The information security market keeps growing as customers struggle to adapt to new threats and risks while maintaining a mass of existing technologies, solutions and practices.
Companies have done fairly well protecting their networks but their ability to control the devices attaching to the network is limited. These “endpoints” must be made secure in order for an overall security strategy to be successful.
Here is a great quote from The Register's John E Dunn from 2017 that sets the stage well:
With humble viruses long gone and even the term “malware” starting to morph, security clients now behave more like sensors for multi-layered, centralised security systems encompassing not only defence and remediation, but response, forensics, and even data security.
This change might seem like a natural development that parallels how many technologies have evolved since the turn of the millennium, but within cybersecurity it reflects deeper currents. The most important of these is the almost supernatural rise of the professional criminal developing malware at industrial scale. This has not only forced security companies to innovate at an uncomfortable pace, but to integrate the multiple layers of protection necessary to counter such dark innovations.
At the same time, what is being protected now extends way beyond the desktop Windows PC or server. Whether they are laptops or smartphones taken beyond the protection of the firewall perimeter or any one of a multitude of Internet of Things devices, the simpler age of PC security has given way to that of the modern “endpoint.”
Carbon Black (NASDAQ: CBLK) is a niche player in this expanding part of the IT security space. They priced their IPO at the high end of the increased price range - $19/share.
Despite being perceived as a "second-tier player" in the IT security space, our IV suggests that there a post-IPO share price of $32 based on 35% growth and a 35x earnings multiple. (see below)
The big question for CBLK investors is how the company will compete in an increasingly crowded market with both large established players who offer multiple products and other effective niche players like CrowdStrike.
Having a channel-based strategy is what gives Carbon Black a chance. Their network of partners allows them to "punch above their weight" but their strategy is not unique enough to be immune to disruption. Several competitors have effective channel programs with pervasive reach.
Our top concerns are 1) does CBLK have enough resources and uniqueness to elevate their position in this market? and 2) is their technology good enough to stand up to both established vendors and newer competitors with newer and more modern cloud-centric solutions? (CBLK started in 2005.)
Market Dynamics - Gorillas and Gazelles
Endpoint security products have been mainstream for a few years now. The Gartner Magic Quadrant below illustrates most of the players. There are gorillas like Symantec that clearly understand the need for endpoint security and have built products to address it. The large companies like Symantec are not loved by customers but they are at least well-tolerated and already in place within most enterprises.
How does Carbon Black stand out in a sea of competitors? Their major claim is that they process "unfiltered" data at the endpoint. They contrast this with other vendors who use "filtered" or a subset of endpoint data and claim that other vendors have been unable to do this because the amount of data processing required is too large. Carbon Black relies on their "proprietary data shaping" technology to help process the data and a stream-processing approach to reduce storage needs and latency.
We couldn't find much independent validation that this is a major advantage in the eyes of the customer. All vendors have their "special sauce" technology claims but until customers and analysts agree that one is a "must have" it's not a major differentiator. Also to my ear "data shaping" sounds a lot like filtering which is what everyone else does too.
The full excerpt from the recent Gartner report on Endpoint security is included below. Generally speaking, CBLK get's okay marks from Gartner - not high enough to make the standout nor low enough to prevent an enterprise from considering them. However being low on the "ability to execute" axis is a warning sign for larger companies.
Our final concern is that Carbon Black is a "vintage 2005" company which pre-dates much of the modern cloud-based architectures in the market today. It's also a reminder that the company has taken a decade to reach this point of maturity in the market. So they fit somewhere between an established player and a newer "gazelle."
Company Valuation & Stock Conclusion
We've been fairly charitable in constructing the IV model below. We're using a 35% growth rate and 35x earnings multiple. This isn't inconsistent with recent CBLK results but top-line growth has been slowing down consistently over the past four quarters ended December 2017 (54%, 47%, 39% and 34%).
Deferred revenue has grown dramatically to $164M as of December 2017 but this was based on more 3-year contracts. According to management, they are now shifting back to one-year agreements which will decrease deferred revenue from current levels.
We think investors will look upon CBLK as a "second tier" IT security player based on their current industry position, product features and even the list of bankers which includes Keybanc, William Blair, RayJay, and Cowen as co-managers.
Our IV model is very sensitive to growth rates and multiples. While we are showing a $32/share potential if the company ends up being a 30% grower the estimate falls to $23 which is a small premium to the current top-of-range $19.
The conclusion is that it's probably best to sit on the sidelines with respect to CBLK and wait to be "bribed by outstanding results" should management be able to deliver.
Appendix - Gartner Take on Carbon Black
Carbon Black is in the middle of a significant corporate transition, consolidating its overall offerings into a new cloud-based security platform called Predictive Security Cloud. The company's overall offerings consist of Cb Defense (EPP), Cb Response (threat hunting and incident response), and Cb Protection (application whitelisting and device lockdown). Carbon Black began to consolidate EDR features from Cb Response into Cb Defense in 2017 as it started to build a presence in the EPP market.
Carbon Black has earned a strong reputation as offering one of the leading EDR solutions in the marketplace. Cb Response (threat hunting) is typically found in more complex environments with very mature security operations teams. The Cb Defense agent collects and sends all the unfiltered endpoint data to the cloud using a proprietary data streaming mechanism that eliminates bursting and peaks on networks.
The majority of Carbon Black clients make tactical purchases, usually a one-year subscription with options to renew at the end of the term.
Carbon Black is in the Visionaries quadrant this year, but Cb Defense is still unproven, which impacts its execution. The vendor has a poor record of participation in public, independent malware accuracy and effectiveness testing, which impacts its vision and execution in this assessment.
• Carbon Black provides an advanced toolset that has broad appeal with organizations that have mature security operations teams consisting of high-caliber and very experienced personnel.
• Carbon Black's Cb Defense solution incorporates a blended approach consisting of signatures, ML, software behavior monitoring, process isolation and memory protection, along with exploit prevention.
• Carbon Black's updated and streamlined console offers advanced administrators simplified views of threats via visual alerts and triage, resulting in faster detection and response.
• Carbon Black's rich set of APIs and broad third-party partner ecosystem provide opportunities for mature SOCs to integrate Carbon Black findings into a diverse set of analysis, workflow, and case management solutions.
• Clients that have not yet moved to Carbon Black's cloud-based EPP and EDR product (Cb Defense) continue to report that they are struggling with the operational complexity of their Carbon Black deployments.
• Some advanced prevention features such as cloud detonation and hash lookups require online access to the Carbon Black cloud infrastructure, reducing the effectiveness for devices without a permanent connection to the internet.
• Carbon Black has not yet integrated its threat hunting module from Cb Response or its application whitelisting capabilities from Cb Protection into its cloud-based platform, so customers that require those features will need separate agents and separate management consoles.
• Carbon Black continues to be at the premium end of cost per endpoint in terms of cost to acquire and cost to operate, especially if organizations require the EPP and the separate application whitelisting capabilities provided by Cb Protection.
• Carbon Black has continued to favor private or sponsored malware accuracy and effectiveness tests of its product and has had a poor record of consistent participation in public tests in 2017. Consequently, it is difficult to determine its efficacy versus peers.