Perspectives - S - The Next NGAV (1/3)

This is the first article of a three-part series on SentinelOne (Ticker: NYSE:S). Here we share why S has a technical edge within the highly competitive endpoint security space.

Welcome to Covequity's Quick Takes¹— Timely interpretation of news & special events for cybersecurity and enterprise tech investors. If you are new, you can join our email list here:

Sources of Alpha: Complexity of the Business
Expected Price Appreciation: 500% from $45 within 5 years²

Executive Summary

• SentinelOne is one of the most, if not the best, private cybersecurity companies going public in 2021. Its technology and vision are highly promising. (Article 1/3)

• The company is executing an audacious GTM strategy following its years of stealth R&D. This means deep negative margins and operating metrics on paper - even higher than ASAN that we’ve discussed before. (Article 2/3)

• Although skepticism may rise alongside a possible correction upon S’s lockup expiry, over the long haul, we view S as one of the best cybersecurity companies for its tech advancement. (Article 3/3)

Why do we love S’s tech?

SentinelOne’s Flagship product Singularity XDR Logo from the official website

SentinelOne is an Anti-Virus software vendor founded by Tom Weingarten in 2013. Anti-Virus software is the earliest form of cybersecurity product. In 1987, the first AV software was created by MCFE’s founder, the late John McAfee, who had just passed away in a Spanish prison on Jul-21.

Signature-based AV

Following McAfee’s initial success, numerous AV vendors have come into play - Trend Micro, Symantec, ESET, Bitdefender, etc. are the early AV vendors alongside MCFE in leveraging their signature-based AV technology. How does it work? At the core of these vendor’s solutions is a database storing all the signatures of malicious files. A signature is a unique identifier of a specific file - just like a fingerprint of a human being. The AV software on the computer will perform scanning across all files to detect if there are malicious files that match those in the signature database.

There are multiple issues with this type of AV. At its core, it isn’t flexible enough – changing one single line of code could change the virus’ signature completely and help the virus evade detection. Subsequently, it takes more effort to identify this new variant and add it to the updated database.

Tweaks around signature-based AV

As time went by, MCFE and Symantec (now NLOK) tried to add more and more products to its core AV engine with firewall, URL filtering, etc. to complement its weaknesses. There are also some early attempts to alter this approach to endpoint security:

• Network security vendors like CHKP, PANW, and FTNT also came into play by leveraging their unique status within the network - which remains highly competitive.

• Bit9, founded in 2003, (later renamed Carbon Black and now acquired by VMW) introduced app whitelisting whereby only authorized apps are allowed to run. This turned out to be highly restrictive and unproductive, as apps change and upgrade rapidly.

• FEYE, founded in 2004, introduced sandbox whereby an unknown app would be run in an isolated environment and monitored closely for any malicious activity. This turned out to be less successful, as hackers quickly found ways to detect the sandbox environment and stay stealth upon the detection.

Thanks to tons of internal management issues pertaining to the two biggest AV vendors - MCFE & NLOK - numerous NGAV vendors were founded to take on this big endpoint security market. Given the duopoly stopping innovation, making tons of money-losing M&As, losing top talents, and increasingly disappointing customers, there were ample opportunities for Next-Gen AV providers. This clip from Richard Stiennon on Forbes should give you a bit of taste:

McAfee, the company, focused on security. It acquired Foundstone, the vulnerability scanning software company along with its founders. Kevin Mandia later left to form Mandiant, now part of FireEye, where Mandia is CEO. Stuart McClure left McAfee to found Cylance, which sold to BlackBerry in late 2018 for $1.4 billion. George Kurtz left to found Crowdstrike. After an IPO in 2019 Crowdstrike’s market cap hit $21.7 billion before settling down to $12 billion.

These top two vendors have also wasted two decades not innovating to solve the issue around signature-based AV. The primary issue is that as the number of malicious files grows, the database grows in size as well and the scalability issue becomes more and more important as one endpoint software may take 4GB+ of disk space, 90%+ of CPU utilization rate, and tons of memory - consuming lots of resources while providing <100% protection as there is always going to be new variants with simple change of codes.

Next-Gen AV

Around 2010, there is a new wave of AV startups being founded with a novel philosophy and approach to tackling the problem.

• Tanium, founded in 2007, was initially started as an endpoint management platform - the idea is to not only use AV to protect the device but combine functions like patch management, software management, configuration management, and asset discovery and inventory all together in a unified platform. By taking a more unified approach to endpoint security, Tanium is able to reduce the attack surface and provide a more comprehensive security solution. However, as the company was created very much early on, it wasn’t built on the SaaS model and a strategic shift to SaaS had only begun in 2017, which is pretty late compared to others like CRWD.

• CrowdStrike, founded in 2011, is amongst the earliest in leading the creation of NGAV. The idea is simple - if legacy signature-based AV is too clumsy in its inefficient approach to identifying threats, why don’t we change the entire approach from the ground up? CRWD leverages super lightweight agent/sensor software (35 MB in size) to collect data and send it to the centralized cloud for aggregated threat hunting. Once the malicious behavior is detected, CRWD threat intelligence experts will investigate the attack techniques and the attackers behind it. These insights will be shared across all CRWD endpoints and updated frequently. Thus, the need for a giant signature database at the endpoint is eliminated and the detection rate on mutated variants is higher.

  

  CRWD Falcon Platform Overview from the official website

In essence, NGAV makes the front-end software simple and light (collecting evidence) and makes the back-end operations complex, detailed and shared across all clients (generating insights for all). CRWD’s approach is dubbed Endpoint Detection and Response (EDR) - instead of doing early prevention, you can wait and observe the activities, detect malicious ones and respond accordingly. This is also where CRWD’s product name “Falcon” came from.

