remediation processes. We found one source that mentioned it taking 40 man hours for a skilled analyst to complete a single system investigation, while an efficient technology could take minutes to an hour. Some market participants have noted the possibility of a “renaissance” in endpoint security as cloud adoption leads to more distributed architectures – thus changing the definition and vulnerabilities of the network perimeter, and perhaps increasing the importance of the endpoint itself. We believe this argument is logical as more and more corporate architectures include endpoints (PCs and mobile devices) connected to SaaS apps via the internet. However, we think that similar to most transitions, this will be gradual and take time. We note that this trend, if true, would just benefit the corporate/enterprise endpoint market and not consumer. page 75 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Based on our proprietary survey of 76 CIOs/CISOs, it seems the idea that endpoint security becomes more important in the transition to cloud has merit, but is also not fullysupported by all security buyers. When asked about how the cloud changes the way respondents think about securing their organizations, the most-chosen response (respondents could chose multiple) was “Securing endpoint devices becomes more important”, with 55% of respondents. While this was a popular selection, we note there remains 45% that don’t seem to support the idea behind the endpoint renaissance. See the results of this question in Chart 39, and see our full survey results and analysis in our note “Cybersecurity Survey – From the Source”. We believe the concept of a resurgence in endpoint security demand makes a lot of sense from a technical perspective, and is supported by our survey results. However, we believe it’s unclear whether or not this trend will impact the overall economics of the endpoint market, or how it will affect the associated vendors.  Other potential beneficiaries of the cloud migration, such as CASB and microsegmentation, are newer technologies with a long runway of potential adoption. In contrast, endpoint security is a large and mature market, with existing adoption across organizations of all sizes globally. While newer technologies like endpoint detection and response (EDR) are nascent and growing quickly, these technologies may not be deployed by all organizations, most of which already employ basic endpoint protection.  Additionally, as some vendors add incremental functionality, some of these will be layered into existing products, without an uplift to customer spending. For instance, Symantec Endpoint Protection (SEP) is layering in further behavioral engines to protect against unknown attacks, without an increase in price or need to purchase a new solution. Symantec’s Advanced Threat Protection (ATP) is a separate product to address EDR, which could be a beneficiary of the resurgence in endpoint demand, but we note this advanced functionality may not be as widely adopted as the broader endpoint security market.  Lastly, we’ve seen calls for resurgence of certain markets in the past that have turned out to be narrow opportunities that closed before they became very material. The endpoint market was an example years ago when industry analysts called for continued double digit growth of the market… which turned out to be optimistic as commoditizing forces prevailed. This call for an endpoint resurgence could be different as new technologies take hold, but we believe it is too soon to call one way or the other. Again, we do believe the idea has merit, but it is too early to tell if and to what extent the endpoint market will benefit economically, and which vendors might be significant beneficiaries of this opportunity. page 76 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 39: How, if at all, does the cloud change the way you think about the security of your organization? Respondents could select multiple items 55% 42% 32% 29% 5% Securing endpoint devices become more important Network security becomes less relevant CASB (Cloud Access Security Next generation IT architectures Broker) solutions should be that allow micro-segmentation employed to manage access to increase the security of the SaaS solutions organization DLP becomes more necessary Source: Jefferies; n=76 Security of mobile devices remains relatively nascent, and could act as a catalyst if companies are able to establish a way to monetize this market. In the corporate environment, there is no clear standard of protecting devices, although multiple products are on the market. We believe there is some confusion in the market around what mobile device security is. We believe many companies believe they already have a solution deployed, but are likely using more of a mobile device management (MDM) solution, rather than true security. Many MDM suites have some security-like features, like provisioning and data protection, including encryption. However, these solutions do not have full security features such as scanning for malware. On the consumer side, many people use no security solution or are employing a freemium solution. Some security vendors are piloting monetization programs of bundling security features with data plans. But we note it is too soon to tell if this strategy will work longer-term. Another potential catalyst that we believe is even further down the pipeline is the internet of things (IoT), in both industrial (corporate) and consumer applications. Gartner estimates that the total IoT security market will reach $840.5 million by 2020, growing at a 24% 2013 to 2020 CAGR. While this could be a significant opportunity, we note it is in very early stages and it is unclear how it will unfold. See Chart 40 for a comprehensive list of potential tailwinds and headwinds for the space, in our view. page 77 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Consumer Chart 40: Potential Headwinds and Tailwinds for the Endpoint Security Market Potential Tailwinds Potential Headwinds    Decline of the PC market Free and freemium mobile / tablet offerings   Saturation of traditional antivirus Move to SaaS applications causes greater need for security in an around the app, not at the endpoint Nascent and uncertain mobile market   Enterprise    Monetization of mobile through carrier partnerships Rebound in the PC market IoT opens new market opportunities Distributed IT architecture and move to the cloud increases the importance of the endpoint Detection, response, and remediation offer a wave of growth IoT (industrial, vending machines, cars, etc.)  Source: Jefferies Security Vulnerability Management We delve into the size of the addressable market for security vulnerability management, and provide an overview on the security management and vulnerability assessment segments. We also provide our thoughts on a potential future for the security vulnerability management market. We believe that demand for products in the security vulnerability management space will remain robust in the future. With attacks becoming increasingly complex and harder to detect, we expect sustained demand for both SIEM (Security Information and Event Management) and forensics solutions. These products offer the capability to detect complex attacks and to reconstruct the history of attacks by analyzing the data from a large number of security systems. Additionally, countries are increasingly introducing regulations that require organizations to both detect and publicly report cyber intrusions in a timely fashion (e.g. new European Union breach reporting requirements being enforced in 2018). Such legislation will likely encourage organizations to focus on improving their breach detection capabilities, which could prove to be a tailwind for security vulnerability management vendors. Finally, as “IOT devices” become increasingly widespread and awareness of the security threats posed by these devices increases, it could lead to increased demand for vulnerability testing solutions for these devices in order to secure them from potential attacks. Security Vulnerability Management Addressable Market Size We reviewed market sizing estimates from both IDC and Gartner. Both companies define the market differently, with IDC taking a much broader and more granular perspective of the market. IDC defines security management and vulnerability assessment submarkets, each with several segments. Gartner simply defines Security Information and Event page 78 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Management (SIEM), which is one of the IDC submarkets, and security testing, which is also included in IDC’s vulnerability assessment submarket. Consequently, they both size the market differently, with IDC defining a $5.4 billion market in 2015, growing to a $7.9 billion market in 2019 (10% CAGR). Gartner sizes the market as $2.6 billion in 2015, growing to a $3.8 billion market in 2019 (10% CAGR). The only consistency between the two estimates is the comparable growth rate for the overall market. See Chart 41. Chart 41: Security Vulnerability Management Market Size in billions of $ Market/Submarket 2014 IDC Security management Security Information and Event Management (SIEM) Forensics and incident investigation Policy and compliance Security device systems management yoy change (%) % of Total Vulnerability assessment Device Application yoy change (%) % of Total 3.4 1.7 0.4 1.1 0.2 71% 1.4 0.8 0.6 29% Total yoy change (%) yoy constant currency change (%) Gartner Security Information and Event Management (SIEM) yoy change (%) % of Total Security testing yoy change (%) % of Total Total yoy change (%) yoy constant currency change (%) 2015 2016E 2017E 2018E 2019E 3.7 1.9 0.5 1.2 0.1 10% 68% 1.7 0.9 0.8 25% 32% 4.0 2.1 0.5 1.3 0.1 8% 67% 1.9 1.1 0.9 14% 33% 4.3 2.2 0.6 1.4 0.1 8% 66% 2.2 1.2 1.0 14% 34% 4.7 2.4 0.6 1.5 0.1 8% 65% 2.5 1.4 1.1 14% 35% 5.1 2.6 0.7 1.7 0.1 8% 64% 2.9 1.6 1.2 14% 36% 2015–2019 CAGR 8% 8% 10% 9% -5% 14% 15% 13% 4.7 5.4 5.9 6.5 7.2 7.9 17% 20% 14% 18% 10% 10% 10% 10% 10% 1.6 2.0 24% 76% 0.6 17% 24% 2.1 9% 75% 0.7 14% 25% 2.3 9% 74% 0.8 14% 26% 2.5 9% 73% 0.9 14% 27% 2.8 9% 72% 1.1 14% 28% 9% 2.1 2.6 2.8 3.1 3.5 3.8 14% 15% 14% 22% 10% 10% 11% 11% 75% 0.5 25% 14% 10% Source: Jefferies, Jefferies estimates based on IDC data (IDC Worldwide Security and Vulnerability Management Forecast, 20152019, Oct. 2015, 259615), Gartner Worldwide Information Security Forecast, 2014-2020 (3Q16) Note: We derive our IDC estimates based off of historical IDC market data and IDC forecasted CAGRs through 2019. IDC’s security management submarket definition includes the following segments: security information and event management, forensics and incident investigation, policy and compliance, security device systems management – the latter three are not accounted for by Gartner. Similarly, IDC’s vulnerability assessment separates the submarket into two segments: device and application, whereas Gartner simply defines a security testing submarket. IDC’s approach is more granular and also estimates a larger submarket than Gartner – more than double the size. page 79 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 We will use IDC market estimates going forward as they are both more comprehensive and provide greater granularity. Representative Vendors and Market Share Looking at an aggregate view of the security vulnerability management market, we identify the vendors active in this market. IDC identifies 51 active vendors in the market, in addition to “others”. The market appears to be highly fragmented, with the top-3 vendors holding 29% of the market, and the top-10 holding 49% of the market. The top-3 vendors are IBM (14% share), HPE (8% share), and EMC (7% share). On the other end of the market “others” control 64% of the market. These market share figures imply a highly fragmented market with no dominant vendor. See Chart 42 for a list of vendors and their respective shares of the market. Chart 42: Security Vulnerability Management Market Share (2015, $4.5B) IBM 14% Hewlett Packard Enterprise 8% EMC 7% Splunk 4% Others 64% Qualys 3% Source: Jefferies, IDC Worldwide Semiannual Software Tracker (2H15) Security Management What is security management? Security management encompasses products that enable organizations to create security policies, measure and report on security posture, and allow for correcting security shortcomings. Security management is comprised of four segments: 1) Security Information and Event Management (SIEM). SIEM is the biggest segment of this submarket at 52% of security management and 35% of the total security and vulnerability management market. SIEM products aggregate data from a multitude of sources and attempt to identify patterns that signal attacks, intrusions, failures, etc. They do this by correlating alerts and logs from the various products deployed in the organization. 2) Forensics and Incident Investigation. Forensics and incident investigation systems capture and store network and device data and identify the effects of network exploits, data theft, and security policy violations. Many of these products can also historically recreate how specific events occurred. Malware page 80 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 forensics tools can also deconstruct malware in order to determine their functionality. 3) Policy and Compliance. Policy and compliance encompasses systems that can create, measure, and report on security policies and regulatory compliance. These systems can establish corporate wide policies, distribute these policies, and provide audit information. These systems function by measuring a baseline configuration that devices are supposed to adhere to, and can report on when devices are not adhering to the policies. Security and compliance policy enforcement is frequently handled by endpoint security products. Many endpoint products integrate with centralized policy management systems, which in turn dictate the security policies to the endpoint (e.g. how often to scan the endpoints, which settings and permissions to adjust and enforce in various software programs on the endpoint, etc.). 4) Security Device Systems Management. Security device systems management encompasses products that manage systems and report on the status of security products (e.g. firewalls, web security systems, etc.). These products can also be used to manage device policies and to monitor the health of security systems. Evolution of security management Prior to the advent of security management software, much of the work in this area was manual in nature. Security officers provided log aggregation across disparate systems, simplistic event data correlation, and log storage. They only relied on known threat signatures to detect attacks. This limited their ability to detect any zero-day attacks. As virus outbreaks, phishing campaigns, and other malicious attacks became more prevalent, risk managers and auditors called for the implementation of Continuous Controls Monitoring, which as the name implies, requires continuous monitoring of systems and data to detect compliance and risk issues. This led to an evolution of many of the initial SIEM systems to provide more reporting capabilities. Many systems focused primarily on the collection of logs from security appliances and software, and on compliance reporting. As breaches became more public and organizations became more reliant on the reliability and availability of IT systems, it became increasingly important for them to perform rootcause analyses of breaches and failures on their systems. This required systems to be able to provide additional data in a timely fashion in regards to auditing the process that resulted in the unwanted result, and led to further advancement in SIEM systems. Today, many SIEM systems have the ability to determine user behavior across a multitude of systems (e.g. desktop, mobile, etc.) and feature capabilities such as deep packet inspection to determine user activities. Among some of the capabilities they possess, they collect, store, normalize, correlate, and analyze data from numerous security and network devices in order to provide security intelligence and a baseline of typical network behavior. These systems support compliance & audit through their ability to gather data, testing and reporting, and log data retention for compliance testing, incident response, and forensic investigations. Market Size and Potential Growth IDC estimates the market to grow from $3.7 billion in 2015 to $5.1 billion in 2019 (8% CAGR). We estimate that this market is likely to continue its strong growth, as demand for products that can detect attacks and analyze the consequences of attacks are likely to remain in demand. page 81 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Significant Vendors Gartner publishes a Magic Quadrant for the Security Information and Event Management (SIEM) segment, but not for the aggregate security management market. See Chart 43. Chart 43: SIEM Magic Quadrant Source: Jefferies, Gartner Magic Quadrant for Security Information and Event Management (July 2015) We list some of notable vendors in this space, they include:  AlienVault: AlienVault offers a Unified Security Management (USM) solution that includes SIEM, vulnerability assessment, asset discovery, network and host intrusion detection, and file integrity monitoring. According to Gartner, one of the advantages with AlienVault lies in the integration of its products, which may be attractive to its primary target, the mid-market, even if it is not considered best-of-breed across all functions.  EMC (RSA): EMC offers a Security Analytics platform, which provides visibility from log, full network packet, NetFlow, and endpoint data capture. The platform is available as either a physical or virtual appliance for data acquisition. EMC also offers a cloud-based system, that provides correlation rules, reports, and threat intelligence feeds.  HP: HP’s ArcSight SIEM product is available in software format for enterprises and in a pre-configured appliance format for the midmarket. It provides log data collection and user behavior analytics, along with a full set of SIEM page 82 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 capabilities. According to Gartner, one of the downsides of the offering is that it is more complex than other solutions from competing vendors.  IBM Security: IBM’s QRadar platform offers SIEM software, log management, vulnerability management, risk management, network traffic collection, and forensics. It is available as an appliance, a virtual appliance, or as a SaaS offering.  Intel Security / McAfee: Intel Security’s McAfee Enterprise Security Manager combines its Enterprise Security Manager, Event Receiver, and Enterprise Log Manager into a single offering. A number of add-ons exist such as Advanced Correlation Engine, Database Event Monitor, Application Data Monitor, and Global Threat Intelligence. One of the downsides of Intel Security’s products is that they require integration with other Intel Security products (such as ePolicy Orchestrator) to be able to use the full functionality of the SIEM product.  LogRhythm: LogRhythm offers a SIEM solution in software or appliance format. It consists of several unified components, such as an Event Manager, Log Manager, AI engine, and a console. LogRhythm also offers network forensic capabilities via its Network Monitor solution. Its offerings are strongly integrated and well suited for customers looking for an integrated combination of capabilities.  Splunk: Splunk Enterprise and Splunk Cloud provide search, alerting, real-time correlation and a query language that supports visualization. Splunk is used for log management, analytics, monitoring, and search and correlation. It can be deployed on-premise, in a public or private cloud, as a SaaS offering, or in a hybrid combination. Splunk also offers Splunk Enterprise Security, which acts as a SIEM solution and is designed to address emerging security threats. Splunk is also used for log management and analytics in non-security activities. Vulnerability Assessment What is vulnerability assessment? Vulnerability assessment products can scan devices and the software on them for known security vulnerabilities and configuration settings that can be exploited. Some vulnerability assessment products also have the ability to test for unknown vulnerabilities by mimicking common attack profiles to see if devices or software can be penetrated. Vulnerability assessment is comprised of two segments: device vulnerability assessment and application scanners. Device vulnerability assessment systems are either network- or host-based scanners that search a device for security vulnerabilities. These devices can have either credentialed access to devices or an uncredentialed view. Credentialed access enables a deep dive scan into the device to find known vulnerabilities, whereas uncredentialed access will provide the point-of-view of a hacker and will simulate attacks to see if the device can be exploited. Application scanners are designed to test applications for their robustness or ability to resist attacks. They avoid doing general vulnerability checks and instead focus on vulnerabilities associated with direct interaction with applications as well as database or web application vulnerabilities. They can either perform dynamic testing on deployed applications or static testing on application source code. Evolution of vulnerability assessment With the emergence of e-commerce and the increase in break-ins into corporate computer systems in the late 90s and early 2000s, companies increased spending on IT security products to protect themselves. Some of the initial attacks such as Cross Site page 83 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Scripting (XSS) or SQL injection raised awareness of security vulnerabilities. In 2001, the Open Web Application Security Project (OWASP) was formed with the goal of raising security awareness and promoting best practices. In 2004, the Payment Card Industry (PCI) Standards Council released its first Data Security Standard (DSS), which outlined minimum security standards for businesses that process credit card data. The need to validate compliance with the standard increased the need, and therefore availability and affordability of vulnerability scanning solutions. One of the techniques that emerged for companies when designing their security systems was the self-administration of vulnerability assessments in order to discover exposures before potential attackers could and to highlight the overall security posture of the enterprise. Vulnerability assessments can be conducted at different levels, such as at the network level or the application level, among others. At the network level, assessments are conducted to determine whether there exist any misconfigurations or unexpected points of entry to the network. A secondary benefit of network level vulnerability assessments is the mapping of the network and the updating of an existing detailed network map or the initial creation one. At the application level, many enterprises have adopted application security testing (AST) solutions that are offered either as tools or as subscription services depending upon the vendor. AST entails products and services designed to analyze and test applications for security vulnerabilities. There exist multiple approaches to AST, they include:  SAST (Static AST): SAST entails analyzing an application’s source, bytecode, or binary code for vulnerabilities at the programming or test life cycle phases.  DAST (Dynamic AST): DAST entails analyzing applications in their dynamic, running state during testing or operations. It simulates attacks against applications and analyzes the application’s reaction, determining whether it is vulnerable.  IAST (Interactive AST): IAST combines parts of SAST and DAST. It is typically implemented as an agent within the test runtime environment that observes attacks and identifies vulnerabilities.  Mobile AST: Mobile AST uses a combination of SAST and DAST to discover malicious or risky actions that mobile applications may be taking that are unknown to the user. According to Gartner, DAST is the most adopted by enterprises, followed by SAST while IAST and mobile AST have only recently emerged on the marketplace. Market Size and Potential Growth IDC estimates the market to grow from $1.7 billion in 2015 to $2.9 billion in 2019 (14% CAGR). We estimate that this market is likely to continue its strong growth, as demand for products that can aid in protecting from and in detecting vulnerabilities are likely to remain in high demand. This market is the strongest growing submarket of the total SVM market. Significant Vendors Gartner publishes a magic quadrant for application security testing, which is part of the vulnerability assessment submarket. See Chart 44. page 84 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 44: Application Security Testing Magic Quadrant Source: Jefferies, Gartner Magic Quadrant for Application Security Testing (Aug. 2015) We list some of notable vendors in this space, they include:  HPE: HPE offers SAST, DAST, and IAST products and services, under its Fortify brand. Its offering is regarded as one of the leaders in the market, according to Gartner. HP’s SAST product is recognized as having support for the most programming languages on the market.  IBM: IBM’s security testing solution is primarily comprised of SAST and DAST offerings, although the company has been expanding into IAST and mobile AST. IBM also offers a broad portfolio of security technologies that encompass many other areas. Thanks to the breadth of IBM’s security offerings, it can appeal to enterprises that are seeking to reduce or to consolidate the amount of vendors they depend upon.  Qualys: Qualys offers cloud-based security services; it offers DAST-as-a-service capabilities, Web Application Scanning (WAS) services among its broader offerings. According to Gartner, Qualys’ offering is considered a low-cost offering, one that is frequently supplemented with other competitive offerings.  Synopsys: Synopsys offers static code analysis, dynamic code testing, and IAST products through its 2014 acquisition of Coverity. Its IAST product also provides vulnerability detection capabilities. Its products are targeted at page 85 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 enterprises. Its primary markets have been in EMEA and consequently its exposure to North America is slightly more limited.  Veracode: Veracode offers both SAST and DAST capabilities as cloud-based services. Veracode pioneered the analysis of binary code, which doesn’t require the source code for testing. Its services also include a mobile AST offering, and it has analysis capabilities to detect vulnerable open source components being used.  WhiteHat Security: WhiteHat Security offers DAST-as-a-service and also offers a SAST service using an on-premise appliance. Both services are highly scalable and offer broad integration with Web Application Firewalls (WAFs). The company also offers a number of capabilities to help customers focus not only on vulnerabilities, but also on building security programs to manage risks. Security Vulnerability Management Future / Outlook Summary of Potential Future Outcomes We believe that demand for products in the security vulnerability management space will remain robust in the future. With attacks becoming increasingly complex and harder to detect, we expect this to sustain demand for both SIEM and forensics solutions, as these products are offering the capability to detect complex attacks and to reconstruct the history of attacks. Additionally, as industries continue to offer new customer facing software solutions, demand for vulnerability testing systems is likely to persist. As many jurisdictions are starting to implement laws that require disclosures in the event of breaches, we expect enterprises to focus on remediating potential vulnerabilities in their applications, driving the need to vulnerability testing solutions. We recently conducted a survey of IT professional (see our note “Cybersecurity Survey – From the Source” for the full survey), and inquired about their opinions on SIEM systems. When asked about their current use of a security information and event management (SIEM) solutions, the top response (with 32%) was that they have a solution but that it is not fully integrated into all of the respondent’s security solutions. The second highest response (with 20%) was that they have a solution but it is manual and/or difficult to use. Another 16% said they don’t have a SIEM system but would like one given the resources, while 11% are actively evaluating solutions. Only 14% said they have a solution and are satisfied with its functionality and automation. And only 8% of respondents said they are not actively evaluating a solution. See Chart 45. We believe these results indicate that 1) there is ample demand for SIEM solutions, and 2) of those that do currently implement SIEM solutions, they wish for greater integration and automation. We have heard anecdotally from many security vendors that they are continuing to increase their integrations with SIEM systems. page 86 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 45: Which of the following best represents your organizations' current SIEM/event management solution? We currently use a solution but it is not fully integrated to all my security products 32% We currently use a solution but it continues to be too manual and/or difficult to use 20% Do not currently have one, but would like to given the resources 16% We currently use a solution and I am satisfied with its functionality and automation 14% We are actively evaluating solutions 11% No imminent plans for one 8% Source: Jefferies, n=76 We highlight some potential futures drivers and/or tailwinds to the Security Vulnerability Management market. Chart 46: Potential Headwinds and Tailwinds for the Security Vulnerability Management Market Potential Tailwinds Security Management   Vulnerability Assessment   New regulations requiring public disclosure of breaches leads organizations to focus more on detecting attacks Increasingly complex attacks require more SIEM software to detect them New regulations requiring public disclosure of breaches leads to a continued focus on securing applications Emergence of IOT could lead to a new class of applications previously not exposed to security threats requiring vulnerability assessments Potential Headwinds  Other security products in security architecture implement ability to correlate data from the entire security stack, reducing the need for third party security management suites  Vulnerability assessment products or functionality could become integrated with existing security management suites, reducing the need for standalone products Source: Jefferies page 87 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Identity and Access Management We delve into the size of the addressable market for identity and access management (IAM), and provide an overview on the various segments of the market. We also provide our thoughts on a potential future for the identity and access management market. The industry is facing dramatic change as a number of cloud-only IAM vendors have emerged and are successfully offering IAM products for both cloud and on-premise systems. These players could potentially disrupt a number of the on-premise IAM vendors, as they offer a number of the benefits of cloud software over on-premise solutions (e.g. single code base, regularly updated code, easily maintained, etc.). We believe that cloud-based solutions could be highly impactful to the industry and open up new use cases for IAM systems such as providing information on identified users (e.g. their identity, their location, what applications they are using, etc.). Longer term, we expect the need for massively scalable IAM solutions to accommodate the requirements of IoT (Internet of Things) networks, where identities will expand beyond employees to customers and other human participants, and beyond humans to devices and other entities, such as perhaps applications. Identity and Access Management Addressable Market Size We reviewed market sizing estimates from both IDC and Gartner, which define the market differently, with IDC taking a much broader perspective of the market. IDC defines a number of segments for IAM whereas Gartner defines fewer segments. IDC defines a $5.0 billion market in 2015, growing to a $6.9 billion market in 2019 (8% CAGR). Gartner sizes the market at $3.9 billion in 2015, growing to a $5.5 billion market in 2019 (9% CAGR). Both market estimates are relatively consistent in terms of overall market growth, even if the composition of IDC’s market definition is more comprehensive. See Chart 47. Chart 47: Identity and Access Management Market Size in billions of $ Market/Submarket 2014 IDC Identity and Access Management (IAM) Single sign-on Authentication Provisioning Privileged Access Legacy Authentication 5.1 2.1 1.6 0.8 0.4 0.2 Total yoy change (%) yoy constant currency change (%) Gartner Identity Access Management (IAM) Web Access Management Other Identity Access Management Identity Governance and Administration Total yoy change (%) yoy constant currency change (%) 2015 2016E 2017E 2018E 2019E 2015–2019 CAGR 5.0 2.0 1.6 0.8 0.4 0.2 5.4 2.2 1.8 0.8 0.5 0.1 5.9 2.4 1.9 0.8 0.5 0.1 6.4 2.7 2.1 0.9 0.6 0.1 6.9 2.9 2.3 0.9 0.6 0.1 8% 9% 9% 5% 10% -5% 5.1 5.0 5.4 5.9 6.4 6.9 8% 9% -1% 9% 8% 8% 8% 8% 8% 3.4 0.9 0.9 1.5 3.9 1.1 1.1 1.7 4.3 1.1 1.3 1.9 4.7 1.2 1.5 2.1 5.1 1.2 1.6 2.2 5.5 1.2 1.8 2.4 9% 4% 13% 9% 3.4 3.9 4.3 4.7 5.1 5.5 11% 13% 8% 17% 9% 9% 9% 8% 9% Source: Jefferies, Jefferies estimates based on IDC data (IDC Worldwide Identity and Access Management Forecast, 2016-2020, Aug. 2016, US41644516), Gartner Worldwide Information Security Forecast, 2014-2020 (3Q16) Note: We derive our IDC estimates based off of historical IDC market data and IDC forecasted CAGRs through 2019. page 88 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 IDC’s identity and access management segments include: single sign-on, authentication, provisioning, privileged access, and legacy authentication. This segmentation appears more granular than Gartner’s web access management, other identity access management, and identity governance and administration. We will use IDC market estimates going forward as they are both more comprehensive and provide greater granularity. Neither IDC nor Gartner track the market in terms of onpremise versus cloud solutions. While cloud solutions are likely still a small part of the market, we believe that this typically represents new vendors that could become more disruptive to existing vendors with only on-premise solutions. Notably, some of the cloud-based solutions are multitenant offerings, which carry many of the similar benefits to cloud-based applications (such greater ease of deployment, customers on a single version, consistent updates and integrations with third party-services, etc.). Alternatively, some vendors are also developing IAM products that can cater to users with hundreds of thousands or millions of nodes and frequently feature a consumer or customer focus. Such systems enable enterprises to tie all of their customers into the IAM system and manage the customers’ access to various products. The emerging trend for the Internet of Things (IoT) could be a significant catalyst for such solutions. Representative Vendors and Market Share IDC identifies 48 active vendors in the market, in addition to “others”. The market appears to be highly fragmented, with the top-3 vendors holding 30% of the market, and the top-10 holding 66% of the market. The top-3 vendors are IBM (10% share), EMC (10% share), and Oracle (10% share). On the other end of the market “others” control 52% of the market. See Chart 48 for a list of vendors and their respective shares of the market. Notably, some of the cloud based vendors such as Okta and Ping Identity, are not being tracked by IDC, nor are some of the emerging vendors such as ForgeRock. We view this as a glaring omission at this time given the move to more distributed architectures, including Cloud, and the logical placement of such solutions as a Cloudbased service. Additionally, we believe such solutions have gained enough scale to have been included at this time. For comparison purposes, Gartner estimates that Ping Identity and ForgeRock generated $53 million and $50 million in 2015 revenue, respectively. This would give each of these vendors approximately 1% of the market. It also does not track Okta. page 89 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 48: Identity and Access Management Market Share (2015, $5.0B) IBM 10% EMC 10% Oracle 10% Others 52% Gemalto 9% CA Technologies 9% Source: Jefferies, IDC Worldwide Semiannual Software Tracker (2H15) Identity and Access Management What is Identity and Access Management? Identity and Access Management is the security discipline that “enables the right individuals to access the right resources at the right times and for the right reasons”, according to Gartner. It addresses the need to ensure appropriate access to resources across IT systems and to meet compliance requirements. Identity and Access Management encompasses products that enable organizations to manage the identities and entitlements of people and information, and the relationship between them. It is comprised of five segments as defined by IDC: Single sign-on, Authentication, Provisioning, Privileged access, and Legacy