Microsoft’s $20B Cybersecurity Behemoth
A Spotlight on Microsoft's Playbook And How It Dominates the Cybersecurity Landscape
Overview:
Today, we’re taking a deep dive into one of Microsoft's largest and least-discussed businesses: its $20B cybersecurity behemoth. In January 2023, on its Q4 2022 earnings call, Microsoft announced it had surpassed $20B in revenue within its cybersecurity business, making up almost 10% of total revenues. This news came as a surprise to many, though not to insiders who had watched Microsoft’s growing footprint in security over recent years. There hasn’t been much written on this topic, so I thought I’d take on the challenge of putting together a piece with the limited public information available about the business.
🚨 Quick & Important Announcement 🚨
If you’re a SaaS or cybersecurity nerd, I have exciting news! Thomas Robb and I have been hard at work building a two-week software & cybersecurity bootcamp. The bootcamp is geared toward two audiences:
Cybersecurity Deep Dive: For software investors or professionals who want to better understand the cybersecurity industry. The bootcamp covers frameworks for simplifying the complex world of cybersecurity. We’ll cover the key technologies, examine the differences between Microsoft security and Palo Alto Networks, discuss endpoint players like Datadog or Crowdstrike vs SentinelOne, and much more.
Software Modeling Foundations: For professionals with no interest in cybersecurity who want to get better at understanding SaaS financials and analyzing software companies like Snowflake, Datadog and more. A dedicated section covers this aspect; we’ll go through concepts such as how to build a SaaS financial model, the difference between bookings and billings, FCF, and more.
Key Actionable Insights:
These are the key summary points and insights if you only have 3 minutes:
Microsoft is the largest technology company offering full cybersecurity services, having surpassed $20B in revenue. The second-largest player, Palo Alto Networks, is expected to surpass $7B by the end of 2023, paling in comparison to the giant. To learn more about the rise of Palo Alto, see my full co-written report here.
Microsoft’s investments in cybersecurity since Satya Nadella took over in 2014 have yielded rewards, especially in the current macroeconomic environment, where companies are looking for cheaper but much more robust security. Gone are the days when Microsoft was considered a cheaper but inferior solution; the company has now achieved Gartner leadership rankings across 4 of its 6 business arms, showing its best-of-breed product potential.
It is estimated that Microsoft has an 8% market share in cybersecurity, even as a $20B business. This modest share shouldn’t come as a surprise to security insiders, given the high level of fragmentation within the industry.
Microsoft categorizes its security portfolio across three areas - core security, identity & management, and compliance & privacy - with 2 flagship products within each portfolio. Its largest product lines sit within its security and identity portfolios.
Competition in an already fragmented security market has intensified significantly with Microsoft’s presence across these three market categories. Strong competition exists between Microsoft and Crowdstrike in endpoint security, between Microsoft and Okta in identity, and in virtually all security categories except network security, as I discuss in the report.
This piece intends to put a mini spotlight on each of the product and business segments. I provide some perspective on, and the competition within, each of the areas.
Microsoft Cybersecurity Behemoth:
Microsoft categorizes its security portfolio across three areas and six products:
Microsoft Defender and Sentinel cover the endpoint and cloud tools and the SIEM, respectively. Compliance and privacy, covered by Purview and Priva, are primarily data management and data security features. Microsoft Entra and Intune were recently renamed after Microsoft revamped its legacy Azure Active Directory. More interesting is the fact that Microsoft provides security for AWS and GCP workloads across a variety of platforms. This is something pretty distinct about Microsoft’s approach and has been a key driver of its success. Recently, Microsoft announced Security Copilot; it will be interesting to see where and how it is categorized over time. Let’s delve into each of the business segments:
Microsoft Entra:
Microsoft Entra is the largest business within the cybersecurity arm. It is Microsoft’s cloud-based identity and access management (IAM) service and the largest revenue driver within the security arm, estimated at around $4B in revenue (Citi). The stack includes Azure Active Directory (AD), permissions management, workload identities and identity governance.
💡 - Active Directory, in cybersecurity terms, is simply a centralized, hierarchical database of a company’s user data, including full names, roles, permissions, and the internal resources within the company’s network. BofA estimates that Microsoft has an 85% market share within the IGA identity market.
Entra provides single sign-on (SSO) and multi-factor authentication for applications, as well as identity access control for cloud and on-premises applications. It secures user identity access, manages directories, and provides identity governance and administration (IGA), a component of identity and access management (IAM).
