With security still regularly making the headlines for the wrong reasons, Jason Stamper talks to the founder and CEO of Check Point, inventor of the firewall, about its latest direction and why the computer security industry needs to change
Gil Shwed, founder and CEO of Check Point
Israeli firm Check Point has been a stalwart of the security market since it launched the first commercially available firewall, FireWall-1, in 1994. Last year it sailed past the billion-dollar revenue mark, making it one of the largest independent enterprise security companies on the block.
It’s come a long way since founder and CEO Gil Shwed started the company with two friends in a granny flat in Tel Aviv.
But how did the story begin? "I had the idea for security technology for networks," Shwed tells CBR. "I initially thought it’s not a very exciting field because convincing large companies or governments that they need more security is not a very attractive market – that was back in 1991. So I put the idea aside, but two years later I noticed the Internet starting to break through from being purely an academic network into a commercial network, with hundreds of companies starting to connect, and their first questions was, ‘how do we secure it?’
"Then I realised I had the right idea and the right technology for securing networks, and I quit everything else I was doing. I was joined by two partners and we started Check Point, with a very pure focus on making the Internet a secure place."
It’s grown every year since and been one of the stock market’s most consistent and profitable performers. Of course, it’s moved beyond offering firewalls, so how does Shwed describe its focus today?
"We still have that gateway, but it’s now based on software blades, and each software blade represents a different security functionality that can be applied. Each customer and location can decide what security features they need, whether it’s blocking attacks, controlling the flow of traffic or screening for data leakage. There are about 30 different software blades like that.
"We also have the same concept for the endpoint," Shwed continues. "If you look at the two most important elements in the network, the gateways – at the perimeter that protect the entire organisation – and the endpoint we run on each desktop and each laptop, we have the same concept for the endpoint."
Shwed says the software blade architecture enables customers to choose whether they activate the firewall, the antivirus, the disk encryption – essential for mobile users – remote access VPN to access the corporate network and so on.
So how does Shwed compare this approach to the unified threat management (UTM) technology from companies such as Symantec, WatchGuard, Fortinet and so on?
"It’s an extension of that approach," he argues. "With UTM people say, basically, ‘one size fits all’. What we are hearing from our customers is that yes, they would like to consolidate, but that they don’t necessarily feel that ‘one size fits all’ is the right approach. Each customer, site and location has slightly different needs. So you can get more functionality with UTM, but without the software blade architecture you can’t pick and choose what you need to get the desired results."
Despite making a number of acquisitions over the years, it’s inarguable that Shwed has kept Check Point far more niche than some competitors. Symantec, for example, has become much broader, acquiring Veritas for instance to include information management and backup as part of its security portfolio alongside the kind of endpoint and perimeter protection offered by Check Point.
So why stay quite so niche? "First, I think that strategy definitely proves itself," Shwed says. "We’ve seen that staying focused on security is the right way to go. I think the world deserves to have at least one large company that is entirely focused on security [rather than moving also into, for example, data protection].
"There’s both a technical and a philosophical reason here," he continues. "You need to improve the security of every part of the IT infrastructure: of the networking gear, of the servers, the endpoints. And sometimes you need to compensate for lack of security in some systems through other systems. For example, the firewall gateway can compensate for vulnerabilities in your servers or routers. If you are developing the server operating system, of course you want to have the best security, but your focus is more functionality, more performance. Security is not your number one issue."
Shwed has made a number of acquisitions, but they have been dwarfed by acquisitions from the likes of Symantec and more recently Intel, which bought McAfee. Shwed picked up Pointsec for disk encryption, Zone Labs for endpoint protection, and in 2008 bought Nokia’s appliances business, which was really Nokia hardware running Check Point’s software anyway.
Never has an acquisition made more sense – indeed, Richard Stiennon, founder of analyst firm ITHarvest, authored an open letter to Shwed two years earlier arguing that Check Point should buy some security hardware or risk becoming less relevant to enterprise customers, many of whom were voting with their feet and choosing appliances over software-only deployments.
An industry in need of change
In the computer security industry, most of the ‘bad guys’ have changed their focus from mass attacks to targeted ones that have a specific purpose of monetary gain, data theft or even political embarrassment, a shift from public to specific global targets.
Indeed, the number of virus infections has fallen for a record three consecutive years. However, attacks are becoming more technologically sophisticated.
Web threats stemming from the Internet, that can be deployed unknowingly by the user just by opening a Web page, are still at the forefront of the threat landscape. Also, as typified by the WikiLeaks story that made such sensational headlines, a spate of incidents both domestically and overseas has forced people to rethink insider security and other issues. Does Shwed agree that the security industry, too, needs to change?
"The industry needs to change a little bit," he says. "Our software blade architecture is the right direction but it’s not enough. I think the real change is actually understanding that security is not a bunch of technologies that people need to deploy but understanding that it needs to be treated like a business process. It starts with the well-defined policy of what a company wants to achieve and what is allowed or not allowed, continues with educating – or not educating but involving the users – and the enforcement side is only the last part of it.
"Most of our customers have a lot of check lists but not one clear policy. Everybody is trying to keep the users aside from that, but if users are not aware of their expected behaviour they become the weakest link in security. Then it goes to enforcement, which needs to apply these principles. We’ve just launched 3D Security that has three elements – policy, people and enforcement – and I think that would be a major change in people’s mindset when they think about security."
What about cloud computing? Many believe the cloud will need new security approaches, while others are already launching products they say will help companies secure their infrastructure, whether they are moving to private, public or hybrid clouds.
Shwed says the firm already has some products for this new era: "We have the best software for virtualisation for cloud environments. We can virtualise the firewall – we have a product that enables you to take 100 gateways and consolidate on a single platform, for providers that want to provide cloud-based security.
"We can also allow cloud providers to provide our technology from the cloud. We are working on many technologies to use the cloud as a good way to collect information on security attacks. One of the things about security is that a knock on the door might not mean anything, but if it happens in a thousand different places then it’s a very good sign of an attack. Cloud is very good at collecting that information, correlating between events and seeing that certain people are attacking the infrastructure."
In his open letter in 2006, ITHarvest’s Stiennon also argued that Shwed should move the firm’s HQ from Tel Aviv to the States. The US government had already blocked Check Point’s proposed acquisition of Sourcefire at that time because the US firm was used by the government, which had concerns about control passing outside of the country. Commenting on Stiennon’s letter, Dino Diana, director of UBS’s security and infrastructure software research, said: "Let’s see if [Shwed] heeds that advice. Not likely."
He could sell up, but as Shwed owns a large chunk of Check Point, suitors would likely need his support. Asked whether he has had to turn down approaches, he says: "Not recently. Our philosophy and policy has been very simple: we want to stay a standalone company and lead technology, and lead customers with the best security solutions."