authentication. The two biggest segments of this market are single sign-on, followed by authentication. See Chart 49. Chart 49: Identity and Access Management Relative Market Sizes (2015) Privileged Access; 9% Provisioning; 15% Legacy Authentication; 3% Single sign-on; 41% Authentication; 32% Source: Jefferies, IDC Worldwide Identity and Access Management Forecast, 20162020 (Aug. 2016, US41644516) page 90 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Authentication is the process through which a user presents sufficient credentials that are compared to those on file in a data store of authorized users’ information. If the credentials match, the user is allowed access to an application system or to a particular resource. Once users are authenticated, a session is created and referred to during the interaction between the user and application system – until the user logs off or the session is terminated. Typically, authentication is performed by username and password, although other methods are available (e.g. biometrics, etc.). Single sign-on involves centrally managing and maintaining the session of a user so that an already authenticated user need not logon again when accessing another application or service governed by the same authentication framework. Converse to single sign-on, there also exist single sign-off capabilities, so that a user logging off of a system has his access to all systems terminated. With the nature of single sign-on providing access to a multitude of resources once initially authenticated, it increases risk in the case credentials are misused or available to other people. Single sign-on typically requires an increased focus on protecting user credentials. The remaining three segments of provisioning, privileged access, and legacy authentication together account for approximately 26% of the total market. Provisioning covers the process of creating (i.e. provisioning) and of removing (i.e. deprovisioning) identities / accounts of users. Many provisioning systems include the ability to provision / de-provision accounts based on set of rules or job roles, maintain detailed audit information, and feature the ability to incrementally modify an account’s entitlements after creation based on new policies and changes in the business or job. Privileged access management is a subset of identity management that focused on the special requirements of “powerful” accounts with the IT infrastructure of an enterprise (e.g. administrator accounts, accounts with higher permission levels, etc.). Many enterprises use privileged access management systems to help meet compliance requirements and to prevent internal data breaches through the use of privileged accounts. Such systems typically limit the number of users that may access a system with privileged credentials and sometimes impose a time limit. This results in not only active sign in, but also active (rather than passive) “check out” of the access allowed via the privileged account. The passwords can only be used during short periods of time to perform a required action before they have to be checked-in to the privileged access management system again. All use of the passwords is fully logged and monitored. Legacy authentication, as the name implies, includes legacy technologies that were commonly used in mainframe environments. This includes technologies such as RACF (Resource Access Control Facility introduced by IBM in 1976), ACF2 (Access Control Facility 2 introduced in 1978). Evolution of Identity and Access Management When PCs became mainstream, many users did not have any need to authenticate themselves to the system – they could simply boot up and use the system immediately. In business environments, it became important to identify users on computers, primarily to determine accountability in the event of a system being misused. While separate accounts in a business environment could accomplish that, it would be easy for users to use other users’ accounts if they didn’t have to prove their identities (which happened frequently). Thus the need was born for users to provide credentials to prove that they were really the owner of the account they were using. The use of passwords or secret codes clearly predates computers. The use of passwords was a logical and easy way to authenticate computer users. The problems with passwords page 91 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 and PINs are relatively well known – if passwords are short and simple, they are easy to either guess or crack, whereas long and complex passwords are frequently difficult for users to remember. This problem still persists today. The need for improved authentication led to a concept called multi-factor authentication, which involves providing different types of information. The types of information that can be provided / tested are categorized by type:  Type 1: “something you know”, such as a password or personal identification number (PIN)  Type 2: “something you have”, such as an ATM card or smart card  Type 3: “something you are”, such as a fingerprint or retina scan Obviously, the use of more than one type of authentication lends additional credence to the authentication process. Multifactor authentication is frequently used in settings requiring greater security (i.e. private banking, sensitive industries, etc.). Most users of IT systems have a multitude of different identities – different sets of user names and passwords. Users have one set of identities for home computers, one set for work computers, another set for websites, online commerce sites, etc. Similarly in an enterprise environment, users have a need to log onto their individual computers, servers, HCM systems, etc. With so many sets of identities to remember, the risk becomes that users re-use the same passwords for multiple systems in order to remember them. The risk is that once one set of credentials is compromised, all of the users’ accounts are also at risk. One of the ways to alleviate the need for users to remember a multitude of credentials was through single sign-on: such a system would enable users to log on once and gain access to multiple systems. The single sign-on system manages the authentication into the various systems the user requires access to. Such systems are frequently deployed in corporate environments where users only need to log on to the network once to have access to all of the various resources they are entitled to. One of the drawbacks of most identity and access management systems is that they do not have special management or controls for privileged identities (e.g., those of administrators). Illicit use of the identities of these uniquely positioned users could do even more serious harm to an organization. Privileged Identity Management (PIM) systems began to emerge around the year 2000 to combat hackers who frequently attempted to gain access to privileged identities on systems. PIM systems have a different (nearly opposite) set of requirements compared to IAM systems. PIM systems manage access to all systems in a network but have few identities to manage, while IAM systems typically manage a very broad user base with more limited access to network systems. In addition, PIM systems typically manage already existing credentials and control the access to those credentials over short time periods, while IAM systems are designed for the creation (and deletion) of credentials and entitlements. The framework for PIM systems is that an administrator typically checks out the privileged credential, and must document why it is being checked out. All use of the credential is monitored and logged, and if the credential isn’t being used as intended, the PIM system can block its usage or issue alerts. Significant Vendors Gartner publishes a Magic Quadrant for the Identity and Access Management as a Service market (IDaaS). Gartner defines the market as IDaaS vendors primarily delivering a cloudbased service in a multitenant or dedicated and hosted delivery model, which explains the page 92 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 lack of the vendors with primarily on-premise products. The fact that this is the part of the market that Gartner chose to issue a Magic Quadrant on speaks to the increasing relevance and momentum of this market, beyond on premise solutions. See Chart 50. Chart 50: Identity and Access Management as a Service Magic Quadrant Source: Jefferies, Gartner Magic Quadrant for Identity and Access Management as a Service, Worldwide (June 2016) We list some of notable vendors in this space, they include:  Centrify: Centrify offers a web-centric IDaaS, enterprise mobility management, and privileged access management solutions. The IDaaS offering provides web application single sign-on as well as password vaulting.  Microsoft: Microsoft offers its Azure Active Directory Premium solution, which includes Azure Multi-Factor Authentication and Identity Manager. The latter can also we used with customers’ on-premise systems. The company also offers an enterprise mobility suite and rights management product.  Okta: Okta’s offering is delivered in multitenant fashion and features some onpremise components for system connectors. It offers basic identity administration and provisioning, access management for web-architected applications, password vaulting and reporting.  Ping Identity: Ping Identity offers a multitenant web-centric solution, targeted towards large enterprises. The company offers several on-premise bridge components for customers. Ping also supports proxy access to internal web application and APIs for enterprises. page 93 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017  SailPoint: SailPoint offers cloud-based access request and provisioning, access certification, password management, authentication and Single Sign-On. The company’s architecture is multitenant and can deliver services completely in the cloud, and it can be bridged to enterprise environments to support on-premises applications. One of the company’s focuses is on data access governance, enabling the company’s products to be used for audit and breach remediation.  Salesforce: The company offers its Salesforce Identity service as part of its PaaS offering. It also offers an on-premise bridge component. The product is primarily targeted at existing Salesforce users. Identity and Access Management Future / Outlook Summary of Potential Future Outcomes We believe that demand for identity and access management products will remain robust in the future. With enterprise users employing an increasing amount of different systems, the need for systems to manage user identities (rather than requiring users to remember additional sets of credentials) will drive demand in IAM products. The industry is also facing meaningful change as a number of cloud-only IAM vendors have emerged and are successfully offering IAM products for both cloud and on-premise systems. These players could potentially disrupt a number of the on-premise IAM vendors, as they offer a number of the benefits of cloud software over on-premise solutions (e.g. single code base, regularly updated code, easily maintained, etc.). Finally, we expect the need for massively scalable IAM solutions to become more apparent as trends associated with the IoT gather steam. In such systems identities will expand beyond employees to customers and other human participants, and beyond humans to devices and other entities, such as perhaps applications. We recently conducted a survey of IT professional (see our note “Cybersecurity Survey – From the Source” for full survey results), and we asked them as to whether they employed on-premise, cloud, or a combination for their IAM needs. 40% of respondents said they use an on-premise solution, 30% said they use both on-premise and cloud/SaaS, 17% said they use a cloud/SaaS solution, and 13% said they use an on-premise solution but with plans to migrate to cloud/SaaS. See Chart 51. We believe these results point to ample opportunity and demand for cloud/SaaS based IAM solutions. page 94 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 51: Which of the following best represents the type of solution you use for identity and access management? Currently use on-premise, but with plans to migrate to cloud/SaaS 13% A cloud/SaaS solution 17% An on-premise solution 40% Both onpremise and cloud/SaaS 30% Source: Jefferies, n=76 We highlight some potential futures drivers and/or tailwinds to the Security Vulnerability Management market. Chart 52: Potential Headwinds and Tailwinds for the Identity and Access Management Market Potential Tailwinds IAM    Increasing usage of cloud applications could lead to enterprises increasing demand for IAM solutions supporting single sign-on for on-premise and cloud applications Emerging cloud IAM solutions could lead to a transition in the market towards such solutions over on-premise solutions Increasing use of mobile applications could drive greater need for IAM solutions supporting mobility Potential Headwinds    IAM solutions may not be fully integrated with all applications in use with enterprises, thus limiting their use A mix of cloud and on-premise applications can pose challenges or require lengthy integrations for some IAM solutions in the market Potential integration of IAM functionalities into greater cloudbased security platforms, such as cloud-based proxies Source: Jefferies page 95 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Messaging (Email) Security Messaging security, which we estimate is about 95% comprised of email, is about a $2 billion market, with about 70% of spending on software and the remaining 30% on hardware. The market is moving more toward SaaS-based solutions from legacy onpremise systems. Additionally, the market may be supported by more sophisticated attack methods (e.g. phishing and ransomware), the transition to the cloud, and expansion into adjacent markets. While this may be a slow growing market (2% CAGR), we believe some cloud-based vendors can grow at much greater rates given their unique position in the IT fabric and ability to provide other adjacent services beyond messaging security, such as archiving and continuity. Total Addressable Market The market for messaging security is largely dominated by email, which continues to be the primary method of business communications for organizations of all sizes worldwide. However, the broader messaging landscape also includes instant messaging services (e.g. Skype and Lync) and other collaboration software. IDC sizes the 2015 Messaging Security market at about $2.0 billion total, which is comprised of about $1.4 billion of software spending and $599 million in hardware spend. We will focus the majority of this section of the report on email security, given email is by far the majority of the messaging security market, and email continues to be the primary and mission-critical communication workflow for organizations of all sizes worldwide. We recognize that other messaging and collaboration services could present both a risk to email (although we don’t think any time in the near future) and also an opportunity for email security vendors to expand into adjacencies. While IDC identifies little growth in email security, with most organizations employing some level of this functionality, it nevertheless has been a dynamic market with new Cloud based solutions that are more strategically positioned taking share from on premise offerings. IDC forecasts the messaging security software market to grow from $1.4 billion in 2015, at a 2% CAGR, to $1.5 billion in 2019, with the SaaS component of this market growing at a 4% CAGR and the on-premise software market declining at 1%. The hardware market is forecast to grow from $599 million in 2015 at a 2% CAGR to $659 in 2019. See Chart 53. While we recognize that the market is fairly established at this time, we note a number of catalysts that could drive high-than-expected growth for some players:  Increased sophistication of email attacks. The sophistication of attackers has improved recently, with large-scale ransomware and CEO fraud/whaling making headlines, and therefore causing significant reputational and financial damage to the target organizations. With these attacks happening primarily over email, we believe companies will be more conscious of their email security and therefore more willing to spend on this vector.  New protections. Basic functionality, such as spam filtering and basic antiphishing protection is highly penetrated and a saturated market. However, some forms of advanced threat protection and new features are still relatively nascent, offered by a fewer number of vendors, and just starting to be adopted. We think newer forms of protection, such as URL protection, sandboxing, weaponized attachment protection, data loss prevention (DLP), and email encryption, will increase in adoption and therefore drive growth of the overall market.  New methods of communication. As collaboration systems, such as Slack, Sharepoint (Microsoft), and Glip (RingCentral), gain traction within page 96 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 organizations, these will represent new attack vectors and therefore opportunities for security vendors to address organizations’ security needs. We don’t believe that all vendors will address these new communication avenues, but do expect newer innovators (MIME, PFPT) to address them over time.  Transition to the cloud. Organizations continue to move their email servers from on-premise (mostly Microsoft Exchange) to the cloud (mostly Microsoft Office 365). This transition has created new decision points for organizations as they look to secure new email infrastructure, and often seek cloud-based solutions that will seamlessly layer on top of new cloud infrastructure. While this may not drive overall industry growth, we believe it will be a driver of growth for cloud-based and innovative email security vendors, at the expense of market share from legacy incumbents.  Expansion into adjacent markets. Additionally, vendors can expand into market adjacencies, to further integrate email/messaging workflows and enhance compliance and reporting. Email archiving is an obvious adjacency, as email security vendors are already ingesting the email traffic, and can therefore build archive, reporting, and discovery capabilities around this ingestion. Additionally, some vendors offer “continuity” solutions which ensure uptime even when the email vendor (often O365) or server experiences an outage. Again, because the email security vendor is ingesting the traffic, they are able to continue to deliver and receive emails for the customer, even when the email provider is down. As email is often a mission-critical operation for many businesses, and email servers and third party providers such as Microsoft do have periodic outages, this continuity offering can be quite powerful. We note that both Proofpoint and Mimecast currently offer archiving and continuity solutions. Additionally, we expect them and others to continually evaluate market adjacencies for expansion. Chart 53: Email Security Market $, billions 20152011 2012 2013 Software 2014 1.5 Hardware yoy change (%) % of Messaging Security Total Messaging Security yoy change (%) yoy constant currency change (%) 2018E 2019E 2019 1.5 CAGR 1% 1.4 1.4 1.5 1% 1% 2% 2% 70% 0.6 70% 0.7 70% 0.7 70% 0.7 69% 0.7 -2% 4% 3% 3% 4% 32% 0.8 32% 0.8 33% 0.8 33% 0.8 34% 0.8 34% 0.8 40% -6% 38% -2% 37% -1% 36% 0% 36% 0% 35% 0.6 0.6 0.6 0.6 0.6 0.7 28% 2% 30% 2% 30% 3% 30% 2% 30% 2% 31% yoy change (%) yoy change (%) % of Software 2017E 1.4 72% 0.7 % of Software On-Premise Software 2016E -4% yoy change (%) % of Messaging Security SaaS 2015 2.3 2.3 2.2 2.1 2.0 2.0 2.1 2.1 2.2 -100% 1% -5% -7% -3% 1% 2% 2% 2% 3% -4% -8% 3% 1% 2% 2% 2% 4% -1% 2% 2% Source: Jefferies, Jefferies estimates based on IDC data (Worldwide Messaging Security Forecast, 2015–2019: Protecting Against New Threats; IDC Semiannual Software Tracker, 2015H2; IDC WW Security Appliance Tracker, Sept 2015) Note: We assume the Software market was about 70% of the total market in 2015 and will grow at about 1% CAGR through 2019. Within Software, assume the on-premise market was about 55% of the software market in 2015 and will decline at about 1% CAGR through 2019. page 97 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Representative Vendors and Market Share The majority of the market for email security continues to be held by incumbent legacy vendors, though innovators are certainly impacting the market. Many legacy vendors acquired their email security solutions, which have often been “cash cowed” and not developed extensively. Many of them are on-premise solutions, although some have transitioned to single-tenant hosted solutions and/or limited SaaS deployments. Cisco is the market share leader with about 22% share, followed by Symantec with about 17% share. Proofpoint, the third largest market share holder at 17%, has been an innovator in the market, offering advanced threat solutions. We also highlight Mimecast as an innovator, which offers advanced threat protection, and we believe is taking share from incumbents. Mimecast differs from Proofpoint in that it has a global customer base, addresses clients across the size spectrum, and has been built organically from a multitenant cloud architecture. See Charts 54 and 55 for summaries of vendor market share. Chart 54: Email Security Vendor Market Share Chart 55: Secure Email Gateway Market Share, 2015 2015 Rev Mkt ($M) Share Cisco Symantec 312 238 22% 17% Proofpoint Trend Micro 198 96 14% 7% Forcepoint 2% Microsoft Barracuda Intel 91 79 72 6% 6% 5% Sophos 2% Mimecast Sophos 45 30 3% 2% Forcepoint F-Secure 21 16 1% 1% Axway Eset 14 13 1% 1% 9 7 1% 1% 4 154 0% 11% 1,398 100% Vendor Webroot Trustwave Panda Security Other Total Source: Jefferies, Gartner (Market Share, Software Security, Worldwide, 2015) Others 16% Mimecast 3% Intel 5% Barracuda 6% Microsoft 6% Trend Micro 7% Cisco 22% Symantec 17% Proofpoint 14% Source: Jefferies, Gartner (Market Share, Software Security, Worldwide, 2015) Secure Email Gateway What is Secure Email Gateway? Secure Email Gateway (SEG) is a relatively mature market, which provides message transfer agent functions, including inbound filtering of spam, phishing, and malicious emails. Newer functionality includes outbound data loss prevention (DLP) and email encryption. Evolution of Secure Email Gateway Gartner notes that SEG is a relatively mature market, with close to 100% enterprise adoption. While it is a mature market, we believe email continues to be mission critical to virtually every organization worldwide, and therefore email security is a necessity for the overwhelming majority of organizations. Email security is experiencing renewed interest page 98 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 due largely to an increase in targeted phishing attacks. Gartner believes that through 2020, inbound targeted phishing protection, outbound data loss prevention, and encryption will be the most differentiated critical capabilities for buyers. Secure Email Gateway Market Size and Potential Growth IDC sizes the 2015 Messaging Security market at about $2.0 billion total, which is comprised of about $1.4 billion of software spending and $560 million in hardware spend. Gartner sizes the software Secure Email Gateway (SEG) market at about $911 million in 2015. While IDC’s market of Messaging Security may include some functionality outside of email (ie. chat), we believe it is predominantly (about 95%) email. Therefore, these two markets are comparable. Both IDC and Gartner estimate that the market should grow in the low single digits over the next couple years. We think this growth estimate is reasonable given a relatively mature market. However, we also believe that some individual vendors will experience significantly greater growth given a number of positive catalysts – taking share from legacy vendors, growth of cloud deployments and a move away from on-premise solutions, increased demand for APT (advanced persistent threat) solutions, and positive secular drivers including news of high-level phishing schemes. Primary Secure Email Gateway Vendors Cisco is the SEG market share leader, and Gartner ranks the vendor favorably, particularly for on-premise deployments in larger organizations. Symantec is the next-largest market share holder, but according to some industry analysts such as Gartner, the company has suffered from late-to-market entries into advanced threat protection and poor integration across solutions. Proofpoint has been an innovator in the email security space, is a recognized leader, and has sizable market share. Gartner also ranks Microsoft favorably in its Magic Quadrant for Secure Email Gateways, as it benefits from tight integration of its market-leading email services. See Chart 56 for the most recent Gartner Magic Quadrant for Secure Email Gateways. page 99 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 56: Gartner Magic Quadrant for Secure Email Gateways Source: Gartner Magic Quadrant for Secure Email Gateways, June 2015 We’ve further expanded on a number of significant vendors below, which are sorted in alphabetical order.  Cisco. Gartner notes that Cisco remains the market share leader for on-premise solutions for midsized and large enterprises, but that its market share has declined about 5% since 2010. Cisco offers optional targeted attack protection, time-of-click URL proxy filtering, and file sandboxing powered by ThreatGRID. Cisco focuses primarily on the needs of large enterprises, and does not scale down to SMBs and smaller companies.  Intel Security (McAfee). Intel Security is going through an end-of-life process for its email security products. The revenue opportunity from this end-of-life is estimated to be about $70 to $100 million. Intel has recommended customers migrate to Proofpoint. However, we note that other vendors, including Mimecast, are actively pursuing this as an opportunity.  Proofpoint. Proofpoint has been an innovator in the email security space, through both internal development and acquisitions. It provides Targeted Attack Protection (TAP), URL protection, and attachment sandboxing. Beyond email security, Proofpoint offers continuity, archiving, and other functionality. Enterprise Protection is offered through an on-premise appliance, virtual appliance, or hosted service. Proofpoint is most well-suited for larger page 100 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 companies, but less able to address SMBs and the mid-market. The company is focused primarily on the US market, with less market share and mind share outside of the US.  Microsoft. Microsoft benefits from its dominance in the email market, through Exchange and O365. The company has communicated a commitment to continue development of its security offerings, which were recently augmented with the introduction of advanced threat protection, including sandboxing and URL analysis. While the company has made strides in its security feature set and development, Gartner notes that reference customer satisfaction with spam detection rates remains low, and we understand that advanced threat protection features remain less sophisticated than innovative peers (ie. Proofpoint, Mimecast). Additionally, we note that most companies except for the smallest and least sophisticated will likely seek to diversify their protection and reduce single-vendor dependence, by deploying a third party security vendor to protect email provided by Microsoft products (exchange server or as part of Office 365).  Mimecast. Mimecast has been an innovator in the email security space, offering URL filtering, weaponized attachment protection, and CEO fraud/whaling protection. Beyond security, the company offers archiving and continuity, all integrated in a highly scalable multi-tenant cloud architecture, which has been developed organically. The company is noted for having a strong user experience and tightly integrated system. While the company has a global client base, across all sizes of organizations, it still has relatively low market share in a somewhat crowded market.  Symantec. Symantec is one of the largest SEG vendors by market share. The company has improved its cloud offerings, adding phishing identification and DLP for O365. While it has a large market share, Gartner notes that Symantec rarely appears on large enterprise shortlists, and instead benefits from bundled deals. Additionally, the email security solutions suffer from little integration, and Symantec has been late to market on some advanced threat protection features such as URL filtering and virtual sandboxing. However, we note that Blue Coat offers an advanced threat protection solution within email, called Mail Threat Defense, which was launched in April 2015. Symantec plans to subsume Blue Coat’s email security functionality into its solutions, which should enhance its advanced threat protection. While we believe this integration should improve Symantec’s position in the market, it will take time and will need to be seamlessly integrated in order to directly compete with innovative solutions (such as those from Proofpoint and Mimecast). Historical Perspective Past Email is certainly not a new technology, with the first emails sent around 1965 as little more than a means of copying a file from one user’s directory to another. In 1971, the first network email message was sent. Over the course of the 1970s, the Internet rose as the primary email network and many more message transfer agents (MTAs) were developed in attempt to improve internal email transmission protocols and processes. Spam, or unwanted email, has been traced back to the 1970s, but became more widespread in the 1990s. Earlier forms of email security were originated to filter spam. Today’s systems have become much more sophisticated and more mission critical, not just preventing the annoyance of spam emails, but also protecting the organization and its assets. page 101 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Present The email security market is sometimes considered as a relatively mature and saturated market, in that most enterprises currently employ a solution, resulting in modest market growth. However, it has recently received renewed interest due largely to an increase in targeted phishing attacks. The vendors that have benefited from this trend have been those that offer URL link protection and attachment sandboxing. Many corporations, generally starting with smaller organizations, are transitioning from on-premise solution to cloud deployments (largely Microsoft Exchange to Office 365). The transition has created a decision point in the organization to ensure protection. While some organizations might just utilize MSFT included security functionality, we believe the majority are choosing to protect with a third party vendor. Future / Outlook We believe that email will continue to be the predominate method of corporate communications. Therefore, email will continue to be a primary attack vector, and attacks are expected to increase in sophistication. Furthermore, new messaging and collaboration platforms could be potential new attack vectors, and therefore provide opportunities for email security vendors to expand their scope of protection. While the email security market is largely penetrated with little aggregate growth, we believe many organizations will have to invest in newer methods of protection as new threats emerge and the stakes are higher than ever (potential monetary and reputational loss). While email security may be considered a mature market, we believe there are a number of catalysts to drive the market, including an increasingly sophisticated threat environment, new technologies to combat these threats, and a transition to cloud deployments. We believe our proprietary survey of 76 CIOs/CISOs is confirmation of an increasingly sophisticated threat landscape within email. When asked which attack vector they felt was the most vulnerable today, the most popular response (with 32%) was social engineering, and the third-most-popular response (with 13%) was email. Social engineering involves manipulating people into releasing valuable information or other assets. Given that social engineering often (but not always) happens through email in phishing campaigns and ransomware, we find it interesting that both social engineering and email were selected as top-three vulnerable vectors. This observation reinforces the need for advanced email security, which can protect against things like phishing, whaling (large scale phishing), and ransomware. See the results of this question in Chart 57, and see our full survey results and analysis in our note, “Cybersecurity Survey – From the Source”. page 102 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 57: Of the following, which cybersecurity attack vector do you feel is the most vulnerable today? Internet 8% Network 9% Social engineering 32% Insider attacks 10% Mobile devices 12% Email 13% Endpoint 16% Source: Jefferies; n=76 See Chart 58 for a comprehensive list of potential tailwinds and headwinds for the space, in our view. Chart 58: Potential Headwinds and Tailwinds for the Messaging Security Market Potential Tailwinds Potential Headwinds       New attack methods (ie. Ransomware, CEO fraud/whaling) New technology (URL filtering, sandboxing, DLP) adoption, with expected innovation to come Increasing monetary and reputational risk Migration to cloud/O365 is a catalyst for security decision making Transition from on-premise to cloud deployments is a catalyst for SaaS vendors    A saturated and mature aggregate market New messaging platforms could reduce importance of email Further bundling of security features in O365 could benefit MSFT at the detriment of other vendors Transition from on-premise to cloud deployments is a headwind for on-premise vendors Source: Jefferies page 103 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Key Competitive Categories We also consider key competitive categories within IT security, which we define as products containing technologies and features that span several functional markets. They are frequently designed to at addressing specific enterprise security concerns and are not easily “binned” into single categories. Key competitive categories include:  Specialized Threat Analysis and Protection (STAP): This market contains products that help protect enterprises from more modern and evolving security breaches that are not typically detected by traditional technologies that use signature based detection rules. STAP overlaps the endpoint, messaging, network, security and vulnerability management, and Web functional markets and combines features of security information and event management (SIEM), firewall, and endpoint security. STAP products use a variety of non-signaturebased protection methods including, but not limited to, sandboxing, behavioral analysis, file integrity monitoring, telemetric heuristics, containerization, netflow analysis, and threat intelligence.  Threat Intelligence and Security Services (TISS): Threat intelligence is evidence-based knowledge about existing or emerging menaces or hazards to organizational assets, made up of a collection of technologies, including predictive security, advanced threat defense, real-time threat management, situational risk awareness, and advanced SIEM.  Data Loss Protection (DLP): Data loss protection is aimed at identifying sensitive data within an organization and preventing against the risk of intentional or inadvertent leaks of sensitive data to unauthorized channels. It is projected to be the slowest growing category by IDC, which is surprising given the air-time it is given by vendors. Products span the network, endpoint, web, and messaging security functional markets. They include technologies that inspect and analyze data at rest (stored in on-premise servers or cloud storage, endpoints, and removable media), data in motion over a network, or data in use on an endpoint device. Some data loss protection products include endpoint encryption and secure message encryption features.  Mobile Security: Mobile security products are designed to provide security specifically for devices within mobile environments, including smartphones, tablets, and other devices with mobile operating systems.  