Feeds

Check Point boss looks beyond 'weapons' for security defence

Right said Shwed

Providing a secure and efficient Helpdesk

Interview De-perimiterisation and the move to cloud computing will not alter the central place the firewall occupies in corporate security architectures, according to Check Point chief exec Gil Shwed.

Check Point is advocating a three-phase strategy of security policy enforcement centred around the firewall, user education and enforcement as a means of reducing costs while improving security for corporates. The technology part of this combination comes from Check Point in the form of the latest version of its firewall platform – the R75 – and software blades to carry out functions such as URL-blocking or intrusion prevention.

Check Point is pushing the architecture as a means for customers to reduce the number of point products they support. "Having 10 different types of weapons is useless unless you have a strategy for what you want to do," Shwed, who founded Check Point shortly after leaving an elite technology unit of the Israeli army, told El Reg at a conference last week.

Cornerstone

Simplification to save costs is a sound enough idea but we questioned whether the firewall – rather than systems management or logging technology – was the right hub for information security.

"Our technology is broader than just a firewall but it's a great platform," Shwed told El Reg. "Management software collects and presents information, but it's not the best place to manage security policy.

"Years ago I thought systems management firms would become either competitors or partners but this never happened. Managing a system and event analysis, which is what the likes of Tivoli and HP do, is different from developing and enforcing a security policy," he said.

Although Shwed said that Check Point is seeing "nice growth from its core market" of firewalls, it is also trying to get into adjacent security markets, sometimes by acquisition. The company wants to stay focused as a pure-play information security supplier.

Questions in Congress

Check Point could hardly be described as acquisitive, especially in comparison to the likes of Symantec and McAfee, and we wondered whether its abandoned bid to buy Sourcefire back in 2005 had anything to do with this. The Israeli firm's plans to buy the intrusion-prevention pioneer for $225m were withdrawn after it became clear that US authorities would attempt to block the acquisition.

The Committee on Foreign Investments in the US had concerns about a foreign firm getting hold of technology used to protect US government systems.

Shwed said a deal might have been agreed, but only if Check Point had agreed to US government terms that didn't suit its interests and agreed to turn over source code for its technology, a move he was loathe to make. "We've done four different acquisitions in the US since then," he said. "The reason there was concern about Sourcefire was down to a bad coincidence. The Port of Dubai was buying US ports at around the same time. Both deals got blocked, but the US Congress eventually approved the Dubai deal."

Rather than deal with the uncertain and undoubtedly delayed outcome of the deliberations of US politicians, Check Point walked away from the deal. It eventually got into the intrusion-prevention market with the purchase of NFR, another US developer, a year later.

Cyber-intrigue and the Stuxnet worm

The concerns expressed by politicians over security deals have been heightened by the perceived increase in threats stemming from government agencies as well as criminal hackers, particularly over the last two years or so.

The Operation Aurora attacks against Google and other high-tech firms last year, to say nothing of targeted attacks against finance agencies in France and EU ministries more recently, go a long way toward explaining why BT's decision to source its kit from Chinese supplier Huawei raises concerns about possible backdoor snooping.

We wondered whether the publicity about the recent Stuxnet worm, a sophisticated and targeted worm blamed for sabotaging Iranian nuclear power plant control systems, might make it more difficult for Check Point to do business. Nobody knows for sure, but Stuxnet is widely rumoured to be a joint US-Israeli operation.

It's possible to think Check Point, whose founders started their careers in the Israeli army, might encounter the same sort of concerns from politicians as have been raised by Huawei, which was founded by a former Chinese PLA officer. Shwed said such concerns are misplaced, and stem from a misunderstanding of Check Point's history.

"We established Check Point as a civilian firm with no ties to the military and not based on government contracts," Shwed said.

"The Israeli government doesn't share with us what it's doing and we don't ask. We'd like to think if it had elite people trying to compromise firewalls that the last one it would compromise would be ours but that's more because it wouldn't be an easy target rather than any sense of patriotism."

Shwed concluded by saying that the threat landscape was changing with the increased prevalence of targeted attacks – a development he described as "unsurprising". Government-sourced attacks might be either more sophisticated or less sophisticated than those attempted by criminal hackers, Shwed said, adding that the tendency would be towards more sophisticated assaults that require a different approach than simply applying a new security gizmo.

"You don't need an anti-Stuxnet or anti-Aurora product, you need a security strategy," he concluded. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.