The Identity Product Line:
In identity, there are several ways of categorizing the industry. One is to break the sector down into workforce (internal) and customer (external) identity management. Microsoft’s legacy AD was primarily strong in workforce identity, but Microsoft recently started its push into customer identity, allowing it to provide a full breadth of identity products.
This push into customer identity was bolstered by its acquisition of CloudKnox, a player that gave it capabilities in cloud privileged access and entitlement management. To highlight a couple of the product features: the Entra CIEM product is a unified view where organizations can see resource usage and implement consistent cloud access policies across their entire cloud portfolio. Entra Workload Identities manages access controls for how apps, users and services connect to and consume cloud resources. An added feature here allows companies to detect compromised identities automatically. As discussed, Entra is Microsoft’s largest product portfolio, and it includes a vast number of products outlined on its Entra homepage. Microsoft recently announced a variety of new identity features at its Build developer conference, adding more robust features to the existing Entra Permissions Management, Microsoft Verified ID and Azure Active Directory product lines.
🔋 Microsoft vs Okta:
It’s worth commenting on the Microsoft vs Okta rivalry in the identity market. Many people might not be aware of it, but Okta’s biggest competitor within the IAM market is Microsoft. Citi estimates that Microsoft has the largest market share within the IAM market, at around 24%, while Okta has around 9% of a $13B IAM TAM.
Okta acquired Auth0 to better compete within the SMB market. Okta’s key differentiators from Microsoft are its vendor neutrality, more in-depth identity features and better user experience for external identities. Some key differences include:
Microsoft’s Entra is primarily focused on internal/workforce employee identity, e.g. large companies with more than 500 or 1,000 employees that require robust identity, authentication, authorization, etc.
Okta provides identity security for both internal and external identities. Its core strength lies within workforce identity; however, it acquired Auth0 to gain core capabilities within external identity, i.e. customer identity.
Some commentary from BofA suggests:
“Okta was initially seen as more competitive versus Microsoft because of its platform neutrality and robust library of out-of-the-box integrations with popular business applications such as Salesforce.com, Workday and others. However, the widespread adoption of open security standards accelerated Microsoft’s development of integrations and the company now has a similar library of out-of-the-box API connectors.”
This competitive battle between the two companies will be interesting to watch. As Microsoft expands its identity product suite at significant discounts, Okta continues to be highly affected by the aggressive pricing. As can be seen on Microsoft’s website, identity security is being added for Microsoft E5 and E3 customers at almost no cost.
Microsoft Defender:
Microsoft Defender is Microsoft’s flagship cybersecurity product. It protects a company’s workloads across endpoints, applications and the cloud. Defender is broken down into four areas:
Defender for cloud security
Defender for cloud Apps and Multi-mode CASB
Defender 365 for endpoints, XDR, and email security
Defender for IoT, vulnerability management and EASM
Defender for Cloud protects customers’ cloud workloads, providing developer security, cloud security posture management (CSPM) and cloud workload protection (CWPP). CSPM ensures that companies follow the best policies and standards while building apps on the cloud; meanwhile, CWPP provides ample visibility across the cloud environment, e.g. databases, containers, Kubernetes and many more.
Defender for Cloud Apps: This is the Microsoft product for DevOps and application security. It integrates closely with GitHub’s application security to detect and protect against code vulnerabilities. This business also integrates with a company’s SaaS applications to provide comprehensive security and data loss prevention (DLP).
I’ll also add that Microsoft has a highly successful email security business. This business is tightly coupled with Microsoft Outlook. As one of the largest email providers, Microsoft has invested significantly in ensuring that companies have tight email security to prevent phishing and malware attacks.
Within Defender, Microsoft also provides some network security and cloud access security broker (CASB) solutions. To gain a full understanding of CASB and the industry, see my full deep-dive on the industry. However, I’ll add that Microsoft’s CASB is a minor solution and isn’t as robust as many of the major CASB players within the industry. The key areas where its CASB shines are shadow IT assessment and DLP (data loss prevention). It gives security teams visibility into all cloud applications, sanctioned and unsanctioned. It also helps teams protect sensitive information, such as a company’s financial data, and enforces policies that prevent the unauthorized sharing of data.
