Checkpoint Podcast Transcript

Allyson

Welcome to Tech Arena. My name is Allyson Klein, and today I'm delighted to be joined by TJ Gonan, vice president of cloud security at Checkpoint Software. Welcome to the program, TJ.

TJ

Morning, Allyson. Good to be here.

Allyson

TJ, why don't you just start with an introduction of Checkpoint and the solutions that you're delivering for enterprise and cloud customers.

TJ

Yeah, so, actually, Checkpoint is probably best known for being the firewall company Gil Shwed invented, who I think I may be throwing it out there, but I do think he's the longest acting CEO at NASDAQ.

Allyson

Oh, interesting.

TJ

Yeah. So Checkpoint was founded 30 years ago. Gil Shwed founded it in Israel, invented the firewall. I mean, just think about it. Literally invented the firewall. The first firewall out there, and the company has been, 30 years, one of the biggest companies in the cybersecurity space, like I said on Nasdaq, I think, for 20 years, probably even more. You know what? I'm old enough to forget. Let's say that.

And so for 30 years, Checkpoint has been in the cybersecurity space, evolving with the cybersecurity space, started with the firewall business. But since then expanded to a lot of other areas just as the cybersecurity space expanded, endpoint security, remote access, and obviously, in the last few years, cloud security, as it became more and more important for organizations as they moved to the cloud.

And in the cloud security space, we started with extending our network security solutions into the cloud, which is sort of a natural expansion. Okay, I'm protecting your network on premise. Let's move that protection to the cloud. But since then, cloud security has evolved dramatically. And to some extent, I like to say that cloud security today is as big as cybersecurity. It's like cybersecurity just in the cloud. It's everything. So since then, if you look at our portfolio of solutions, it's quite comprehensive. Anything from vulnerability and posture management to workload protection, detection, response, application security in the cloud. It's a very broad portfolio.

Allyson

It's interesting. You mentioned firewalls, and I was thinking at one point it was a firewall and VPN, and you were good to go with security. Now, with DDoS and ransomware and deepfake technology, you've got so many different types of threats that are coming at IT organizations, and then the complexity of the fact that they're managing workloads in multi-cloud environments. What do you think is the state of cybersecurity today? And what is it that you talk to when you're talking to your customers about what's the best approach to take to ensure that they've got the right security protection that they need?

TJ

Actually, I think, Allyson, what you said is really interesting because I think cloud is even an extreme scenario of what you just talked about. Because it's funny. I always say, like, when I started in cybersecurity 30 years ago, it wasn't even called cybersecurity. It was called anti-virus and Firewall zero point, right? Like, there were two things, that's it, that was cybersecurity. And obviously, as the Internet became more popular and the connected world became more popular, so did the attack surface grow, right? And that made cybersecurity more important. Suddenly you started to need all these other things. Cloud is an extreme scenario of that because think about, I think for anyone listening, just think what's happening in the cloud. It took a long time to build the IT industry. Just think about, like, I'm 50 plus. I've seen this over 30 years. And it was, I mean, it feels fast, but it was really slow. Things took time. The Internet was '93, and it took a long time for us to get to where we are right now. And you built a data center. It was a matter of months. In the cloud, it's one script, boom, data center. And then boom, another data center. And by the way, on three different clouds, and you want to launch 50 machines a second, you want to launch 5000 machines the same second, right? And then the cloud providers are innovating and they're introducing new types of databases, new types of workloads and new ways to connect. And everything is code.

So you have a gazillion, developers touching everything. The complexity that if people thought that cybersecurity is complex prior to the cloud, then the cloud makes it even more complex because the speed and scale, there was nothing before cloud that enabled organizations and developers and applications and people who deploy applications to move so fast.

So to your question, your original question was what's the best practice? So I think the best practice is first to prioritize. Because I would just say, even though we're a security company, so theoretically yes, of course, protect everything. There is just no way you're going to be able to cover everything. Definitely not in a fast moving pace of cloud. You're not going to be able to cover everything. So I think the first thing is start with the basics, right? Most problems, if you think about it, it's almost like physical security. They start with posture, get the posture right, minimize the attack surface. The first thing that people should do is minimize the chances of bad things happening. So if you can prevent, for example, misconfiguration, I don't know if you've seen this, but there's tons of research, it was true by the way, on premise. It's very true in the cloud that I think it's 92% of attacks could have been prevented with the right configuration and controls in place. So if I don't leave anything open, then of course it's going to be harder to get to it just as an example. So first get your posture right. I think that's the first thing that people should be doing. So then, now that's a very big topic. How do you get posture rights? So first it's configuration, have the right protection place, have the right access control, vulnerability management, right? Don't leave anything vulnerable. There's a lot of work around that. But I would say that's the first thing that you should be doing because that before if you don't get posture right, you're in such a deficit already that trying to chase now the attackers is going to be very hard.

