Symantec: Hacking the Enterprise Security Space

By: Christopher Nguyen & Samantha Wu

The Ivey Business Review is a student publication conceived, designed and managed by Honors Business Administration students at the Ivey Business School.

Security breaches are increasing in both frequency and severity. Last winter, Anthem Blue Cross, a major US health insurance company, experienced a cyber attack on their IT system which compromised the personal information of 80 million Americans. This breach was one of 888 reported breaches in the first half of 2015, with each breach costing almost $4M. With the rise of e-commerce, mobile applications, and cloud-based computing, there is a greater need to protect sensitive data. These trends are driving cybersecurity spending, which is expected to grow at a CAGR of 9.7% over the next five years.

The Wild Wild Web

In the past, antiviruses functioned on a signature detection basis. A virus signature is like a fingerprint: it can be used to detect and identify specific viruses. The process worked by having infected systems send malware details to the antivirus provider’s in-house lab. Data scientists then investigated the nature of the virus to determine its unique signature that could be used to ensure such an attack could be prevented in the future. The signature would then be uploaded onto a database that all licensed products would use to compare suspicious files against to determine whether a threat exists. Through this ‘learn by failure’ method, only one in hundreds of thousands computers would be compromised before a certain malware would no longer be effective.

This method had been effective in the 2000s, but cyber-attacks have become increasingly sophisticated. Comparing a potential virus against a database of previous attacks is now ineffective for three reasons:

1) The process is slow and malware may not be detected prior to entering the system

2) The evolution of malware makes it so that protection against past attacks is no longer effective against future threats

3) The process is prone to human error

Today, over 80% of large companies are targeted by cyber criminals. Ponemon Institute, a security research company, found that security firms receive over 90 serious threats daily. On any given day, the average anti-virus system is unable to pick up on 50% of new malwares, showing a significant lag time in anti-virus vendors responding to emerging threats.

Consequently, companies are moving towards reactionary mechanisms where systems are protected and damage is mitigated in the event of an attack. Companies like FireEye are developing system analytic software to protect systems by limiting the amount of information that certain malware can access.

Symantec’s Weakening Defences

In response to the changing cybersecurity landscape and shrinking top line figures, Symantec announced its strategy in October 2014 to exit from information management in order to streamline operations and focus on its other business segments. Symantec needs to re-establish its market leadership by using the proceeds of its divestiture to organically develop its two other business areas - consumer security and enterprise security. Post divestiture, Symantec consumer security and enterprise security will account for 47% and 53% of revenues respectively.

As a whole, Symantec is the largest player in the cybersecurity space with an estimated 17.2% market share in 2014. However, Symantec’s market position is eroding, with market share down 1.3% from 18.5% in the prior year due to product lags and discontinuations. Symantec faces competition from two fronts: start-ups like Tanium and Menlo Security that are trying to solve niche problems, and diverse technology firms like IBM looking to capture the growth of the broader cybersecurity market.

No growth in Consumer Security

The driver for consumer security growth is new PC sales, which is projected to decline by 3.1% in 2016. Though declining new PC sales negatively affects all players in the space, other competitors such as Microsoft and Intel’s McAfee have more diversified revenue streams. Symantec, in comparison, derives 47% of its revenue from consumer security, and saw a contraction of 10.3% in that segment from 2012 to 2015. The sharp decline in consumer security puts additional pressure on Symantec to deliver results through its enterprise security arm.

Late entry into Enterprise Security

Symantec offers a suite of enterprise security products including: Secure Socket Layer (“SSL”), certificates, authentication, mail and web security, data center security, data loss prevention, information security services, endpoint security and management, encryption, and mobile security. However, Symantec’s new enterprise product offerings lag the market due to the fact that Symantec’s strategic direction is disorganized. Symantec has switched leadership three times in two years, and with each change came a reorganization of the sales and product development teams. An example of product lag is when Symantec released its Advanced Threat Protection (ATP) product in October 2015. In contrast, advantage helped increase Intel’s share of the enterprise security market by 4.6%. While its R&D expenditure, at 18% of revenues, is consistent with the industry, Symantec needs to accelerate product development in an emerging security sector by completing an acquisition.

Smartening the Defenses

Although Symantec works vigorously to classify and defend against new malwares as they arise, the process is not fast enough. 70% of malwares were able to slip past detection in the first hour, and 34% remained undetected after 24 hours. In some cases, more sophisticated attacks could take up to a week before any progress is made in minimizing the damage. The industry’s best response times are inadequate as the timeframe allows not only for the original victim’s network to be compromised, but also does not provide protection to customers in the same space for the malware in question.