Distributed Denial of Service (DDoS) Protection: The Distributed Denial of Service (DDoS) defense market includes solutions that detect and mitigate (distributed) denial-of-service attacks. While DDoS defense features frequently exist in firewalls, IPSs, and other network security products, this market only captures products that are dedicated towards DDoS defense. Products in this market exist in on-premise appliance fashion or in cloud formats (or hybrids). These categories overlap with and represent subsets of the functional markets defined by IDC. For example, data loss protection (DLP) addresses the leaking of an organization’s sensitive information to outside channels. Meanwhile mobile security encompasses the various functional products that ensure protection of mobile devices. See Chart 59 below for market sizes for standalone products within key competitive categories. page 104 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 59: Security Products Markets—Key Competitive Categories in billions of $ '15-'19 CAGR 3.1 19.6% Competitive Market 2014 2015 2016E 2017E 2018E Specialized Threat Analysis and Protection (STAP) yoy change (%) yoy change (CC, %) Boundary Endpoint Internal Network Analysis 0.9 -100% -98% 0.7 0.1 0.1 1.5 2.1 2.5 2.9 65% 1.1 0.2 0.2 36% 1.4 0.4 0.3 19% 1.7 0.5 0.3 14% 1.8 0.6 0.4 10% 2.0 0.7 0.4 15.6% 35.5% 20.1% Threat Intelligence Security Services (TISS) * yoy change (%) yoy change (CC, %) Consulting Managed security services Data feeds and publications 0.9 -100% 1.0 14% 22% 0.2 0.5 0.3 1.2 1.3 1.5 1.6 11.5% 13% 0.3 0.6 0.3 11% 0.3 0.7 0.3 11% 0.4 0.7 0.4 11% 0.4 0.8 0.4 12.5% 10.7% 12.1% Mobile Security yoy change (%) yoy change (CC, %) Mobile Security and Vulnerability Management Mobile Identity and Access Management Mobile Gateway Access and Protection Mobile Information Protection and Control Mobile Threat Management Other Mobile Security 1.5 -100% 2.1 2.4 2.7 3.0 14.1% 19% 0.8 0.4 0.4 0.3 0.2 0.0 15% 0.9 0.5 0.4 0.3 0.3 0.0 12% 1.1 0.5 0.4 0.4 0.3 0.0 10% 1.2 0.6 0.5 0.4 0.3 0.0 18.6% 14.9% 9.6% 13.6% 6.9% 2.4% Data Loss Prevention (DLP) yoy change (%) yoy change (CC, %) Network Endpoint Discovery/datacenter 0.7 -100% 0.8 8% 16% 0.3 0.2 0.3 0.9 0.9 1.0 1.1 8.2% 9% 0.3 0.3 0.3 8% 0.4 0.3 0.3 8% 0.4 0.4 0.3 7% 0.4 0.4 0.3 4.7% 17.1% 3.6% Distributed Denial of Service (DDoS) Prevention yoy change (%) yoy change (CC, %) Products Services 0.6 -100% 0.6 15% 23% 0.3 0.3 0.7 0.8 0.9 1.0 11.8% 14% 0.4 0.4 12% 0.4 0.4 11% 0.4 0.5 10% 0.5 0.5 10.7% 12.9% 5.8 6.9 8.0 8.9 9.8 14.2% 20% 15% 12% 10% 0.2 0.5 0.2 0.5 0.3 0.3 0.2 0.2 0.0 0.3 0.2 0.2 Total 0.3 0.3 4.6 1.8 21% 29% 0.6 0.3 0.3 0.3 0.2 0.0 yoy change (%) 26% yoy change (CC, %) 33% 2019E * Threat Intelligence Security Services (TISS) represent services revenues, and not products. Specialized Threat Analysis and Prevention (STAP) products are related to and often driven by the TISS competitive market, so we include it as related revenue. IDC’s market forecast for TISS is separate and independent of the product forecast. Source: Jefferies estimates based on IDC data (IDC Worldwide Specialized Threat Analysis and Protection Forecast, 2015–2019, May 2015; IDC Worldwide Threat Intelligence Security Services Forecast, 2016–2020, March 2016; IDC Worldwide Mobile Enterprise Security Software Forecast, 2016–2020, April 2016; IDC Worldwide Data Loss Prevention Forecast, 2016–2020, March 2016; IDC Worldwide DDoS Prevention Products and Services Forecast, 2016–2020, August 2016) Note: For constant currency derivation, applied the total IT security software constant currency estimates in order to derive constant currency estimates for the competitive categories. page 105 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Appendix A – History of IT Malware This statement is loaded with meaning: Companies, Boards of Directors, management teams, CIOs, and CISOs all must live in fear of being the target of a determined, persistent IT security attack. And at the same time, these same actors only have to look at the economic and reputational harm done to retailer Target and realize the risks they face in the new world of cybersecurity. We see a series of rapidly changing landscapes across the world of security, ranging from changes in attack vectors, actors, and consequences; to changes in security technologies and philosophies; to a dynamic marketplace that has seen hyper-growth from newer companies alongside healthy and profitable growth from some incumbents. The first computer virus, Creeper, was limited to its native TENEX operating system. Given the lack of widespread internet connectivity in 1971 (ARPANET, one of the earliest packet switched networks and an precursor to today’s Internet, was only introduced in 1969) and its relatively low impact, most industry analysts regard Elk Cloner or Brain as the first computer virus. Teenager Richard Skrenta wrote Elk Cloner as a prank to contaminate his friends’ pirated video games. Elk Cloner was first spotted “in the wild” in 1981, when it targeted Apple II PCs by embedding code into the OS that would then infect unsuspecting users’ floppy disks. Brain was the first virus to target the IBM PC operating system; ironically, Brain was aimed at reining in software piracy rather than spreading malware. Brain was developed in 1986 by Basit and Amjid Farooq Alvi, who were the founders of medical software company Brain Computer Services. The goal was for Brain Computer Services to track pirated companies. The Alvi brothers developed and embedded code that corrupted the boot sector of pirated floppy disks. Users of pirated software were presented with a message providing the Alvi brothers’ contact information and a warning that the user should contact them for the vaccination for the “VIRUS”. Brain spread wide and far, infecting PCs at the University of Delaware and a newspaper in New England. These early viruses were followed by worms (which differ from viruses in that worms replicate themselves, do not require a host, and require activation), Trojan horses (not self-replicating and require activation), and Bots (often used denial of service attacks and then exfiltration of data through communication with an external Command & Control server). Although we are sure that early virus victims saw the attacks as anything but innocuous, the damage from malware and cyber-attacks was fairly minimal (and were not mainstream issues) until 1999 with the launch of the Melissa virus in March of that year. The Melissa virus was released “into the wild” by David L. Smith, then a 34-year old living in Aberdeen, NJ. Victims received an email with a Microsoft Word document attached and a “Here is that document you asked for…don’t show anyone else ;-)”. A macro containing the virus was embedded in the document and was executed upon opening. Melissa then changed the security settings without the user’s knowledge, changed the PC’s registry and the Normal.dot Word document template so it could further propagate itself. While there had been other viruses before, Melissa was notable due to speed and breadth with which it spread (by some accounts affecting 20% of the global PC installed base), the actions taken by infected companies (Microsoft, Intel, and Lucent reportedly were forced to disconnect from the Internet), and perhaps most importantly, for setting the precedent for cybercrime and assessment of economic damages. David L. Smith was arrested and sentenced to 20 months in federal prison and fined $5,000. The US Attorney for the Department of Justice (Chris Christie, now governor of page 106 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 New Jersey) cited $80 million in damage from “disrupting personal computers and computer networks in business and government”. These early viruses were followed by a seemingly endless stream of malware: ILoveYou (2000), an email based virus that is widely regarding as causing billions of dollars in damages; Slammer (2003), commonly cited as the one of the first denial of service attacks as it caused routers to crash due to buffer overflow from bogus packets; Sasser (2004), which exploited Microsoft’s monthly patch program and caused widespread disruption including the cancellation of commercial air flights and the temporary closure of two European financial institutions, among others; and dozens of other viruses, Trojans, and assorted malware. While all malware was damaging to some degree, the Stuxnet virus marked a tectonic shift. Stuxnet is extraordinary on several levels. It is widely regarded as one of the most complex pieces of malware ever seen, with multiple modules that segregated the attack payload (i.e. the virus itself), the execution of the payload file and propagation of additional copies, and a set of code that masked its presence. It was delivered via an infected USB memory stick (similar in delivery method to the Elk Cloner virus). More importantly, although Stuxnet targeted Windows-based PCs, its ultimate target was industrial equipment running Siemens Step 7 software. We believe Stuxnet was the first piece of malware to expressly target non-IT equipment and is widely blamed for critically damaging a significant portion of Iran’s nuclear centrifuges. Lastly, ownership of Stuxnet has never been definitively established, but it is widely viewed as a government-crafted piece of malware, marking the dawn of state-sponsored cyber warfare. More than 30 years have passed From Elk Cloner and Brain to Stuxnet. The motivations of hackers have evolved from “script-kiddies” pranking their friends, to organized cyber criminals stealing personal data, to nation-states engaging in cyber warfare. In conjunction, attack surfaces have increased with the proliferation of PCs, tablets, smartphones, and connected devices in an increasingly interconnected world that every year sees more value created and stored online. The rise of cloud services, SaaS, and hyperscale data centers is changing network and software architectures, creating new challenges for traditional security models. From Skrenta and the Alvi brothers to cyber-warfare, security has grown into a $71 billion market ($34 billion in products and $37 billion in services) and has evolved from an ITdepartment problem to a Board of Directors level focus item and national security issue. page 107 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Appendix B – OSI Model Networking systems can be described by a conceptual model, which partitions the network into several abstract layers, whereby different protocols are layered onto each other. There exist several different conceptual models; the two most important ones are the Internet’s original Department of Defense Four-Layer Model and the internationally standardized Open Systems Interconnections (OSI) model. Chart 60: OSI Model Layer 7 Application 6 Presentation 5 Session 4 Transport 3 Network 2 Data Link 1 Physical Function End User Layer Program Syntax Layer Encrypt/decrypt (if needed), encode/decode, etc. Example HTTP, FTP HTML, JPEG Sync & Send to Ports SQL, SSL TCP TCP, UDP Logical ports Host to host, flow control Packets “Letter”, contains IP address Frames “Envelopes”, MAC address, etc. Physical Structure Physical medium transmission – bits, Volts, etc. IP, IPsec Ethernet, MPLS DOCSIS, DSL Source: Jefferies The OSI model has seven layers, with each layer building upon the other layers beneath it. Layer 1 is the lowest layer upon which the other layers build. Layer 1 (Physical Layer) defines the electrical and physical specifications of the data connection, along with the relationship between a device and a physical transmission medium. This includes pins, voltages, signal timing, etc. Layer 2 (Data Link Layer) is the layer across which data is transferred. It provides the means to transfer data between network entities and is concerned with the delivery of “frames” between devices on a network with unique hardware addresses. Layer 2 is typically used on local networks and defines the connection between two networked devices. Layer 3 (Network Layer) is responsible for forwarding packets of data, including routing them through intermediate routers. In contrast, Layer 2 is responsible for flow control and error checking. The Network Layer represents the means of transferring variable lengths of data from a source to a destination via one or more networks. For example, the assignment of IP addresses to devices occurs at Layer 3. Layer 4 (Transport Layer) provides for host-to-host communication services for applications. It provides services such as a data stream support, reliability, flow control, and multiplexing. This layer is responsible for delivery of data to the appropriate page 108 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 applications on the host computers. Of the widely used TCP/IP model, Layer 4 represents TCP and Layer 3 represents IP. Layer 5 (Session Layer) provides the mechanism for opening and closing sessions between applications. Sessions consist of requests and responses between applications. For example, if a connection is not use for a long period of time, the session-layer protocol can close and re-open it. Layer 6 (Presentation Layer) serves as the “data translator” for the network. It is responsible for delivering and formatting information to the application layer. This layer is also typically responsible for encryption/decryption. For example, encoding images in the JPEG standard is a Layer 6 activity. Layer 7 (Application Layer) is defined as the user interface responsible for displaying received information to the user. Specifically, a web browser or email client is not represented at this layer. Instead the HTTP service used to open web pages or the protocols used by an email client to send and receive email are part of Layer 7. While not part of the standardized OSI model, some industry experts have called for a Layer 8 which would refer to a “user” or “political layer”. Alternatively, it has also been broken down into Layers 8, 9, and 10, referring to individuals, organizations, and governments respectively. page 109 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Appendix C – Public Company Profiles Chart 61: Barracuda Networks Company Facts Ticker: CUDA Founded: 2003 Headquarters: Campbell, CA Website: https://www.barracuda.com/ Employees: 1500 Key Statistics (as of 01/13/2017) Stock Price: $24.21 Market Cap ($M): $1,266 Enterprise Value ($M): $1,076 LTM Revenue: $347M LTM OCF: $63M EV/LTM Revenue: 3.1x Revenue Mix Applia nce 25% Subscri ption 75% Company Description Barracuda Networks offers products for security, data protection, and application delivery. Its security products address network security, web security, web application security, and email security. Key Products / Services Barracuda Networks offers the following security products:  Network security: The company offers its NextGen Firewalls, which are designed to secure networks and improve traffic flow. The firewalls offer application visibility and awareness of user identities to enable access policies for specific users. The products integrate firewalls, intrusion prevention, virtual private networking (VPN), application control, with the option of advanced threat detection.  Web security: Barracuda Networks offers the Web Security Gateway, which enables web filtering policies and protection from web based threats. The company also offers a Web Security Service, which is a cloud-based web security and policy enforcement system.  Web application security: The company offers a Web Application Firewall, which protects applications and websites from breaches by intercepting application-layer attacks. The company also offers its Vulnerability Manager, which is a cloud-based vulnerability scanner that detects vulnerabilities in applications and websites.  Email security: The Email Security product includes spam and virus blocking, anti-phishing, fraud detection, advanced threat detection, denial-of-service prevention, email continuity, encryption and policy management functionality. The company also offers Email Security Service, which is designed for customers with cloud-based email services. Email Security Gateway is available as a physical or virtual appliance for customers requiring an email security gateway on-premise or in the cloud.  Application delivery controllers: Barracuda Networks offers its Load Balancer ADC that optimizes application performance, availability, and security. The service is available as a physical or virtual appliance, or on Microsoft Azure. Key Executives President & CEO: BJ Jenkins CFO: Dustin Griggs Co-Founder, EVP & CMO: Michael Perone Co-Founder, EVP & CTO: Zachary Levow Recent Stock Price Performance (as of 01/13/2017) $30.00 $25.00 $20.00 $15.00 $10.00 $5.00 $0.00 Source: Jefferies, company data, FactSet page 110 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 62: CA Technologies Company Facts Ticker: CA Founded: 1976 Headquarters: New York, NY Website: http://www.ca.com Employees: 11,500 Key Statistics (as of 01/13/2017) Stock Price: $33.09 Market Cap ($M): $13,814 Enterprise Value ($M): $13,310 LTM Revenue: $4.06B LTM OCF: $906M EV/LTM Revenue: 3.3x Revenue Mix Software Fees 11% Pro. Serv. 8% Subscr. & Maint. 81% Company Description CA Technologies provides software solutions enabling customers to plan, develop, manage and secure applications and enterprise environments across distributed, cloud, mobile and mainframe platforms. Key Products / Services As part of its security offerings, CA offers an identity-centric set of products:  Privileged Access Management (PAM): CA acquired Xceedium in F2016, which enabled CA to expand its PAM solutions that enable customers to control and monitor privileged user access and activity.  Identify Management: CA offers a unified solution of user provisioning, user management, and governance for identities throughout their lifecycle.  Advanced Authentication: CA offers risk-based and credential-based authentication enabling customers to comply with regulatory mandates in authenticating employees, partners, and consumers.  Single Sign-On (SSO): CA provides secure single sign-on and flexible access management to web applications on-premise or in the cloud.  Payment Security: CA offers a SaaS-based payment card enrolment and authentication service to help banks protect against fraud. Key Executives CEO: Mike Gregoire Corporate Controller & Interim CFO: Kieran McGrath President & Chief Product Officer: Ayman Sayed EVP & CTO: Otto Berkes EVP & CMO: Lauren Flaherty Recent Stock Price Performance (as of 01/13/2017) $40.00 $35.00 $30.00 $25.00 $20.00 $15.00 $10.00 $5.00 $0.00 Source: Jefferies, company data, FactSet page 111 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 63: Check Point Software Technologies Company Facts Key Statistics (as of 01/13/2017) Ticker: CHKP Stock Price: $90.71 Founded: 1993 Market Cap ($M): $15,600 Headquarters: Tel Aviv, Israel Enterprise Value ($M): $14,369 Website: https://www.checkpoint.com/ LTM Revenue: $1.7B Employees: 3400 LTM OCF: $1.0B EV/LTM Revenue: 8.4x Revenue Mix Product 33% Mainten ance 45% Subscr. 22% Company Description Check Point defines its mission as securing the Internet. Check Point offers a wide range of products and services for IT security. The company offers an extensive portfolio of network security, endpoint security, data security and management solutions. Solutions operate under a unified security architecture that enables end-to-end security with a single line of unified security gateways, and allows a single agent for all endpoint security that can be managed from a single unified management console. Key Products / Services Key products for the company include:  Next Generation Firewalls: Check Point offers firewalls for customers of all sizes (from data centers and enterprises to SMBs to consumer products). The company also offers its appliances in virtual form for cloud deployments.  Next Generation Threat Prevention: The company offers a number of threat prevention products including Sandblast (a sandboxing product), threat prevention appliances and software, threat intelligence services, web security solutions, and DDoS protection products.  Security Management: Check Point offers a number of management solutions, including policy management products, operations and workflow management products, and monitoring and analysis products.  Mobile Security: As part of its mobile security offering, Check Point offers mobile threat prevention and mobile document protection products.  Endpoint Security: Check Point Endpoint Security combines data security, network security, threat prevention technologies and remote access VPN into one package for complete Windows and Mac OS X protection. It includes full disk encryption, media encryption, Capsule Docs, remote access VPN, policy management, and forensics products. Key Executives Founder and CEO: Gil Shwed President: Amnon Bar-Lev CFO & COO: Tal Payne Recent Stock Price Performance (as of 01/13/2017) $100.00 $80.00 $60.00 $40.00 $20.00 $0.00 Source: Jefferies, company data, FactSet page 112 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 64: Cisco Systems Company Facts Ticker: CSCO Founded: 1984 Headquarters: San Jose, CA Website: https://www.cisco.com Employees: 73,700 Key Statistics (as of 01/13/2017) Stock Price: $30.07 Market Cap ($M): $150,794 Enterprise Value ($M): $114,622 LTM Revenue: $48.9B LTM OCF: $13.5B EV/LTM Revenue: 2.3x Revenue Mix Security (HW) 2% Security (SW) 2% Other 96% Company Description Cisco is one of the largest vendors of networking hardware in the world. It designs and sells broad lines of products that it categorizes as Switching, Next-Generation Network (NGN) Routing, Collaboration, Data Center, Wireless, Service Provider Video, Security, and Other Products. Security products span endpoint, the network, and the cloud. Key Products / Services Cisco offers the following security products:  Network: Cisco offers next-generation firewalls (NGFWs) which combine its Firepower IPS and ASA firewall products into one. It also offers its Firepower IPSs and ASA firewalls on a standalone basis.  Data center security: Cisco offers an SSL inspection appliance, which enables the inspection of encrypted traffic. It also offers integrated security solutions in some of its router products (such as the Integrated Service Routers, the ASR 1000 Series Aggregation Services Routers, and the 1000v Series Cloud Services Routers).  Advanced threat protection: Cisco offers a sandboxing and threat intelligence service, Advanced Malware Protection (AMP). AMP is available for endpoints, for network appliances, or for email and web security appliances.  Web and email security: Cisco offers a cloud-based email security solution, on-premise email security appliances, web security appliances, a cloud based web security service, and a Domain Name System (DNS) service.  Access and policy: The company offers identity management solutions, access control systems, and mobile device management systems.  Unified threat management: Cisco offers a number of integrated cloud managed security appliances targeted at SMBs or at branch locations. The appliances feature integrated firewalls, intrusion prevention, VPN capabilities, content filtering, antimalware/anti-phishing capabilities, and high-availability modes.  Advisory, integration, and managed services: Cisco offers managed security services, where the company can manage clients’ security products or host their security products for them. Key Executives CEO: Chuck Robbins CFO: Kelly A. Kramer CTO & SVP Cloud Platforms: Zorawar Biri Singh SVP & Chief Strategy Officer: Hilton Romanski SVP & CMO: Karen Walker Recent Stock Price Performance (as of 01/13/2017) $35.00 $30.00 $25.00 $20.00 $15.00 $10.00 $5.00 $0.00 Source: Jefferies, company data, FactSet page 113 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 65: CyberArk Company Facts Ticker: CYBR Founded: 1999 Headquarters: Petach-Tikva, Israel Website: http://www.cyberark.com/ Employees: 644 Key Statistics (as of 01/13/2017) Stock Price: $52.21 Market Cap ($M): $1,705 Enterprise Value ($M): $1,469 LTM Revenue: $204M LTM OCF: $55M EV/LTM Revenue: 7.2x Revenue Mix Maint. & PS 39% License 61% Company Description CyberArk’s solutions help enterprises prevent attack escalations and meet compliance and audit requirements. The company has more than 45% of the Fortune 100 and 20% of the Global 2000 as customers. Key Products / Services The company offers a Privileged Account Security Solution that enables customers to secure, manage, and monitor privileged account access and activities. It is built on top of the company’s share technology platform. Products consists of:  Enterprise Password Vault: The product provides customers with a tool to manage and protect privileged accounts across an organization, including physical, virtual, or cloud assets.  SSH Key Manager: SSH Key Manager securely stores, rotates, and controls access to SSH keys to prevent unauthorized access to privileged accounts.  Privileged Session Manager: This product protects IT assets, including servers, applications, databases, and hypervisors from malware and provides command-level monitoring and recording of all privileged activity.  Privileged Threat Analytics: This product allows organizations to detect, alert, and respond to anomalous privileged activity while attacks are in progress. It utilizes proprietary algorithms to profile and analyze individual user behavior and creates alerts when abnormal activity is detected.  Application Identity Manager: This product allows for secure, programmatic retrieval of needed credentials only at run-time and based on master policy control and monitoring. This eliminates the need for storing credentials in applications, scripts, or configuration files.  Viewfinity: CyberArk added this product to its portfolio through its acquisition of Viewfinity in 2015. The product removes local administrative privileges for business users, granularly controls IT administrator privileges on Windows Servers based on role, and can elevate privileges when necessary and authorized.  On-Demand Privileges Manager: This product allows customers to limit the breadth of Unix and Linux administrative accounts and can granularly restrict them from performing certain commands and functions. Key Executives Founder, Chairman & CEO: Udi Mokady CFO: Josh Siegel General Manager, EMEA and Asia Pacific & Japan: Chen Bitan CMO: John Worrall Recent Stock Price Performance (as of 01/13/2017) $70.00 $60.00 $50.00 $40.00 $30.00 $20.00 $10.00 $0.00 Source: Jefferies, company data, FactSet page 114 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 66: F5 Networks Company Facts Ticker: FFIV Founded: 1996 Headquarters: Seattle, WA Website: https://f5.com/ Employees: 4200 Key Statistics (as of 01/13/2017) Stock Price: $143.37 Market Cap ($M): $9,340 Enterprise Value ($M): $8,457 LTM Revenue: $2.0B LTM OCF: $711M EV/LTM Revenue: 4.2x Revenue Mix Services 53% Products 47% Company Description F5 Networks provides software-defined application services designed to ensure that applications delivered over IP networks are secured and available to users. The company’s core technology is a full-proxy, programmable, and scalable software platform. Key Products / Services The company offers the following security-related software modules and virtual product editions:  BIG-IP DNS: The DNS service directs users to the closest of best-performing physical, virtual, or cloud environment in order to improve performance and availability of applications.  Advanced Firewall Manager (AFM): AFM is a high-performance firewall designed to ensure that traffic isn’t interrupted under attack. It scales to support millions of concurrent operations per second and utilizes filtering, blacklisting, and built-in threat vectors to identify and mitigate DDoS attacks.  Application Security Manager (ASM): ASM is a web application firewall that provides protection against both generalized and targeted attacks. It combines a positive security model with signature based detection and is designed to prevent zero-day attacks.  Access Policy Manager (APM): APM provides secure, granular, context-aware access to networks and applications while simplifying authentication, authorization, and accounting (AAA) management. The endpoint security service validates client devices, including personal devices used by employees to access corporate applications and data. The company also offers the following security-related subscription services:  Silverline: Silverline is a SaaS platform that allows customers to subscribe to application services running on F5’s hardware in cloud-based points of presence around the globe. Two services are currently available on Silverline: DDoS protection and Web Application Firewall (WAF).  WebSafe and MobileSafe: WebSafe and MobileSafe are software modules that inject code into traffic between a large enterprise and its online customers or clients. The code is transparently downloaded onto the client device and provides real-time protection against malware, phishing, and other cyberthreats, including fraud.  Secure Web Gateway (SWG): The SWG service is part of APM that protects enterprises against both inbound and outbound malware. It integrates with cloud-based threat intelligence provided by Websense.  IP Intelligence: IP Intelligence uses contextual awareness and analysis of traffic and constantly refreshed data from a global threat-sensor network to block threats from a dynamic set of high-risk IP addresses. Key Executives President & CEO: John McAdam EVP & CFO: Andy Reinland EVP & COO: Edward J. Eames EVP & CMO: Ben Gibson EVP of Product & CTO: Ryan Kearny Recent Stock Price Performance (as of 01/13/2017) $160.00 $140.00 $120.00 $100.00 $80.00 $60.00 $40.00 $20.00 $0.00 Source: Jefferies, company data, FactSet page 115 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 67: FireEye Company Facts Ticker: FEYE Founded: 2004 Headquarters: Milpitas, CA Website: https://www.fireeye.com Employees: 3200 Key Statistics (as of 01/13/2017) Stock Price: $13.44 Market Cap ($M): $2,214 Enterprise Value ($M): $2,021 LTM Revenue: $714M LTM OCF: ($12M) EV/LTM Revenue: 2.8x Revenue Mix Pro. Serv. 17% Product 26% Maint. 16% Subscr. 41% Company Description FireEye provides cybersecurity solutions for detecting, preventing, analysing, and resolving cyber-attacks. Its solutions combine virtual-machine technology, threat intelligence, and security expertise in a suite of products and services that reduces customers’ exposure to attacks by enabling accurate detection and rapid response. Key Products / Services FireEye offers the following products:  Threat Prevention Platform: The Threat Prevention Platform includes network threat prevention (NX series), email threat prevention (EX series and ETP), endpoint threat prevention (HX series), file content security (FX series), and mobile threat prevention (MX series) products.  Security Management Products: Security Management includes the Central Management System, which enables unified reporting, configuration, threat intelligence sharing, and management of products from the Threat Prevention Platform.  Security Analysis Products: Security Analysts Products include the Threat Analytics Platform (TAP), which is a cloud-based platform that enables security teams to identify and respond to cyber threats, and the Malware Analysis System (AX series), which provides a secure environment to test, replay, characterize, and document malicious activities.  Security Forensics Products: Security Forensics Products include the Network Forensics Platform (PX series), which capture and index packets at high speed to allow the investigation and resolution of security incidents, the Investigation Analysis System (AI series), which provides a centralized analytics interface to the PX series products, and the Mandiant Intelligent Response (MIR) endpoint forensics product, which enables the remote investigation of endpoints.  Product Subscriptions: FireEye provides a number of threat intelligence subscriptions, including the Dynamics Threat Intelligence Cloud (DTI), Advanced Threat Intelligence (ATI), Advanced Threat Intelligence Plus (ATI+), Email Threat Prevention Attachment/URL Engine, Email Threat Prevention Cloud (ETP), and the Mobile Threat Prevention (MTP).  Security-as-a-Service Offerings: This offering encompasses the company’s FireEye-as-a-Service offering, which includes the Network Security Platform and Endpoint Security Platform, both managed by FireEye’s security experts through its worldwide operations centers.  Customer Support and Consulting Services: These offerings include incident response, compromise assessments, and related consulting services, as well as training and professional services, and customer support and maintenance services. Key Executives CEO: Kevin Mandia President: Travis Reese SVP, CFO & COO: Michael Berry SVP & CTO: Grady Summers SVP & CMO: Kara Wilson Recent Stock Price Performance (as of 01/13/2017) $20.00 $15.00 $10.00 $5.00 $0.00 Source: Jefferies, company data, FactSet page 116 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 68: Fortinet Company Facts Ticker: FTNT Founded: 2000 Headquarters: Sunnyvale, CA Website: https://www.fortinet.com Employees: 4020 Key Statistics (as of 01/13/2017) Stock Price: $32.29 Market Cap ($M): $5,511 Enterprise Value ($M): $4,481 LTM Revenue: $1.2B LTM OCF: $313M EV/LTM Revenue: 3.7x Revenue Mix Service 56% Product 44% Company Description Fortinet provides high performance cybersecurity solutions to a wide variety of enterprises, service providers and government organizations of all sizes across the globe, including a majority of the 2015 Fortune 100. Key Products / Services The company offers the following product lines:  FortiGate: Fortinet offers its FortiGate products in physical or virtual format. The appliances include firewalls, intrusion prevention, anti-malware, VPN, application control, web filtering, anti-spam, and WAN acceleration. All appliances run on the company’s FortiOS operating system, and many appliances include ASICs to accelerate content and network security features.  Management and Analysis Products: The company offers its FortiManager and FortiAnalyzer virtual and physical products as its centralized management, and analytics and reporting systems, respectively.  FortiGuard: The FortiGuard Security Subscription Service delivers new threat detections to FortiGate product end-customers worldwide as new threats are detected. It is provided as a subscription service to clients.  FortiCare: FortiCare includes technical support as well as extended product warranties.  Professional and Training Services: The company also offers professional services to clients, primarily for large implementations, and training services to end-customers and channel partners. Key Executives Founder, Chairman of the Board & CEO: Ken Xie Founder, President & CTO: Michael Xie CFO: Andrew Del Matto Chief Accounting Officer: Keith Jensen Recent Stock Price Performance (as of 01/13/2017) $40.00 $35.00 $30.00 $25.00 $20.00 $15.00 $10.00 $5.00 $0.00 Source: Jefferies, company data, FactSet page 117 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 69: Guidance Software Company Facts Ticker: GUID Founded: 1997 Headquarters: Pasadena, CA Website: www.guidancesoftware.com Employees: 420 Key Statistics (as of 01/13/2017) Stock Price: $7.42 Market Cap ($M): $234 Enterprise Value ($M): $227 LTM Revenue: $109M LTM OCF: ($9M) EV/LTM Revenue: 2.1x Revenue Mix Product 33% Maint. 37% Services 30% Company Description Guidance Software provides forensic security solutions, providing endpoint investigation solutions for cybersecurity, security incident response, e-discovery, data privacy, and forensic analysis. Key Products / Services The company’s products include:  EnCase eDiscovery: EnCase eDiscovery is an enterprise-wide e-discovery solution. It includes capabilities such as legal hold, identification, collection, preservation, processing, first-pass review, and early case assessment review.  EnCase Endpoint Investigator: Endpoint Investigator enables organizations to search, collect, preserve, and analyze data on the servers, desktops, and laptops across their networks.  EnCase Forensic: EnCase Forensic enables forensic practitioners to conduct forensically sound digital data collection and investigations.  EnCase Portable: EnCase Portable is a triage and collection solution delivered on a USB device that allows forensic professionals and non-experts to triage and collect digital evidence in a forensically sound and court-proven manner.  EnCase App Central: EnCase App Central is an online marketplace that allows EnScript developers and investigations professionals to share and discover apps that complement the company’s EnCase products.  EnForce Risk Manager: EnForce Risk Manager allows organizations to implement a proactive approach to information governance, ensuring that sensitive data is identified, classified and remediated. It allows organizations to reduce their potential cyberattack “surface” area.  Tableau Appliances: Tableau appliances includes write blockers, forensic duplicators and storage devices, which are used to acquire forensically sound copies of digital storage devices such as hard disks and solid state drives. The company also provides professional services and training services to customers. Key Executives President & CEO: Patrick Dennis COO & CFO: Barry Plaga CMO: Michael Harris Chief Accounting Officer & VP, Finance: Rasmus Van der Colff Recent Stock Price Performance (as of 01/13/2017) $8.00 $7.00 $6.00 $5.00 $4.00 $3.00 $2.00 $1.00 $0.00 Source: Jefferies, company data, FactSet page 118 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 70: Hewlett Packard Enterprise Company Facts Ticker: HPE Founded: 2015 Headquarters: Palo Alto, CA Website: https://www.hpe.com Employees: 240,000 Key Statistics (as of 01/13/2017) Stock Price: $22.94 Market Cap ($M): $37,875 Enterprise Value ($M): $41,098 LTM Revenue: $50.1B LTM OCF: $5.0B EV/LTM Revenue: 0.8x Revenue Mix Software 6% Other 94% Company Description Hewlett Packard Enterprise (HPE) is a large Information Technology (IT) company offering numerous solutions. It divides its business into an enterprise group, software, enterprise services, financial services, and corporate investments. As part of its software group, the company offers a number of enterprise security solutions. Key Products / Services The company’s security products include:  ArcSight ESM: ArcSight ESM is a comprehensive security information and event management (SIEM) solution that identifies and prioritizes threats in real time.  Security Fortify: Fortify offers end-to-end application security solutions with the flexibility of testing on-premise and ondemand to cover the entire software development lifecycle.  