Israeli Cyber Security Firm Finds Niche Standing Guard Inside Computer Networks

'It's easier to attack from the inside, and therefore it's more urgent to provide another layer of protection,' says CyberArk CEO Udi Mokady.


During the Great Depression, there was a steep rise in the number of home burglaries. To reduce crime and save themselves the cost of paying out claims, insurance companies had teams go from house to house to check if doors were locked. What else was there to do? Only the well-off could afford alarm systems.

Many decades later, two friends from Jerusalem realized that in the world of internet servers, it’s also not enough to make sure that all the doors are locked. The year was 1999, Check Point Software Technologies was celebrating its seventh anniversary and the firewall systems (in effect, network doors) it had developed were all the rage everywhere. The idea of thinking one move ahead, about how to protect networks from hackers who defeated the firewall, seemed farfetched to many.

“It dawned on us that big organizations, including governments and armies, are captive to a misconception. We thought, ‘Wait, in the physical world this conception doesn’t really exist. Even after you put up doors and gates, you still add more defenses for the most sensitive things,’” recalls Udi Mokady, who founded CyberArk with his friend Alon Cohen.

“The sign of a good startup is that people tell you at first, ‘You’re crazy! What are you talking about?’” says Mokady.

“From the experience we gained in the army and at work for big companies, we learned that the information technology guy may be seven floors away from management but if he wants to, he can read all their emails and see everyone’s salary. We’re not talking just about illegal stuff, but curious employees who have authorization.”

While Check Point and Palo Alto Networks provide perimeter protection, at CyberArk they’re trying to prevent someone who’s already breached the perimeter from getting to the most important and valuable information it contains. It started by developing a digital safe that racked up its first sales less than a year after it was developed.

But when the company tried to break into the U.S. market in the early 2000s, it discovered the path to success would be much longer and harder.

Fail-safe

Customers began saying they didn’t want to store information in the digital safe, but just the authorization privileges, so CyberArk turned its attention to that in 2004. Cohen turned over the CEO position to Mokady while staying on as chairman. Seven years later, he sold his shares in CyberArk and severed his relations with the company.

The people with authorization privileges are those whose work requires authorization to access important information within the company; essentially, they hold the keys to sensitive information. What CyberArk does is manage these authorizations, to ensure that people without authorization can’t enter prohibited areas, and verify the identities of those who do. To do so, the company studies users’ behavior and identifies unusual patterns.

The goal isn’t just to prevent information from leaking out to unauthorized employees on the inside, but to prevent hackers from the outside from moving around inside the network using access they’ve gained to privileged accounts. While outside attacks are how most people picture a hack attack, the financial website Business Insider recently reported that 60% of cyberattacks in the past year came from inside companies, mostly via viruses spread by users.

Business has gradually woken up to the cost of inadequately defended networks. In what turned out to be a watershed moment, the CEO of retail giant Target was forced to resign two years ago, after the company’s computers were hacked, compromising the credit-card details of tens of millions of customers.

Spending on cybersecurity has ballooned. At CyberArk, revenue increased by 55% from 2013 to 2015, reaching $161 million last year. In almost every quarter since it went public in September 2014, the company has exceeded revenue forecasts. Still, even today, CyberArk has only about 2,600 clients, compared to Check Point’s 100,000-plus.

“No question that when you’re out to solve a problem that the market will encounter because of a technological change that has yet to occur, you need bridging time. In our case, the problem had already appeared — everyone was investing in an external network and they were vulnerable in the internal network. For years we worked hard to educate the market,” Mokady says.

“We had very few competitors, and they reaped the benefits of our educational efforts. We were opinion leaders. We shouted, ‘Guys, you’re vulnerable from the inside.’ Back then we sold mostly to companies that were subject to stringent regulation, like financial institutions and infrastructure companies, or those that were ahead of their time and grasped the magnitude of the risk.”

These needs already existed 15 years ago. What is it that has really changed in the last few years?

“The big change of recent years is that the industry is now shining a big light on the problem, largely because of the reports about major cyberattacks — like the hacks of Sony and the insurance company Anthem. The number of attacks went up, and you could also see that these breaches involved the theft of authorization privileges of people on the inside. Also, the widespread use of social media gives the hacker a way to mislead users into thinking they’re receiving a friendly email, and to infiltrate that way. It’s easier to attack from the inside, and therefore it’s more urgent to provide another layer of protection.”