Symantec can look to decrease its response time by acquiring machine learning capabilities for its antivirus suite. Cylance is a private security firm that has built a preliminary machine learning program that is able to evaluate malware in under 100 milliseconds. Cylance classifies malware through static analysis, an examination approach that allows the computer to study malwares without having to execute its program. By bypassing the malware’s code, it does not have the opportunity to defend itself and thus greatly decreases the complexity of malware identification.

Machine learning is a long existing data analytics concept that has only recently become commercially viable through the affordability of hardware. The physical machine is composed of many nodes that are each capable of processing information. Each individual node can be comparable to a single neuron in a brain. The machine is taught by processing raw data and pre-generated conclusions through the nodes to determine patterns that could lead to the provided answers. When this approach is repeated over millions of data points, it will teach the machine to learn how to interpret data and identify patterns. After the machine has been taught to draw accurate conclusions using past data, it is used to analyze new data and conditions.

Given the nearly 1 million new viruses that are released per day, Symantec claims that hackers are working faster than companies can defend themselves. Currently, the best available antivirus is able to only catch 87% of all new threats. Malwares are able to hide themselves through different packaging and some are sophisticated enough to rewrite their own code. The static analysis approach allows the antivirus to treat all malwares of the same strain alike and is not affected by the different packages that exist. Studies show that by using a machine learning antivirus, the risk of a security breach on any specific company could be reduced by 20%.

Cylance: A Strategic Acquisition

Symantec is well positioned to take advantage of Cylance’s knowledge and developed algorithms. Firstly, in order to build a more effective machine learning program, a large library of data is required. Symantec is the largest enterprise security vendor by customer base and therefore can leverage the quantity of data available to improve Cylance upon acquisition. Symantec also has on-demand access to data from its enterprise clients, which can continually feed into Cylance’s machine learning program in order to learn patterns of malwares - increasing the program’s efficacy.

Additionally, Cylance was the first mover of machine learning in the security space. The acquisition will make Symantec the first to bring this technology into the market on a large scale and thus can establish itself as the original distributor of machine learning antivirus. Cylance’s machine learning software is also proprietary, meaning that other firms trying to enter the space would experience a lag in getting to market. Symantec can also work with Cylance on more ambitious projects, like predicting how malwares will evolve over time and intercepting cyber attacks before they strike.

Financing the Cylance Acquisition

Symantec’s divestiture of its information security unit yielded $6.3B in after-tax proceeds. Cylance is currently backed by nine investors with a total of $77M in equity, and has recently completed a Series C funding round.

With its machine learning product, Symantec should aim to gradually win back its 2,000 lost enterprise antivirus customers from 2013 to 2014 upon launch in 2017. It was estimated that Symantec lost approximately 2,000 customers as revenue decreased by $79.6M as each endpoint was approximately $40, and each customer had an average of 500 endpoints. Symantec lost these customers due to decreased consumer confidence driven by leadership turmoil. While regaining these customers, the new antivirus price can be increased from $40 per endpoint to $58 per endpoint. This price is comparable to what competitors such as Kaspersky and Intel are charging, and can be justified given the machine learning antivirus’ additional capability. Given these assumptions, Symantec’s machine learning antivirus has the ability to earn $115.4M incremental revenue in 2017.Symantec can arrive at a purchase price by looking at the price of building a comparable technology in-house. Symantec would need hardware, software, software licenses, and training and team restructuring in order to develop a machine learning antivirus in house. Costs for all these materials and processes would be approximately $540M over a 3 year period. Symantec can take this cost and factor in the premium of being first to market to arrive at an appropriate purchase price.

Rolling Out Machine Learning

A new product should be developed by 2017 that operates separately from Symantec’s current antivirus system using Cylance’s machine learning technology. Since Symantec will be deploying this software to protect highly sensitive data, it is important that their new product is vigorously tested before being licensed for enterprise use. A one year free trial for low-priority, small and medium-sized businesses will allow Symantec to perfect the product. This release will also allow Symantec to demonstrate to clients that this new product is indeed superior to current industry offerings. In the long term, Symantec should work to transition its existing clients to this new superior product.

Developing the Next-Generation

Security breaches are grabbing news headlines, and cybersecurity is an issue that will only grow in importance. Developing a machine learning antivirus product through acquiring Cylance will help Symantec re-establish its position in the next-generation enterprise security space.