Data Encryption, Key Management and Data Protection: HPE offers advanced data encryption, tokenization and key management solutions that protect sensitive data across enterprise applications, data processing IT, cloud, payments ecosystems, mission critical transactions, storage and big data platforms.  Network Security (Aruba): Through its ownership of Aruba, HPE offers Policy Enforcement Firewalls, Wireless Intrusion Protection solutions, and VPN services, among other network security products.  Security Research: HPE offers vulnerability research and security intelligence information to enterprises. Key Executives President & CEO: Meg Whitman EVP & CFO: Tim Stonesifer EVP, CTO & Director of HP Labs: Martin Fink EVP, Chief Marketing and Communications Officer: Henry Gomez EVP & Chief Customer Officer: John Hinshaw Recent Stock Price Performance (as of 01/13/2017) $30.00 $25.00 $20.00 $15.00 $10.00 $5.00 $0.00 Source: Jefferies, company data, FactSet page 119 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 71: IBM Company Facts Ticker: IBM Founded: 1911 Headquarters: Armonk, NY Website: http://www.ibm.com Employees: 377,000 Key Statistics (as of 01/13/2017) Stock Price: $167.34 Market Cap ($M): $159,696 Enterprise Value ($M): $192,360 LTM Revenue: $80.2B LTM OCF: $18.6B EV/LTM Revenue: 2.4x Revenue Mix APAC 22% Americ as 47% EMEA 31% Company Description IBM is a large multinational IT services provider; it offers integrated solutions and products that leverage: data, information technology, industry expertise and business processes, and a broad ecosystem of partners and alliances. IBM offers IBM Security, which brings advanced technologies in fraud and threat protection, identity and access management, application and data security, mobile and cloud security to clients. Key Products / Services As part of IBM Security, it offers the following product groups:  Mobile: IBM Mobile Security enables enterprises to protect devices, have secure content and collaboration, to safeguard application data, to manage access and fraud, and to extend security intelligence.  Identity and Access Management: IBM’s identity and access management solutions enable the safeguarding to mobile, cloud, and social accesses, prevention of insider threats, cloud integration, and the delivery of identity intelligence.  Endpoint Protection: IBM’s BigFix products enable the securing of endpoints through continuous monitoring and enforcement of compliance with security, regulatory, and operational policies.  Network Protection: IBM’s network security software and solutions provide advanced threat protection and real-time threat intelligence to aid in securing network infrastructure.  Mainframe Security: IBM’s mainframe security solutions are designed to simplify mainframe security administration, enforce security policy, automate auditing, detect threats and enhance security intelligence.  Application Security: Application security testing products provide pre-emptive protection to enhance mobile and web application security, and protect applications from malicious use.  Data Security: IBM’s Security Guardium product line offers a data protection platform that enables security teams to protect sensitive data from internal and external threats.  Security Intelligence and Operations: IBM’s QRadar line of products provides security information and event management (SIEM), log management, configuration management, vulnerability management, risk management, incident forensics and behavioral analysis and anomaly detection capabilities.  Advanced Fraud Protection: IBM’s Security Trusteer products deliver an intelligence-based, cybercrime prevention platform that helps prevent fraud, improve customer experiences, reduce operational impact and utilize a global intelligence service.  Cloud: IBM’s cloud security products include Cloud Security Enforcer to monitor and enforce cloud application policies, cloud identity and access management, and Security AppScan to improve application security. Key Executives Chairman, President, and CEO: Ginni Rometty SVP & CFO: Martin Schroeter Recent Stock Price Performance (as of 01/13/2017) $200.00 $150.00 $100.00 $50.00 $0.00 Source: Jefferies, company data, FactSet page 120 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 72: Imperva Company Facts Ticker: IMPV Founded: 2002 Headquarters: Redwood Shores, CA Website: https://www.imperva.com Employees: 1027 Key Statistics (as of 01/13/2017) Stock Price: $40.65 Market Cap ($M): $1,309 Enterprise Value ($M): $1,050 LTM Revenue: $259M LTM OCF: $22M EV/LTM Revenue: 4.1x Revenue Mix Product 36% Services 64% Company Description Imperva provides data and application security solutions that protect business-critical information both in the cloud and on-premise from cyber attacks and internal threats. The company’s solutions also aid with compliance with data protection regulations and mandates and enforce policies, entitlements, and audit controls. As of 2015, the company had over 4800 customers in over 100 countries. Key Products / Services Notable products from the company include:  Web Application Security: The company offers its SecureSphere web application firewall (WAF) to protect web facing applications from attacks. It also offers the ThreatRadar threat intelligence service which combines Imperva and crowdsourced data to maintain the effectiveness of the WAF. It also offers Incapsula, a cloud-based application delivery service.  DDoS Protection: As part of the Incapsula service, Imperva offers a cloud-based DDoS protection service for websites and web applications, infrastructure DDoS protection that protects infrastructure elements from DDoS attacks, and name server DDoS protection that also protects domain name system (DNS) servers from DDoS attacks.  Breach Prevention: Imperva offers CounterBreach, which monitors and protects data. It employs machine learning to develop behavioral baselines for users and flags potential deviations.  File Security: The company offers several products under its SecureSphere line that enable users to meet compliance requirements with detailed audit trails of file activity, perform real-time monitoring of files, manage user rights for files, control access to SharePoint servers, and control Active Directory activity.  Data Security: Imperva offers its SecureSphere platform, which includes database firewalls, database activity monitoring, and database assessments. These systems enable customers to protect their data.  Cloud Security: The company offers the previously discussed Skyfence product and Skyfence, a cloud-access security broker service, which enables visibility and control over cloud applications. Key Executives President, CEO, Chairman: Anthony Bettencourt CFO: Terry Schmid CMO: Kim DeCarlis Chief Revenue Officer: Michael D. Mooney CTO: Amichai Shulman Recent Stock Price Performance (as of 01/13/2017) $70.00 $60.00 $50.00 $40.00 $30.00 $20.00 $10.00 $0.00 Source: Jefferies, company data, FactSet page 121 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 73: Intel (McAfee) Company Facts Ticker: INTC Founded: 1968 Headquarters: Santa Clara, CA Website: http://www.intel.com Employees: 95,000 Key Statistics (as of 01/13/2017) Stock Price: $36.79 Market Cap ($M): $173,969 Enterprise Value ($M): $184,702 LTM Revenue: $57.9B LTM OCF: $19.1B EV/LTM Revenue: 3.2x Revenue Mix Security 4% Other 96% Company Description McAfee offers solutions and services to help secure critical systems and networks; it offers security products for consumers and businesses of all sizes. McAfee is owned by Intel, which is in the process of divesting a 51% stake to TPG Key Products / Services Some of McAfee’s key products include:  Data Protection & Encryption: McAfee Complete Data Protection Suites and McAfee Data Loss Prevention (DLP) solutions provide multilayered protection for data on the network, in the cloud, or at the endpoint. Encryption options include full drive encryption or management of native encryption. Data protection solutions are fully integrated with McAfee ePolicy Orchestrator software, in order to unify data security management.  Database Security: Database security software provides visibility into the overall database landscape and the corresponding security posture, fully aligns database security policy administration practices, and maintains regulatory compliance. Solutions are also integrated with the McAfee ePolicy Orchestrator management console.  Endpoint Protection: Endpoint security solutions are centrally managed and defend against the full threat spectrum from zero-day exploits to advanced targeted attacks, protecting Windows, Macs, and Linux systems.  Network Security: Network security solutions include network intrusion prevention and advanced sandboxing detection.  Security Management: Security management solutions deliver integration between McAfee ePolicy Orchestrator software and other security solutions. This integration enables visibility across any on premises or hosted desktop, network, or server.  Server Security: Server security solutions protect servers in physical or virtual environments, on premises, or in the cloud. Server security solutions are centrally managed via the McAfee ePolicy Orchestrator console.  SIEM: Security information and event management (SIEM) solution brings event, threat, and risk data together to provide security intelligence, rapid incident response, seamless log management, and compliance reporting.  Web Security: Web security solutions enable secure web connectivity for every device, user, and location, protecting organizations against sophisticated threats. Web security offers web filtering, content inspection, antivirus, zero-day antimalware, SSL inspection, and data loss prevention (DLP). Solution available on-premises, as a cloud service, or as a hybrid. Key Executives (McAfee) SVP & General Manager, Intel Security Group: Christopher Young Corporate VP, Intel Security Group & General Manager, Corporate Products: Brian Dye Corporate VP, Intel Security Group & General Manager, Consumer Business Unit: John Giamatteo Intel Fellow, Intel Security Group CTO: Steve Grobman Corporate VP, Intel Security Group & Intel Security Group Global Sales: Scott Lovett Recent Stock Price Performance (as of 01/13/2017) $50.00 $40.00 $30.00 $20.00 $10.00 $0.00 Source: Jefferies, company data, FactSet page 122 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 74: Microsoft Company Facts Ticker: MSFT Founded: 1975 Headquarters: Redmond, WA Website: https://www.microsoft.com Employees: 114,000 Key Statistics (as of 01/13/2017) Stock Price: $62.70 Market Cap ($M): $486,815 Enterprise Value ($M): $425,605 LTM Revenue: $84.8B LTM OCF: $36.3B EV/LTM Revenue: 5.0x Revenue Mix Person. Comput 43% Prod. & Bus. 29% Intel. Cloud 28% Company Description Microsoft develops, licenses, and supports a wide range of software products, services, and devices, including operating systems, cross-device productivity applications, server applications, business solution applications, desktop and server management tools, software development tools, video games, and training and certification of system integrators and developers. Key Products / Services Microsoft offers several security products:  Advanced Threat Analytics: ATA is an on-premises platform that helps protect enterprises from advanced targeted attacks by automatically analyzing, learning, and identifying normal and abnormal entity (user, devices, and resources) behavior.  Cloud App Security: Cloud App Security provides visibility, controls, and protection for cloud applications.  Windows Defender: Windows Defender is built into the latest versions of Windows and helps guard PCs against viruses and other malware.  Windows Defender Advanced Threat Protection (ATP): This product helps enterprise customers detect, investigate, and respond to advanced and targeted attacks on their networks.  Device Guard: Device Guard is designed to harden a computer system against malware. Its focus is on preventing malicious code from running by ensuring only known good code can run.  Credential Guard: Credential Guard aims to isolate and harden key system and user secrets against compromise, helping to minimize the impact and breadth of an attack in the event that malicious code is already running via a local or network based vectors.  Enterprise Mobility + Security: This product includes Azure Active Directory, which provides secure single sign-on to cloud and on-premises applications including Microsoft Office 365 and numerous non-Microsoft SaaS applications. It also includes Advanced Threat Analytics, Information Protection (protection of data and files shared internally or externally), Cloud App Security, and Intune.  Azure Security Center: Azure Security Center provides a central view of the security state of Azure resources. It enables the verification of appropriate security controls and their configuration. Key Executives CEO: Satya Nadella EVP & CFO: Amy Hood EVP & CMO: Chris Capossela Recent Stock Price Performance (as of 01/13/2017) $70.00 $60.00 $50.00 $40.00 $30.00 $20.00 $10.00 $0.00 Source: Jefferies, company data, FactSet page 123 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 75: Mimecast Company Facts Ticker: MIME Founded: 2003 Headquarters: London, UK Website: http://www.mimecast.com Employees: 700 Key Statistics (as of 01/13/2017) Stock Price: $21.17 Market Cap ($M): $1,106 Enterprise Value ($M): $1,000 LTM Revenue: $160M LTM OCF: $29M EV/LTM Revenue: 6.3x Revenue Mix South Africa 16% Other 2% United States 43% UK 39% Company Description Mimecast provides next generation cloud security and risk management services for corporate information and email. Key Products / Services The company’s solutions include:  Mimecast Email Security: Mimecast Email Security service provides comprehensive email security. It prevents spam, viruses, advanced threats, bulk mail and defined content from reaching inboxes, and protects the security and integrity of outbound email communications. The company offers the following security services:  Targeted threat protection: Targeted threat protection protects organizations against advanced and highly targeted attacks, and provides a threat dashboard and notification system with real-time data. Some of the products it includes are URL Protect (protection from malicious links in emails), Attachment Protect (sandboxing to check email attachments), Impersonation Protect (protection from social engineering attacks).  Secure messaging: Secure Messaging is a secure and private channel to share sensitive information with external contacts via email without the need for additional client or desktop software. Sensitive information is retained within the Mimecast cloud service in order to strengthen information security, data governance and compliance.  Large file send: Large File Send enables PC and Mac users to send and receive large files directly from their email client. It protects attachments in line with security and content policies by utilizing encryption, optional access key and custom expiration dates.  Data leak prevention: Data leak prevention enables policies using keywords, pattern matching, file hashes and dictionaries to actively scan all email communications including file attachments to stop data leakage and support compliance.  Mimecast mailbox continuity: Email continuity protects email and data against the threat of downtime as a result of system failure, natural disasters and the impact of planned maintenance, system upgrades, and migrations.  Mimecast enterprise information archiving: This product consolidates into one store all inbound, outbound and internal email, files and instant messaging in a perpetual, indexed and secure archive. The company also offers Cloud archive for files (consolidation of files from network shares), Cloud archive for Lync (retention of Microsoft Lync conversations), and Archive power tools (a series of advanced archiving tools). The company also offers its products in a number of service bundles to address customer requirements for a combination of services. Key Executives CEO: Peter Bauer CFO: Peter Campbell CTO: Neil Murray COO: Ed Jennings Recent Stock Price Performance (as of 01/13/2017) $25.00 $20.00 $15.00 $10.00 $5.00 $0.00 Source: Jefferies, company data, FactSet page 124 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 76: NetScout Systems Company Facts Ticker: NTCT Founded: 1984 Headquarters: Westford, MA Website: http://www.netscout.com/ Employees: 3140 Key Statistics (as of 01/13/2017) Stock Price: $32.60 Market Cap ($M): $2,949 Enterprise Value ($M): $2,954 LTM Revenue: $1.1B LTM OCF: $142M EV/LTM Revenue: 2.6x Revenue Mix Services 35% Product 65% Company Description NetScout Systems provides real-time operational intelligence and performance analytics for service assurance and cyber security solutions that are primarily used in service provider, enterprise, and government networks. Key Products / Services The company offers a number of service assurance, and network analysis and troubleshooting products. The cybersecurity solutions it offers are as follows:  DDoS Protection: NetScout provides security solutions that enable service providers and enterprises to protect their networks against DDoS attacks. Its DDoS solutions span on-premise offerings and cloud-based capabilities to meet customer needs.  Advanced Threat Detection: NetScout’s Spectrum product combines the company’s network visibility products with advanced threat detection, enabling enterprises to identify and investigate advanced threat campaigns that present risks to the integrity of their networks. Key Executives Founder, President & CEO: Anil Singhal CFO: Jean Bua COO: Michael Szabados Recent Stock Price Performance (as of 01/13/2017) $35.00 $30.00 $25.00 $20.00 $15.00 $10.00 $5.00 $0.00 Source: Jefferies, company data, FactSet page 125 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 77: Oracle Company Facts Ticker: ORCL Founded: 1977 Headquarters: Redwood Shores, CA Website: https://www.oracle.com Employees: 136,000 Key Statistics (as of 01/13/2017) Stock Price: $39.26 Market Cap ($M): $160,938 Enterprise Value ($M): $157,059 LTM Revenue: $37.2B LTM OCF: $14.2B EV/LTM Revenue: 4.2x Revenue Mix Services 9% Hardwar e 12% SW & Cloud 79% Company Description Oracle provides products and services that address all aspects of corporate information technology (IT) environments; applications, platforms, and infrastructure. As part of its products, Oracle offers a number of security products. Key Products / Services Oracle’s security products include:  Oracle Advanced Security: Oracle Advanced Security enables the encryption and redaction (display masking) of application data, such as credit cards, social security numbers, or personally identifiable information (PII).  Oracle Database Vault: Oracle Database Vault protects application data from being accessed by privileged database users and can also help discover Oracle Database runtime privileges without disruption.  Oracle Data Masking and Subsetting: This product helps organizations comply with data privacy and protection mandates that restrict the use of actual customer data. It allows sensitive information such as credit card or social security numbers to be replaced with realistic values, allowing production data to be used for nonproduction purposes.  Oracle Audit Vault and Database Firewall: This product monitors Oracle and non-Oracle database traffic to detect and block threats, as well as improves compliance reporting by consolidating audit data from databases, operating systems, directories, and other sources.  Oracle Identity Management: Oracle Identity Management is designed to enable customers to manage internal and external users, to secure corporate information from potential software threats, and to streamline compliance initiatives.  Oracle Mobile Security: Oracle Mobile Security offers an enterprise mobility management solution that includes mobile device management (MDM), mobile application management (MAM), mobile content management (MCM), and mobile identity. Key Executives CEO: Mark Hurd CEO: Safra Catz Executive Chairman of the Board & CTO: Larry Ellison President, Product Development: Thomas Kurian Recent Stock Price Performance (as of 01/13/2017) $50.00 $40.00 $30.00 $20.00 $10.00 $0.00 Source: Jefferies, company data, FactSet page 126 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 78: Palo Alto Networks Company Facts Ticker: PANW Founded: 2005 Headquarters: Santa Clara, CA Website: https://www.paloaltonetworks.com/ Employees: 3800 Key Statistics (as of 01/13/2017) Stock Price: $138.48 Market Cap ($M): $12,502 Enterprise Value ($M): $11,680 LTM Revenue: $1.5B LTM OCF: $715M EV/LTM Revenue: 7.9x Revenue Mix Mainten ance 25% Product 49% Subscr. 26% Company Description Palo Alto Networks allows enterprises, service providers, and government entities to secure their organizations by safely enabling applications running on their networks and by preventing breaches that stem from targeted cyber attacks. The company’s platform uses a traffic classification engine that identifies network traffic by application, user, and content and provides consistent security across the network, endpoint, and cloud. It consists of three major elements: Next-Generation Firewall, Advanced Endpoint Protection, and the Threat Intelligence Cloud. Key Products / Services Key products for the company include:  Firewall Appliances: Firewall appliances incorporate the company’s PAN-OS operating system and come with the same set of features ensuring consistent operation across the entire product line. These features include: App-ID, User-ID, site-to-site VPN, remote access Secure Sockets Layer (“SSL”) VPN, and Quality-of-Service (“QoS”). Firewall appliances are available in a physical or virtual form factor.  Panorama: Panorama is the company’s centralized security management solution for global control of all of appliances deployed on an end-customer’s network as a virtual or physical appliance. Panorama is used for centralized policy management, device management, software licensing and updates, centralized logging and reporting, and log storage.  Virtual System Upgrades: Virtual System Upgrades are available as extensions to the Virtual System capacity that ships with the company’s physical appliances. Virtual Systems provide a mechanism to support multiple distinct security policies and administrative access for tenants on the same hardware device.  Subscription services: The company offer a number of subscription services as part of its platform. Of the subscription services, Threat Prevention Subscription, URL Filtering Subscription, WildFire Subscription, and GlobalProtect Subscription are sold as options to firewall appliances, whereas the others are sold on a per-user or per-endpoint basis. The unattached subscription services are VM-Series firewalls, Traps endpoint protection, AutoFocus (cloud-based threat intelligence service), and Aperture (a CASB service).  Support and Maintenance: The company offers different levels of support to end-customers and channel partners. Channel partners operating a Palo Alto Networks Authorized Support Center typically deliver level-one and level-two support.  Professional Services: Professional services are primarily delivered through the company’s authorized channel partners and include on-location, hands-on experts who plan, design, and deploy effective security solutions tailored to meet specific endcustomer requirements Key Executives Chairman and CEO: Mark McLaughlin Founder and CTO: Nir Zuk President: Mark Anderson CFO & EVP: Steffan Tomlinson CMO & EVP: René Bonvanie CSO: Rick Howard Founder: Rajiv Batra Recent Stock Price Performance (as of 01/13/2017) $200.00 $150.00 $100.00 $50.00 $0.00 Source: Jefferies, company data, FactSet page 127 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 79: Proofpoint Company Facts Ticker: PFPT Founded: 2002 Headquarters: Sunnyvale, CA Website: https://www.proofpoint.com Employees: 1200 Key Statistics (as of 01/13/2017) Stock Price: $81.89 Market Cap ($M): $3,445 Enterprise Value ($M): $3,394 LTM Revenue: $344M LTM OCF: $61M EV/LTM Revenue: 9.9x Revenue Mix Hardwar e 3% Subscrip tion 97% Company Description Proofpoint is a security-as-a-service provider that enables large and mid-sized organizations worldwide to defend, protect, archive and govern their most sensitive data Key Products / Services The company’s solutions include:  Enterprise Protection: Enterprise Protection is the company’s communications and collaboration security suite designed to protect customers’ messaging infrastructure from outside threats, including spam, phishing, unpredictable email volumes, and malware.  Information Protection: Information Protection is the company’s data loss prevention, encryption, and compliance solution to defend against leaks of confidential information. It is also designed to help with compliance with US, international, and industry specific data protection regulations.  Enterprise Archive: Enterprise Archive is designed to ensure accurate enforcement of data governance, data retention, and supervision policies and mandates. It is also designed to provide cost-effective litigation support through discovery and active legal-hold management.  Social Media Security & Compliance: The company’s Social Media Security & Compliance solution enables customers to protect their online brand presence and social media communication infrastructure. It automatically identifies and remediates fraudulent social media accounts, account hacks, and content that contains malware, spam, and abusive language.  Essentials: Essentials is the company’s security-as-a-service and compliance solutions designed for distribution across managed service providers and security resellers. Capabilities include inbound email filtering to block spam and malware, outbound filtering, email continuity, targeted attack protection, and email archiving. Key Executives CEO: Gary Steele CFO: Paul Auvil CTO: Marcel Depaolis Recent Stock Price Performance (as of 01/13/2017) $100.00 $80.00 $60.00 $40.00 $20.00 $0.00 Source: Jefferies, company data, FactSet page 128 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 80: Qualys Company Facts Ticker: QLYS Founded: 1999 Headquarters: Redwood City, CA Website: https://www.qualys.com Employees: 510 Key Statistics (as of 01/13/2017) Stock Price: $34.15 Market Cap ($M): $1,185 Enterprise Value ($M): $975 LTM Revenue: $190M LTM OCF: $79M EV/LTM Revenue: 5.1x Revenue Mix Foreign 30% U.S. 70% Company Description Qualys provides cloud-based security and compliance solutions that enable organizations to identify security risks to their IT infrastructures, protect their IT systems and applications from cyber-attacks and achieve compliance with internal policies and external regulations. Key Products / Services Qualys’ Cloud Platform consists of a suite of IT security and compliance solutions, they include:  Vulnerability Management: Vulnerability Management (VM) automates network auditing and vulnerability management across an organization, including network discovery and mapping, asset management, vulnerability reporting, and remediation tracking.  Policy Compliance: Policy Compliance (PC) allows customers to analyze and collect configuration and access control information from networked devices and web applications and automatically maps this information to internal policies and external regulations in order to document compliance. It does not require the use of software agents.  PCI Compliance: PCI Compliance provides organizations that store cardholder data an automated solution to verify and document compliance with PCI DSS.  Web Application Scanning: Web Application Scanning (WAS) allows customers to discover, catalog, and scan a large number of web applications. Qualys WAS scans and analyzes custom web applications and identifies vulnerabilities that threaten underlying databases or bypass access controls.  Malware Detection: Malware Detection (MDS) utilizes behavioral and static analysis to provide organizations with the ability to scan, identify and remove malware infections from their websites.  Web Application Firewall: Web Application Firewall (WAF) is a cloud-based WAF solution. It is designed to protect web applications from attack vectors by enhancing default web application configurations and virtual patching. It also improves website performance by reducing page load times and optimizing bandwidth.  SECURE Seal: SECURE Seal helps organizations demonstrate to their online customers that they maintain a proactive security program. Websites that scan for malware, network and web application vulnerabilities, and validate SSL certificates can display a Qualys SECURE Seal on their websites. Key Executives Chairman & CEO: Philippe Courtot CFO: Melissa Fisher Chief Product Officer: Sumedh Thakar Chief Commercial Officer: Amer Deeba Recent Stock Price Performance (as of 01/13/2017) $50.00 $40.00 $30.00 $20.00 $10.00 $0.00 Source: Jefferies, company data, FactSet page 129 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 81: Rapid7 Company Facts Ticker: RPD Founded: 2000 Headquarters: Boston, MA Website: https://www.rapid7.com Employees: 750 Key Statistics (as of 01/13/2017) Stock Price: $13.11 Market Cap ($M): $541 Enterprise Value ($M): $454 LTM Revenue: $145M LTM OCF: $2M EV/LTM Revenue: $3.1x Revenue Mix Pro. Serv. 18% Mainten ance 24% Products 58% Company Description Rapid7 is a provider of security data and analytics solutions that enable organizations to implement an active, analytics driven approach to cyber-security. The company offers a security data and analytics platform, which it refers to as the Rapid7 Insight Platform. Key Products / Services Rapid7 offers the following products:  Nexpose: Nexpose enables customers to assess and remediate their overall exposure to cyber risk across their IT environments. It analyses vulnerabilities, detects misconfigurations, and determines the effectiveness of controls across an IT environment.  Metasploit: Metasploit a penetration test product, which was developed on an open source framework. It can be used to safely simulate attacks on an organization’s network in order to uncover vulnerabilities and assess the effectiveness of an organization’s existing defences, security control, and mitigation efforts.  AppSpider: AppSpider is a dynamic application security testing solution that continuously analyses web applications for security vulnerabilities. Key features include a “universal translator” that enables the analysis of complex applications, customized attack simulation, scanning automation, live vulnerability reports and attack replay, and continuous site monitoring.  InsightUBA: InsightUBA is a cloud-based offering that enables customers to detect intruders, reducing the probability that an incident turns into a breach.  InsightIDR: InsightIDR combines behavioral analytics and search with contextual data collection to help detect stealthy attacks. The company also offers several managed services, including Analytics Response, which provides customers with threat detection, and Incident Response Services, which provides customers access to Rapid7’s security experts. Key Executives President & CEO: Corey E. Thomas CFO: Steven Gatoff Chief Product Officer: Lee Weiner Co-Founder & CTO: Tas Giakouminakis COO: Andrew Burton Recent Stock Price Performance (as of 01/13/2017) $25.00 $20.00 $15.00 $10.00 $5.00 $0.00 Source: Jefferies, company data, FactSet page 130 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 82: Raytheon (Forcepoint) Company Facts Ticker: RTN Founded: 1922 Headquarters: Waltham. MA Website: http://www.raytheon.com/ Employees: 61,000 Key Statistics (as of 01/13/2017) Stock Price: $145.99 Market Cap ($M): $42,767 Enterprise Value ($M): $45,663 LTM Revenue: $24.2B LTM OCF: $2.5B EV/LTM Revenue: 1.9x Revenue Mix Security 2% Other 98% Company Description Raytheon specializes in the defense and government markets worldwide. It operates through a number of business segments; Forcepoint, one of the segments, addresses the cybersecurity market. It was created in 2015 through a joint venture with Vista Equity Partners, where Raytheon combined Websense with its existing Raytheon Cyber Products business. Key Products / Services TRITON is the security platform that integrates Forcepoint’s web, email, and data security technologies into a unified architecture. At the core of the architecture lies the Advanced Classification Engine, which analyses inbound and outbound web and email traffic. Forcepoint has the following product families and related services:  Network Security (NS): This product provides NGFW software and hardware solutions that focus on high-availability, centralized management of large networks and protection from evasion techniques. It provides proxy-based firewall software and hardware solutions.  SureView (SV): The SV suite of products spans analytics, insider threat, advanced threat protection and Linux security. SV delivers end-to-end visibility, context and the understanding of human and information technology actions required for enterprises and governments to take action and manage risk.  Federal Solutions (FS): Forcepoint provides the High Speed Guard (HSG) product to government customers, which enables highly complex, bi-directional, automated data transfers between multiple domains, specializing in real-time streaming video.  Wed Security and Filtering Solutions (WSFS): WSFS prevents unmanaged employee Web use and access to Web sites identified as security risks. These products are deployed in conjunction with an organization's network gateway platform (such as a proxy server or firewall) and apply pre-determined policies to Web content classified in more than 95 categories in Forcepoint's master database.  Hardware and Appliances (HA): HA provides a mix of commercial-off-the-shelf hardware along with optimized appliances consisting of V-Series appliances that consolidate multiple security functions in a single hardware platform and X-Series appliances that deliver large enterprises real-time data-aware defenses against malware and intellectual property theft.  Professional Services (PS): PS provides consulting services of certified engineers. Key Executives (Forecpoint) CEO: Matthew P. Moynahan CFO: Matthew T. Santangelo Chief Strategy Officer & President, Federal Division: Edward Hammersla Recent Stock Price Performance (as of 01/13/2017) $160.00 $140.00 $120.00 $100.00 $80.00 $60.00 $40.00 $20.00 $0.00 Source: Jefferies, company data, FactSet page 131 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 83: Splunk Company Facts Ticker: SPLK Founded: 2003 Headquarters: San Francisco, CA Website: https://www.splunk.com/ Employees: 1700 Key Statistics (as of 01/13/2017) Stock Price: $56.42 Market Cap ($M): $7,642 Enterprise Value ($M): $6,615 LTM Revenue: $864M LTM OCF: $176M EV/LTM Revenue: 7.7x Revenue Mix Maint. & Serv. 42% License 58% Company Description Splunk provides software solutions that enable organizations to gain real-time operational intelligence by harnessing the value of their data. Its offerings enable users to collect, index, search, explore, monitor and analyze data regardless of format or source. Key Products / Services The company’s products include:  Splunk Enterprise: Splunk Enterprise is the company’s flagship product. it is a machine data platform, comprised of collection, indexing, search, reporting, analysis, alerting, monitoring and data management capabilities. It can collect and index hundreds of terabytes of machine data daily, irrespective of format or source, and performs dynamic schema creation on the fly, enabling users to run queries on data without having to define or understand the structure of the data prior to collection and indexing.  Splunk Cloud: Splunk Cloud delivers the core functionalities of Splunk Enterprise as a scalable cloud service. Splunk Cloud can be used solely as a cloud service or via a hybrid approach that spans cloud and on-premises environments, in which a single Splunk interface can search both on-premises Splunk Enterprise instances as well as Splunk Cloud instances.  Splunk Light: Splunk Light provides log search and analysis that is designed, priced, and packaged for small IT environments. The daily indexing volume is limited as compared to Splunk Enterprise. Splunk Light collects, indexes, monitors, reports and alerts on a customer’s log data in real time.  Hunk: Splunk Analytics for Hadoop (Hunk), is designed for interactively exploring, analysing, and visualizing data stored in Hadoop and Amazon S3. Hunk includes a full-featured analytics stack and leverages the company’s schema-on-the-fly and machine data fabric technologies.  Premium solutions: The company offers a number of purpose-built solutions that address key customer needs. These include Splunk Enterprise Security, Splunk User Behavior Analytics, and Splunk IT Service Intelligence. Key Executives President & CEO: Doug Merritt SVP & CFO: David Conte CTO: Snehal Antani SVP & CMO: Steven Sommer Chief Strategy Officer: Stephen Sorkin Chief Revenue Officer: Susan St. Ledger Recent Stock Price Performance (as of 01/13/2017) $70.00 $60.00 $50.00 $40.00 $30.00 $20.00 $10.00 $0.00 Source: Jefferies, company data, FactSet page 132 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 84: Symantec Company Facts Ticker: SYMC Founded: 1982 Headquarters: Sunnyvale, CA Website: https://www.symantec.com/ Employees: 12,000 Key Statistics (as of 01/13/2017) Stock Price: $26.14 Market Cap ($M): $16,022 Enterprise Value ($M): $17,579 LTM Revenue: $2.4B LTM OCF: ($355M) EV/LTM Revenue: 7.3x Revenue Mix Consu mer 56% Enterpr ise 44% Company Description Symantec is a global cybersecurity company, which operates one of the world’s largest cyber intelligence networks. The company helps companies, governments, and individuals secure their data wherever it resides. Symantec operates in two segments: Consumer Security and Enterprise Security. Key Products / Services The company’s products include:  Symantec Endpoint Protection (SEP): SEP is a comprehensive endpoint security solution. Historically it has been focused on signature-based protection, but Symantec has been continually adding next generation functionality to protect against zeroday or unknown attacks. A new version of SEP, version 14, was launched in November 2016, and added AI/machine learning and exploit prevention functionality.  Advanced Threat Protection (ATP): Launched in December 2015, ATP is Symantec’s EDR (Endpoint Detection and Response) solution. ATP is meant to detect and remediate advanced threats, while not requiring the deployment of a new endpoint agent. The network gateway provides a sandbox system, and files on the networks can be inspected in the Symantec cloud.  Data Loss Prevention (DLP): Protects vital information by performing local scanning and real-time monitoring, finding and protecting confidential unstructured data by scanning network file shares, databases, and other enterprise data repositories, and monitoring and protecting data in motion, including sensitive data sent via email, web, and network protocols.  Secure Email Gateway: Defends email perimeter against spam, malware, and targeted attacks with content filtering, data loss prevention, and encryption.  Managed Security Services: Experts monitor security alerts and correlate attacks with the global threat landscape.  SSL Certificates: Protects websites with up to 256-bit encryption and a recognized mark of trust.  Norton Security: Consumer-focused antivirus across desktop and mobile.  On-Premise Secure Web Gateway (SWG) (Blue Coat): Sits in between users and their interactions with the internet to identify malicious payloads and to control sensitive content.  Cloud Delivered SWG (Blue Coat). Similar functionality to the On-Premise SWG, yet delivered as a cloud-based service.  CloudSOC/Cloud Access Security Broker (CASB) (Blue Coat): Enables companies to confidently leverage cloud applications and services while staying safe, secure and compliant. It provides visibility into shadow IT, governance over data in cloud apps, and protection against threats targeting cloud accounts.  SSL Visibility (Blue Coat): SSL Visibility offers complete visibility and control of encrypted traffic without requiring the rearchitecture of network infrastructure. Key Executives CEO: Greg Clark President & COO: Michael Fey EVP & CFO: Nicholas Noviello CTO: Hugh Thompson Recent Stock Price Performance (as of 01/13/2017) $30.00 $25.00 $20.00 $15.00 $10.00 $5.00 $0.00 Source: Jefferies, company data, FactSet page 133 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 85: Trend Micro Company Facts Ticker: 4704 (Tokyo Stock Exchange) Founded: 1988 Headquarters: Irving / Las Colinas, TX Website: http://www.trendmicro.com Employees: 5200 Key Statistics (as of 01/13/2017) Stock Price: ¥4,315 Market Cap ($M): $5,211 Enterprise Value ($M): $3,807 LTM Revenue: $1.1B LTM OCF: $257M EV/LTM Revenue: 3.4x Revenue Mix Consu mer 33% Enterpr ise 67% Company Description Trend Micro offers security products for home users, SMBs, and enterprises. It offers endpoint, mobile device, network, and cloud protection, in addition to threat activity information. It is one of the top-5 security vendors worldwide and best known for its endpoint products. Key Products / Services Its products are segmented into the following groups:  Home & Home Office: At this level, Trend Micro offers web protection and privacy tools, anti-virus software, password management software, and mobile security products for both Android and iOS. It also offers a number of premium support services, including 24/7 assistance, premium installations, virus and spyware removal, and PC health checks.  Small Business: For the SMB market, the company provides endpoint products, which include ransomware protection, antivirus, antispam, web security, and data protection. It also offers a number of premium support services.  Enterprise: Its enterprises offering includes protection for servers and applications in physical, virtual, or cloud format: its Deep Security Platform is available as software license, as-a-service, or through AWS or Azure. The Deep Security Platform provides server and virtual desktop protection. It includes anti-malware, IPS, and firewall functionality, and also provides monitoring of logs. The company also offers a centralized management and reporting platform as well as standard and premium support services. Lastly, the company also offers a security intelligence service that provides updates, analysis, and information on the latest threats and security trends. Key Executives CEO & Co-Founder: Eva Chen CFO: Mahendra Negi President & COO: Wael Mohamed Chairman & Founder: Steve Chang Chief Culture Officer & Co-Founder: Jenny Chang Recent Stock Price Performance (as of 01/13/2017) ¥6,000 ¥5,000 ¥4,000 ¥3,000 ¥2,000 ¥1,000 ¥0 Source: Jefferies, company data, FactSet page 134 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 86: Varonis Company Facts Ticker: VRNS Founded: 2005 Headquarters: New York, NY Website: https://www.varonis.com Employees: 1042 Key Statistics (as of 01/13/2017) Stock Price: $29.10 Market Cap ($M): $743 Enterprise Value ($M): $631 LTM Revenue: $154M LTM OCF: $6M EV/LTM Revenue: 4.1x Revenue Mix Maint. 44% License 56% Company Description Varonis provides a software platform that allows enterprises to analyze, secure, manage, and better utilize their unstructured data. The company specializes in human-generated data, a type of unstructured data that includes an enterprise’s spreadsheets, word processing documents, presentations, audio files, video files, emails, text messages and any other data created by employees. Key Products / Services The company’s products include:  DatAdvantage: DatAdvantage is the company’s flagship product, it captures, aggregates, normalizes and analyzes data access event for users on Windows and UNIX/Linux servers, storage devices, email systems and Intranet servers, without requiring native operating system auditing functionalities.  DataPrivilege: DataPrivilege provides a self-service web portal that allows users to request access to data necessary for their business functions, and owners to grant access without IT intervention.  IDU Classification Framework: The IDU Classification Framework identifies and tags data based on criteria set in multiple metadata dimensions, and provides business and IT personnel with actionable intelligence about this data, including a prioritized list of folders and files containing the most sensitive data and with the most inadequate permissions.  Data Transport Engine: Data Transport Engine unifies the manipulation of data and metadata, translating business decisions and instructions into technical commands such as data migration or archiving.  DatAnywhere: DatAnywhere allows users to seamlessly collaborate with other users that still use traditional common internet file system shares via mapped drives or universal naming convention paths.  DatAnswers: DatAnswers indexes files as they are created and changed without requiring continual scanning, filters out results users should not see based on the recommendations engine and classification results found by the IDU Classification Framework, and ranks results using analysis of data usage. Key Executives CEO, President, Co-Founder, Chairman of the Board: Yaki Faitelson CFO: Gili Iohan CTO & Co-Founder: Ohad Korkus Recent Stock Price Performance (as of 01/13/2017) $35.00 $30.00 $25.00 $20.00 $15.00 $10.00 $5.00 $0.00 Source: Jefferies, company data, FactSet page 135 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 87: Verisign Company Facts Ticker: VRSN Founded: 1995 Headquarters: Reston, VA Website: https://www.verisign.com/ Employees: 1020 Key Statistics (as of 01/13/2017) Stock Price: $80.80 Market Cap ($M): $8,471 Enterprise Value ($M): $8,576 LTM Revenue: $1.1B LTM OCF: $661M EV/LTM Revenue: 7.6x Revenue Mix Pro. Serv. 18% Mainten ance 24% Products 58% Company Description Verisign is a global provider of domain name registry services and Internet security, enabling Internet navigation for many of the world’s most recognized domain names and providing protection for websites and enterprises worldwide. Key Products / Services Verisign’s security services is comprised of three services:  iDefense: iDefense provides 24/7 access to cyber intelligence related to vulnerabilities, malicious code, and global threats. It enables customers to improve vulnerability management, incident response, fraud mitigation, and proactive mitigation of the particular threats targeting their industry or global operations. iDefense is available either through a platform or through a set of APIs.  Managed DNS Services: Managed DNS Services is a hosting service that delivers DNS (Domain Name System) resolution. It provides DNS availability through a globally distributed, cloud-based DNS infrastructure. It also provides full support for DNSSEC (DNS Security Extensions) compliance features and geo-location traffic routing capabilities. DNSSEC is designed to improve DNS infrastructure from man-in-the-middle attacks.  DDoS Protection Services: DDoS Protection Services provides monitoring and mitigation services against DDoS attacks. Customers pay a subscription fee for the product that varies based on customer network requirements. Key Executives President, CEO & Chairman of the Board: D. James Bidzos EVP & CFO: George Kilguss III EVP & COO: Todd Strubbe SVP & CTO: Dr. Burt Kaliski, Jr. SVP & Chief Security Officer: Danny McPherson Recent Stock Price Performance (as of 01/13/2017) $100.00 $80.00 $60.00 $40.00 $20.00 $0.00 Source: Jefferies, company data, FactSet page 136 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Appendix D – Private Company Profiles Chart 88: Alert Logic Company Facts Founded: 2002 Headquarters: Houston, TX Website: http://www.alertlogic.com Employees: 501-1000 (per LinkedIn) Estimate Annual Revenue: $100M run rate as of 1Q16 Investors Welsh, Carson, Anderson & Stowe Covera Ventures Mercury Fund OCA Ventures Company Description Alert Logic provides Security-as-a-Service solutions for customers of public cloud (AWS, Azure) and managed service providers, as well as customers using traditional data centers. Key Products / Services Alert Logic provides Security-as-a-Service for cloud, on-premises, and hybrid infrastructures, delivering deep security insight and continuous protection for customers at a lower cost than traditional security solutions. Fully managed by an international team of experts, the Alert Logic Security-as-a-Service solution provides network, system, and web application protection immediately, wherever customer IT infrastructure resides. Alert Logic partners with leading cloud platforms and hosting providers to protect nearly 4,000 organizations worldwide. Built for cloud scale and employing Alert Logic's proprietary threat intelligence technology, the Company's patented platform stores petabytes of data, analyses over 450 million events and identifies over 60,000 security incidents each month. The Company’s managed service model includes monitoring from its 24x7 Security Operations Centers (SOCs) which detect, investigate, and escalate threats to customer data anywhere in the world in 15 minutes or less. Alert Logic solutions include integrated intrusion detection, vulnerability scanning, log management and web application protection – delivered via its cloud-native platform – designed flexibly to protect data and network infrastructure in any environment including cloud-based Amazon Web Services (AWS) and Azure. Alert Logic offers the flexibility to protect customer data across all environments – cloud, on-premises and hybrid – and offers complete security visibility and threat protection delivered in a SaaS model allowing customers to increase workloads and branch into new computing environments without adding staff. Alert Logic’s data repository, big data analytics, and internal threat science teams allow its security engineers insight into new threats as they unfold while minimizing time wasted through false positives. Alert Logic’s Cloud Insight Solution is a cloud-native vulnerability and configuration management solution for cloud customers. Alert Logic is an Advanced Technology Partner in the Amazon Web Services Partner Network and available in Amazon’s AWS Marketplace. Key Executives Gray Hall: President and CEO Misha Govshteyn: Co-Founder and SVP, Product Management & Product Marketing John Karnes: CFO Dave Colesante: COO Greg Davis: EVP of Worldwide Sales Ben Matheson: CMO Tom Veronie: CIO Board of Directors Gray Hall: Chairman, President, and CEO Tony de Nicola: Co-President, Welsh Carson Mike Donovan: General Partner, Welsh Carson Jim Lewandowski: Previously SVP, Rackspace and SVP, McAfee Raymond Ranelli: Senior Operating Executive, Welsh Carson Steve Munford: Previously CEO, Sophos Source: Jefferies, company data page 137 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 89: AlienVault Company Facts Founded: 2007 Headquarters: San Mateo, CA Website: http://www.alienvault.com Employees: approx. 300 Estimate Annual Revenue: N/A Investors Trident Capital Kleiner Perkins Caufield & Byers GGV Capital Correlation Ventures Intel Capital Jackson Square Ventures Top Tier Capital Partners Institutional Venture Partners Adara Ventures Company Description AlienVault provides a cybersecurity threat detection platform leveraging crowd-sourced threat intelligence. Key Products / Services The AlienVault Unified Security Management (USM) platform provides five security capabilities in a single console: asset discovery, behavioral monitoring, vulnerability assessment, SIEM (correlations and analysis), and threat detection (IDS, file integrity monitoring). The USM is available as a hardware or virtual appliance for on-premise deployments, as well as via the cloud through AWS and others. AlienVault manages the Open Threat Exchange (OTX), a crowd-sourced platform that provides open access to a global community of threat researchers and security professionals. It delivers community-generated threat data, enables collaborative research, and automates the process of updating security infrastructure with threat data. OTX enables anyone in the security community to actively discuss, research, validate, and share the latest threat data, trends, and techniques, strengthening customers’ defenses while helping others do the same. The company actively supports an open source SIEM project named Open Source Security Information and Event Management (OSSIM). OSSIM leverages the AlienVault Open Threat Exchange by allowing users to both contribute and receive real-time information about malicious hosts. Key Executives Barmak Meftah: President and CEO Brian Robins: CFO Roger Thornton: CTO Justin Endres: SVP Worldwide Sales Andy Johnson: SVP Business Development Jaime Blasco: VP and Chief Scientist Rita Selvaggi: CMO Board of Directors J. Alberto Yepez: Chairman and Managing Director, Trident Capital Ted Schlein: Managing Director, KPCB Barmak Meftah: President and CEO Glenn Solomon: Partner, GGV Capital Alberto Gomez: Managing Partner, Adara General Peter Pace: USMC (Ret.), Former Chairman of the Joint Chiefs of Staff, U.S. Armed Forces Kenneth Goldman: CFO, Yahoo John M. Jack: Board Partner, Andreessen Horowitz Source: Jefferies, company data page 138 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 90: Authentic8 Company Facts Founded: 2010 Headquarters: Mountain View, CA Website: http://www.authentic8.com Employees: 11-50 (per LinkedIn) Estimate Annual Revenue: N/A Investors Foundry Group Merus Capital Company Description Founded in 2010 by principals from Postini, Authentic8 aims to redefine how the browser is used to access web data. Its flagship product, Silo, is a cloud-based secure browser. Authentic8 provides a cloud-based container designed for secure, controlled access to web applications. Key Products / Services Silo creates an insulation layer between the user and the web, keeping all web code isolated in a contained environment but delivering an encrypted display of the browser session. Silo also helps manage login credentials, access controls and data use policies. The Silo browser is built fresh at session start, and destroyed at session end, ensuring that users remain secure, compliant, and anonymous online. Around this core idea of insulation, Silo is built with a suite of policy and identity management controls. These controls allow IT to move beyond the confines of a one-size fits all browser and to configure Silo uniquely for different use cases; e.g. the off-network personal browser for employees, or the ringfenced work browser for only accessing business apps. Whatever the use case, admins have the flexibility to build their browser profiles from a simple set of policy primitives such as site navigation restrictions, file transfer capabilities, copy/paste and print actions, machine access rights, individual and group password management and many more. Key Executives Scott Petry: Co-founder and CEO Ramesh Rajagopal: Co-founder and President Les Dunston: Head of Operations Drew Paik: Head of Marketing Board of Directors Peter Hsing: General Partner, Merus Capital Ryan McIntyre: Managing Director and Co-founder, Foundry Group Ramesh Rajagopal: Co-founder and President Scott Petry: Co-founder and CEO Source: Jefferies, company data, Crunchbase page 139 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 91: Avira Holding Company Facts Founded: 1986 Headquarters: Tettnang, Germany Website: http://www.avira.com Employees: approx. 500 Estimate Annual Revenue: N/A Investors N/A Company Description Avira develops and supports security solutions for consumer and SMB use. The company primarily offers professional solutions for cross-system protection of networks on various levels, which include products for PCs, Macs, Android and iOS devices, file, mail, and Web servers. Key Products / Services Avira's products for home users/consumers include Avira Antivirus Pro, software that provides anti-malware and privacy protection to internet users; Avira Internet Security Suite that provides antivirus, antispam, and phishing prevention features; Avira Antivirus Security, which provides a suite of tools to lock out unauthorized access, help recover a lost or stolen phone, and cut off unwanted calls and texts; Avira System Speedup, a module that includes a set of tools to clear out PC clutter; antivirus solutions for Mac computers; and social network protection solutions. The company’s products for businesses (SMBs) include various client/server protection solutions, including Professional Security that provides anti-malware and cloud-based updates with real-time threat intelligence; Avira Antivirus for Endpoint which includes protection for servers; and Avira Antivirus for Small Business which includes email security features in addition to those from lowertiered products. Key Executives Travis Witteveen: CEO Andreas Flach: VP, Products and Services Michael Silbermann: CFO Philipp Wolf: EVP, Protection Labs Matthias Ollig: EVP, Cloud Services and Infrastructure Jochen Gassner: EVP, Customer Advocacy Mario Fassbender: EVP, Marketing and Online Sales Board of Directors N/A Source: Jefferies, company data page 140 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 92: Balabit Company Facts Founded: 2000 Headquarters: New York, NY Website: http://www.balabit.com Employees: 240 Estimated Annual Revenue: N/A Investors C5 Capital Company Description Balabit is a provider of contextual security technologies with the mission of preventing data breaches without constraining business. Its Contextual Security Intelligence™ platform protects organizations in real-time from threats posed by the misuse of high risk and privileged accounts. Solutions include reliable system and application Log Management with context enriched data ingestion, Privileged User Monitoring and User Behavior Analytics. Founded in 2000, Balabit has a proven track record, with 23 Fortune 100 customers and more than 1,000,000 corporate users worldwide. Key Products / Services Blindspotter™ is a monitoring tool that maps and profiles user behavior to reveal human risk. It integrates a variety of contextual information in addition to logs, processes them using various unique algorithms, and offers a wide range of outputs from warnings to automatic interventions. Blindspotter™ is an advanced component of the Contextual Security Intelligence Suite. Shell Control Box (SCB) is a user monitoring appliance that controls privileged access to remote IT systems, records activities in searchable, movie-like audit trails, and prevents malicious actions. SCB is a quickly deployable enterprise device, completely independent from clients and servers - integrating seamlessly into existing networks. SCB is a core component of the Contextual Security Intelligence Suite. Syslog-ng is the trusted log management infrastructure for hundreds of thousands of users worldwide. Organizations use syslog-ng to reliably and securely collect, process and store log messages from across their IT environments. Key Executives Zoltán Györkő: Co-founder and Chief Executive Officer Balázs Scheidler: Co-founder and Chief Technology Officer Board of Directors Not public Source: Jefferies, company data page 141 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 93: Bayshore Networks Company Facts Founded: 2012 Headquarters: Bethesda, MD Website: http://www.bayshorenetworks.com Employees: less than 100 Estimate Annual Revenue: less than $10M Investors Series A Financing May 2016 by Trident Capital Cybersecurity and existing angel investors. Company Description Bayshore Networks is a cybersecurity company for the Industrial Internet of Things. The company’s Bayshore IT/OT Gateway software enables industrial applications and data, providing companies with visibility into their Operational Technologies, safely and securely protecting industrial applications, networks, machines and workers. The software deploys from the cloud, as a virtual machine, or onpremise as a hardware appliance. Bayshore has strategic alliances with technology companies including BAE Systems, Cisco Systems, SAP and VMware. Key Products / Services The Bayshore IT/OT Gateway connects OT data to industrial applications. It provides IT with visibility into OT processes, applications and data. It prevents disruptions and enhances operational efficiency and continuity. The Gateway’s patented policy engine provides deep, granular filtration of OT data and application content and automatic transformation and interpretation of OT data into advanced analytics. The Gateway delivers value in the following areas:  It ensures employee safety in production zones. Bayshore safety policy (tailored by each customer) is automatically generated and easily enforced.  With Bayshore’s extensive industrial domain knowledge, it provides IT with complete visibility into operations and access to analytics.  It supports all popular industrial protocols and easily adapts to proprietary protocols. Bayshore Pallaton is the policy creation and enforcement software engine inside the Bayshore Gateways. Pallaton augments the Bayshore appliances in IT and OT networks because it can inspect and filter industrial protocols and applications down to the machine transaction level. Pallaton is based on XML, which means it can rapidly adapt to new and proprietary protocols. This extensibility represents a significant advantage in industrial settings – SCADA controls alone encompass hundreds of different protocols. Pallaton uses a predicate-based language, which means it’s easy to create new policies or customize existing policies. In industrial settings it is typically used to create and enforce security, operational and safety policies. Key Executives Michael Dager, CEO Bob Lam, Co-Founder, VP Finance & Corp Dev Francis Cianfrocca, Founder & Chief Scientist Board of Directors Francis Cianfrocca, Chairman Alberto Yepez John McNulty Source: Jefferies, company data page 142 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 94: BeyondTrust Company Facts Founded: 1985 Headquarters: Phoenix, AZ Website: http://www.beyondtrust.com Employees: 375 Estimate Annual Revenue: approx. $125M Investors Veritas Capital Management Company Description The BeyondTrust PowerBroker Privileged Access Management Platform is an integrated solution to provide control and visibility over all privileged accounts and users. By uniting capabilities that many alternative providers offer as disjointed tools, the PowerBroker platform simplifies deployments, reduces costs, improves system security, and reduces privilege risks. The PowerBroker platform is unified by a common discovery, reporting, threat analytics, and management interface. Key Products / Services PowerBroker Enterprise Password Security Solution  Discovers, manages and monitors all privileged accounts and SSH keys in any asset or application  Reveals application and asset vulnerabilities before granting privileged access  Monitors privileged sessions in real-time, providing true dual control  Analyzes, records and reports on privileged password, user and account behavior  Leverages integrated privileged threat analytics for better decision making PowerBroker Endpoint Least Privilege Solution  Removes excessive rights, elevating privileges to applications, not users  Uses rules to blacklist, whitelist and greylist applications without managing a massive database of signatures  Provides risk visibility into applications targeted for privilege elevation  Discovers, manages and monitors privileged passwords automatically  Analyzes, records and reports on privileged password, user and account behavior PowerBroker Server Privilege Management Solution  Provides fine grained policy controls over what privileged Windows, Unix and Linux users can do once they are logged on  Discovers, manages and monitors root and admin passwords and SSH keys automatically  Enables single sign-on and simplified policy  Provides risk visibility into applications targeted for privilege elevation  Analyzes, records and reports on privileged password, user and account behavior PowerBroker Auditing & Security Suite  Audits any changes to Active Directory objects, File Systems, Exchange and SQL, and alerts to those changes  Provides rollback and restore of any Active Directory changes or deletions, and backup and restore of Group Policy  Delivers entitlement reporting, ensuring that users have access to only the resources they need to do their jobs  Centralizes distributed audit data, providing more capabilities than native tools and a unified view of changes Retina Enterprise Vulnerability Management Solution  Delivers reporting and analytics that provide relevant and actionable data to prioritize and remediate vulnerabilities  Ensures zero-gap coverage of all devices enterprise-wide, including network, web, mobile, cloud and virtual infrastructure  Addresses all phases of vulnerability management – from assessment and remediation, to endpoint protection and PAM Key Executives Kevin Hickey: President & CEO Maurice Heiblum: COO Bryce Hancock: CFO Brad Hibbert: CTO Board of Directors Daniel Sugar: Veritas Capital Management Hugh Evans: Veritas Capital Management Ronald Sugar: former Northrop Grumman Chairman and CEO Source: Jefferies, company data page 143 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 95: Bitdefender Company Facts Founded: 2001 Headquarters: Bucharest, Romania Website: http://www.bitdefender.com Employees: 1100 Estimate Annual Revenue: N/A Investors N/A Company Description Bitdefender provides antivirus and antispyware software for consumers and SMBs, and enterprises across 150 countries. Applications include web protection, cloud antispam, firewall, vulnerability scanner, parental controls, file encryption, device antitheft, and backup software for corporate and home users. Key Products / Services Bitdefender's products are organized by consumer and corporate end markets. For consumers, the Total Security Multi-Device is a security suite that protects Windows, Mac and Android devices through machine-learning technologies to improve malware detection and enhance proactive security; the Family Pack offers privacy protection through parental control, device anti-theft, safe online banking and shopping, and password management tools; for Windows-based computers, Bitdefender Total Security, Bitdefender Internet Security, Bitdefender Antivirus Plus offer protection to end-users through anti-phishing and antispam modules, firewall, and anti-virus protection; and for Android users Bitdefender Mobile Security provides cloud-based antimalware and antitheft features. The company also provides free tools with simpler consumer features, such as Antivirus Free Edition, QuickScan, and Adware Removal. For corporate environments, Bitdefender provides a next generation Endpoint security solution called GravityZone, a business solution that can be installed on premise or cloud hosted by Bitdefender. GravityZone can provide advanced security for physical, hybrid cloud and mobile enterprise networks. The Bitdefender Business Portfolio includes 3 GravityZone security packages:  GravityZone Business Security bundle allows small customers to protect physical and virtual desktop and servers, combining security with simple centralized management. The solution is available on premise or as a cloud service.  GravityZone Advanced Business Security offers the same services as Business Security but also includes security services for protecting Microsoft Exchange servers and Mobile devices. It includes Smart Central Scan, allowing Security admins to offload antimalware processes to a centralized scanning server in order to lower the resource consumption on protected systems. The solution is also available as an on premise installation or as a cloud service.  GravityZone Enterprise Security is available only on premise and provides security services for protecting physical and virtual desktops and servers, Microsoft Exchange mail servers and mobile devices.  GravityZone Security for Virtualized Environments (SVE) is the security flagship module delivered within GravityZone Enterprise Security. It employs a vendor agnostic architecture with the ability to support any hypervisor, whether natively integrated or standalone. SVE leverages multiple techniques to achieve deduplication. An AWS module is also available to extend endpoint security tools for Amazon web services.  GravityZone Security for MSSPs: The company also provides a full commercial security portfolio tailored to meet Managed Service Providers business models. Key Executives Florin Talpes: CEO Bogdan Irina: COO Niculae Dinca: CFO Bogdan Dumitru: CTO Viorel Canja: Head of Antimalware and Antispam Labs Ion Radoslovescu: Chief Process Officer Rares Stefan: Chief Strategy Officer Board of Directors N/A Source: Jefferies, company data page 144 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 96: Bitglass Company Facts Founded: 2013 Headquarters: Campbell, CA Website: http://www.bitglass.com Employees: 70 (per LinkedIn) Estimate Annual Revenue: N/A Investors NEA Norwest Venture Partners Singtel Innov8 Company Description Bitglass is a Cloud Access Security Broker - cloud-hosted software that act as a control point to secure cloud services - that delivers security technologies beyond the network perimeter to deliver total data protection for the enterprise in the cloud, at access, on mobile devices, or on the network. Key Products / Services Bitglass offers five editions of its cloud-based security platform: Breach Discovery, API, Mobile, Standard, and Enterprise. All five editions are licensed in a per-user subscription service. Breach Discovery features include cloud-based risk reporting with dynamic threat analysis and malicious destination reporting. The API solution, geared towards enterprise IT admins of services such as Box, Office 365, Salesforce, and Servicenow manages data at rest in the cloud, via activity alerts and audit logging, analytics, external sharing control, and data recovery management. The Mobile Edition is an agentless replacement for traditional MDM, delivering security and control of data downloaded to BYOD without the need for software agents that invade user privacy and are difficult to deploy. Bitglass' Standard Edition includes API and Mobile Edition, adding inline real-time DLP and control of data downloaded or uploaded from managed and unmanaged devices. Standard Edition includes AJAX-VM technology, uniquely enabling real-time inline control from any device without the need for software agents or configuration. Bitglass Enterprise Edition further adds private cloud/on-premise deployment options and searchable encryption technology, to satisfy data-residency and compliance requirements in regulated industries. Key Executives Nat Kausik: CEO Anurag Kahol: CTO Anoop Bhattacharjya: Chief Scientist Rich Campagna: SVP of Products and Marketing Chris Chan: SVP of Engineering Andrew Urushima: SVP of Finance Dean Hickman-Smith: SVP World Wide Field Operations Board of Directors Nat Kausik: CEO, Bitglass Matthew Howard: Norwest Venture Partners Forest Baskett, Ph.D: New Enterprise Associates Scott Sandell: New Enterprise Associates Source: Jefferies, company data page 145 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 97: Bromium Company Facts Founded: 2010 Headquarters: Cupertino, CA Website: https://www.bromium.com Employees: 190 Estimate Annual Revenue: N/A Investors AH Capital Management Ignition Venture Partners Highland Capital Partners Intel Capital Meritech Capital Partners Lightspeed Management Company Description Bromium has been an innovator in next generation enterprise security by turning the organization's largest liability – endpoints and servers – into their defense through Virtualization-Based Security™. As a Gartner-recognized “Cool Vendor,” Bromium is a disruptive security vendor to existing endpoint security by leveraging a combination of patented hardware-enforced isolation and a distributed machine-learning Sensor Network to protect across all major threat vectors and attack types. Unlike traditional security technologies, such as antivirus or sandboxing, that rely on ineffective detection techniques, Bromium automatically learns and adapts to new attacks and instantly shares threat intelligence to eliminate the impact of malware. The result is malware threat protection and increased ROI as Bromium eliminates the need for other security investments. Key Products / Services The Bromium platform uses virtualization-based security and isolation technology to dramatically decrease attack surfaces and contain threats online or offline inside micro-VMs in an easy-to-deploy and quick time-to-value platform. Each endpoint protected by Bromium is part of the Sensor Network that performs threat analysis and instantly shares indicators of compromise with the rest of the network for faster time to resolution. SOC teams are able to perform detailed analysis with the full kill chain analysis and visualization garnered from each micro-VM. The Bromium platform integrates with the Bromium Threat Cloud where correlation of known bad and good is performed. Threat intelligence is collected and shared with all customers to accelerate attack response time. Key Executives Gregory Webb, PhD: CEO Ian Pratt, PhD: President and SVP, Worldwide Engineering Simon A. Crosby, PhD: CTO Rahul Kashyap: Chief Security Architect & SVP, Security Gavin Hill: VP, Product Management & Marketing Jennifer Carole: VP Marketing Jan Kang: VP Legal and HR Earl Charles: Chief Financial Officer Board of Directors Peter Levine: AH Capital Management Frank Artale: Ignition Partners Peter Bell: Highland Capital Partners Rob Ward: Meritech Gregory Webb: Bromium Ian Pratt: Bromium Source: Jefferies, company data page 146 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 98: Carbon Black Company Facts Founded: 2002 Headquarters: Waltham, MA Website: http://www.carbonblack.com Employees: 700+ Estimate Annual Revenue: $70M+ (FYE Dec. 2015) Investors Atlas Venture (Accomplice) Highland Capital Partners Kleiner Perkins Caufield Byers .406 Ventures Sequoia Capital Blackstone Paul Capital Partners Company Description Carbon Black delivers a complete endpoint security platform. The company enables organizations to defend their endpoints by combining continuous, real-time visibility into every computer; real-time signature-less threat detection; incident response that combines a recorded history with live remediation; and prevention that is proactive and customizable. Key Products / Services The Cb Endpoint Security Platform helps organizations of all sizes replace ineffective antivirus, lock down endpoints and critical systems, and arm incident response teams with the most advanced tools to hunt down threats. The platform comprises three technologies: Cb Defense, Cb Response and Cb Protection. Each of these offerings are powered by the Cb Collective Defense Cloud:  Cb Defense is a next-generation anti-virus solution for desktops, laptops, and servers that protects computers from the full spectrum of modern cyber-attacks. Using a combination of endpoint and cloud-based technologies, its deep analytic approach inspects files and identifies malicious behavior to block both malware and increasingly common malware-less attacks that exploit memory and scripting languages like PowerShell.  