One example Mokady cites is the hack of the Bangladesh central bank in February. The hackers tried to transfer $951 million from the Bangladeshi bank’s account in the Federal Bank in New York, apparently by means of the Swift global money transfer system.

Most of the payments were blocked, but the hackers did manage to transfer $81 million to an account in the Philippines, and from there to casinos. Most of the stolen money has yet to be located.

However, growth for CyberArk has been slowing, with analysts who follow the company predicting revenues climbing no more than 30% this year and 20% next year. At its peak, the company was valued at $2.2 billion, but trading in cybersecurity stocks is characterized by fluctuations, similar to growth markets. Its valuation is now just $1.5 billion, but at six times the projected revenue for the coming year, that’s not a low revenue multiple in the cybersecurity world.

Its price-to-earnings ratio is 40, which is high relative to the stock market but low in comparison to rival cybersecurity companies. One reason is that CyberArk enjoys an unusually wide gross margin of 85%, compared with 80% for Imperva, 72% for Palo Alto Networks and 62% for FireEye.

Growth opportunities

Mokady sees new growth opportunities in cloud computing, the use by companies of remote servers hosted on the internet to store, manage and process data, rather than a local server or a personal computer.

“The more that organizations adopt cloud technology and a hybrid approach to the cloud, the more they increase the number of privileged accounts that have to be protected and managed,” he says. “In many ways, the ease with which companies can now boost their capacities and release applications is accelerating the growth of IT as a whole. The speed and flexibility mean that there are even more privileged accounts and their numbers are increasing at an ever-faster rate.”

One burning question in cybersecurity is whether a bubble has developed. Mokady is confident there isn’t one. “You can see that organizations’ cybersecurity budgets are continuing to grow. Sometimes their entire IT budget goes up, but the security part always goes up. You can see that 80% of our customers are new customers. With the rest of the customers we’re replacing CA products. That’s the competitor we run into the most.”

Speaking of competition, CA Technologies bought Xceedium in 2015. Did that acquisition improve its competitive standing against you?

“CA is happy with the acquisition, which means that there’s a healthy market in terms of demand. But even after buying Xceedium, CA is not perceived as the most innovative and up-to-date player. We hear from a lot of distributors and clients, and we also see from our own analyses, that there’s a big difference technology-wise. Right now I don’t see anyone else who can threaten us. But I have a healthy sense of paranoia — that we’re being chased even when it’s not happening. You have to constantly be making new breakthroughs, and I think our inventive side has only gotten stronger lately.”

Unexpected competition

Competition shows up in unexpected places. Firewall companies, led by Check Point and Palo Alto, are adding layers of security to prevent infiltration through the firewall system, such as software that takes apart documents and rebuilds them, which helps control damage. From time to time, these companies are rumored to be eyeing acquisitions in CyberArk’s market segment, which could create players with tremendous marketing power.

Mokady isn’t worried. “The way we see it, these companies are looking at things from a completely different vantage point. They are built upon sitting at the entry to the network and monitoring what passes through there, while we’re built on locking information and communication within the network with resources within the network. In the natural development of things, we won’t get to them and they won’t get to us, but if they decide to get ahead by means of acquisitions, it could happen.”

Mokady declines to comment on acquisition offers. But in the past year CyberArk itself purchased Israeli startups Cybertinel and Viewfinity. Cybertinel technology identifies attacks at an earlier stage than CyberArk was able to, while Viewfinity deals with the problem of overly sweeping restriction of authorizations that makes work less efficient. Its software manages user authorizations in the Windows operating system.

“We have ongoing connections with startups in Israel and the United States, which leads many of them to come to us in early stages, sometimes through venture capital funds. This helps us identify companies at an early stage, like Cybertinel, which we met when it was right at the beginning. One of our advantages is our access to Israeli startup companies.

“We’re constantly weighing what is better for us, to develop a technology or to buy it. Our menu includes organic development, technology acquisitions, and the rarer though possible acquisition of clients,” says Mokady.