When I talk about security I'm talking about intrusion detection and protection. An intrusion-prevention system (IPS) is an inline security device that performs deep-packet inspection to identify and block malicious traffic. IPSs are considered an improvement over intrusion-detection systems (IDS), which are passive devices that simply identify an attack but take no action to block it. IPSs are designed to respond in real time to attacks by dropping data packets deemed malicious.
There are several ways that intrusion detection and prevention are accomplished:
- Host Intrusion Detection and Prevention: Businesses add these systems to individual critical hosts or devices residing on the network. This type of IDPS monitors both inbound and outbound packets — but only through the device with which it is associated.
- Signature-Based Intrusion and Prevention: This type of IDPS is useful for detecting viruses and other types of malware. The product compares all of the packets that flow through it with a database of known threats. Like anti-malware offerings, a signature-based IDPS is only as good as the information it uses, meaning that the technology is vulnerable to "zero day" security events. On the other hand, a signature-based IDPS is a very reliable way of defending a network against known threats, which constitute the majority of network perils.
- Anomaly-Based Intrusion and Prevention: One could describe this kind of IDPS as being naturally suspicious. That's because an anomaly-based IDPS is always looking for something out of the ordinary. The system continuously scrutinizes network traffic and compares it against an established baseline. Any detected deviations from "normal" performance in terms of bandwidth use, ports accessed or devices connected will cause the IDPS to issue an alert and take proactive steps to ensure the network's health. This type of IDPS can be particularly effective in helping businesses cope with DDoS (distributed denial of service) attacks, when large numbers of computers are recruited to join together and bring down a Web site.
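To make the contrast between the signature-based and anomaly-based approaches concrete, here is an added example (not from the original post) that runs both checks over the same traffic. The signature patterns, the flow-record fields and the three-standard-deviation bandwidth threshold are all constructed assumptions for illustration.

```python
from statistics import mean, pstdev

# Constructed signature database: name -> byte pattern (illustrative, not real rules).
SIGNATURES = {"known-worm-A": b"\x90\x90EVILPAYLOAD", "known-bot-B": b"JOIN #botnet"}

# Constructed training window of "normal" traffic used to build the baseline.
HISTORY = [
    {"src": "10.0.0.5", "dport": 443, "bytes": 1000, "payload": b"GET /"},
    {"src": "10.0.0.5", "dport": 443, "bytes": 1200, "payload": b"GET /a"},
    {"src": "10.0.0.6", "dport": 80, "bytes": 1100, "payload": b"GET /b"},
    {"src": "10.0.0.6", "dport": 80, "bytes": 900, "payload": b"GET /c"},
]

def signature_match(packet):
    """Signature-based check: names of known patterns found in the payload."""
    return [name for name, pat in SIGNATURES.items() if pat in packet["payload"]]

def build_baseline(history):
    """Learn 'normal' from history: devices connected, ports accessed, bandwidth."""
    sizes = [p["bytes"] for p in history]
    return {"devices": {p["src"] for p in history},
            "ports": {p["dport"] for p in history},
            "mean": mean(sizes), "std": pstdev(sizes) or 1.0}

def anomaly_reasons(packet, baseline, k=3.0):
    """Anomaly-based check: list every way the packet deviates from the baseline."""
    reasons = []
    if packet["src"] not in baseline["devices"]:
        reasons.append("new-device")
    if packet["dport"] not in baseline["ports"]:
        reasons.append("new-port")
    if packet["bytes"] > baseline["mean"] + k * baseline["std"]:
        reasons.append("bandwidth")
    return reasons

def inspect(packet, baseline):
    """Inline verdict: drop on a signature hit, alert on a baseline deviation."""
    sigs = signature_match(packet)
    if sigs:
        return ("drop", sigs)
    reasons = anomaly_reasons(packet, baseline)
    return ("alert", reasons) if reasons else ("pass", [])

# Constructed test traffic: a known threat, a never-seen payload, and normal traffic.
KNOWN = {"src": "10.0.0.5", "dport": 443, "bytes": 1100, "payload": b"xx JOIN #botnet"}
NOVEL = {"src": "10.0.0.5", "dport": 4444, "bytes": 90000, "payload": b"never-seen"}
NORMAL = {"src": "10.0.0.6", "dport": 80, "bytes": 1000, "payload": b"GET /d"}
```

The `NOVEL` packet carries no pattern from the signature database, so only the baseline comparison catches it, which is the "zero day" gap described above.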
There were a good number of pure play companies in the cyber security space in years past. Over time, however, many of the companies were acquired or combined with each other. Today, we see that Cisco has absorbed Entercept, Wheel Group and Air Force. IBM has acquired Internet Security Systems, also known as ISS. Enterasys now owns Network Security Wizards. Symantec acquired Axent, provider of the Net Prowler product. Juniper, Tivoli and Computer Associates have all bought various IDPS companies. The upshot of all this acquisition activity is that IDPS has become just a small part of some very large companies.
So who's left? In the table below, I present five companies that are still independent, publicly traded and reasonably pure plays in the IDPS sector.
| | SonicWALL | Check Point Software Technologies | Fortinet | Sourcefire | Radware |
|---|---|---|---|---|---|
| PEG Ratio (5 yr expected): | 1.49 | 1.34 | 3.06 | 2.27 | 0.81 |
| Enterprise Value/EBITDA (ttm): | 13.317 | 12.681 | 27.714 | 55.626 | -275.185 |
| Profit Margin (ttm): | 6.56% | 38.67% | 23.87% | 8.58% | -5.45% |
| Operating Margin (ttm): | 8.26% | 45.88% | 10.05% | 8.01% | -6.52% |
| Revenue Per Share (ttm): | 3.72 | 4.415 | 9.574 | 3.91 | 5.768 |
| Qtrly Revenue Growth (yoy): | -0.20% | 25.10% | 19.70% | 37.20% | 29.10% |
| Diluted EPS (ttm): | 0.24 | 1.69 | 0.78 | 0.32 | -0.31 |
| Qtrly Earnings Growth (yoy): | 43.60% | 26.70% | 453.20% | 193.90% | N/A |
| Total Cash (mrq): | 200.15M | 884.00M | 260.31M | 53.07M | 59.09M |
| Total Cash Per Share (mrq): | 3.69 | 4.228 | 3.897 | 1.968 | 3.129 |
| Cash Flow Statement | | | | | |
| Operating Cash Flow (ttm): | 35.85M | 548.69M | 62.32M | 20.16M | N/A |
| Levered Free Cash Flow (ttm): | 10.82M | 430.93M | 26.37M | -21.91M | N/A |
The data above is from Yahoo! Finance as of Friday, March 5. It shows that all but one of these companies is profitable and none of them are particularly cheap.
Here is a quick look at each company.
Check Point probably has the most extensive and wide-ranging security-related product suite: security gateways (encompassing firewalls, IPS, etc.), security management, encryption solutions for PCs and digital media and complete turnkey systems integrated into hardware appliances. In addition, the company provides consulting and services.
Sourcefire (FIRE) is best known as the creator of SNORT, one of the first and most widely used open source network intrusion prevention and detection systems.
Radware is the most diversified of the companies listed in this post. Though they have strong offerings in network security, including firewalls, IDPS, PCI Compliance, real-time fraud detection, VPNs and VOIP security, they are best known for application acceleration, management and monitoring, and network optimization. The company is equally at home in enterprise datacenters and at telecom carriers or Internet service providers.
The companies profiled above are all in a hot industry sector. All have little to no debt. None of these companies would ever be mistaken for value stocks based on the metrics listed in the table above. All should benefit from the gradual increase in tech spending that seems to be occurring. But will they benefit sufficiently to justify their current valuations?
Check Point is probably the safest investment among this group, though its size may make it harder to register outsize returns. Radware is less of a network security pure play, but that may actually be a plus. At the beginning of this post I described how many of the biggest tech companies, Cisco, IBM, Symantec, etc., had acquired network security companies. These large companies will offer stiff competition to the companies discussed in this post.
I can't tell you which of these companies will outperform, but this post should be a good jumping-off point for anyone wishing to investigate the sector further.
Disclosure: no positions in any stocks mentioned in this post