Cb Response is an IR and threat hunting solution that continuously records and captures all threat activity enabling customers to hunt threats in real time, visualize the complete attack kill chain, and then respond and remediate attacks, quickly.  Cb Protection provides an application control solution for enterprise endpoints and critical systems. With Cb Protection, IT, compliance, infrastructure, and security teams establish automated software execution controls and protection policies that safeguard corporate and customer data. Cb Protection works with existing software distribution systems and reputation services to automate approval of trusted software and eliminate whitelist management. The Cb Endpoint Security Platform incorporates the Cb Collective Defense Cloud, which provides an assessment of what’s safe and what’s not in an environment based on the most complete endpoint data. This next-generation attack analytics engine crunches big data related to attacks, threats, behaviors, and change, with the singular purpose of identifying malicious activity. Raw endpoint data is continuously streamed from over 7 million computers protected by Carbon Black products, where it is enhanced with threat intelligence from dozens of sources including Carbon Black’s customer and partner base. Key Executives Patrick Morley: President and CEO Tom Barsi: VP, Business Development Roman Brozyna: Chief Information Security Officer Ed Filippine: EVP, Worldwide Sales Mark Sullivan: CFO Scott Lundgren: VP, Engineering Michael Viscuso: CTO Board of Directors Patrick Morley: President and CEO Maria Cirino: Co-founder and Managing Partner, .406 Ventures Jeff Fagnan: Founder of Accomplice Ron Nordin: Serial entrepreneur and investor; former CEO, SQA; Partner, Atlas Venture Joe Tibbetts: Senior VP and CFO, Sapient Paul Maeder: Founding Partner, Highland Capital Partners Tony Zingale: Executive Chairman, Jive Software Source: Jefferies, company data page 147 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 99: Centrify Corporation Company Facts Founded: 2004 Headquarters: Santa Clara, CA Website: http://www.centrify.com Employees: 450 (2014) Estimate Annual Revenue: $65M (2014) Investors Accel Partners Mayfield Fund Jackson Square Invesco Private Capital Index Ventures DoCoMo Capital Fortinet Samsung Ventures America Company Description Centrify Corp. provides identity management software solutions. It provides cloud-based identity-as-a-service (IDaaS) that allows programs to manage multiple identities through computer networks and cloud computing environments. Key Products / Services The firm’s products secure enterprise identities against cyberthreats that target today’s hybrid IT environment of cloud, mobile and onpremises. The Centrify Identity Platform protects against the leading point of attack used in data breaches ― compromised credentials — by securing an enterprise’s internal and external users as well as its privileged accounts. Centrify delivers stronger security, continuous compliance and enhanced user productivity through single sign-on, multi-factor authentication, mobile and Mac management, privileged access security and session monitoring. Centrify Identity Service improves end-user productivity and secures access to cloud, mobile, and on-premises apps via single sign-on, user provisioning and multi-factor authentication. Manage apps, mobile devices, and Macs via Active Directory, LDAP or cloud identity stores. Centrify Privilege Service combines shared account password management with the ability to securely manage and audit access by internal and outsourced IT. Net result is increased security when sharing privileged accounts, simplified compliance and secure remote access to on-premises and cloud-based infrastructure. Centrify Server Suite combines comprehensive bridging of Linux and UNIX systems to Active Directory with powerful privilege management and session monitoring across Windows, Linux and UNIX systems. Net result is increased security, improved compliance and comprehensive reporting and auditing. Key Executives Tom Kemp: CEO Tim Steinkopf: CFO Paul Moore: CTO Adam Au: SVP, Engineering Bill Mann: SVP, Products Gary Taggart: SVP, Worldwide Sales Rhonda Shantz: CMO Rashmi Garde: GC Board of Directors Tom Kemp: Centrify Robin Vasan: Mayfield Fund Arthur Patterson: Accel Pete Solvik: Jackson Square Ventures Murray Demo: Atlassian Brian NeSmith: Arctic Wolf Networks Christy Wyatt: Dtex Systems Source: Jefferies, company data page 148 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 100: ClearDATA Networks Company Facts Ticker: 2012 Founded: Austin, TX Headquarters: http://www.cleardata.com Website: 142 Employees: N/A Investors Excel Medical Ventures Merck Global Health Innovation Norwest Venture Partners Flare Capital Partners Heritage Group HLM Venture Partners Evan Hackel Jeffrey H. Margolis, CPA Company Description ClearDATA is a healthcare exclusive, HITRUST CSF-certified managed cloud company. More than 350,000 healthcare professionals trust the ClearDATA HIPAA-compliant cloud to safeguard their patient data and power their critical applications. The ClearDATA Dynamic Cloud Platform combines advanced monitoring and automation with the most comprehensive Business Associates Agreement (BAA) in the industry. This ensures health IT organizations, and the technology providers that support them, are adhering to the highest standards in privacy, security, and compliance. Key Products / Services The ClearDATA Dynamic Cloud Platform for AWS automates the deployment of advanced security and compliance services to simplify the management of AWS environments. This helps to ensure healthcare IT organizations are meeting the highest standards in PHI security and HIPAA/HITECH regulatory requirements.       Easily Support Changing Workloads: The platform aligns the customer's technology environments with modern cloud services, easily enabling the capabilities needed to support rapidly changing workloads, including big data analytics, population health, coordinated care and collaborative research. Dynamic Cloud Platform is built to automate the services needed to control an AWS environment. This includes adding more than 30 different services from Anti-virus to Intrusion Detection systems. It doesn’t obscure the AWS infrastructure API’s or control systems. This means that all native and third-party AWS tools continue to function. Automatically Detects Changes: The platform automatically detects changes made within an AWS account and responds to those changes. The response can be anything from alerting ClearDATA managed services to attaching security tools to a newly created instance. Finally, these services are not simply automated. When using platform, ClearDATA includes the associated software licenses and related services as part of each solution. Purposeful BAA makes it easy: Built exclusively for healthcare organizations, and the technology vendors that support them, Responsive Platform is backed by a comprehensive BAA to mitigate risk and protect the customer's organization. As healthcare security and compliance experts, ClearDATA provides a purposeful BAA that ensures full coverage. The customer doesn't need a separate BAA from Amazon Web Services (AWS). Three levels of performance are offered to fit anyone, from a private practice or small application developer to enterprise healthcare. Each is delivered and with the same healthcare critical support. Key Executives Darin Brannin: President/CEO Chris Bowen: Chief Information Security Officer Matt Ferrari: Chief Technology Officer Aaron Barfoot: Chief Financial Officer Pat Cathey: Chief Revenue Officer Board of Directors Darin Brannan: ClearDATA Robert B. Abbott, MBA: Norwest Venture Partners Joseph B. Volpe, III: Merck Global Health Innovation Caleb M. Winder, MBA: Excel Medical Ventures W. Paul Wallace, MBA: Heritage Group Vincent Fabiani: HLM Venture Partners Source: Jefferies, company data page 149 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 101: Cloudflare Company Facts Founded: 2010 Headquarters: San Francisco, CA Website: http://www.cloudflare.com Employees: 350 Estimated Annual Revenue: N/A Investors Baidu CapitalG Fidelity Investments Greenspring Associates Microsoft Accelerator New Enterprise Associates Pelion Venture Partners Qualcomm Ventures Summer@Highland Union Square Ventures Venrock Company Description Cloudflare is a web application performance and security company dedicated to giving web administrators the tools to protect their sites against a wide range of attacks. Its products can be grouped into separate categories: Performance, Security, Reliability, and Analytics. Today the company runs one of the world’s largest networks that powers more than 10 trillion requests per month, which is nearly 10 percent of all Internet requests for more than 2.5 billion people worldwide. Key Products / Services Performance: Cloudflare offers a CDN service, which moves content physically closer to users; website optimization to enable optimal website technologies; DNS services to speed up the resolution of domain names; SSL encryptions and dedicated certificates; and load balancing to improve reliability of Internet facing sites. Security: Cloudflare offers a number of security services, which operate at the edge of the network. They include DDoS protection, Web Application Firewalls (WAF), registrar services for domain names, the ability to control traffic, SSL, and dedicated SSL certificates. Reliability: Cloudflare operates a large edge network to ensure that servers are spread around the world closest to users in order to ensure reliability. The company also offers DNS services, a China network to optimize connections to mainland China, and offers a flatrate pricing structure on bandwidth costs in order to ensure predictability for customers. Insights: Cloudflare estimates that over 10% of Internet requests pass through its network. The company offers detailed worldwide logs to enterprise customers, identifies threats, and provides customizable rulesets to control traffic. Key Executives Matthew Prince: Co-Founder & CEO Lee Holloway: Co-Founder & Lead Engineer Michelle Zatlyn: Co-Founder John Graham-Cumming: CTO Board of Directors Carl Ledbetter: Pelion Venture Partners Scott Sandell: Managing General Partner, New Enterprise Associates Matthew Prince: Co-founder & CEO, Cloudflare Michelle Zatlyn: Co-founder, Cloudflare Source: Jefferies, company data page 150 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 102: Contrast Security Company Facts Founded: 2014 Headquarters: Palo Alto, CA Website: https://www.contrastsecurity.com/ Employees: 45-60 Estimated Annual Revenue: N/A Investors Acero Capital General Catalyst Partners Company Description Contrast Security is a provider of security technology that enables software applications to protect themselves against cyberattacks. Contrast's deep security instrumentation enables highly accurate analysis and always-on protection of an entire application portfolio, without disruptive scanning or expensive security experts. Contrast has intelligent agents that work actively inside applications to prevent data breaches, defeat hackers and secure the entire enterprise. Key Products / Services Contrast Assess deploys an intelligent agent that instruments the application with smart sensors to analyze code in real time from within the application. This results in continuous security where nearly all false positives are eliminated. The other component of Contrast Security is Contrast Protect, a Runtime Application Self-Protection (RASP) product. RASP products like Contrast Protect enable applications to protect themselves against attack. By defending from within the application itself, Contrast Protect has an inherent information advantage over legacy Web Application Firewalls (WAF), Intrusion Protection Systems (IPS) and Intrusion Detection Systems (IDS) products. Traditionally, Web Application Firewalls have attempted to block attacks at the perimeter, without any knowledge about the applications they are protecting. Advantages of Contrast Protect:  Monitors threats and protects from within each application  Moves and scales with each application  Provides accurate attack visibility and blocking  Won’t inadvertently stop legitimate business Contrast Protect uses deep security instrumentation to gain insight into exactly how attacks behave with the goal of providing better insight and increased effectiveness at protecting applications. Key Executives Alan P. Naumann: Chairman of the Board, President & CEO Jeff Williams: Co-founder and Chief Technology Officer Arshan Dabirsiaghi: Co-founder, Chief Scientist Board of Directors Alan P. Naumann: CEO, Contrast Security Jeff Williams: CTO, Contrast Security John Jack: Board Member Rami Elkhatib: General Partner, Acero Capital Steve Herrod: General Catalyst Brian Chess: Board Advisor Source: Jefferies, company data page 151 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 103: Core Security Technologies Company Facts Founded: 1996 Headquarters: Roswell, GA Website: http://www.coresecurity.com Employees: N/A Estimate Annual Revenue: N/A Investors K1 Capital (Private Equity Firm) Company Description Core Security provides threat-aware, identity, access and vulnerability management solutions that provide actionable intelligence and context needed to manage security risks across the enterprise. Solutions include multi-factor authentication, provisioning, Identity Governance and Administration (IGA), Identity and Access Intelligence (IAI), and Vulnerability Management (VM). The combination of these solutions provides context and shared intelligence through analytics, giving customers a more comprehensive view of their security posture so they can make better security remediation decisions and maintain compliance. Key Products / Services Actionable Insight Platform: Adds intelligence to transform mountains of data into useful and actionable information. The Actionable Insight Platform breaks down the walls of traditional cyber-security into a comprehensive view of an organization’s access, devices on the network, and vulnerabilities. It prioritizes those risks, allowing customers to focus on critical risks and efficiently use time and resources. Vulnerability Management: Core Security provides a comprehensive set of vulnerability management solutions that help by simulating and validating what an adversary would do to reach most critical business assets. Products in this portfolio include Core Impact and Core Vulnerability Management. Identity and Access Management: Core Security provides a comprehensive suite of identity management and access governance solutions that help organizations minimize risk, streamline operations, and reduce cost. Solutions in this portfolio include Core Access Insight, Core Access Assurance Suite, Core Password, Core Access, Core Provisioning, Core Compliance, Core Privileged Access Management (PAM) Core Network Insight: Core Network Insight is an advanced threat detection system built on nearly a decade of scientific research and big data visibility. It automatically and accurately identifies hidden infections in real time on live traffic. When Core Network Insight confirms a device is infected by advanced persistent threats or malware, it terminates criminal communications and presents a full case of evidence, prioritized by risk – thus, no more chasing False Positives. Core Network Insight delivers actionable information about known and unknown threats regardless of the infection’s source, entry vector or OS of the device. It arms responders with definitive evidence so they can rapidly prevent loss on high-risk devices while blocking activity on the rest. Key Executives David Earhart, Chief Executive Officer Chris Papadakis, Chief Operating Officer Curtis Cain, Chief Financial Officer Ron Wilson, Sr., VP, Global Sales & Customer Success Venkat Rajaji, Sr. VP, Marketing Chris Sullivan, General Manager, Intelligence/Analytics Board of Directors K1 Capital (Private Equity Firm) Source: Jefferies, company data page 152 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 104: CounterTack Company Facts Founded: 2007 Headquarters: Waltham, MA Website: http://www.countertack.com Employees: 50-100 Estimate Annual Revenue: approx. $30-40M Investors Fairhaven Capital Management Alcatel-Lucent EDB Investments Mitsui & Co. Ten Eleven Ventures ManTech International Corp. The Goldman Sachs Group Razor’s Edge Ventures Siemens Venture Capital Arsenal Venture Partners VMWare Company Description CounterTack is a provider of real-time, Big Data endpoint detection and response technology for the enterprise. It provides visibility and context around operating system and binary behaviors to detect zero-days attacks, rootkits, targeted malware and advanced persistent threats, enabling customers to improve incident response and advanced threat detection. Key Products / Services Sentinel is a comprehensive, Big Data endpoint detection and response (EDR) solution that can scale enterprise-wide so teams can operationalize the continuous monitoring of workstation, laptop, and server endpoints. Its goal is to enable teams to condense incident investigation cycles and prioritize the management of threats. Sentinel is CounterTack's flagship product that delivers context and visibility to customers around endpoint threats with the ability to dynamically detect attacks faster and prevent the execution of advanced threats. Responder PRO is a physical memory and automated malware analysis solution designed to analyze malware code binaries on a single machine. Responder PRO allows incident response professionals to collect and analyze critical threat intelligence that can be found in physical memory including chat sessions, registry keys, encryption keys, and socket information. Active Defense hunts malware, enabling security teams at enterprise and mid-sized businesses rapidly and accurately assess the impact of malware and automatically respond to infections across their endpoint environments. The product is powered by CounterTack's Digital DNA technology, which allows operators to hunt malware with a comprehensive suite of forensics tools. Customers can also choose to analyze physical memory using with the Memdump feature, use runtime scanning for virtualized environments or execute faster scans without the reliance on disk-based physical memory dumps. Service Offerings: In addition to its suite of EDR and incident response solutions, CounterTack offers the following set of services:  CounterTack Health Check. This risk assessment provides customers with detailed information needed to improve their risk posture by assessing endpoints for the presence of suspicious code and communications.  Incident Response and Triage. This managed service includes risk assessment via security scans, the monitoring of security controls, and incident response and resolution.  Data Breach Response. This managed service can be delivered remotely or onsite for the forensics investigation of an incident, and offers risk assessment. Key Executives Neal Creighton: CEO Jim Bandanza: Chief Revenue and Operating Officer Jim Harrison: CFO Michael Davis: CTO Raj Dodhiawala: SVP Product Management & Engineering Tom Bain: VP Sales and Global Marketing Mike Deskewies: VP, Strategic Accounts William Ronca III: VP, International Sales John Adams: CounterTack Fellow Board of Directors William J. Fallon (Chairman of Board): retired four-star Admiral, Founder of William J. Fallon & Associates Neal Creighton: CEO, CounterTack Paul L. Ciriello: Fairhaven Capital Christopher Boies: Partner, Boies, Schiller & Flexner LLP Alen Capalik: Founder and Chief Architect Alex Doll: Founder/Managing Partner, Ten Eleven Ventures Source: Jefferies, company data page 153 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 105: CrowdStrike Holdings Company Facts Founded: 2011 Headquarters: Irvine, CA Website: http://www.crowdstrike.com Employees: 450 Estimate Annual Revenue: $100M Investors Warburg Pincus LLC Accel Partners LLC Google Capital Rackspace Hosting, Inc. Company Description CrowdStrike provides next-generation endpoint protection, threat intelligence and response services. CrowdStrike’s core technology, the CrowdStrike Falcon platform, stops breaches by preventing and responding to all types of attacks – both malware and malwarefree. CrowdStrike has revolutionized endpoint protection by unifying three crucial elements: next-generation antivirus, endpoint detection and response (EDR), and a 24/7 managed hunting service —delivered via the cloud in a single lightweight sensor. Falcon uses the CrowdStrike Threat Graph to analyze and correlate billions of events in real time, providing complete protection and fivesecond visibility across all endpoints. The company offers threat prevention with its combination of signature-less machine learning and behavioral-based analytics. Key Products / Services Falcon Host provides next-generation endpoint security solution that combines machine learning/artificial intelligence, Indicators-ofAttack (IoAs), and exploit mitigation technologies to provide superior threat protection at the endpoint. It combines next-gen antivirus (AV) with endpoint protection and response (EDR) delivered via a single lightweight agent. In addition to Falcon Host, customers can invest in Falcon Overwatch -- a managed hunting service, staffed by cyber intrusion detection analysts and investigators, that augment a customer’s resources, to help them stop breaches. CrowdStrike’s Falcon Intelligence is a subscription service that provides strategic, customized and actionable intelligence to customers. CrowdStrike’s global Intelligence team tracks all adversaries — nation-state, criminal, hacktivist, and activist — providing detailed technical and strategic analysis to help customers understand adversary motives, anticipate their actions, and prevent them from causing damage. Falcon DNS identifies and blocks malicious DNS callbacks to protect customer networks from sophisticated adversaries and targeted attacks. Falcon DNS identifies infected endpoints and blocks domains of malicious websites before they can damage customers’ environments. CrowdStrike Services delivers services needed to defend against and respond to security incidents. CrowdStrike’s Incident Response services allow customers to quickly determine the scope of an attack and immediately start to remediate it to resume business operations faster. Proactive pre-incident services are provided to allow customers to anticipate threats, prepare their networks and improve the ability of a security teak to prevent damage from cyber-attacks. Key Executives George Kurtz: Co-Founder, President & CEO Dmitri Alperovitch: Co-Founder & CTO Burt W. Podbere: CFO Coin Black: CIO Johanna Flower: Chief Marketing Officer Scott Fuselier: Vice President, Worldwide Sales Shawn Henry: President, CrowdStrike Services Rod Murchison: Vice President Product Management Steven Chabinsky: General Council & Chief Risk Officer Amol Kulkarni: PhD: Vice President, Engineering Board of Directors Gerhard Watzinger: Chairman of the Board, CrowdStrike George Kurtz: President & CEO, CrowdStrike Joseph P. Landy, MBA: Co-Chief Executive Officer, Warburg Pincus & Co Cary J. Davis, MBA: Managing Director, Warburg Pincus & Co. Dennis J. O'Leary, MBA, CPA: Encore Financial Partners Sameer Gandhi, MBA: Partner Accel Partners Joe Sexton, CrowdStrike BOD member Source: Jefferies, company data page 154 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 106: Cylance Company Facts Founded: 2012 Headquarters: Irvine, CA Website: http://www.cylance.com Employees: 750+ Estimated Annual Revenue: N/A Investors Blackstone Group LP Capital One Growth Ventures Citi Ventures Dell Ventures DFJ Venture Capital Draper Nexus Venture Partners Fairhaven Capital Partners Founders Equity Partners Insight Venture Partners KKR & Co. LP Khosla Ventures TenEleven Ventures Thomvest Ventures Company Description Cylance offers a preventive cybersecurity solution that stops over 99.9% of advanced threats and malware at one of the most vulnerable points: the endpoint. Applying an artificial intelligence approach, the Cylance endpoint security solution, CylancePROTECT, analyzes the DNA of code prior to its execution on the endpoint to find and prevent threats, while using a fraction of the system resources associated with endpoint anti-virus and detect and respond solutions that are widely deployed in enterprises today. Key Products / Services Protect Description: CylancePROTECT leverages artificial intelligence to detect and prevent malware from executing on corporate endpoint computers in real time. This "next generation antivirus solution" CylancePROTECT stops over 99% of advanced threats and malware, exceeding the sub-50% efficacy rates generally achieved by traditional antivirus-based endpoint security solutions. CylancePROTECT does not employ virus definition databases or signatures, is proactive rather than reactive, does not require a persistent cloud connection to protect endpoints, and consumes a fraction of the memory and processing resources of traditional solutions. The Cylance Professional Services domain has a deep cybersecurity expertise, with expert offerings specific to Incident Response, Compromise Assessments, Penetration Testing, Industrial Control Systems (ICS), Critical Infrastructure and Key Resources (CIKR), and custom services. Key Executives Stuart McClure: President, CEO Ryan Permeh: Chief Scientist Glenn Chisholm, MBA: CTO Malcolm Harkins, MBA: Chief Information Security and Trust Officer Nicholas Warner: SVP Global Sales Braden Russell, MBA: SVP, Product Development & Engineering Corey White: VP, Professional Services Jon Miller: Chief Research Officer Board of Directors Stuart McClure: Cylance Art Coviello: Former Chairman & CEO RSA Security Alexander P. Doll: TenEleven Ventures Patrick Heim: Dropbox Mark Bailey: DFJ Venture Capital Alex Weiss: Clearsky Power & Technology Fund Bruce Armstrong: Khosla Ventures Hiro Rio Maeda: Draper Nexus Jim Goldinger: Fairhaven Capital Partners Dave Johnson: Blackstone Group LP Source: Jefferies, company data page 155 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 107: DigiCert Company Facts Founded: 2003 Headquarters: Lehi, UT Website: http://www.digicert.com Employees: 201-500 (per LinkedIn) Estimate Annual Revenue: approx. $100 million Investors Thoma Bravo (majority investor) TA Associates (minority investor) Company Description DigiCert is a global security solutions provider of trusted identity for a connected economy. DigiCert offers authentication, encryption and signing for websites via SSL/TLS certificates and for IoT device identity with a scalable platform to provision certificates and simplify certificate management. Key Products / Services DigiCert provides trusted identity solutions for scalable web and Internet of Things (IoT) security with authentication, encryption, and digital signing for some of the world’s largest brands. The company’s platform accommodates high-volume SSL/TLS certificate deployments and automates certificate lifecycle management to ease administrative burden. DigiCert provides in-house expertise and a multi-functional platform to help organizations of any size build a custom, effective security infrastructure. DigiCert provides Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate authorities. DigiCert offers a variety of SSL certificate options regardless of server type, number of servers, or number of domains an organization needs secured. The company's WildCard Plus SSL certificates secure an entire domain using SANS technology and come with an Unlimited Server License. DigiCert is one of only two trusted Certificate Authorities to provide digital certificates used in the WiFi Alliance’s Release 2 of its Wi-Fi CERTIFIED Passpoint program. The company's SecureWifi Certificates authenticate and encrypt online signup servers compliant with Release 2 of its Wi-Fi CERTIFIED Passpoint program. DigiCert also provides EV Code Signing Certificates integrated with Microsoft’s SmartScreen Application Reputation services that enable software publishers gain immediate reputation in IE 9, IE 10 and Windows 8. Programs signed with an EV Code Signing Certificate can immediately establish reputation even if no prior reputation exists for their file or for them as a publisher. DigiCert provides a centralizing platform for Managed PKI (Public Key Infrastructure), named CertCentral, which allows organizations that require a large volume of SSL certificates to take control of all phases of SSL certificate lifecycle management – including issuing new certificates and reissuing, replacing, and revoking existing SSL certificates, monitoring certificates issued for their domains, inspecting certificates for proper configuration, remediating any weak points, and other features, all available on-demand through automation. Finally, DigiCert offers a number of tools, including the DigiCert Certificate Inspector, DigiCert Certificate Utility, SSL Discovery Tool, SHA-1 Sunset Tool, Always-on SSL Checker, and other offerings that help simplify and automate key functions of the certificate lifecycle management process. Key Executives John Merrill: CEO Flavio Martins: COO Michael Olson: CFO Dan Timpson: Chief Technology Officer Jason Sabin: Chief Security Officer Board of Directors N/A Source: Jefferies, company data, Gartner page 156 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 108: Digital Guardian Company Facts Founded: 2002 Headquarters: Waltham, MA Website: https://www.digitalguardian.com Employees: approx. 360 Estimate Annual Revenue: approx. $50M Investors AWM Investment Co. Fairhaven Capital Management GE Asset Management Loring, Wolcott & Coolidge Fiduciary Advisors Freya Fanning & Co. Mass Mutual Ventures LLC Siemens Financial Services Brookline Venture Partners Theodore G. Johnson Thomas B. Hallowell Christopher J. Ainley Company Description Digital Guardian, Inc. provides data security software and enterprise wide information protection solutions. The firm's use case coverage includes insider threat prevention, privileged user monitoring and control, personal data protection for compliance with PCI, GLBA, HIPAA and many others, intellectual property protection, mobile data protection, cyber threat detection and prevention and ediscovery and forensics. Digital Guardian offers an on-premise solution, cloud-based managed service, or hybrid solution. Key Products / Services Digital Guardian Data Visibility and Control enables enterprises to understand where their PII, PCI, PHI data are located and how they're being used. It also provides real-time visibility of all data movement and transmission; protects endpoints from threats discovered at the network layer; enforces device encryption policies; and allows for control and management of removable devices. Digital Guardian Data Loss Prevention stops sensitive data from getting out of the organization. DLP enables full content inspection and context awareness for data, users, and events, allowing the enterprise to automatically prompt or block a user activity depending on the context and log and audit the event for forensic analysis. DLP policies can be enforced across emails or files moved to removable storage, or cloud storage; allows for protection policies with fine-grained to controls to filter between wanted and unwanted actions; and allows for access permissions and encryption methods for a wide range of devices. Digital Guardian Advanced Threat Protection offers real-time protection of sensitive enterprise data from attacks and breaches. Users can set rules for critical alerts; view correlated events and individual alerts to increase visibility of an attack; automate collection of artifacts to reduce response time and enhance the ability to stop an attack in progress; see all systems that are at risk or infected with Digital Guardian’s automated binary analysis. Digital Guardian offers a suite of add-on modules, including: Advanced File Encryption Module, Advanced Mail Encryption Module, Investigation Module, Memory Forensics Module, Network Agents Module, and User Driven Classification Module. Key Executives Kenneth R. Levine: President & CEO Edward Durkin: CFO Douglas Bailey: Chief Strategy Officer Constance Stack: Chief Marketing Officer David Karp: SVP, Chief Product Officer Mark Menke: Chief Technology Officer Dwayne A. Carson: Chief Architect and Co-Founder Board of Directors Paul Ciriello: Managing General Partner, Fairhaven Capital Partners Hugh L. Warren: Professional Trustee, Loring, Wolcott & Coolidge Anandh Hari: Managing Director ‒ Private Equity, GE Asset Management David Stienes: Partner, LLR Partners Thomas Naughton: Adjunct Associate Professor and the Executive Director of the Center for Private Equity & Entrepreneurship at the Tuck School of Business Source: Jefferies, company data page 157 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 109: Endgame Company Facts Founded: 2008 Headquarters: Arlington, VA Website: http://www.endgame.com/ Employees: 140 Estimated Annual Revenue: approx. $18M Investors Bessemer Venture Partners Paladin Capital Group Columbia Capital Kleiner Perkins Caufield & Byers Edgemore Capital Top Tier Capital Partners TechOperators Company Description Endgame is an endpoint security platform that enables enterprises to close the protection gap against advanced adversaries by preventing advanced attacks and detecting and eliminating resident attacks. Endgame transforms security operations teams and incident responders from crime scene investigators into hunters that prevent damage and loss, and dramatically reduces the time and cost associated with incident response and compromise assessment. The company’s IOC-independent platform covers the entire kill chain, leveraging machine learning and data science to uncover, in real-time, unique attacks that evade traditional defenses and respond precisely without disrupting normal business operations. Key Products / Services Platform: Earliest Prevention, Instant Detection:  Endgame prevents pre-exploitation from zero-days attacks, attacker techniques such as process injection, credential theft and permission theft, without relying on prior threat intelligence, before damage and loss occur.  Endgame detects signature-less malware using unsupervised machine learning models, adversary persistence by identifying uncommon source paths, suspicious processes, etc.  Endgame responds to known and never-before-seen adversaries with precision thread-level response with zero business disruption. Services: Accenture and HPE  Endgame and Accenture launched a 24/7 hunting-as-a-service solution to help enterprises identify and surgically remove known and never-before-seen threats that have evaded traditional security methods.  