So that I would say is the first thing. The second thing, which is, again, it's easy, it's simple, maybe from a topic perspective, but it's not that easy to implement and not necessarily the technologies are. There is, I would say, think prevention rather than just detection. Because what I always give this example of my email, my inbox, right? My inbox is full of emails that I've never read, never going to read because at some point you just get too tired of alerts, right? You get email fatigue. And if you just detect and just think about your environment, growing cloud again is a very extreme example of that. And you're going to start detecting problems and you're just going to be spammed with alerts. So the ability to actually react to them and to do something about them is becoming really compromised. So I think thinking prevention, so don't detect if you can't prevent, don't detect. I mean, it's useless to detect if you can't do anything about it or you have no facilities to do something about. So I think the second mindset should be implement tools, technologies and processes that are really focused on taking action, whether it's actually preventing or remediating. Now, it's easy to say, it's not that easy to implement. You need the right tools, the right processes and the right mindset. And then I would say within all of that, the right way to go at this is to prioritize. Not all risks are created equal. So if your machine is way again, I don't know what you have on your machine, but it's probably less risky than a server somewhere in the data center that hosts all the PII information of a company, right? Or a server with a vulnerability that is exposed to the internet, that has access to a database. It's way more important than a server with a vulnerability that's connected to whatever, a static website. So prioritization is really important. And this is really the key challenge, I think, for cybersecurity, generally speaking. 
How do you operationalize cybersecurity? It's not about tools, it's not about people being smart. It's really, okay, I've got a lot of technology, I've got a lot of stuff, how do I operationalize it? And it really comes down to: how do you effectively manage risk? That's, I would say, the biggest challenge.

Allyson

Now I know that you have a very deep partnership with Microsoft Azure. You work with other cloud service providers. One of the things that I think about is, because the cloud is so easy to spin up we see line of business spinning up cloud on their own, and IT organizations sometimes not even aware of what their organization is using from a standpoint of cloud. How do you protect against all of your attack threats if you don't even know what your organization using for cloud services?

TJ

It's funny because when I talk with the organization, what you just mentioned is the number one fear factor. Because if you think about it, you actually mentioned that with Azure or AWS, anyone, they were built for the developers and for the practitioners. They were not built for security people. Everything Azure does, definitely Amazon when AWS launched, until today, by the way, when you see their audience is what they call builders. Even when they do commercials, it's builders. It's for the builders, developers and everything is super optimized for them to move super, super fast, which is the antichrist of security. It's like you have these armies of developers with a gazillion tools that were optimized over the last ten years just to allow them to move super fast. If you're a security practitioner, you just lost. You're looking for the battery for your heart based, right? Because they're just surrounding like crazy.

So now the question is, you asked the question, how do you enable that? I would say that there's two ways to look at this, to be fair. One of them is what I call, you could almost call this like the trust zone and the no trust zone. And I'll tell you what I mean by that. The trust zone is, hey, listen, developer and application deployer, and the people who are actually operating the cloud, I'm going to help you make fewer mistakes. I'm going to give you tools that will help you deploy things more securely. I'm going to make it so easy, in theory, that's a big thing. We can talk about this for hours. I'm going to make it so easy for you to do the right thing that you would rather do the right thing than do the wrong thing. So that's number one, that's I trust you.

Then you need to have the no trust zone. And the no trust zone needs to have tools that assume that the developer, the practitioner, the builder, just did something without giving a lot of thought into it because it's not his day job. And you need to put tools that hopefully automate things like discovery, for example, hey, I deploy this, boom. I'm automatically discovering it. I know that it's there. And hopefully you can also automate protection. So you deployed something, I found it. I automatically put a policy around it, and I automatically protect it. So I would say two things that I just said here that are very important. If you take two things out of this one, on the protection side, on the no trust zone, you have to automate. There's no way everything on the other side is automated. That's the thing, right? Everything around development pipeline today, all you'll hear when you talk, when you interview people, is automation, automation, automation. And cloud is all about automation. Think about cloud. It just automated everything. It's automated infrastructure completely. It automates the platforms. It automated everything. So if security is not as automated, at some point you're going to miss something.

Actually, we have a saying that inside my product group, and I always say this, we have a sign. It says it ain't done until it's automated. If you didn't automate it, you're not done. That's your definition of done, because what you're trying to protect is automated on the trust zone, which is super important. Listen, they're going to move. The barbarians are not just at the gate. They cross the gate. They're in, they're running. You have to put them on your side. Now, the only way to put them on your side is to make it easier to do the right thing as long as security sinks in a mindset of I hate the term guardrail, even though it's a very used term in security, because I always think about like, road bumpers. Like if I'm a developer, I'm just like, you need to build a highway, right? You need to build a paved road rather than bumpers, rather than guardrails. Here's a paved road. As long as you go on this road, you can move so fast, and we'll make it so fast for you.

