Check Point CEO Gil Shwed On ‘Prevention-First’ XDR And Security Vendor ‘Overload’

In an interview with CRN, Shwed makes the case for the company’s prevention-focused approach to cyberdefense, and says more security vendors may shut down amid the challenging economy.

Shwed On The Record

In the cybersecurity industry, many see it as a positive development that cyberdefense is not just about prevention anymore. Since it’s now recognized that “breaches happen,” deploying tools on the preventative side is not enough, the thinking goes. But if Gil Shwed is right, we maybe shouldn’t be so quick to demote the role of prevention. Shwed, the co-founder and CEO of Check Point Software Technologies, has played a central role in shaping the cyberdefense industry for three decades. And in his view, the fact that cyberattacks continue to grow in number and sophistication suggests a “prevention-first” mindset is still required. “Our message to the world is that these attacks can be prevented,” he said in a recent interview with CRN.


For Check Point, that means taking a different approach from competitors on extended detection and response (XDR), Shwed said. XDR gathers data from numerous sources to correlate and prioritize threats, but most XDR platforms are focused on detecting attacks that’ve already occurred, he said. Check Point, instead, is touting its platform as “XPR,” for extended prevention and response. “Many XDR solutions go and collect logs, but the collection takes time and the analysis is done minutes or even hours later,” Shwed said. “What we’re doing is in real-time. I’m seeing a file, I’m analyzing the file, and immediately I take action. It’s not an hour later.”
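The difference Shwed describes, between collecting logs for later analysis and acting on an indicator the moment one sensor produces it, can be shown with a small correlation loop. The example below is added here and is not Check Point code; the sensor types, host names, `.invalid` domains and flow records are all constructed for illustration. An endpoint verdict contributes command-and-control domains, gateway flow records are correlated against them to find every host that has talked to those domains, and the resulting actions are applied to the gateway inline, so the next beacon is dropped rather than logged for an analyst to find an hour later.

```python
"""Toy prevention-first correlation: one sensor's indicator becomes an
immediate block at every enforcement point. Added example, not vendor code.
All telemetry below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class EndpointVerdict:
    """What an endpoint sensor reports after analysing a file."""
    host: str
    sha256: str                  # placeholder, not a real hash
    c2_domains: Tuple[str, ...]  # C2 extracted by the (hypothetical) analysis


@dataclass(frozen=True)
class FlowRecord:
    """A gateway's view of one outbound connection."""
    src_host: str
    dst_domain: str
    ts: int                      # constructed timestamp


# Constructed sample telemetry: one verdict, a handful of gateway flows.
VERDICT = EndpointVerdict(
    host="ws-017",
    sha256="<placeholder-sha256>",
    c2_domains=("c2.example.invalid", "beacon.example.invalid"),
)
FLOWS = [
    FlowRecord("ws-017", "c2.example.invalid", 100),
    FlowRecord("ws-042", "c2.example.invalid", 101),
    FlowRecord("ws-042", "updates.example.net", 102),
    FlowRecord("ws-103", "beacon.example.invalid", 103),
    FlowRecord("ws-200", "intranet.example.net", 104),
]


def build_indicator_set(verdict: EndpointVerdict) -> Set[str]:
    """The sensor that analysed the file shares its C2 indicators."""
    return set(verdict.c2_domains)


def correlate(indicators: Set[str], flows: Iterable[FlowRecord]) -> Dict[str, Set[str]]:
    """Map every host that contacted an indicator to the indicators it hit.
    This is the 'we see 20 computers talking to that C2' step."""
    hits: Dict[str, Set[str]] = {}
    for flow in flows:
        if flow.dst_domain in indicators:
            hits.setdefault(flow.src_host, set()).add(flow.dst_domain)
    return hits


def plan_prevention(indicators: Set[str], hits: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Actions per enforcement point. Gateway blocks come first because they
    stop every current and future beacon at once; endpoint isolation follows."""
    actions = [("gateway", f"block-domain:{d}") for d in sorted(indicators)]
    actions += [("endpoint", f"isolate:{h}") for h in sorted(hits)]
    return actions


class Gateway:
    """Minimal inline enforcement point: learns indicators, drops matching flows."""

    def __init__(self) -> None:
        self.blocked: Set[str] = set()
        self.dropped: List[FlowRecord] = []

    def learn(self, indicators: Set[str]) -> None:
        self.blocked |= indicators

    def forward(self, flow: FlowRecord) -> bool:
        """Return True if the flow is passed, False if dropped inline."""
        if flow.dst_domain in self.blocked:
            self.dropped.append(flow)
            return False
        return True


def respond_in_real_time(verdict: EndpointVerdict, flows: Iterable[FlowRecord], gw: Gateway):
    """Verdict -> indicators -> correlated hosts -> actions applied immediately."""
    indicators = build_indicator_set(verdict)
    hits = correlate(indicators, flows)
    actions = plan_prevention(indicators, hits)
    gw.learn(indicators)      # enforcement happens now, not after an analyst review
    return hits, actions


if __name__ == "__main__":
    gateway = Gateway()
    found, todo = respond_in_real_time(VERDICT, FLOWS, gateway)
    print("hosts talking to C2:", sorted(found))
    print("actions:", todo)
    # A later beacon from an infected host is now dropped at the gateway.
    print("next beacon passed?", gateway.forward(FlowRecord("ws-042", "c2.example.invalid", 200)))
```

The `correlate` step is what a log-collecting XDR also does; the point of the example is that `Gateway.learn` runs in the same pass, so the block is in place before the next connection attempt instead of after a batch analysis.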

Beyond Check Point’s XDR/XPR platform, Shwed also discussed the advantages of the company’s SASE (secure access service edge) offering and why Check Point opted to develop its own SD-WAN platform, which was announced in February. And the Check Point CEO offered thoughts on how the difficult economic environment could impact the cybersecurity industry and its vast quantity of vendors: “I think we will see some rationalization of the market, and unfortunately [some] companies that don’t survive or have a hard time surviving.”

What follows is an edited portion of CRN’s interview with Shwed.

What are the big themes for Check Point’s product portfolio in 2023?

We call it the three Cs — comprehensive, consolidated and collaborative. So comprehensive means that we need a comprehensive architecture to address all the attack vectors. For us, it’s from code to cloud, from network to user. Consolidated means that you can’t achieve it by buying 1,000 different products. Even if you don’t buy 1,000, but you buy 20 or 30 different products — instead of being busy implementing security, you’re busy managing multiple consoles, you’re busy renewing contracts, you’re not getting to the essence of security. So consolidation means that I think that we will see fewer vendors, bigger solutions. We aim to provide one unified security [platform], one pane of glass, that you can use to control the entire security environment.

Maybe the newest thing in what we’re doing is what I call the collaborative element of the system. If we sit in a conference room and there’s a fire in the far-end corner, we’re not sitting and saying, “That’s the problem of Gil on the far end.” We’re all [responding to it]. If you contrast that with cybersecurity, in many cases, it’s the opposite. There’s malware in one computer but no other security software even knows about it. And if we identify it, there’s a lot we can do. For example, if we find the command and control that it communicates with, we may find there’s more infected computers and we of course can stop the attack. If we identify it, we can stop it from spreading around. And I think one of the key elements that we’re building now is security solutions that are truly collaborative, where all the different technologies work together to stop the attack and prevent any damage.

Within your portfolio, are you talking about your Horizon line of products — XDR and MDR — when you talk about this collaborative element?

You’re absolutely right — Horizon is an important piece of it. It’s not all of it. We have ThreatCloud that collects real-time information from the entire environment, from the entire world, and translates it to prevention in real-time, in a matter of seconds. So we built on the foundation of ThreatCloud. Then you’re absolutely right that the Horizon family collects that information and creates a bigger picture. But there are many other technologies that are being involved in it. And what’s more important is that all the technologies, and all the products that we have, have to connect to that central brain. That’s what we were building for quite a few years and that’s what we are putting a lot of emphasis on this year, to make happen and to be real.

What are the biggest ways that Check Point is differentiated on XDR?

I think the most important element is that we turn it from XDR into what we call XPR — [extended] prevention [and response]. A lot of these XDR engines will tell you, “OK, you can now investigate what happened yesterday and know what caused that attack.” There’s some value in that. But the main value is that you can actually prevent things from happening. So our XPR is collecting the data from more sources — because of our architecture, we do have access to more events from more attack vectors, but mainly to turn it immediately into action and into stopping the attack. One example — when you have an endpoint and you see the indicators of that malware, it can actually not just tell you later that we’ve seen that indicator in 20 different places, and that’s why the attack shut down your network. It’s actually the opposite. We’re seeing 20 computers in your network that communicate with that command-and-control based on the malware we just analyzed — we’re stopping that. We’re blocking that immediately. We’re not just telling you, “Clean these 20 computers.” We’re stopping it altogether, so that these computers won’t be able to communicate with the command-and-control. So I think that’s the most important differentiator that we have in that regard. It’s prevention-first.

I sometimes hear the criticism that some XDR platforms are missing the “R” — they have the detection but don’t really have the response. Is that what you’re getting at here — that you’ve got the automated response, and not just the detection?

It’s not just to respond — it’s [also] prevent. And again, we can do it because we’ve got sensors all over. We’ve got sensors on the endpoint, we’ve got sensors on the gateway, on the network. We’ve got sensors on the cloud. And these are not just sensors that collect information. And by the way, it’s also the real-time aspect of it. Many XDR solutions go and collect logs, but the collection takes time and the analysis is done minutes or even hours later. What we’re doing is in real-time. I’m seeing a file, I’m analyzing the file, and immediately I take action. It’s not an hour later.

Would you say that XPR/XDR is one of your top focus areas this year?

Absolutely. But again, it’s not just the XDR, it’s how it’s embedded into all the different products. It’s how we turn the gateway to be proactive and prevent these attacks. It’s how we turn the endpoint, it’s how we turn the cloud, the email security — all of these to cooperate and collaborate and work together. It’s like if you look at the human body, there are things that require a lot of processing, and you need to analyze those things. And then there are instincts. We need both to work. With instinct, you see something, you stop it — and you stop it not only in one place, you stop it all over. So that’s the point.

It would seem that the collaboration and consolidation themes go hand-in-hand — if a customer consolidates on one platform, then they also get the security benefits from the tools working collaboratively together. Is that the right way to think about it?

Absolutely. That’s our big benefit and our big advantage. When you look at other vendors, there are some interesting vendors in the industry that used to be called SIEM, security incident event management, which we now call XDR. In most cases, these vendors are on the collection side and the analysis [side], but they don’t have much access to the prevention side. We’ve got both sides of the equation, and they work together.

Why is all of this a big opportunity for channel partners?

First, I think, [is that] channel partners have access to more places in the infrastructure than just a single vendor, because some of these things require a more-sophisticated implementation. Now the level of implementation — if you need to implement a Check Point solution — will be much simpler and much easier than taking 20 vendors. That’s the consolidation element. But you still need the partner that understands the customer environment, that knows how to service that — that knows how to create that relationship at every level, and [for] many market segments.

Are more partners working with you on the MDR side than on the XDR side?

They’re working with both. The MDR solution is based on the same technologies, the same architectures — even though in our case, the managed service is actually a little bit ahead in the marketplace. I think it allows us to get a lot of experience. There is a big difference between developing a product and getting it to work. The approach that we provide as a managed service is a good one, because when we come to the market, we come far more prepared. We come with experience, we come with a system that works for real time. Both of them work with partners. We empower our partners to provide that, to manage that, to run it. And of course to sell it — 100 percent of our sales are partner-based.

What are some of the things you’re looking to do next with your XDR and MDR offerings?

There’s a lot of things coming down the road. This is just the first step. We are already supporting several third-party infrastructures including Microsoft [Active Directory], which is a big source for events and data. I think opening up and connecting to other vendors is an important element in this, because today the environment is very distributed. It’s very diversified — it’s not all Check Point. So we definitely need to do more in terms of working with other vendors. There’s a lot of room for growth on that side of the equation.

You just introduced SD-WAN to your SASE platform. What’s your vision on SASE?

What we are trying to bring is the [full] Check Point value. I think that’s one of our big advantages but also one of the challenges — that many of these [competing] SASE solutions are far more simplistic. They don’t have the level of security, the level of control. Our customers demand from us the level of security that they are used to, but also to have the level of management. So we are closing that gap of being able to secure users and remote branches from the cloud. We are conveying all our principles of the three Cs. We are connecting it now to the full architecture. So it’s the same solution that you can use when you’re deploying it on site, the same solution when you’re doing it on the branch offices, same when it’s cloud-driven. They are connected together.

There is no one company that’s 100-percent cloud, and many of the companies that are based on data centers and centralized sites, want to experiment with the cloud-based technologies. And last but not least, as you mentioned, the incorporation of SD-WAN — we worked on that for a long time. We looked at different companies, different technologies [for potential acquisition]. But we figured out that we need to have it really embedded into the core of the gateway, because we are very dominant on the gateway of the customers.

You’ve done a number of acquisitions in the past — could you say a little bit more about how you decided that SD-WAN wasn’t something you wanted to acquire your way into?

We looked at different acquisitions, and we almost made some. In the end, we decided that it’s best to do it on our own, because it’s very [tied] into the gateways. And we are already selling the gateway. [In terms of] standalone SD-WAN providers, I would say there are some good companies in the marketplace. But we really needed to make sure that the security and the communication — the SD-WAN is the communication part — actually work together very, very closely. We use the same engine to classify the traffic. We use all the same management to build that together. This is a really, really tight integration within the same gateway. So that’s why we ended up developing it on our own.

This [approach] is something we’ve been doing for 15 years. If you look at the gateway, the firewall — the firewall started with something that does network access control. And over the years, that firewall got more and more capabilities and into that. In many cases, it was [absorbing] different industries. There was an industry for intrusion detection, and there was an industry for VPN, and for sandboxing technologies. All of these capabilities are not standalone industries anymore. It’s embedded into the gateway. It makes sense, because the customer cannot afford to manage five different boxes or even five different software packages in every site that they have. So the fact that it is combined, the fact that it’s working together, there’s no conflict about the processing — and mainly the fact that you can manage it together — is a huge advantage for that.

How do you feel about your SASE offering now — about how differentiated and competitive it is with others that are out there?

It’s more comprehensive in terms of security capabilities. It’s more scalable and interoperable with many more systems. Many SASE systems today are good, but they are independent of the rest of your security infrastructure. For most of our customers, they need something that would work together — not two separate control systems, two separate communication systems. So I feel very good about what we have. It’s still in the early stages. It’s not small [in terms of customer adoption] — if you look at companies in these markets, most of them are not huge. They don’t have hundreds or thousands of customers. We do. But we’re still in the very early stages of [SASE].

What impacts from the difficult economic environment are you expecting to see in the cybersecurity market?

Right now we are facing some challenges because of the economy, because of the overload of companies. I think we will see some rationalization of the market, and unfortunately, we’re already starting to see some of that — companies that don’t survive or have a hard time surviving because they didn’t build a business model that would make them a viable vendor. So I think the level of innovation is still high, there’s still a lot of technology coming into the market. But now we’re starting to see some signs of maturity when companies have to turn a profit. They have to rationalize their business models. And unfortunately, we’ll also see some companies that don’t survive it.

While obviously unfortunate for the people involved with those companies, is that ultimately a healthy thing for the industry — given the overwhelming number of security vendors right now?

I’m an entrepreneur, so I never like to see an entrepreneur lose their dreams. I hate to see people lose their jobs. It’s not that I look at it in the positive way. It’s not positive, it’s very negative. But I think we got to a point where the market cannot absorb all the innovation. There are good ideas, good people, good technologies. But if you’re a customer, you cannot review 300 technologies every year.

I think in this case, the market needs to mature a little bit. There’s always waves. There’s a wave of too much innovation, then there’s a wave of rationalization.

At least from Check Point, we have plenty of innovation. But it’s not just coming with the innovation — it’s also making it simple and accessible to the customer.