HPE and Endgame partner to streamline detection and response to advanced threats that bypass traditional security controls. Endgame’s endpoint detection and response solution coordinates with HPE Arcsight’s security management application to stop advanced attacks before they cause damage and loss. Key Executives Nathaniel Fick: CEO Mark Snell: CFO Jamie Butler: CTO Board of Directors Chris Darby: President and CEO, In-Q-Tel David Cowan: Bessemer Venture Partners Arun Gupta: Columbia Capital Lt. Gen. Kenneth A. Minihan (Ret): Managing Director, Paladin Capital Group Thomas E. Noonan: Operating Partner, TechOperators Ted Schlein: General Partner, Kleiner Perkins Caufield & Byers Source: Jefferies, company data page 158 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 110: Fidelis Company Facts Founded: 2002 Headquarters: Bethesda, MD Website: http://www.fidelissecurity.com/ Employees: 300 Estimated Annual Revenue: $70M Investors Marlin Equity Partners Company Description Fidelis Cybersecurity provides advanced threat defense products and next-generation intrusion prevention systems (IPS) that provide visibility and control over the entire threat life cycle. Key Products / Services Fidelis has two primary products, which are tightly integrated: Fidelis Network and Fidelis Endpoint. Fidelis Network is an integrated Next-Generation Intrusion Prevention System that provides continuous protection across the enterprise. It includes: advanced malware protection (detection, prevention, automated threat intelligence), network security analytics (metadata stored on every network transaction, analysis, visualization, reporting, and customized alerts), data theft protection (DLP, intellectual property protections, content visibility, data profiling, and alerts). Fidelis Network is focused on real-time detection and prevention through network traffic and payload analysis. Components of the Fidelis Network solution include a web-based management console, network sensors (across inbound/outbound network traffic, email, and web), network security analytics, and an assessment incident response platform. Fidelis Endpoint is an endpoint detection and response (EDR) product that is tightly integrated with Fidelis Network. It identifies compromised endpoints and automates investigation by harvesting rich system metadata from endpoints, correlating against Fidelis’ intelligence, threat reputation services and third-party threat intelligence feeds to identify which endpoints are compromised. When compromised endpoints are identified, the product enables automatic remediation. In addition to Deployment/Configuration Services, Fidelis also provides Security Consulting Services that include Incident Response, Compromise Assessments, Security Readiness Assessments and Litigation Support. Key Executives Peter G. George: President & CEO Richard Darer: CFO Kurt Bertone: CTO David Macey: SVP, Worldwide Sales Mike Buratowski: SVP Cybersecurity Services Michael Evans: CMO Board of Directors Robin Pederson: Chairman Source: Jefferies, company data page 159 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 111: ForeScout Company Facts Founded: 2000 Headquarters: Campbell, CA Website: http://www.forescout.com/ Employees: 700+ Estimated Annual Revenue: $100M+ Investors Accel Partners Amadeus Capital Meritech Capital Partners Pitango Venture Capital Wellington Management Company Description ForeScout Technologies is an IoT security company that offers the ability to see devices the instant they connect to the network, control them and orchestrate information sharing and operation among disparate security tools. Key Products / Services ForeScout CounterACT is a physical or virtual security solution that dynamically identifies and evaluates devices, users and applications the instant they connect to the network. Because CounterACT doesn’t require agents, it works with devices—managed and unmanaged, known and unknown, PC and mobile, embedded and virtual. CounterACT quickly determines the user, owner, operating system, device configuration, software, services, patch state and the presence of security agents. Next, it provides remediation, control and continuous monitoring of these devices as they come and go from the network. CounterACT can be deployed locally or in distributed environments and centrally managed with CounterACT Enterprise Manager. Key Executives Michael DeCesare: CEO and President Christopher Harms: CFO Oded Comay: Co-Founder and CTO Pedro Abreu: Chief Strategy Officer Rob Greer: CMO & SVP Products Board of Directors Hezy Yeshurun: Chairman of the Board & Co-Founder David DeWalt: Vice Chairman of the Board Michael DeCesare: President and CEO, ForeScout Richard Anton: Director, Amadeus Capital Partners Limited James Beer: EVP & CFO, McKesson T. Kent Elliott: Former CEO, ForeScout Theresia Gouw: Managing Director, Aspect Ventures Mark Jensen: Former partner, Deloitte & Touche LLP Rami Kalish: Managing Director, Founder, Pitango Venture Capital Enrique Salem: Managing Director, Bain Capital Ventures Source: Jefferies, company data page 160 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 112: ForgeRock Company Facts Founded: 2010 Headquarters: San Francisco, CA Website: http://www.forgerock.com/ Employees: N/A Estimated Annual Revenue: N/A Investors Accel Partners CrossContinentalVentures Foundation Capital Meritech Capital Partners Company Description ForgeRock develops open source identity management solutions for enterprise and government organizations. It offers its products through the ForgeRock Identity Platform, which includes Access Management, Identity Management, Directory Services, and Identity Gateway. Key Products / Services User-Managed Access (UMA), built from the OpenAM and OpenIG open source projects, enables customers and employees to determine who and what gets access to personal data, for how long, and under what circumstances. Users can monitor and manage sharing preferences through a central console. Identity Management, built from the OpenIDM open source project, allows management of the complete identity lifecycle of users, devices, and things. From identity to device registration, provisioning, synchronization, and reconciliation, it enables users and customers to move between devices. Directory Services, built from the OpenDJ open source project, a high-performance, web-scale directory systems, can deliver throughput up to tens-of-thousands of logins per second. Identity Gateway, built from the OpenIG open source project, provides a flexible policy enforcement point to support existing environments while migrating towards modern, standards-based platforms. Key Executives Mike Ellis: CEO John Fernandez: CFO Lasse Andresen: Co-Founder & CTO Robert Humphrey: CMO Board of Directors Bruce Golden: Accel Partners Paul Madera: Meritech Capital Partners Source: Jefferies, company data page 161 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 113: HyTrust Company Facts Founded: 2007 Headquarters: Mountain View, CA Website: http://www.hytrust.com/ Employees: approx. 100 Estimated Annual Revenue: approx.. $25M Investors AITV Cisco Epic Ventures Fortinet Granite Ventures Intel In-Q-Tel Trident Capital Vanedge Capital Partners VMware Company Description HyTrust’s mission is to make private, public and hybrid cloud infrastructure more trustworthy for enterprises, service providers and government agencies. HyTrust provides solutions that automate security controls for software-defined computing, networking and storage workloads to achieve the highest levels of visibility, granular policy control and data protection. HyTrust customers benefit from being able to accelerate cloud and virtualization cost savings while improving their security posture by automating and enforcing security policies in real time, adapting quickly to compliance requirements, and preventing unplanned outages. Key Products / Services HyTrust CloudControl is the offers advanced role and object based access controls, forensic logging, policy enforcement and hypervisor hardening for the software-defined-data center (SDDC). These key capabilities allow organizations to automate security and compliance requirements mandated by a broad range of industry standards including PCI-DSS, HIPAA, NIST, SOX, etc. Because HyTrust CloudControl is deployed as a transparent proxy between vSphere privileged users and all management interfaces to the virtual infrastructure, it can seamlessly intercept and log all administrative requests and enforce advanced role and resource based policies that protect workloads from accidental or malicious privileged user misuse. HyTrust DataControl offers powerful, data-at-rest encryption with integrated key management to secure virtual workloads and their data throughout their lifecycle – from deployment and migration to sanctioned decommission. HyTrust DataControl is easy to deploy and manage and can run in any type of cloud environment whether it be private, public, or hybrid. It also supports the highest levels of availability by offering the ability to rekey workloads without taking applications offline. HyTrust DataControl can be deployed as a physical or virtual appliance in any cloud environment and is comprised of three key components: 1) Key Controller, 2) Policy Engine, and 3) Policy Agent. Administrators can configure or modify encryption policies via the Policy Engine, which in turn collects the rules for the Key Controller. The Key Controller ensures that the Policy Agent within the workload executes on these policies by managing the key creation, rotation and decommissioning process. Key Executives John De Santis: Chairman and CEO Eric Chiu: Co-Founder and President Mercedes Caprara: CFO Hemma Prafullchandra: CTO and EVP of Products Ashwin Krishnan: SVP of Product Management and Strategy Fred Kost: Senior Vice President of Marketing Board of Directors John De Santis: Chairman and CEO Eric Chiu: Co-Founder and President Brian Nugent: General Partner, AITV Alberto Yepez: Managing Director, Trident Capital Stan Meresman: Independent Director Standish O'Grady: Managing Director, Granite Ventures Source: Jefferies, company data page 162 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 114: Illumio Company Facts Founded: 2013 Headquarters: Sunnyvale, CA Website: http://www.illumio.com/ Employees: 160 Estimated Annual Revenue: >$10M (estimate) Investors Andreessen Horowitz General Catalyst Formation 8 BlackRock Funds Accel Partners Data Collective John W. Thompson Marc Benioff Jerry Yang Company Description Illumio offers a data center and cloud security platform that provides visibility into application traffic, dynamically segments applications, and provides encryption without relying on the infrastructure. Key Products / Services Illumio’s Adaptive Security Platform (ASP) delivers the optimal security for applications and workloads running in data centers, public and private clouds, and it continuously adapts by dynamically incorporating changes derived from automation and directly from each host. This enables both the securing of east-west traffic on networks as well as the segmentation of applications in data center and cloud environments. Key Executives Andrew Rubin: CEO and Founder Remo Canessa: CFO PJ Kirner: CTO and Founder Alan S. Cohen: Chief Commercial Officer Board of Directors Andrew Rubin: CEO and Founder, Illumio Alan S. Cohen: Chief Commercial Officer, Illumio Steve Herrod: Managing Director, General Catalyst Partners John M. Jack: Board Partner, Andreessen Horowitz Joe Lonsdale: Founder and Managing Partner, Formation 8 John W. Thompson: Chairman of the Board, Microsoft Source: Jefferies, company data page 163 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 115: Invincea Company Facts Founded: 2006 Headquarters: Fairfax, VA Website: http://www.invincea.com Employees: 51-200 (per LinkedIn) Estimate Annual Revenue: N/A Investors Dell Grotech Ventures Harbert Growth Partners New Atlantic Ventures Company Description Invincea provides advanced malware threat detection, prevention, and pre-breach forensic intelligence for over 25,000 customers and 3 million active users. Key Products / Services Invincea Endpoint enables organizations to contain, identify, and control both known and unknown threats. By running users’ most vulnerable applications in a secure virtual container, Invincea prevents attackers from leveraging zero-day exploits and executing malicious code, even previously unknown or file-less malware. This protects end user systems against spear-phishing, web drive-by downloads, Java and Flash exploits, watering hole attacks and much more. Invincea Endpoint containerizes applications that are exploited via spear-phishing and web browsing – browsers (Internet Explorer, Chrome, Firefox), browser plug-ins (Java, Flash, Silverlight, QuickTime, Acrobat Reader), stand-alone Adobe Acrobat / Reader, Office applications (Word, Excel, PowerPoint) and more. Working with Invincea Management, Invincea Endpoint also enables end user systems to serve as a distributed sensor network, identifying existing compromised machines throughout customers’ networks. It automatically analyzes suspicious programs, leveraging Invincea’s cloud-based Cynomix technology for cyber genome analysis. Invincea Endpoint then performs granular escalated controls, allowing security teams to quarantine, study and eradicate infections enterprise-wise. Cynomix is an advanced malware analysis technology that works with Invincea Endpoint to identify previously unknown malware running within a network. Backed by four years of DARPA-funded development, Cynomix is a cloud-based service that analyzes suspicious programs for malicious indicators, using patent-pending cyber genome analysis technology. Cynomix provides rich information to determine if the program is likely malicious, based on the similarity of its unique genetic markers to those in known malware families. Cynomix uses machine learning and crowdsourced analysis to identify malware that many other solutions miss. Key Executives Anup Ghosh: Founder and CEO Norm Laudermilch: COO Dana Mariano: CFO Dan Lowden: CMO Christopher Day: CISO Kathie Miley: EVP Worldwide Sales Alan Keister: VP Engineering Chris Greamo: EVP Invincea Labs Board of Directors Mike Daniels (Chairman): Former Chairman and CEO, Network Solutions Amit Yoran: President, RSA, the Security Division of EMC Amit Mital: Independent Tom Roberts: Harbert Growth Partners John Backus: Founder and Managing Partner, New Atlantic Ventures Steve Fredrick: General Partner, Grotech Ventures Anup Ghosh: Founder and Chief Executive Officer, Invincea Source: Jefferies, company data page 164 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 116: LogRhythm Company Facts Founded: 2003 Headquarters: Boulder, CO Website: http://www.logrhythm.com/ Employees: >550 Estimated Annual Revenue: >$100M Investors Access Venture Fund Adams Street Partners Croghan Investments Delta-v Capital EDB Investments Exclusive Ventures Grotech Ventures High Country Venture Riverwood Capital Siemens Venture Capital Silver Lake Waterman The Colorado Impact Fund Company Description LogRhythm is a global provider of Security Intelligence solutions. Key Products / Services LogRhythm provides security intelligence and analytics, empowering organizations around the globe to rapidly detect, respond to and neutralize damaging cyber threats. The company’s platform uniquely combines next-generation SIEM, log management, network and endpoint monitoring, and advanced behavioral analytics in a unified Threat Lifecyle Management solution. In addition to protecting customers from the risks associated with cyber threats, LogRhythm provides compliance automation and assurance, and enhanced IT intelligence. Key Executives Andy Grolnick: Chairman, President & CEO Chris Petersen: CTO, SVP Customer Care & Founder Mark Vellequette: CFO Mike Reagan: CMO Phil Villella: Chief Scientist & Founder Bill Smith: SVP Worldwide Field Operations Chris Brazdziunas: VP Products Matt Winter: VP Corporate & Business Development Board of Directors Karen Blasing: Independent Director Jeff Diehl: Partner, Adams Street Partners Andy Grolnick: Chairman, President, CEO, LogRhythm Todd Headley: Independent Director Robert Lentz: President, Cyber Security Strategies Frank Mendicino: Managing Director, Access Venture Fund Jeff Parks: Founder & General Partner, Riverwood Capital Chris Petersen: CTO, SVP Customer Care & Co-Founder, LogRhythm Dick Williams: President and CEO, Webroot Source: Jefferies, company data page 165 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 117: Lookout Company Facts Founded: 2007 Headquarters: San Francisco, CA Website: http://www.lookout.com Employees: approx. 330 Estimate Annual Revenue: N/A Investors Accel Partners, Andreessen Horowitz, Bezos Expeditions, Goldman Sachs, Index Ventures, Khosla Ventures, Mithril, Morgan Stanley, Qualcomm, Deutsche Telekom, T Rowe Price, Trilogy Partnership, Wellington Management Company Description Lookout is a mobile security provider. Key Products / Services Lookout offers a range of solutions powered by the Lookout Security Cloud that allows individuals and enterprises to protect their devices, applications and data:  Lookout Personal – Safeguards individual iOS and Android devices and data against viruses, malware, loss, and theft.  Lookout Mobile Endpoint Security – Enables enterprises to secure personal and corporate iOS and Android devices against app, device, and network-based threats while providing control over data leakage.  Lookout App Security – Analyzes apps for public and private enterprise app stores to detect malware and suspicious behaviors.  Lookout Threat Intelligence – Helps enterprises track emerging threats through app analysis and behavior profiling from Lookout’s unique dataset of mobile code. Key Executives Jim Dolce: CEO John Hering: Co-founder & Executive Chairman Mark Nasiff: COO & CFO Kevin Mahaffey: Co-founder & CTO Aaron Cockerill: Chief Strategy Officer Amit Gupta: VP of Engineering Santosh Krishnan: Chief Product Officer Board of Directors Jim Dolce: CEO John Hering: Co-founder & Executive Chairman Jeff Jordan: AH Capital Management Kevin Hartz: Founder of Eventbrite Michelangelo Volpi: Index Venture Management Ping Li: Accel Partners Kevin Mahaffey: Co-founder & CTO Source: Jefferies, company data page 166 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 118: Malwarebytes Company Facts Founded: 2008 Headquarters: Santa Clara, CA Website: https://www.malwarebytes.com Employees: approx. 450 Estimate Annual Revenue: approx. $100M (FYE16) Investors Highland Capital Partners Fidelity Investments Company Description Malwarebytes provides anti-malware and security solutions to both businesses and consumers. The firm specializes in malware remediation, exploit mitigation and employs multi-layer security solutions at the endpoint. Key Products / Services Breach Remediation Tool: Portable application that allows for the removal of malware once detected over the network without device installation. This solution discovers new and undetected malware and remediates by removing all traces of infection and related artifacts. Anti-Malware for Business: Provides both detection and remediation of malware for business enterprises of both small and large sizes. The technology protects against threats before other products have identified them. If endpoint detection fails, remediation technology will remove any infections. Anti-Exploit for Business: Malware protection that proactively defends against attacks by shielding browsers and other application vulnerabilities thus warding off potential threats. Four layers work together to block exploits instantly. In the first stage of the attack, anti-exploit prevents shell code execution. In the second stage, it stops memory calls, sandbox escapes, and memory mitigation. Endpoint Security: The combination of Anti-Malware for Business and Anti-Exploit for Business thus offering a complete platform solution. This solution combines multiple layers of advanced threat defense into one endpoint protection platform. Key Executives Marcin Kleczynski: CEO & Director Mark Harris: CFO Rebecca Kline: CMO Bruce Harrison: VP, Research Mark Patton: VP, Engineering Thomas Miller: SVP, Sales Pedro Bustamante: VP, Technology Fernando Francisco: VP, Corporate Development & Strategy Justin Dolly: CISO Board of Directors Marcin Kleczynski: CEO, Malwarebytes Gary Steele: CEO, Proofpoint Alex Eckelberry: COO, AutoLoop Corey Mulloy: Partner, Highland Capital Partners Doug Swanson: Partner, Zipline Scientific Consulting Brooke Seawell: Venture Partner, NEA Justin Somaini: Chief Security Officer, SAP Source: Jefferies, company data page 167 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 119: Menlo Security Company Facts Founded: 2013 Headquarters: Menlo Park, CA Website: http://www.menlosecurity.com Employees: approx. 100 Estimate Annual Revenue: N/A Investors General Catalyst Partners Osage University Partners Sutter Hill Ventures Company Description Menlo Security protects organizations from cyber-attack by eliminating the threat of malware from Web, documents and email. Menlo Security's cloud based Isolation Platform easily scales to provide comprehensive protection across organizations of any size without requiring end point software or impacting end user experience. Key Products / Services Isolation Platform: The platform is the foundation for all other services as it provides a scalable, secure and easy to integrate architecture that eliminates the threat of malware for web, documents and email in either a private or public cloud instances. Web Isolation Service: Protects enterprises from cyber-attacks by isolating web content; allowing only malware-free rendering data to be sent to the end user. The process is seamless with no perceivable latency or impact to end-user experience, allowing IT administrators to set policies to segment and isolate vulnerable sites lowering the risk of attacks. The service works across any device, operating system or browser type. Doc Isolation Service: Enables the safe rendering of common enterprise document types, including PDF, Word Excel, and PowerPoint in the cloud and away from endpoints where malware can be eliminated before reaching the end users device. Phishing Isolation Service: Eliminates credential theft and drive-by exploits caused by email attacks. By integrating Menlo's cloud-based Phishing Isolation with existing mail server infrastructure such as Exchange, Gmail, and Office 365, all email links can be transformed to pass through the Menlo Security Isolation Platform. When users click on an email link, they are 100% isolated from all malware threats, including ransomware. Websites can also be rendered in a read-only mode which prevents individuals from entering sensitive information into malicious web forms. Through the isolation of web sessions, phishing isolation prevents malware from reaching the end user as well as neutralizes phishing threats by not allowing users to enter credentials and other data into un-vetted sites. The service also allows administrators to insert customizable time-of-click messages that help reinforce anti-phishing awareness training. Key Executives Amir Ben-Efraim: CEO Poornima DeBolle: CPO Kowsik Guruswamy: CTO Todd Vender: VP Engineering Peter Lunk: VP Marketing, Gautam Altekar: Co-Founder and Chief Architect, Lennart van den Ende: VP Worldwide Systems Engineering, Doug Schultz: VP Sales Americas and Asia Pacific, Paul Davis: VP Sales Europe Middle East & Africa Board of Directors Amir Ben-Efraim: Co-Founder and CEO Stefan Dyckerhoff: Managing Director, Sutter Hill Ventures Tom Gillis: CEO, Bracket Computing Dr. Steve Herrod: Managing Director, General Catalyst Partners Source: Jefferies, company data page 168 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 120: Netskope Company Facts Founded: 2012 Headquarters: Los Altos, CA Website: http://www.netskope.com Employees: 300+ Estimate Annual Revenue: $10M+ Investors Iconiq Capital Accel Partners Lightspeed Venture Partners Social + Capital Partnership Company Description Netskope is a Cloud Access Security Broker (CASB). Netskope enables IT security professionals to govern and secure the usage of SaaS, IaaS, PaaS - both sanctioned and unsanctioned - across devices remotely while ensuring that all data is secure. Key Products / Services Netskope Advanced Discovery: Enables cloud monitoring in order to detect and quantify risk in applications or users in the business enterprise. Netskope Active Platform: Cloud analytics platform that details app usage and allows for the control of data access. Netskope SecureCloud: An on-premises version of Netskope's cloud-based platform for organizations with extraordinary compliance requirements that need to store all data on site. Netskope Cloud DLP: Incorporate DLP into your contextual policies. The Netskope Active Platform supports more than 3,000 data identifiers and 500 file types, custom regular expressions, proximity analysis, international support using double-byte characters, fingerprinting, and exact match to protect and prevent loss of PII, PCI, PHI, source code, and other sensitive content. Netskope Threat Protection: Protect against a host of cloud threats including malware and insider threats with cloud malware and threat capabilities that combines threat intelligence, static and dynamic malware analysis, prioritized analysis, and remediation of threats that may originate from—or be further propagated by—cloud apps. Featured Applications: Netskope's policy controls can be applied to sanctioned apps like Office 365, Google G Suite, Salesforce.com, Box, Dropbox, Slack, ServiceNow and Egnyte, along with all unsanctioned apps (commonly known as Shadow IT). Key Executives Sanjay Beri: CEO Ravi Ithal: Chief Architect Krishna Narayanaswamy: Chief Scientist Abhay Kulkarni: VP Engineering Bobby Shoker: VP Finance & Accounting Board of Directors Sanjay Beri, CEO, Netskope Eric Wolford, Partner, Accel Partners Enrique Salem: Prior CEO, Symantec Mamoon Hamid, General Partner, The Social+Capital Partnership, Arif Janmohamed, Partner, Lightspeed Ventures Partners Source: Jefferies, company data page 169 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 121: Okta Company Facts Founded: 2009 Headquarters: San Francisco, CA Website: https://www.okta.com Employees: 630 (2015) Estimated Annual Revenue: N/A Investors Andreessen Horowitz Greylock partners Khosla Ventures Sequoia Capital Company Description Okta is an integrated identity management and mobility management service that securely and simply connects people to any technology, anytime, anywhere, and from any device. Key Products / Services Identity Management: Provides a scalable solution enabling the integration of apps as well as the management and authentication of cloud users. Adaptive Multi-factor Authentication: a comprehensive authentication solution providing access management across the enterprise while allowing the integration of applications and network infrastructure. Mobility Management: Secure platform allowing enterprises to easily manage its devices and applications from one central location. Identity Platform: Integrated platform that allows for the management and authentication of passwords for user profiles and connectivity needs. Key Executives Todd McKinnon: CEO & Co-Founder Frederic Kerrest: COO & Co-Founder Bill Losch: CFO Charles Race: President Worldwide Field Operations Eric Berg: Chief Product Officer Hector Aguilar: SVP Engineering & CTO Board of Directors Todd McKinnon: CEO & Co-Founder Frederic Kerrest: COO & Co-Founder Ben Horowitz: Partner, Andreessen Horowitz Aneel Bhusri: Co-CEO, Workday Inc. Pat Grady: Partner, Sequoia Capital Michelle Wilson: Board Member Mike Kourey: CFO, Medallia Source: Jefferies, company data page 170 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 122: Palantir Company Facts Founded: 2004 Headquarters: Palo Alto, CA Website: https://www.palantir.com Employees: approx. 2000 Estimated Annual Revenue: approx. $450M (2013) Investors Kenneth Langone Stanley Druckenmiller In-Q-Tel Tiger Global Management Founders Fund Company Description Palantir Technologies provides a scalable solution for the analysis, integration, and security of data all while using a user friendly interface. Key Products / Services Palantir Gotham: Simple drag and drop user interface that allows for the secure integration of several unstructured data sources providing simpler analytics. Key Executives Alexander Karp: CEO Board of Directors Peter Thiel: Chairman of the Board Source: Jefferies, company data page 171 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 123: Ping Identity Company Facts Founded: 2002 Headquarters: Boulder, CO Website: https://www.pingidentity.com Employees: 353 (Oct. 2015) Estimate Annual Revenue: N/A Investors KKR DFJ Growth W Capital Partners Appian Ventures General Catalyst Partners Ten Eleven Ventures SAP Ventures Volition Partners Triangle Peak Partners Company Description Ping Identity provides Identity Defined Security for the borderless enterprise, allowing employees, customers, and partners access to the applications they need. Ping Identity protects over one billion identities worldwide in order to ensure secure and seamless access to permitted resources. Ping has over half of the Fortune 100 as customers. Key Products / Services Ping Identity solves complex identity security challenges for large enterprises with its Identity Defined Security platform which addresses three primary use cases:  Employees, who require secure enterprise access to a wide variety of apps from any location, using any device.  Partners, who need access to the partner portal and to manage their own user identities, which improves security and minimizes overhead.  Customers, who demand a more fluid user experience that’s balanced with secure multi-channel access from anywhere to all apps and APIs. Key Executives Andre Durand: CEO Patrick Harding: CTO Michael Sullivan: CFO Brian Bell, CMO Dave Packer, SVP Field Operations Board of Directors Andre Durand: Chairman and CEO Herald Chen: Co-Head of Technology, KKR Alex Doll: Partner, Ten Eleven Ventures Blake Heston: Principal, W capital Partners David Orfao: Managing Director, General Catalyst Partners Source: Jefferies, company data page 172 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 124: Pulse Secure Company Facts Founded: 2014 Headquarters: San Jose, CA Website: https://www.pulsesecure.net Employees: approx. 500 Estimate Annual Revenue: N/A Investors Siris Capital Company Description Pulse Secure is focused on delivering secure access solutions for people, devices, things and services. Key Products / Services Pulse Connect Secure: Mobile VPN to enable secure access from any device to enterprise apps and services in the datacenter or cloud. Pulse Workspace: Pulse Workspace provides application controls, workspace management, device insight and security, data protection, employee privacy protection, email configuration, and pre-app SSL VPN for employee devices. Pulse Policy Secure: Pulse Policy Secure is a Network Access Control (NAC) that enables network visibility, automatic device onboarding, compliance with regulatory requirements, and contextual access control. Pulse One: Pulse One provides streamlined access management of enterprise services and apps in the data center and cloud. Pulse Appliances: The Pulse Secure Appliances deliver SSL VPN connectivity or network access control (NAC) via a single highperformance platform. Key Executives Sudhakar Ramakrishna: CEO Jeffrey C. Key: SVP and CFO David Goldschlag: SVP of Strategy and CTO Younus Aftab: VP of Product Doug Erickson: VP of Partner Sales Melissa Knotts: VP of Human Resources Andreas Kock: VP or Corporate Development and Planning Phil Montgomery: VP of Marketing Payum Moussavi: VP of WW Customer Success Chris Stoddard: VP of Sales Board of Directors Alfred Zollar: Chairman of the Board Sudhakar Ramakrishna: CEO Nawaf Bitar: Director Merle Gilmore: Director Andrew Monshaw: Director Michael Seedman: Director Source: Jefferies, company data page 173 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 125: Redseal Networks Company Facts Founded: 2004 Headquarters: Sunnyvale, CA Website: https://redseal.co Employees: 100-250 Estimate Annual Revenue: $30M+ Investors Venrock LFV Management Sutter Hill Ventures Icon Ventures OVP Venture Partners Math Venture Partners Olympic Financial Pallasite Ventures RBC Capital Partners Tyco Ventures Ray A. Rothrock (CEO, RedSeal) In-Q-Tel DRW Venture Capital Company Description RedSeal provides a cybersecurity analytics platform for building digitally resilient organizations. The company’s platform adds value to existing network devices by working with them and building a network model to provide situational awareness. With this, customers can understand the state of their networks, measure resilience, verify compliance, and accelerate incident response. Key Products / Services RedSeal's analytics platform creates a model of the customer's actual network by examining device configurations, scanner data, vulnerability databases, and host information, including virtual parts of the network. RedSeal identifies all traffic paths into and throughout the network, allowing for the identification of security risks in network configuration, testing during network changes, containment of breaches by pinpointing necessary actions, and compliance with regulatory standards. Key Executives Ray A. Rothrock: Chairman and CEO Robert H. Finley: CFO Mike Lloyd: CTO Julie Parrish: CMO Sundar Raj: VP, Product Development Kurt Van Etten: VP, Product Management Hom Bahmanyar: VP, Engineering Steve Timmerman: VP, Business Development Gordon Adams: EVP, Chief Revenue Officer Board of Directors Ray A. Rothrock: Chairman and CEO Tench Coxe: Managing Director, Sutter Hill Ventures Daryll Fogal: CTO, Tyco International Bill Funcannon: Managing Director, OVP Partners Steve Goldberg: Partner, Venrock Joe Horowitz: Managing General Partner, Icon Ventures Rhonda MacLean: CEO, MacLean Risk Partners, LLC Kevin P. Mosher: EVP, Worldwide Field Operations at Delphix Corp. Pete Sinclair: Managing Director, Leapfrog Ventures Source: Jefferies, company data page 174 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 126: SailPoint Technologies Company Facts Founded: 2005 Headquarters: Austin, TX Website: https://www.sailpoint.com Employees: 600+ Estimate Annual Revenue: approx. $125M Investors Thoma Bravo Kevin Cunningham (President & Founder) Mark McClain (CEO & Founder) Company Description SailPoint Technologies is a provider of identity and access management solutions that enable enterprises to securely manage user access from any device to data and applications residing in the datacenter, on mobile devices, and in the cloud. Key Products / Services IdentityIQ is an on-premise identity governance solution that enables enterprises to monitor and control user access to applications running on any enterprise device. Product features include automated access certification, self-service access request, password management, automated provisioning activities for user access changes, a governance platform, identity intelligence, and enterprise integration. IdentityNow is a cloud-based identity and access management solution that delivers single sign-on, password management, provisioning, and access certification services for cloud, mobile, and on-premises applications. Key Executives Mark McClain: CEO and Founder Kevin Cunningham: President & Founder Darren Rolls: CTO J. Cameron McMartin: CFO Juliette Rizkallah: CMO Howard Greenfield: SVP of Global Sales Dave Hendrix: SVP, Client Services Dave Hildebrand: SVP, Engineering Joe Gottlieb: SVP, Corporate Development Board of Directors Orlando Bravo: Managing Partner, Thomas Bravo Mark McClain: CEO & Founder, SailPoint Technologies Kevin Cunningham: President & Founder, SailPoint Technologies Source: Jefferies, company data page 175 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 127: Sumo Logic Company Facts Founded: 2010 Headquarters: Redwood City, CA Website: http://www.sumologic.com Employees: >250 Estimate Annual Revenue: N/A Investors Sutter Hill Ventures Greylock Partners Sequoia Capital Institutional Venture Partners Glynn Capital Management Shlomo Kramer Accel Partners DFJ Growth Tenaya Capital Company Description Sumo Logic, Inc. offers a secure, cloud-native analytics service, delivering real-time, continuous intelligence across an organization's entire infrastructure and application stack. With Sumo Logic, organizations can monitor the service delivery and performance of their infrastructure to ensure services are available and performing at the highest levels that serve the business and its users. With Sumo Logic, organizations gain operational visibility across their entire infrastructure or application stack, surfacing both knowns and unknowns. They gain the ability to operate and innovate in the cloud with security and confidence, where insights become opportunities to improve application performance and customer experiences. Key Products / Services Sumo Logic is a cloud-native service that delivers continuous intelligence so organizations can monitor the service delivery and performance of their infrastructure to ensure services are available and performing at the highest levels that serve the business and its users. With Sumo Logic, organizations gain operational visibility across their entire infrastructure or application stack, surfacing both knowns and unknowns. They gain the ability to operate and innovate in the cloud with security and confidence, where insights become opportunities to improve application performance and customer experiences. Sumo Logic helps enterprises simplify and maintain continuous compliance by transforming separate, reactive, and manual processes to integrated, proactive and automated ones. Organizations using Sumo Logic easily meet compliance deadlines, resulting in reduced security risk and improved brand protection. In addition, potential security breaches and new threat patterns are quickly identified, enabling security teams to focus on strategic initiatives and innovation. Sumo Logic's applications for Compliance and Security include: PCI Compliance Log Analyzer, Cisco Log Analyzer, Hyperguard Log Analyzer, OSSEC Log Analyzer, and Palo Alto Networks Log Analyzer. Key Executives Ramin Sayar: President & CEO Christian Beedgen: Co-Founder & CTO Steve Fitz: Chief Revenue Officer Bruno Kurtic: Founding VP of Product and Strategy Aaron Feigin: VP of Corporate Marketing & Communications Rick Hasselman: VP of Finance Matt Handler: VP of Worldwide Channels and Alliances Shea Kelly: VP of People Sandeep Khanna: VP of Engineering Suku Krishnaraj: VP of Marketing Ben Kwon: VP of Sales & Business Operations Dean Thomas: VP of Customer Success Board of Directors Joseph Ansanelli: Partner, Greylock Partners Mike Speiser: Managing Director, Sutter Hill Ventures Christian Beedgen: Founder & CTO Ramin Sayar: President & CEO John McMahon: Independent Board Member (former SVP of Worldwide Sales & Services at BMC Software) Source: Jefferies, company data page 176 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 128: Tanium Company Facts Founded: 2007 Headquarters: Emeryville, CA Website: http://www.tanium.com Employees: approx. 450 Estimated Annual Billings: $200M Investors Andreessen Horowitz TPG Capital Management Institutional Venture Partners T. Rowe Price Associates Franklin Templeton Investments Geodesic Partners Company Description Tanium gives the world’s largest enterprises and government organizations the power to secure, control and manage millions of endpoints across the enterprise. Serving as the “central nervous system” for enterprises, Tanium empowers security and IT operations teams to ask questions about the state of every endpoint across the enterprise in plain English, retrieve data on their current state and execute change as necessary, all within seconds. Tanium enables organizations to have complete and accurate information on the state of endpoints at all times to more effectively protect against modern day threats and realize cost efficiency in IT operations. Key Products / Services Tanium offers the following products:  Tanium Core Platform enables IT and security teams to secure and manage endpoints through instantaneous visibility coupled with the ability to take action at enterprise scale within seconds. The core of the Tanium Platform is its patented communications architecture which enables users to ask a question in plain English, know what is happening across all endpoints in their current and historical state, and take necessary actions such as deploying patches or quarantining a machine.  