Now, the only way to do this is to talk developer language to build I actually throw another thing at you in the audience, is it's rather than building security tools for developers, because that's by definition almost strong, because developers don't care about security. Naturally, it's to build developer tools that are really good at security. And that's the mindset. And if you make it easier to do the right thing, I like to give this metaphor, which is true, by the way. It's a true story. I don't know if you remember, but we used to email and, we used to do a lot of movie downloads, and definitely I grew up in Israel, right? So that was huge. We know when it stopped, when it became easier to do the right thing. When Netflix started and all these streaming services, it's just easier to do the right thing. So you stop doing the wrong thing because it's easier to do the right thing if you make it easy for the developer to do the right thing. If you talk his language, if it's embedded inside his tools, if it's not something he deployed. Developers hate they deployed something and then two weeks after you say, oh, you remember what you deployed two weeks ago? It has a problem. We need to fix it. Dude, I don't remember what I did two weeks ago. Since then, I deployed, like, 20 times. So you have to do it in their tools, in their environment. So the trust zone has to speak their language. The no trust zone has to be automated. That's the way to tackle this.

And, yeah, you're going to be and it's going to be breathtaking because everything moves super fast. You're going to have a lot of stuff. Nice. The other alternative, by the way, is to put limitations, which I can tell you, we are in an age, Allyson, that it is so hard to say no for security people. They had the privilege for the first 30 years of cybersecurity. I want to say the first 25 years, you had the option to say no. You could say, hey, you're not launching until I'm checking it. You're not launching until I'm doing you just mentioned the example you just get they're just going, right? What do you mean, no? I'm gone. You go and you check this when I'm done. So you have to live with that reality and you have to adapt.

Allyson

When you look at the solutions that Checkpoint is delivering in this space, can you just give the audience a breakdown of what you're delivering for the cloud and how it addresses is the challenges that we're talking about?

TJ

Yeah. So actually it's a perfect fit in the sense of the mindset. And obviously there's always a journey towards this automation that I just mentioned and making things simpler. It's a journey, but from a mindset perspective. When you look at our platform, so the industry calls today the platform for cloud security. It went by, this industry moved so fast that it went through like 50 different buzzwords and acronyms. It's sort of settling now on something that the industry that Gartner coined, CNAPP Cloud Native Application Protection Platform, which is a cool term to say everything cloud security. That's the way to look at this CNAPP, right? CNAPP is literally like saying cybersecurity outside cloud. That's what it will be, cyber security for the cloud. So when you look at our CNAPP solution, which is super comprehensive, it does go through all these layers that I mentioned earlier in one single platform, which is very important.

One single platform is not just important because it's cool. And yes, one dashboard, one API. This is so complex. We talked about that alert, fatigue. You're going to have five different solutions generating these alerts. One, they're not going to be in context, so it's going to be very hard to correlate them. Second, you're going to be really tired because you're going to get five times the amount of mess. So our platform starts, I would actually start like this. Our platform starts from the left, it starts from the developer. We have a super comprehensive solution around developer first security. So it's actually, by the way, just in a quick word, Checkpoint's CloudGuard platform, which is our product, which is our platform name, CloudGuard, grew through a series of acquisitions over the last four years that Checkpoint did a bunch of acquisitions, different acquisitions that altogether make the CloudGuard platform, they're integrated into one platform. So it starts with the lift, it starts with our solution, actually a company we acquired about a year ago around developer first security.

So all this stuff that I talked about, how do you know, how do I start from the code, looking at the code, understanding where the problems are there, letting the developer know that there might be a potential problem super early, and also helping them with the remediation, telling them what they can fix. So not just throwing this out there and say, hey, by the way, there's a problem, fix it all the way from code scanning, container scanning, and a bunch of other good stuff that integrates into the development environment. And then when it moves into the cloud, let's call it. So first, it's multi-cloud. So it supports a different cloud environment.

Over 60% of organizations I talk with, and I think that's the official stack also are multi-cloud, right? So they have stuff in different cloud providers. So in that runtime environment, we have solutions for posture management. That's where a lot of companies started with cloud security. So that gives you that automated visibility into what's going on in your environment. What do you have? What's running how it's is configured. Are there mis-configurations? Which workloads are running? Do they have vulnerabilities? And then on top of that, we have solutions for workload protection. So basically, looking at the machines, the containers, the serverless functions, everything that's running and understanding, one, if them themselves have vulnerabilities, and the second if they are misbehaving, right, if they're under attack. And then we have solutions for application security in the cloud.