Microsoft Defender 365 is the endpoint and XDR protection platform for detecting and responding to threats on devices. It provides advanced threat prevention, attack surface reduction, and endpoint detection and response capabilities. Defender is a unified security solution that integrates endpoint protection, email protection, identity and access management, and advanced threat protection, enabling organizations to detect, investigate, and respond to advanced threats across their entire digital estate. This is one of Microsoft’s more prominent businesses because it competes against Crowdstrike, SentinelOne, Palo Alto Networks, Symantec and many of the key endpoint players. As avid followers and investors know, Microsoft is regarded as a key leader by Gartner. It’s important to note that Crowdstrike seems to be less affected by Microsoft, while SentinelOne is likely more affected (because of its lower marketplace influence and smaller enterprise base), and legacy vendors are most at risk from Microsoft’s dominant presence in the endpoint market.
Defender for IoT, vulnerability management and External Attack Surface Management (EASM) - This arm provides a collection of endpoint solutions under Microsoft Defender for IoT and Microsoft Defender for External Attack Surface Management (EASM). Defender for IoT delivers security for connected devices, which can include critical infrastructure. The external attack surface is the entire area of an organization or system that is susceptible to attack from an external source. An EASM solution continuously discovers and maps a company’s digital attack surface to provide an external view of its online infrastructure. This visibility enables security and IT teams to identify unknowns, eliminate threats, and reduce risk exposure using an attacker’s view.
Microsoft Sentinel:
Microsoft Sentinel (formerly Azure Sentinel) is a cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) tool for collecting and logging security data from all of Microsoft’s cloud and Defender products. Sentinel serves as a storage repository that captures security data from Defender, Entra, and all the security products shown below. With this data securely aggregated and stored, security teams can perform security data analysis and incident response investigations and correlate alerts from multiple sources. Microsoft’s core competitor here is Splunk. Other adjacent competitors include LogRhythm, Exabeam, Elastic, and Sumo Logic.
By having this data centralized, machine learning can be applied to detect and respond to threats across an organization's entire network. Microsoft’s vision for Sentinel is to integrate its SIEM and XDR into one offering: Microsoft Sentinel connects with end-user environments (email, documents, Microsoft Teams, identity, apps, and endpoint), while Microsoft Defender for Cloud provides XDR capabilities for infrastructure and multi-cloud platforms, including virtual machines, databases, containers, storage, and IoT. The goal is for Sentinel to become the storage engine while XDR automatically assists in preventing, detecting and responding to attacks. Microsoft Sentinel now has around 20,000 customers, up from 15,000 a year ago.
Microsoft Intune:
Intune is a cloud-based unified endpoint security product that allows companies to deploy and manage all their company devices (including computers, servers, and mobile devices) through a single console.
In a world where companies have dispersed employees working from home with company devices and critical data, it becomes a challenge for companies and IT admins to protect organizational data, manage end-user access, and support users wherever they work. Intune lets companies centrally govern access to these devices. Intune also provides privilege and configuration management for company assets, including IoT devices. Key competitors in this market include CyberArk, Tanium, IBM, and Crowdstrike. In the private markets, competitors include asset management players like Axonius, JupiterOne, and others.
Microsoft Priva:
Managing privacy and personal data is a top priority for organizations and individuals today. Priva is a business that provides software to help companies navigate privacy, data rights management, and personal data risk management. It specifically helps companies deal with compliance regulations such as the European Union's General Data Protection Regulation (GDPR) and other EU regulations, or the California Consumer Privacy Act (CCPA), around data privacy.
Many businesses struggle to keep up with the latest government legislation, especially with the recent proliferation of data. Additionally, many SMBs don't have the budget to hire data governance specialists or consulting firms to help them navigate this. In this case, implementing a tool like Microsoft Priva helps manage that process. Competitors in the private market that provide similar services include OneTrust, Vanta, and Drata.
Microsoft Purview:
Purview is a data security business that works closely with Priva, but the two are separate businesses. Purview helps companies manage data across workloads (cloud or on-prem), while Priva primarily deals with managing privacy issues around customer data.
Purview deals with data in motion and at rest. The software provides a unified data governance portal that helps with data cataloging, risk and compliance management, audit, lifecycle management, insider risk management, information protection, and eDiscovery.
Businesses need to implement policies to prevent employees from stealing data via their personal workloads, and in certain cases companies lose data and need to find it. Purview helps with these use cases. Purview also helps organizations detect risky browsing and risky insider activities that may lead to a data security incident. The software solves these problems by discovering, classifying, and protecting sensitive data contained in Microsoft 365 applications and other platforms. Other competitors within this market include public companies like AvePoint (AVPT) and private companies like Druva, Veritas, Symantec, and others.
Microsoft Security Copilot:
Microsoft recently announced Security Copilot, its GPT-4-powered security LLM. The model was built around 65+ trillion data signals to help optimize the work of security analysts. Copilot cuts across Microsoft’s entire security portfolio.
Security Copilot is a huge value-add for SOC teams. It should help them identify prioritized threats in real time and search for efficient responses across threat hunting, tactics, and vulnerability management. More interesting is its ability to incorporate knowledge directly from within a company, returning information a SOC team can use to learn from existing intelligence, correlate current threat activity from other security tools, and deliver up-to-date information using Microsoft’s own threat analysis footprint.
It also assists SOC teams with security incident response (by quickly curating playbooks as attacks occur in real time), threat hunting, and security reporting. It can detect threats that other approaches might miss and augment an analyst's work. In a typical incident, this boost results in improvements in the quality of detection, the speed of response, and the ability to strengthen security posture.
Overall, AI’s biggest impact on security will be automating much of the work of security teams, enabling faster detection of and response to attacks. In the future, I expect to see more AI products designed to protect open-source models, as well as generative AI applications. This space is heating up quickly, with Google releasing its own Google Cloud Security Workbench, a platform powered by Sec-PaLM, an LLM designed for cybersecurity use cases and powered by Mandiant's proprietary threat intel data. This is a space to watch closely over the next few years.
Microsoft Security Experts (MDR Service):
Microsoft Security Experts was launched in 2022. This is Microsoft’s MDR (managed detection and response) offering, which provides outsourced security services to companies. It usually caters to companies (mostly SMBs) that don’t have the budget to staff full security teams or that need to outsource aspects of their security. It provides a threat-hunting service for customers who would prefer to have Microsoft experts help them hunt down threats. In this case, these companies outsource some, if not all, of their security operations to Microsoft for 24/7 monitoring. Microsoft also includes its consulting arm in this business category. I’m surprised it took Microsoft until 2022 to launch this arm; it is significantly behind leading players like Expel, eSentire, Red Canary and many others on this list. Microsoft will usually have security analysts, consultants and experts across all six areas of its security business and provide consulting to companies that need additional expertise in each of these areas.
Key Metrics Revenue Breakdown:
Microsoft has doubled its security business within the last two years. It is now growing at a CAGR of around 33% as of its Q1 2023 quarter.
This is how the revenue breaks down across the key segments, according to Citi’s research. These are Citi’s best estimates of how each business breaks down.
The largest part of Microsoft's cybersecurity revenue comes from bundling via Office 365 E3 or E5 allocation, amounting to 30% of Microsoft's cybersecurity revenue.
Citi believes “Other Systems Infra” is a large catch-all bucket that includes patch and endpoint management and network security, while Info/Data Security includes email and communication security. Citi also believes roughly one-third of the business is pure bundling via Office 365 E3/E5 SKU allocation, which reflects MSFT’s “killer” distribution advantage built on a pervasive incumbency.
As discussed earlier, the Identity business is the largest segment due to Microsoft's Active Directory legacy. The second is the endpoint security segment.
Total customers: Microsoft says 860,000 organizations across 120 countries use its security products. Of these, 720,000 organizations use its identity and access products. Also, 620,000 organizations have adopted 4+ products, and this number is growing 40% YoY.
Key to Microsoft's Success:
It’s worth discussing why Microsoft has been so successful with its security strategy. Here are a couple of discussion points:
Aggressive bundling sales strategy
There has been much discussion about Microsoft’s bundling strategy, and it is especially important to cover here. Microsoft's popular E5 and mid-tier E3 software packages include cybersecurity, such as Azure AD security and various flavours of Microsoft Defender, at significantly cheaper prices than the competition. E5 includes advanced security features such as Purview data security, Azure Advanced Threat Protection, and Microsoft Cloud App Security, making it a suitable choice for organizations with the highest level of security needs. E3, on the other hand, is a more affordable option for organizations with less complex security requirements. Microsoft also has a 50% discount on Defender for Endpoint through June 2023. These new pricing dynamics are affecting next-gen players like Crowdstrike. A sales exec I spoke to explained that this is the pricing playbook Microsoft uses during downturns: it can afford to absorb costs on the security business, especially with a 30%+ profit margin.
Microsoft is not afraid to aggressively boast of “60% savings compared to competitors” across its websites. Furthermore, Microsoft has committed to investing over $20B in its security business over the next 3-5 years, roughly $4B each year in R&D, exceeding the R&D budgets of the five largest cybersecurity companies combined (PANW, FTNT, CRWD, OKTA, and ZS). This roughly $4B a year is what allows Microsoft to release 300+ robust product features at once, as it did during the announcement in early January, to absorb costs, and to invest in acquisitions and growth, creating a major challenge for emerging players.
Gartner’s recognitions strengthen the best-of-breed argument
The argument that Microsoft’s solutions are cheap because they lack best-of-breed features no longer holds as it did in the past. Gartner and Forrester list Microsoft as a leader in endpoint protection, and Gartner lists it as a leader in access management, enterprise data/information archiving, and unified endpoint management tools. Forrester also recognized Microsoft's leadership position in nine categories, including cloud security gateways, endpoint security software, identity as a service, security analytics platforms, and extended detection and response. This recognition appeals to CISOs looking for best-of-breed product solutions at affordable prices.
The ultimate vendor consolidator
One of the biggest themes during the current economic slowdown has been companies wanting to cut costs and consolidate onto one or a few vendor platforms. It’s hard to find any other company within cybersecurity that has consolidated 50+ products into its platform, which makes it difficult to argue why companies wouldn’t want to consolidate on Microsoft, especially if they’re an AWS or GCP customer (platform neutrality).
According to 72% of CISOs and C-level security professionals, it’s becoming critical for a technology vendor to offer a comprehensive set of products across security, compliance, and identity. Large organizations still have an average of 75 security solutions. Microsoft offers a comprehensive solution with interconnected product families across extended detection and response (XDR), SIEM, threat intel, identity and access management (IAM), endpoint, cloud security, data protection, compliance, and privacy.
Partner Ecosystem:
Microsoft has unmatched GTM synergy across the security ecosystem, with over 15,000 partners, value-added resellers (VARs), and managed service providers recommending Microsoft's products to their customers. With many of these channel partners built up over the years around other Microsoft enterprise suites, this vast network enables its bundled products to reach the market more quickly than many of its competitors.
Data Advantage:
Security is increasingly becoming a data problem. The more data an organization has in its arsenal, the more effectively it can utilize AI/ML to detect and respond to threats. Microsoft has gone from 24 trillion threat signals in 2021 to 65 trillion signals in 2023. It also blocks 32B email threats daily. Last year, it blocked 70 billion email and identity threat attacks. If you combine all these data assets with its OpenAI powerhouse, it’ll be interesting to see how Microsoft evolves Security Copilot or builds more AI-powered security products in the near future.
Limitations and challenges ahead:
Microsoft appears almost unstoppable in its push to fully conquer the security industry. However, there is still an argument that, despite Gartner’s recognition, Microsoft doesn’t have the most cutting-edge technical depth within key areas like endpoint security, SIEM and arguably identity security. However, these are just my opinions, and I could be totally wrong.
There is also the argument to be made about vendor neutrality and avoiding lock-in. Even if a company is fully on the Azure cloud or the Microsoft 365 enterprise suite, many companies would avoid having the same provider for cybersecurity.
There is also hidden TCO, and Microsoft’s lack of robust managed offerings (given higher ASPs and demand from resource-strapped SOCs) should keep competitors at a safe distance from cannibalization and protect their pricing premiums in most cases.
Microsoft Security recently underwent a rebrand, and many of its products, like the identity features announced at Build, are relatively new compared with those of other players that released such products a while ago. Beyond the price appeal, it becomes hard to sell these new products to CISOs. Lastly, as discussed throughout the report, Microsoft faces strong consolidator competitors like Palo Alto Networks and Fortinet, which have made strong inroads in network security (one of Microsoft’s weak areas) and are becoming platforms on which organizations consolidate multiple security products.
Summary:
Microsoft’s success in cybersecurity is nothing short of remarkable. Its early investments in the sector and its decision to protect rival platforms (AWS, GCP) have borne massive fruit. I won’t be surprised if we are talking about Microsoft reaching $30B by the end of 2024 and achieving a double-digit market share. It continues to be the name to watch within cybersecurity for the next 3-5 years.