Tanium Comply improves security hygiene and regulatory compliance by transforming security configuration checks and vulnerability scanning from a labor-intensive, unreliable activity to get enterprise-wide results to one that can be performed on-demand.  Tanium Discover finds unmanaged assets within the enterprise environment, and allows security and IT teams to directly take actions necessary to review, secure and gain control of these assets.  Tanium Incident Response delivers a broad set of capabilities to hunt, contain, and remediate threats and vulnerabilities with speed and scalability.  Tanium IOC Detect enables security professionals to consolidate threat intelligence data from multiple sources and detect complex indicators of compromise (IOC) across any network regardless of scale in seconds.  Tanium Patch enables IT professionals to customize patch workflows with up-to-the-second endpoint visibility and control with just a single server regardless of network scale.  Tanium Protect delivers policies and actions to manage native operating-system protections at enterprise-scale – thus reducing the cost and complexity of endpoint security. Combined with Tanium IOC Detect, Protect empowers customers to seamlessly move from investigating their environment to taking proactive action to protect against threats.  Tanium Trace helps incident response teams take an initial lead, quickly search, filter and visualize forensic data, and piece together the story about what happened on an endpoint in a given point in time. By monitoring the Windows kernel for system activity and continuously recording forensic evidence, Tanium Trace not only expedites analysis of a single endpoint, but also leverages the same data to identify compromised systems enterprise-wide in seconds. Key Executives David Hindawi: Co-Founder and Chairman Orion Hindawi: Co-Founder and CEO Eric Brown: CFO & COO Scott Rubin: CMO David Damato: Chief Security Officer Anirma Gupta: General Counsel Board of Directors David Hindawi: Co-Founder and Chairman, Tanium Orion Hindawi: Co-Founder and CEO, Tanium Ben Horowitz: Andreessen Horowitz Bryan M. Taylor: Director, IMS Health Holdings Nathan Brill: CEO, EP Executive Press Jonathan Chadwick: Former CFO/COO of VMW Source: Jefferies, company data page 177 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 129: Telesign Company Facts Founded: 2005 Headquarters: Marina del Rey, CA Website: http://www.telesign.com Employees: approx. 250 to 300 Estimate Annual Revenue: N/A Investors Adams Street Partners March Capital Partners Summit Partners Telstra Company Description TeleSign Mobile Identity solutions address the full spectrum of account security—registration, access, usage and recovery—to help prevent fraud and reduce risk, while streamlining the user experience to increase adoption, retention and trust. Key Products / Services Verification API: TeleSign delivers phone-based verification and two-factor authentication (2FA) using a time-based, one-time passcode sent over SMS or via voice call to provide an extra layer of account security. Mobile SDKs: TeleSign provides mobile app developers with robust, lightweight software development kits (SDKs) to streamline the new account verification process and easily build two-factor authentication (2FA) into mobile apps. Data & Analytics APIs: TeleSign delivers real-time security intelligence, data and analytics on phone numbers around the world to enable greater assurance and security against fraudulent activity. Key Executives Aled Miles: CEO Charles McColgan: CTO Matt Hardy: CFO Matt Camassa: Chief Revenue Officer Board of Directors Greg Goldfarb: Managing Director, Summit Partners Sam Gonen: Co-founder, Curious Minds David Gonen: Co-Founder, Curious Minds Terry Kramer: Distinguished Visitor, UCLA Robin Murray: Partner, Adams Street Partners Gerhard Watzinger: Former EVP of Corporate Strategy, Intel Jaimie Montgomery (Advisor): Managing Director, March Capital Partners Source: Jefferies, company data page 178 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 130: Tenable Network Company Facts Founded: 2002 Headquarters: Columbia, MD Website: http://www.tenable.com Employees: N/A Estimate Annual Revenue: N/A Investors Accel Partners Insight Venture Partners Company Description Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce risk and ensure compliance. Key Products / Services Nessus (Vulnerability Management): The world's most widely deployed vulnerability management solution, available in the cloud or on-premises. Nessus identifies weaknesses via vulnerability detection, patch and configuration auditing, security policy violations, and malware detection. Nessus offers PCI ASV scanning, dashboards, and role-based sharing of resources. SecurityCenter (Vulnerability Analytics): Consolidates and evaluates vulnerability data across the enterprise, illustrating vulnerability trends over time, and helping organizations measure their vulnerability/patch management effectiveness. It provides customizable dashboards and Assurance Report Cards. SecurityCenter Continuous View (Continuous Monitoring): Provides total visibility of an organization’s security posture across its entire IT infrastructure, actionable insight into prioritized weaknesses, and continuous assurance that security and compliance are aligned with organizational goals. It identifies exploitable weaknesses that create the highest risk. Key Executives Jack Huffard: President & COO Renaud Deraison: Chief Technology Officer Steve Vintz: CFO Mike Kirby: SVP, Worldwide Sales Board of Directors Ron Gula: Chairman Jack Huffard: President & COO Ping Li: Accel Partners John Locke: Accel Partners Richard Wells: Insight Venture Partners Matt Gatto: Insight Venture Partners Source: Jefferies, company data page 179 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 131: ThreatMetrix Company Facts Founded: 2005 Headquarters: San Jose, CA Website: http://www.threatmetrix.com Employees: approx. 200 Estimate Annual Revenue: approx. $125M Investors Adams Street Capital August Capital CM Capital Tenaya Capital USVP Company Description ThreatMetrix offers cloud-based fraud prevention platform that leverages a proprietary Digital Identity Network to inspect digital transactions across applications, devices, and locations in real time. ThreatMetrix enables businesses to authenticate user logins, verify new accounts, and authorize payments and transactions and without relying on traditional forms of personally identifiable information. Key Products / Services ThreatMetrix's Fraud Prevention solution provides:  Real-time fraud decisioning  CNP fraud prevention for mobile and web  Customer account takeover protection  ID assessment from dynamic non-reg data  Behavioral analytics for fraud detection  Real-time trust analytics  Forensics and visualization  Case and workflow management ThreatMetrix's Fraud Prevention solution provides:  Passive authentication for mobile and web  Context based decisioning  Machine learning for optimal challenges  Flexible step up authentication orchestration  Flexible API for contextual decisioning  Capture and share feedback via trust tags  Compliance assurance  Real-time workforce authentication Key Executives Reed Taussig: President & CEO Alisdair Faulkner: CPO Armen Najarian: CMO Frank Teruel: CFO Phil Steffora: CISO Andreas Baumhof: CTO Pascal Podvin: SVP, Field Operations John Lindner: VP of Sales, America Stephen Topliss: VP, Services & Support ThreatMetrix's Fraud Prevention solution provides:  BOT and Remote Access Trojan Detection  Proxy and VPN Detection  Session hijacking  Identity Spoofing  Browser Wiping/Device Wiping  Mobile Application Vulnerabilities  Malware  Man in the Middle  Social Engineering / Attacks  Insider Threat ThreatMetrix profiles tens of millions of users and their devices daily, and regularly processes hundreds of millions of logins, payments, and other transactions. The Global Trust Intelligence Network is the repository for this wealth of data. Board of Directors Reed Taussig: President & CEO, ThreatMetrix Mark Gill: Partner, Talu Ventures Richard Lewis: General Partner, U.S. Venture Partners Vivek Mehra: Partner, August Capital Mike Zappert, Adams Street Partners Rhonda MacLean: Founder & CEO, MacLean Risk Partners Steven Boutelle: Lieutenant General, U.S. Army (retired) David Jones: Co-Founder, Entreprneur Source: Jefferies, company data page 180 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 132: Thycotic Company Facts Founded: 1996 Headquarters: Washington, DC Website: http://www.thycotic.com/ Employees: 69 Estimated Annual Revenue: $15M Investors Insight Venture Partners Company Description Thycotic prevents cyberattacks by securing passwords, protecting endpoints, and control access. Key Products / Services Secret Server allows organizations to manage and protect privileged passwords in a centralized repository, available on premise or in the cloud. It allows permissioned users secure access to passwords and other privileged information. Secret Server is available in different versions for different organizational sizes. Password Reset Software enables users in organizations to independently reset their passwords. Privilege Manager for Windows is an endpoint protection and access control solution. Using a simple policy driven system, Privilege Manager for Windows allows organizations to implement a number of different solutions for meeting their security requirements, such as: Application Whitelisting, blacklisting, and graylisting; Application Sandboxing / Isolation; Least Privilege Policy; Application Privilege Elevation; Endpoint Grouping; and Endpoint Monitoring and Logging. Privilege Manager for UNIX provides SUPM on UNIX endpoints with SSH Command Whitelisting. Key Executives James Legg: President & CEO Kathy Moore: CFO Jonathan Cogley: Founder & CTO Steve Kahan: CMO Board of Directors Mike Triplett: Managing Director, Insight Venture Partners Philip Vorobeychik: Senior Associate, Insight Venture Partners Source: Jefferies, company data page 181 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Chart 133: vArmour Networks Company Facts Founded: 2011 Headquarters: Mountain View, CA Website: http://www.varmour.com Employees: approx. 150 Estimate Annual Revenue: approx. $40M Investors Highland Capital Partners Draper Nexus Ventures Menlo Ventures Vanedge Capital Columbus Nova Technology Partners Work-Bench Redline Capital Allegis Capital Telstra Company Description vArmour is a data center and cloud security company that delivers software-based segmentation and micro-segmentation to protect critical applications and workloads with the industry’s first distributed security system. The vArmour DSS Distributed Security System is deployed across the world’s largest banks, telecom service providers, government agencies, healthcare providers, and retailers. Partnering with companies including AWS, Cisco, HPE and VMware, vArmour builds security into modern infrastructures with a simple and scalable approach that drives agility and operational efficiency. Key Products / Services vArmour delivers software-based segmentation and micro-segmentation to protect critical applications and workloads with the industry’s first distributed security system (DSS). vArmour DSS is architected to scale security across multi-clouds with deep insight and control of individual workloads. vArmour DSS moves security controls that were traditionally at the perimeter down next to each asset and independent of the underlying infrastructure. Security travels with the workload, wherever it resides, across virtual, cloud, and physical real estate, increasing visibility, security, and operational efficiency. vArmour DSS enables security for data centers and cloud in four different ways:  Segmentation operational and performance-efficient separation across shared cloud infrastructure to improve compliance, reduce attack surfaces, and separate environment.  Continuous Monitoring visibility into unseen network, application and user traffic for east-west visibility, network forensics and cloud migration planning, without data sampling or using host-based systems.  Deception a simple, scalable, and secure cyber deception solution to help organizations defend networks, detect threats, and streamline incident response.  Cloud Security automated and orchestrated application-layer security policy with 100% API-driven architecture to build security in, enable DevOps, and manage security across clouds. The vArmour DSS Distributed Security System is deployed across the world’s largest banks, telecom service providers, government agencies, healthcare providers, and retailers. Key Executives Timothy Eades: Chairman & CEO Roger Lian: Co-Founder & VP of Engineering Michael Shieh: Co-Founder & CTO Marc Woolward: CTO Julia Tran: VP of People Operations Eva Tsai: VP of Marketing & Business Operations Keith Stewart: VP of Strategic Markets & Business Development Demetrios Lazarikos: Chief Information Security Officer Mark Weatherford: SVP of Chief Cybersecurity Strategist Tony Paterra: VP of Product Management Board of Directors Timothy Eades: Chairman & CEO, vArmour Roger Lian: Co-Founder & VP of Engineering, vArmour Corey Mulloy: General Partner, Highland Capital Partners Lane Bess: Former COO of Zscaler & former CEO of Palo Alto Networks David B. Stevens: Co-Founder & former CEO of Palo Alto Networks Pravin Vazirani: Partner, Menlo Ventures Mohsen Moazami: General Partner, Nova Technology Partners Meg McCarthy: EVP of Operations, Aetna Gary Moore: Former President and COO, Cisco Source: Jefferies, company data page 182 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Appendix E – Acronym List APM – Access Policy Manager APT – Advanced Persistent Threat ATP – Advanced Threat Protection CASB – Cloud Access Security Broker CSG – Cloud Security Gateway DDoS – Distributed Denial of Service DLP – Data Loss Prevention DoS – Denial of Service EDR – Endpoint Detection and Response EPP – Endpoint Protection Platform ERP – Enterprise Resource Planning IaaS – Infrastructure as a Service IAM – Identity and Access Management IDP – Intrusion Detection and Prevention IDS – Intrusion Detection System IOC – Indicator of Compromise IoT – Internet of Things IP – Internet Protocol IPS – Intrusion Prevention System IR – Incident Response ITOM – IT Operations Management MSS – Managed Security Services MSSP – Managed Security Services Provider NGFW – Next Generation Firewall OSI – Open Systems Interconnection PaaS – Platform as a Service PAM – Privileged Access Management PIM – Privileged Identity Management PIN – Personal Identification Number SaaS – Software as a Service SEG – Secure Email Gateway page 183 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 SIEM – Security Information and Event Management SOA – Service Oriented Architecture SSH – Secure Shell SSL – Secure Sockets Layer SVM – Security Vulnerability Management SWG – Secure Web Gateway TCP – Transmission Control Protocol UTM – Unified Threat Management VPN – Virtual Private Network WAF – Web Application Firewall page 184 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Analyst Certification: I, John DiFucci, certify that all of the views expressed in this research report accurately reflect my personal views about the subject security(ies) and subject company(ies). I also certify that no part of my compensation was, is, or will be, directly or indirectly, related to the specific recommendations or views expressed in this research report. I, Julian Serafini, certify that all of the views expressed in this research report accurately reflect my personal views about the subject security(ies) and subject company(ies). I also certify that no part of my compensation was, is, or will be, directly or indirectly, related to the specific recommendations or views expressed in this research report. I, Alexander J. Ljubich, CFA, certify that all of the views expressed in this research report accurately reflect my personal views about the subject security(ies) and subject company(ies). I also certify that no part of my compensation was, is, or will be, directly or indirectly, related to the specific recommendations or views expressed in this research report. I, Joseph Gallo, certify that all of the views expressed in this research report accurately reflect my personal views about the subject security(ies) and subject company(ies). I also certify that no part of my compensation was, is, or will be, directly or indirectly, related to the specific recommendations or views expressed in this research report. I, Zachary Lountzis, certify that all of the views expressed in this research report accurately reflect my personal views about the subject security(ies) and subject company(ies). I also certify that no part of my compensation was, is, or will be, directly or indirectly, related to the specific recommendations or views expressed in this research report. I, Howard Ma, certify that all of the views expressed in this research report accurately reflect my personal views about the subject security(ies) and subject company(ies). I also certify that no part of my compensation was, is, or will be, directly or indirectly, related to the specific recommendations or views expressed in this research report. As is the case with all Jefferies employees, the analyst(s) responsible for the coverage of the financial instruments discussed in this report receives compensation based in part on the overall performance of the firm, including investment banking income. We seek to update our research as appropriate, but various regulations may prevent us from doing so. Aside from certain industry reports published on a periodic basis, the large majority of reports are published at irregular intervals as appropriate in the analyst's judgement. Investment Recommendation Record (Article 3(1)e and Article 7 of MAR) Recommendation Published Recommendation Distributed , 00:02 ET. January 18, 2017 , 00:03 ET. January 18, 2017 Company Specific Disclosures For Important Disclosure information on companies recommended in this report, please visit our website at https://javatar.bluematrix.com/sellside/ Disclosures.action or call 212.284.2300. Explanation of Jefferies Ratings Buy - Describes securities that we expect to provide a total return (price appreciation plus yield) of 15% or more within a 12-month period. Hold - Describes securities that we expect to provide a total return (price appreciation plus yield) of plus 15% or minus 10% within a 12-month period. Underperform - Describes securities that we expect to provide a total return (price appreciation plus yield) of minus 10% or less within a 12-month period. The expected total return (price appreciation plus yield) for Buy rated securities with an average security price consistently below $10 is 20% or more within a 12-month period as these companies are typically more volatile than the overall stock market. For Hold rated securities with an average security price consistently below $10, the expected total return (price appreciation plus yield) is plus or minus 20% within a 12-month period. For Underperform rated securities with an average security price consistently below $10, the expected total return (price appreciation plus yield) is minus 20% or less within a 12-month period. NR - The investment rating and price target have been temporarily suspended. Such suspensions are in compliance with applicable regulations and/ or Jefferies policies. CS - Coverage Suspended. Jefferies has suspended coverage of this company. NC - Not covered. Jefferies does not cover this company. Restricted - Describes issuers where, in conjunction with Jefferies engagement in certain transactions, company policy or applicable securities regulations prohibit certain types of communications, including investment recommendations. Monitor - Describes securities whose company fundamentals and financials are being monitored, and for which no financial projections or opinions on the investment merits of the company are provided. Valuation Methodology Jefferies' methodology for assigning ratings may include the following: market capitalization, maturity, growth/value, volatility and expected total return over the next 12 months. The price targets are based on several methodologies, which may include, but are not restricted to, analyses of market risk, growth rate, revenue stream, discounted cash flow (DCF), EBITDA, EPS, cash flow (CF), free cash flow (FCF), EV/EBITDA, P/E, PE/growth, P/CF, P/FCF, premium (discount)/average group EV/EBITDA, premium (discount)/average group P/E, sum of the parts, net asset value, dividend returns, and return on equity (ROE) over the next 12 months. Jefferies Franchise Picks page 185 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Jefferies Franchise Picks include stock selections from among the best stock ideas from our equity analysts over a 12 month period. Stock selection is based on fundamental analysis and may take into account other factors such as analyst conviction, differentiated analysis, a favorable risk/reward ratio and investment themes that Jefferies analysts are recommending. Jefferies Franchise Picks will include only Buy rated stocks and the number can vary depending on analyst recommendations for inclusion. Stocks will be added as new opportunities arise and removed when the reason for inclusion changes, the stock has met its desired return, if it is no longer rated Buy and/or if it triggers a stop loss. Stocks having 120 day volatility in the bottom quartile of S&P stocks will continue to have a 15% stop loss, and the remainder will have a 20% stop. Franchise Picks are not intended to represent a recommended portfolio of stocks and is not sector based, but we may note where we believe a Pick falls within an investment style such as growth or value. Risks which may impede the achievement of our Price Target This report was prepared for general circulation and does not provide investment recommendations specific to individual investors. As such, the financial instruments discussed in this report may not be suitable for all investors and investors must make their own investment decisions based upon their specific investment objectives and financial situation utilizing their own financial advisors as they deem necessary. Past performance of the financial instruments recommended in this report should not be taken as an indication or guarantee of future results. The price, value of, and income from, any of the financial instruments mentioned in this report can rise as well as fall and may be affected by changes in economic, financial and political factors. If a financial instrument is denominated in a currency other than the investor's home currency, a change in exchange rates may adversely affect the price of, value of, or income derived from the financial instrument described in this report. In addition, investors in securities such as ADRs, whose values are affected by the currency of the underlying security, effectively assume currency risk. Other Companies Mentioned in This Report • Booz Allen Hamilton (BAH: $35.80, BUY) • CA Technologies (CA: $32.80, BUY) • Check Point Software Technologies Ltd. (CHKP: $90.39, BUY) • Cisco Systems, Inc. (CSCO: $29.99, BUY) • Citrix Systems, Inc. (CTXS: $90.90, UNDERPERFORM) • F5 Networks, Inc. (FFIV: $141.63, HOLD) • Fortinet (FTNT: $31.70, BUY) • Hewlett Packard Enterprise Company (HPE: $22.69, BUY) • Intel Corporation (INTC: $36.80, BUY) • International Business Machines (IBM: $167.89, UNDERPERFORM) • Juniper, Inc. (JNPR: $27.41, HOLD) • Microsoft Corporation (MSFT: $62.53, UNDERPERFORM) • Mimecast Limited (MIME: $20.92, BUY) • Oracle Corporation (ORCL: $39.10, BUY) • Palo Alto Networks (PANW: $138.45, HOLD) • Radware Ltd. (RDWR: $14.52, BUY) • Raytheon Company (RTN: $145.10, BUY) • Splunk (SPLK: $53.30, BUY) • Symantec Corp. (SYMC: $26.20, HOLD) • Trend Micro Incorporated (4704 JP: ¥4,220, HOLD) • Varonis Systems, Inc. (VRNS: $29.20, BUY) • VMware, Inc. (VMW: $81.49, BUY) For Important Disclosure information on companies recommended in this report, please visit our website at https://javatar.bluematrix.com/sellside/ Disclosures.action or call 212.284.2300. Distribution of Ratings IB Serv./Past 12 Mos. Rating Count Percent Count Percent BUY HOLD UNDERPERFORM 1099 884 174 50.95% 40.98% 8.07% 324 175 17 29.48% 19.80% 9.77% page 186 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 Other Important Disclosures Jefferies does and seeks to do business with companies covered in its research reports. As a result, investors should be aware that Jefferies may have a conflict of interest that could affect the objectivity of this report. Investors should consider this report as only a single factor in making their investment decision. Jefferies Equity Research refers to research reports produced by analysts employed by one of the following Jefferies Group LLC (“Jefferies”) group companies: United States: Jefferies LLC which is an SEC registered firm and a member of FINRA. United Kingdom: Jefferies International Limited, which is authorized and regulated by the Financial Conduct Authority; registered in England and Wales No. 1978621; registered office: Vintners Place, 68 Upper Thames Street, London EC4V 3BJ; telephone +44 (0)20 7029 8000; facsimile +44 (0)20 7029 8010. Hong Kong: Jefferies Hong Kong Limited, which is licensed by the Securities and Futures Commission of Hong Kong with CE number ATS546; located at Suite 2201, 22nd Floor, Cheung Kong Center, 2 Queen’s Road Central, Hong Kong. Singapore: Jefferies Singapore Limited, which is licensed by the Monetary Authority of Singapore; located at 80 Raffles Place #15-20, UOB Plaza 2, Singapore 048624, telephone: +65 6551 3950. Japan: Jefferies (Japan) Limited, Tokyo Branch, which is a securities company registered by the Financial Services Agency of Japan and is a member of the Japan Securities Dealers Association; located at Hibiya Marine Bldg, 3F, 1-5-1 Yuraku-cho, Chiyoda-ku, Tokyo 100-0006; telephone +813 5251 6100; facsimile +813 5251 6101. India: Jefferies India Private Limited (CIN - U74140MH2007PTC200509), which is licensed by the Securities and Exchange Board of India as a Merchant Banker (INM000011443), Research Analyst (INH000000701) and a Stock Broker with Bombay Stock Exchange Limited (INB011491033) and National Stock Exchange of India Limited (INB231491037) in the Capital Market Segment; located at 42/43, 2 North Avenue, Maker Maxity, Bandra-Kurla Complex, Bandra (East) Mumbai 400 051, India; Tel +91 22 4356 6000. This material has been prepared by Jefferies employing appropriate expertise, and in the belief that it is fair and not misleading. The information set forth herein was obtained from sources believed to be reliable, but has not been independently verified by Jefferies. Therefore, except for any obligation under applicable rules we do not guarantee its accuracy. Additional and supporting information is available upon request. Unless prohibited by the provisions of Regulation S of the U.S. Securities Act of 1933, this material is distributed in the United States ("US"), by Jefferies LLC, a US-registered broker-dealer, which accepts responsibility for its contents in accordance with the provisions of Rule 15a-6, under the US Securities Exchange Act of 1934. Transactions by or on behalf of any US person may only be effected through Jefferies LLC. In the United Kingdom and European Economic Area this report is issued and/or approved for distribution by Jefferies International Limited and is intended for use only by persons who have, or have been assessed as having, suitable professional experience and expertise, or by persons to whom it can be otherwise lawfully distributed. Jefferies International Limited Equity Research personnel are separated from other business groups and are not under their supervision or control. Jefferies International Limited has implemented policies to (i) address conflicts of interest related to the preparation, content and distribution of research reports, public appearances, and interactions between research analysts and those outside of the research department; (ii) ensure that research analysts are insulated from the review, pressure, or oversight by persons engaged in investment banking services activities or other persons who might be biased in their judgment or supervision; and (iii) promote objective and reliable research that reflects the truly held opinions of research analysts and prevents the use of research reports or research analysts to manipulate or condition the market or improperly favor the interests of the Jefferies International Limited or a current or prospective customer or class of customers. Jefferies International Limited may allow its analysts to undertake private consultancy work. Jefferies International Limited’s conflicts management policy sets out the arrangements Jefferies International Limited employs to manage any potential conflicts of interest that may arise as a result of such consultancy work. Jefferies International Ltd, its affiliates or subsidiaries, may make a market or provide liquidity in the financial instruments referred to in this investment recommendation. For Canadian investors, this material is intended for use only by professional or institutional investors. None of the investments or investment services mentioned or described herein is available to other persons or to anyone in Canada who is not a "Designated Institution" as defined by the Securities Act (Ontario). In Singapore, Jefferies Singapore Limited is regulated by the Monetary Authority of Singapore. For investors in the Republic of Singapore, this material is provided by Jefferies Singapore Limited pursuant to Regulation 32C of the Financial Advisers Regulations. The material contained in this document is intended solely for accredited, expert or institutional investors, as defined under the Securities and Futures Act (Cap. 289 of Singapore). If there are any matters arising from, or in connection with this material, please contact Jefferies Singapore Limited, located at 80 Raffles Place #15-20, UOB Plaza 2, Singapore 048624, telephone: +65 6551 3950. In Japan this material is issued and distributed by Jefferies (Japan) Limited to institutional investors only. In Hong Kong, this report is issued and approved by Jefferies Hong Kong Limited and is intended for use only by professional investors as defined in the Hong Kong Securities and Futures Ordinance and its subsidiary legislation. In the Republic of China (Taiwan), this report should not be distributed. The research in relation to this report is conducted outside the PRC. This report does not constitute an offer to sell or the solicitation of an offer to buy any securities in the PRC. PRC investors shall have the relevant qualifications to invest in such securities and shall be responsible for obtaining all relevant approvals, licenses, verifications and/or registrations from the relevant governmental authorities themselves. In India this report is made available by Jefferies India Private Limited. In Australia this information is issued solely by Jefferies International Limited and is directed solely at wholesale clients within the meaning of the Corporations Act 2001 of Australia (the "Act") in connection with their consideration of any investment or investment service that is the subject of this document. Any offer or issue that is the subject of this document does not require, and this document is not, a disclosure document or product disclosure statement within the meaning of the Act. Jefferies International Limited is authorised and regulated by the Financial Conduct Authority under the laws of the United Kingdom, which differ from Australian laws. Jefferies International Limited has obtained relief under Australian Securities and Investments Commission Class Order 03/1099, which conditionally exempts it from holding an Australian financial services licence under the Act in respect of the provision of certain financial services to wholesale clients. Recipients of this document in any other jurisdictions should inform themselves about and observe any applicable legal requirements in relation to the receipt of this document. This report is not an offer or solicitation of an offer to buy or sell any security or derivative instrument, or to make any investment. Any opinion or estimate constitutes the preparer's best judgment as of the date of preparation, and is subject to change without notice. Jefferies assumes no obligation to maintain or update this report based on subsequent information and events. Jefferies, its associates or affiliates, and its respective officers, directors, and employees may have long or short positions in, or may buy or sell any of the securities, derivative instruments or other investments mentioned or described herein, either as agent or as principal for their own account. Upon request Jefferies may provide specialized research products or services to certain customers focusing on the prospects for individual covered stocks as compared to other covered stocks over varying time horizons or under differing market conditions. While the views expressed in these situations may not always be directionally consistent with the long-term views page 187 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected] Technology Software January 18, 2017 expressed in the analyst's published research, the analyst has a reasonable basis and any inconsistencies can be reasonably explained. This material does not constitute a personal recommendation or take into account the particular investment objectives, financial situations, or needs of individual clients. Clients should consider whether any advice or recommendation in this report is suitable for their particular circumstances and, if appropriate, seek professional advice, including tax advice. The price and value of the investments referred to herein and the income from them may fluctuate. Past performance is not a guide to future performance, future returns are not guaranteed, and a loss of original capital may occur. Fluctuations in exchange rates could have adverse effects on the value or price of, or income derived from, certain investments. This report has been prepared independently of any issuer of securities mentioned herein and not in connection with any proposed offering of securities or as agent of any issuer of securities. None of Jefferies, any of its affiliates or its research analysts has any authority whatsoever to make any representations or warranty on behalf of the issuer(s). Jefferies policy prohibits research personnel from disclosing a recommendation, investment rating, or investment thesis for review by an issuer prior to the publication of a research report containing such rating, recommendation or investment thesis. Any comments or statements made herein are those of the author(s) and may differ from the views of Jefferies. This report may contain information obtained from third parties, including ratings from credit ratings agencies such as Standard & Poor’s. Reproduction and distribution of third party content in any form is prohibited except with the prior written permission of the related third party. Third party content providers do not guarantee the accuracy, completeness, timeliness or availability of any information, including ratings, and are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, or for the results obtained from the use of such content. Third party content providers give no express or implied warranties, including, but not limited to, any warranties of merchantability or fitness for a particular purpose or use. Third party content providers shall not be liable for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including lost income or profits and opportunity costs) in connection with any use of their content, including ratings. Credit ratings are statements of opinions and are not statements of fact or recommendations to purchase, hold or sell securities. They do not address the suitability of securities or the suitability of securities for investment purposes, and should not be relied on as investment advice. Jefferies research reports are disseminated and available primarily electronically, and, in some cases, in printed form. Electronic research is simultaneously available to all clients. This report or any portion hereof may not be reprinted, sold or redistributed without the written consent of Jefferies. Neither Jefferies nor any officer nor employee of Jefferies accepts any liability whatsoever for any direct, indirect or consequential damages or losses arising from any use of this report or its contents. For Important Disclosure information, please visit our website at https://javatar.bluematrix.com/sellside/Disclosures.action or call 1.888.JEFFERIES © 2017 Jefferies Group LLC page 188 of 188 Please see important disclosure information on pages 185 - 188 of this report. John DiFucci, Equity Analyst, (212) 284-2196, [email protected]

Idc - Bayshore Networks

Rating

Date

Size

Views

Categories

Share

Transcript