Check Point CEO Gil Shwed on Why Prevention Beats Detection
Shwed Shares How Check Point's MPR and XPR Tools Reduce Work for Security Analysts
Michael Novinson (MichaelNovinson) • September 16, 2022
Existing security operations tools focus too much on detecting threats and creating alerts rather than stopping attacks before they happen.
To address this nagging issue, Check Point has introduced its own managed prevention and response and extended prevention and response tools that will reduce the number of events security analysts handle by at least 90%, says CEO Gil Shwed, who has led the Israeli security giant since 1993.
Check Point Horizon can take events that previously would have caused major damage and led to hundreds of hours of work for security analysts and thwart them altogether, he says (see: Check Point Pursues More Business Outside Network Security).
"Almost all the other systems today in the marketplace will let malware get through, analyze it and half an hour later give you an alert that you're at risk, and now you need to start the process of remediation," Shwed says. "This is, in my mind, ridiculous. We're the only one that, if we see an event, we will immediately stop it."
In this video interview with Information Security Media Group, Shwed also discusses:
- Check Point's biggest investments in cloud and email security;
- What sectors are most rapidly adopting Check Point's new firewall;
- How raw material shortages have affected Check Point's pricing.
Shwed is considered the inventor of the modern firewall. He has authored several patents, including for the company's stateful inspection technology, and received numerous accolades for his individual achievements and industry contributions, including the Israel Prize for his contributions to the Israeli tech industry and philanthropy. Shwed is chairman of the board of trustees of the Youth University of Tel Aviv University, a Tel Aviv University governor and founder of the university's Check Point Institute for Information Security. He also chairs the board of directors of Yeholot Association, which focuses on reducing Israel's high school dropout rates.
Michael Novinson: Hello, this is Michael Novinson with Information Security Media Group. I'm joined today by Gil Shwed. He is the founder and CEO at Check Point Software. Good morning, Gil. How are you?
Gil Shwed: I'm well. Great to see you, Michael.
Novinson: It's nice to see you as well. Big news today for Check Point to announce the debut of Check Point Horizon, which includes network prevention and response, as well as managed prevention and response. I wanted to get a sense of why those are areas of focus for you.
Shwed: So I think first in Check Point, what we've built over almost three decades, we've built the best network security, the best firewalls in the industry. But in the last decade, what we build is what we call Infinity. And that's the biggest platform to deliver almost end-to-end security for every enterprise. And I think we've built three pillars there, Quantum for network security, CloudGuard for securing the cloud, and Harmony to secure the user, the user on their endpoint, user on their mobile, and the user when they're trying to connect to the different corporate systems. VC grew, by the way, securing the user when they're doing email. So basically, the entry vectors for malware into the organization are covered by us. And today, with Horizon is the ability to manage all of that, and the tools with the SOC (security operation centers) need in order to get the value out of all of these tools. And the challenge today is that many companies that provide these tools, not only that these tools are super complicated and complex and hard to work with. But mainly, we focus on detection, they don't trigger an action and they don't prevent the attack. And what's unique about Horizon is that we're focusing on what we call 'prevention first'. When we see something, we are prioritizing, and we know how to stop it, and how to prevent it, not just how to detect and create more alerts for the SOC.
Novinson: So, what are you doing from a technology standpoint in order to bring that prevention to customers around the network and from a manager's perspective?
Shwed: So, we have all these ties, all the different pillars that we have the network, the cloud, the users, the endpoints, the email, all connecting to one system. First, one layer that we have is the events, is correlating the events and understanding what they mean. The next slider is what we call MDM-XDR, or what we call XPR, is correlating the events and understanding what that means. And again, most of the industry call it XDR, we call it XPR, we pay for the prevention. And on top of that, we build the layer of managed services, because one of the challenges is that some of the world's largest organization can afford running a full 7*24 SOC, with, that's staffed by experts, all day and all night. But most of us can't afford it. Even if you're 5000-people company or a 10,000 company, running a SOC, getting anywhere from five to 50 analysts is not a realistic task. And what we are able to do is to provide that as a managed service using the same tools, but we also provide customers, so they can run their own SOCs. So the main service that we're providing now is manage the prevention and manage detection service. We've started with service the beginning of the year in stealth mode, we've got overwhelming demand, even without announcing that and now we are launching it for the public.
Novinson: In terms of these offerings, I know you've positioned it as managed prevention and response as well as extended prevention and response. What's the difference? What's the difference from a customer standpoint of using your MPR or your XPR versus the conventional MDR-XDR offerings that are already on the market?
Shwed: So first, I think the number of alerts or the number of events, which we're going to need to handle, is going down by say anything from 90 to 99%. Because most of the events are going to be solved by the system. Or if I see some endpoint, which being suspicious, it will be automatically disconnected from the network. We won't allow it to connect to our systems and we will automatically stop that attack. So, let's evaluate talking about extreme cases when the malware already got to an endpoint. But let's start with the simplest events. You get the malicious email with a malicious file, almost all the other systems today in the marketplace, when this is, in my mind, ridiculous, we let malware get through, we'll analyze it and half an hour later, we'll give you an alert that you're under a risk. And now you need to start the process of remediation, call the user and tell them not to open the email, if they opened it, run an investigation and see if something bad happened. If it did happen, trying to contain it. We're the only one if we see that event, we will immediately stop that. And by the way, we will also stop that file from everywhere else. So even if the attacker says, "The email doesn't get through, I'll send it through Gmail, and the user will download it, I will get it in another way," the same document will be blocked on all vectors. So we take that event what could have been many hours of work for a security analyst and potentially big damage and turn it into nothing, because it doesn't happen. In the extreme case, we do recognize that some malware got to an endpoint on the customer, we will also handle it. And what we've seen statistically, we've seen an example. 
We took a customer over a few days, they got 365 events, that in a normal environment they would have to handle, we reduced it to two events, but they needed to handle and then we call them and notify them and tell them this is what you need to do in order to contain that event and prevent the damage.
Novinson: Interesting. I know, as part of this Horizon platform, you also have Horizon events. And what's the interplay between Horizon events and the MPR and the XPR that you also announced today.
Shwed: I think you can look at it from two different angles. One angle is we want the data, we want to investigate, we want the evidence and events will take log files and will take not just log file, real-time data, real-time logs from multiple system and correlate them, and show you that it's not 20 different log records, it's one event. And the flip side of that is once you analyze that you realize what's happened and you can stop it. So, I think it works from two different ways. From us, it's the foundation with the ability to correlate with, and to give you, a unified view of what's happening in multiple systems is the foundation to the XDR-SBR. And that's the foundation for the managed detection and prevention services that we provide. So it's all the same technology stack.
Novinson: And it's starting in February, and then again in May. In conversations with investors, you called out three technology areas that were going to be, what you termed as speed boats. One of them was MDR, the other two were cloud security and email security. And I wanted to get a sense from you of what the speed boats have meant for your cloud security and your email security practice. What have you been able to do with that increased focus in recent months?
Shwed: So first, we call them rockets, not speed boats, because we aim for the sky, not for groaning in the sea, but what we were able to do is focus on far more resources in order to correlate between the user needs, the technology development and all these function which needed to support our customers. And I think one rocket like that was the Harmony email. And I think we've got a great entry into the email space. And I think by now we have the best system for cloud-based email, Office365, etc. I think we have the best technologies today both to handle phishing, which is a major vector, and to end malware, malicious files that are entering through emails. I think no one has something like that. Not on the cloud email. And I think that's a result of an acquisition that we did about a year ago. And combining the different technologies, this company has the best technology to handle a cloud-based email but also in the best anti-phishing technology. We had the best anti-malware technology and combining the two together created something even stronger. So which one rocket - number rocket to CloudGuard? I think we don't have enough time to cover it for today. I think it's worth a different discussion because we have the broadest tech to handle everything on the cloud. And the last rocket that we have is the same MDR-NPR, the detection and manage prevention service. And this rocket is like a small startup, started from zero a year ago. Having today getting close soon to almost 200 customers providing tremendous value. And I think that's the Horizon MDR-NPR that we're launching today.