• Carbon Black was another early pioneer of the EDR market. Carbon Black was founded in 2010, incubated by Kyrus, and then acquired by Bit9 in 2014. One year prior, Bit9 and its customers were the victims of a nation-state attack in which Bit9’s own endpoint software was used to spread a virus³. The reputational damage was significant, given that Bit9 served several U.S. government agencies and 30 of the Fortune 100 at the time. The acquisition of Carbon Black was meant to bolster Bit9’s own capabilities. A lot of parallels with FEYE and Mandiant can be drawn from this story.

  Bit9 was then renamed as Bit9 + Carbon Black and finally Carbon Black only. In 2015, Bit9 acquired a data analytics vendor called VisiTrend to leverage its capabilities in machine learning and big data analytics for security (sounds familiar to CRWD & S’s acquisition of Humio and Scalyr?).

  In 2016, Carbon Black acquired an NGAV vendor called Confer⁴ to complement its weakness in threat prevention and the product was later renamed as Cb Defense.

  In 2019, after many years of a weak GTM strategy and declining technology, attributed to combining assets with little organic development, Carbon was acquired by VMW for c. $1.5bn.

• Cylance, founded in 2012, was amongst the first to change the signature-based AV approach to ML/AI based AV whereby the centre of the protection is based on running AI algorithms to spot malicious activities in order to protect the endpoint. Initially, Cylance gained tremendous amounts of adoption, however, the company became stagnant in innovation amid the EDR trend – only adding its EDR solution, Optics, in late 2018.

  Cylance also made a strategic mistake in focusing only on the AI AV point solution while others (S in particular) have expanded into network traffic analysis, and as a result, have sharply reduced the false positive rate (normal applications being identified as malicious files) using a combination of EDR, static AI, and dynamic AI analytics. Adding to the woes, are Cylance’s years of zero Mac support, thereby excluding itself from Mac clients. Cylance was eventually sold to Blackberry for $1.1bn in 2019. Since then, multiple clients have pointed out a further slowdown in innovation and Cylance is no longer competitive in the NGAV space.

• Cybereason, founded in 2012, was founded by three Israeli ex-soldiers in the famed Unit 8200 where PANW, CHKP, and various cybersecurity founders came from as well. Cybereason’s tech is the opposite to Cylance, in that the centre of its solution is the EDR capability, whilst the relatively weaker component is the AV. In a similar vein to Cylance, Cybereason has gradually lost its momentum. It’s had some successes thanks to backing from Softbank and Fujitsu, but the momentum is certainly fading. On the whole, we view Cybereason as a stronger version of Cylance but largely gets outcompeted versus CRWD and S.

• SentinelOne, founded in 2013, is the youngest among established NGAV vendors, and this gives it a great last-mover advantage in taking a more refined approach. Instead of focusing on EDR or EPP, S chose to focus more time and resources in R&D to develop a more comprehensive platform, covering all major aspects of the endpoint security. It uses static and dynamic AI, network analysis, advanced data analytics, and superior automation, that combined, deliver the highest detection rates in the industry.

  S’s comprehensive platform approach has brought a new term dubbed XDR (Extended Detection and Response) to the industry, whereby the front-end EPP, the back-end EDR, SOAR-powered Security Operation Centres, and SIEM tools are bundled together to deliver a vastly more effective endpoint security solution.

  

  S Singularity Platform Overview from its official website

  We’ll dive into the competition between S and CRWD in the next part of this S series. For now, we’ll just note that we believe S has a unique advantage over CRWD thanks to its AI/ML-powered EDR that has higher levels of automation compared to CRWD’s more labour-intensive approach to EDR (which entails most of the threat hunting being done by humans). We also appreciate S’s greater deployment flexibility. CRWD’s deployments are cloud-only, whereas S can work offline and the agent is able to run on-prem, in the cloud, and in a hybrid environment.

  In regards to the detection rate, S leverages a combination of static AI algos running locally on the endpoint to detect 85% of malicious files, and dynamic AI algos running on the cloud to detect 95% of malicious files. This combination of threat prevention techniques helps create a 100% detection rate – considerably higher than CRWD and others in the MITRE test cited by S⁵. Of course, citing one specific test is highly biased, so interested readers should watch this test conducted by the PC Security Channel on YouTube⁶to get a quick glimpse into how it works. In essence, S is able to automatically spot where the root script was performed and shut it down rapidly. Once the cleaning is over, the security posture becomes highly aggressive, so much so that some legitimate tools with a lower risk of being malware are also blocked. This could mean that S’s high detection rate is achieved at the sacrifice of a high false-positive rate. However, from what we are seeing so far, S’s clients are not too concerned about the false-positive rate yet.

Overall, from a technical evolutionary perspective, S does signal another gap up in handling endpoint security and we are excited about it. Our next article on S will focus on how S executed its Go-To-Market effort to grow its market share in this hyper-competitive endpoint security space.

---

Related materials:

• Sentinel updated S-1 filing (424B4)

• FEB-20 CNBC interview with the CEO after the closing of Series E

• MAY-20 NASDAQ interview with the CEO

• JUN-21 CNBC interview with the CEO on IPO

1

Anything discussed in this post should not be treated as investment advice. For further disclaimer and disclosure, always refer to Terms Of Use for Convequity Ltd.'s Research

2

Assuming no further dilution, within five years, S will be grown into $50bn in market capitalization.

3

https://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/

4

https://www.infosecurity-magazine.com/news/carbon-black-acquires-nextgen-av/

5

https://www.sentinelone.com/lp/mitre/

6

PC Security Channle test of SentinelOne: