You don't choose your battles, they choose you
There is a fundamental problem within the cyber security world, a problem that Gil Shwed believes Check Point is uniquely poised to address with its technology. This fundamental problem is that the entire cyber security industry approaches threats in a reactive way.
Enterprises are inclined to pursue defense-in-depth strategies that delay rather than prevent the advance of cyber attackers. However, security-aware enterprises need to focus on prevention, instead of detection.
The prevention-first perspective
“You should make every effort to prevent the attack, rather than to remediate the situation,” says Shwed. “From every perspective, it’s far more effective to prevent it if you can…”
“When you’ve been attacked, the damage is done, your reputation is lost,” says Shwed.
“Even some of our better competitors are far more on the detection side than the prevention side,” he continues, observing that Check Point provides value that spans beyond what competitors can offer.
Check Point’s comprehensive suite of prevention-focused tools enable the company to “…protect an entire enterprise from the widest spectrum of attack vectors that are out there.”
The contemporary threat landscape
Today’s threat landscape is filled with Gen 5 attacks from multiple vectors. “Gen 5 attacks are in many cases polymorphic,” says Shwed. “Every instance of the attack, they use the same technology but the attacks look different…” meaning that it’s not easy to scan for the “signature” of the attack.
Further, such attacks are often delivered through innocuous-looking code, such as a weather app on a phone that downloads a small “app-let” that may lie dormant until awakened by a remote computer.
“The worst that we’ve seen consisted of networks that had fifty million mobile phones, and the [malicious] application was installed on them” says Shwed. “In a very short period of time, you can actually create an army of agents, fifty million, and you can turn on anything that you want in a matter of minutes.”
At the level of Gen 6, of mega-attacks, nation-state actors start to enter the picture.
Nation-state attackers are known for creating and maintaining exquisitely organized cyber crime operations. “It’s interesting to see the structure,” says Shwed. “There are organizations that we’ve identified that behave like real high-tech companies,” with “employees…HR…recruiting, and all of the facilities of a modern company.”
These kinds of nation-state backed groups build ransomware in order to steal monetary resources or proprietary data, as traditional ransomware gangs do, but “they also operate to provide services to governments,” wrangling a kind of public-private partnership where commercial ends also serve geopolitical agendas. Check Point has “identified several organizations like that in different parts of the world” says Shwed.
Contending with modern threats
In the face of such complexity, the question is whether or not customers can really handle it themselves – even if the firewall is excellent.
For that reason, the tip of the spear among Check Point’s proactive initiatives consists of a new product called “Horizon.”
Horizon is an instance of what is known in the industry as a managed service, more specifically, a “managed detection and response” service, or MDR. The MDR, as it’s known, isn’t delivered as a product. Rather, it’s sold as a service run by Check Point.
Check Point has traditionally sold software, and purpose-built hardware to run it, as either a product to be installed on a customer’s premises, or through partners who would run it as a managed service. Now, Horizon is Check Point’s move into running the service itself.
“We see everything in the environment,” says Shwed in reference to Horizon, which he prefers to refer to by the alternate acronym “MPR,” the “P” in this case standing for prevention.
“If something goes wrong, we stop it,” or in some cases, “we call the customer and explain what they have to do on their end to stop it.”
Horizon, and MPR overall, is “an emerging category,” notes Shwed, “not tiny, but it’s not big compared to the average cyber security category.”
To run security for Check Point’s customers, says Shwed, is in alignment with the fact that companies are starved for the expertise that knows how to use prevention-first security tools.
“The typical enterprise, a company consisting of anywhere from five hundred employees to even ten or twenty thousand employees, simply cannot afford to have what we call a security response team that will monitor the network twenty-four seven,” says Shwed.
Conversely, with Horizon, Check Point runs “one center that sees the data of hundreds of companies.” By filtering the attacks from all those companies simultaneously, the Check Point sense of the threats gets sharper. It’s a form of leverage that makes the task of defense more efficient, says Shwed.
“We learn from every customer,” he says. “If we see a new hack indicator in one part of the world, within minutes or seconds, we can block that all over the world with every customer.”
The new business model
Running a service is not only a major change for Check Point in product terms, it is also a change in how Check Point runs as a company. Irrespective of the recent slowdown in revenue, Check Point has, over the course of three decades, been a consistent generator of profit because of a certain institutionalized predictability.
“We’ve built a very good global model of operation, and that creates things that are very good,” Shwed tells me.
“It creates a unified set of products, it creates a unified go-to-market, it creates really, really good economies of scale in the company, and it creates a good operating model that shows in our operating margins and so on.”
“The flip side of that is that sometimes it’s hard to run fast,” says Shwed. The traditional business of the firewall is “a very big piece of technology developed by almost two thousand people,” he notes. Such a mammoth effort changes only very carefully, with the enormous coordination of engineering resources in a methodical fashion.
And what we’re trying to balance is keeping that component and making it gpost and providing all that value, and letting smaller parts of the organization run fast and kind of independently.”
This MPR rocket is like a small startup,” explains Shwed. Operating Horizon like a startup has the desirable prospect that the nascent business “can run fast, try a new business model, try new technologies and so on,” he says.
Because it is still early with Horizon, from a business standpoint, Shwed speaks in broad terms about the financial implications. “We are exploring,” he says of Horizon and other such rockets. “We’re gposting as a technology company, we’re exploring different options of gpostth.”
While he expects Horizon and other rockets to take market share, Shwed has also told the Street that gpostth will come not just from superior product but from selling differently. On the October conference call, asked what is going to kick-start revenue gpostth, Shwed replied, “I think a lot of it is also about our sales execution.”
He noted that Check Point has “created a new go-to-market or what we call commercial organization,” as well as “put a big investment into getting more frontline sales, more people that would address the customers and go there.”
Closing sentiments
“Even today, most people, even people within security, don’t understand everything,” says Shwed. “It’s very, very technical.”
And, he says, “There’s always a struggle between what works in theory and what’s practical.”
“I think that’s the secret in Check Point,” he says, “that we know how to take the most sophisticated technology and turn it into something far more practical and far simpler.”
“That’s what we started with thirty years ago, to take this whole concept of security, pack it, make it strong, make it real. And the customer should see it and say, ‘okay, it’s simple, I get it.’”
This article content is an edited excerpt from an interview that was originally published in The Technology Letter. Read the full piece here.