Novinson: Let me just ask one thing in terms of the CloudGuard piece, which is, I know, starting in February. You called out with these rockets, bringing the technologists in the sales organization closer together around specific technology areas. What does that mean for CloudGuard bringing technology people, the technologist and the sales teams closer together?
Shwed: I think one of the challenges in the cloud with what you call cloud security, it sounds simple, but cloud security is replicating all the security that we built over the last 30 years, moving them to the cloud, and extending them because the cloud today has all the services that we have in a traditional IT environment. Plus, some more services, and it's far more vulnerable than the traditional systems. Let's take a cloud email in the traditional email system, there's a high level of security just because most of the access to the email system is governed by VPNs and access control that's provided by the company firewalls. Cloud email is open to everyone, so anybody who know your email and the password may access your cloud, the mailbox that, by definition, creates a higher level of risk. And what we found out that we had a few dozen technologies in Check Point which covered the cloud. And what we try doing is consolidate them into a more unified platform. Because when you're shopping and want to secure your cloud, you don't know which one out of the 20 technologies that we can offer you need. You know that you need to secure the cloud. And I think what we want to offer you is the end-to-end stack. And I think in the cloud, it was important combining all the development teams to develop the same interfaces, the same concepts, with the sales teams that you're saying, "I need to secure, I don't know container in the cloud." We don't come back to you and say, "Okay, we have three answers." No, we have one answer. And that's consistent, it will be with all the different technology elements working together to secure your cloud. And I think that was a big achievement that we did so far. And I think it will continue to be a huge roadmap in making that vision an even better reality.
Novinson: In terms of your heritage, IPC Check Point grew up in the firewall worlds, you've been in that space for nearly three decades. Earlier this year, you've announced the debut of the Quantum Lightspeed Firewall. And I was wondering, since that debuted, what customer segments, what use cases have you seen the greatest adoption of your new firewall?
Shwed: We've seen Quantum Lightspeed is amazing. For the first time, we're doing hardware accelerated firewall, it's good for a low-latency environment, for a high level of transaction environments. And I think that's been nice success so far. A few segments have been the main successes, so far. One is banking and financial, when they need to do high-frequency trading and transactions like that, which, in many cases, they gave up security because the performance was so important and especially, the low latency that we gave up security. And now, in many cases, they can get a good security without sacrificing performance, or can call it the other way around. So, that's one. Manufacturing is another one, when there're huge data flows, what we call elephant flows, they have backups of 400 terabytes and so on, which we couldn't afford before because they couldn't get the fastest links on that. And we have a lot of successes in the telco space where we also need to process large amounts of data in that regard. So, these have been the few segments. The good news that we found that we started with Lightspeed with the relatively focused decks of security operations that are being accelerated. And we've seen the good interest of that. But the nice thing is many customers, they said that they want us to expand the number of services that we can accelerate, which is good, because that's what we've been preaching for the last decade. You don't need basic operation, you need the full stack of security operation if you want to secure your enterprise.
Novinson: Wanting to turn to the economy here for a little bit. I know the industry-wide supply chain shortage has dragged on much longer than any observer has anticipated. And I wanted to get a sense of what the impact of the supply chain constraints have been at Check Point.
Shwed: First, I think we've managed them. We don't speak too much about that because I think we are lucky, but so far, we were able to keep it almost transparent to our end users. So, we've been shipping products all the time, we've been shipping them in very quick turnaround times. And we've been working hard with our suppliers around the world. It's interesting, we have teams with our hunting electronic components, so we can build enough systems. It's been a big cost to us, we are paying 40-50% more for the average or for our manufacturing costs. Because we are looking into what's called the gray market to find many components that we need. These are all genuine good components, but we're not necessarily getting to us from the manufacturers, but from third party that somehow have some inventories. And we've been working hard around the entire supply chain to get the product to our customers and got to some nice wins.
Novinson: In terms of that, the cost increase, the 45 to 50% that you're calling out there. To what extent have you pass that along to customers? And to the extent you have, what's the impact of that on demand?
Shwed: Firstly, demand is very healthy. So there hasn't been much of an impact on demand which depends on the product line, and so on. I think pricing went up between five to 15% over the last two years, not in one step. And that varies by the type of product, by the type of component, and so on. So we've kept it very modest. We've absorbed most of the costs. And remember, everything in the market went up, not just the components. We are unfortunately now living in some inflationary market. So, compensation went up, almost everything went up in the last two years. Travel even, for two years we haven't been traveling now. People are back in traveling and the travel costs are far higher, much higher than they've been in 2019. And I think we've been able to absorb that cost. And I think our focus is simply to give our customers the security that they need.
Novinson: Wanted to turn to inorganic activity. I know acquisitions have been a central part of your strategy for a couple years between 2018 and 2021. Buying Dome9 for Slack, Cymplify, Protego Labs, Odo Security and Avanan. And then there was a little bit of a pause in M&A activity a little bit over a year since your last acquisition was announced. And I was curious why we've seen a bit of a pause in the M&A at Check Point.
Shwed: First, we are focused on finding the best technology and we still do. I'm seeing more ideas for M&A these days than I've seen before. First, I don't know if there is a slowdown. But in reality, you're right, we haven't acquired the company since like, the last one was Spectral and that was at the beginning of the year. So it's not that long ago. But I think the main one, but first, we have a very broad stack today. So the issue today is not that our stack is not full, the issue today is that we need to deliver more of that to show customers the value of using the full Infinity architecture, and not simply to add more technologies. And second, the technology sector has been overwhelmed by too many technologies, prices that are getting too high, complexity that's getting too high. So, the number one priority is to get back to reality, give the customer the value that they need, best security, simple to manage, delivers the highest level of prevention. And once we get there, I think we can continue on the argument. The platform that we have and, by the way, since we have a broad platform, there's more places we can plug additional technologies.
Novinson: May ask you here finally, looking at the market landscape, I know we're talking network security, it's been the same for companies at the top now for well north of a decade, yourselves, Fortinet, Palo Alto Networks and Cisco. And when you look at the landscape today, what do you feel are the biggest things differentiating your approach to the security industry versus Fortinet versus Palo and versus Cisco?
Shwed: I think it comes in multiple levels. The number one I would say is simple, is the best security and the best security means that we're doing everything in prevention mode. I gave the example at the beginning. You get the malicious file. Unfortunately, most, if not all of our competitors will deliver you the malicious file. And if they know how to analyze, it will give you the verdict half an hour later, or sometime later. That's not good enough. So that's one. We were the only one that will only send you a clean file very fast. You won't have to wait, so don't worry about that. Second is the fact that we do have a unified platform to do that. It's not super market, two products that don't connect. It's one architecture. One will be called the Infinity Portal, where you can control the entire environment. And with all the infrastructure that we have for correlating events, for threat cloud, which identifies the difference on a global basis, not just for an individual customer. If we see a malicious file in one part of the world, we don't just say that this file is malicious, we know who's the command and control, we know what all the IOC is embedded in that file. And within seconds, we can make them block attacks on every customer around the world. So that's a strong platform. Customers keep saying to us, "With our management platform for managing security in general and for managing the network security and the firewall, is the gold standard, and remains that way." And I think these are some of the key differentiator. On top of that, if you look at just the coverage, I don't think that anyone has everything that covers from mobile to email, everything in the middle. And we do cover everything from mobile to email. And I don't think that most of the vendors you mentioned there have this kind of scope. And again, including the network, the cloud, everything in the middle.
Novinson: Interesting. Yeah. Thanks so much for the time.
Shwed: Thank you, Michael. Enjoyed that. And I hope we will keep fighting and providing the best security or work hard to do that every day. Thank you very much.
Novinson: Of course! We've been speaking with Gil Shwed. He is the founder and CEO at Check Point Software. For Information Security Media Group, this is Michael Novinson. Have a nice day.