And again, all of the stuff that I'm talking about is to a large extent almost fully automated, I want to say, because that's super important. So for example, our solution for application and API security, one of our claim to fame and where we invested most of the effort is to make sure that it can automatically adapt to application changes. So you don't need to every time fine tune policies because applications change so fast in the cloud, you're not going to have time to change anything anyway. And then we have a solution for detection and response in the cloud. So that makes the entire platform. What's really interesting around all of that is actually a lot of our recent efforts around this platform has been around.

Okay, how do I take a million potential alerts and tell you which are the ten that matter, and how do I take these ten that matter and guide you through either automatic prevention, so, hey, I found a problem, boom, I stopped it, or help you fix the problem with guided remediation in the most efficient way. Because again, operationalizing, what we found out in the last year as we evolved through this, is that what we started with, the biggest problem is operationalizing cloud security. You can have 50,000 tools, but the question is, how do I operationalize it with all these alerts and all these problems and all these places that I need to be? So our CNAPP solution goes throughout from code to cloud and through the different layers: posture, vulnerability management, workload protection, application protection, cloud detection and response. And we have a lot of effort and technology around effective risk management within this big environment. Some of our customers, just to give an example, have 50,000 workloads in the cloud, right? Literally, that's 50,000 machines running, going up, going down, serverless functions, containers in hundreds and sometimes thousands of different cloud accounts across different cloud environments with tens of thousands of developers writing code and deploying it, smash it.

And these same companies a year ago had half the size and in a year from now, they're probably up double. It's a crazy environment. So the effectively managing risk is probably our biggest effort right now as far as we're continuously improving that.

Allyson

A lot of talk is focused in the media on data sovereignty. And when you describe that customer with all of those environments, knowing where your data is and do you have real control of your data is a big concern. What is the role of the industry in helping to address it? And do you expect more government action in this space?

TJ

It already starts. I can tell you, even as a vendor, there's countries or customers we can't sell to. If our solution doesn't sit in the, for example, AWS or Azure region in Switzerland, right. The banks in Switzerland will not buy a SaaS software that doesn't sit in Switzerland. Really interesting. Right. Data storage. So it starts from us. So definitely that's a topic that comes up a lot. And I think as the industry also evolves, the conversation starts to be around, okay, great that you're securing the infrastructure. Great that we are understanding where things are as far as the platforms and the servers and the workloads. Where's my data? It's a very good point that you're bringing up.

Now, the question starts out, where's my actual data, and by the way, how is my data flowing? Tell me, where is my data and how is it flowing? And by the way, that data that sits here, does it actually have access or can flow to somewhere there that it's not supposed to be? So there's actually a lot of evolution in that space. There's actually a term, go figure. There's an acronym for your question. It's called Data Security Posture Management now. DSPM. Right. The industry already came up with a name for this thing. It's actually very recent. Probably I want to say DSPM is maybe six months, seven months old, the terminology, because that's a big question. And I think there's already so your question around with governments and regulations interfere. They're already interfering. So there is regulation around that. Canada, India, Australia, Switzerland. There's data residency regulation across the board.

Your question, though, comes even stronger because okay, great. Now we just all of what we just described when we talked over the last few minutes, how developers can do whatever they want and everything can flow anywhere. How the hell do you control that in a situation where you need to update a residency, you need to know where the data is. Again, without technology or without a policy and a technology that can automatically apply this, it's a lost cause, so you might as well not even try. So that's where, again, another of effort is going there from a technology perspective.

Allyson

TJ, if you were looking in your crystal ball, it's 2023. You've already said the complexity of workloads and complexity of cloud customers is going to go up. What else do you see for 2023? And what is Checkpoint strategy for helping customers with what's coming?

TJ

Yeah, yeah. So I think in reality, our focus is, we are laser focused on helping our customers operationalize cloud security. This is our laser focus. So my crystal ball is already showing that people are just, oh my God, I cannot deal with the level of complexity here. And even when I deploy solutions, part of my problem is the solutions that I deploy, they are creating so much noise that I feel even more lost. I'm getting a gazillion alerts from everywhere. So our focus is, we are laser focused on helping our customers operationalize cloud security in order to help them understand where the risks really are and automating prevention and remediation. That's our laser focus. I think generation one, I'll tell you this, and maybe this would be helpful. Generation one of cloud security was very much focused on what you mentioned a couple of weeks ago. Hey, just tell me what I have. Just, you know what? I'm super blind. I have no access. I don't know what these guys are doing. These developers and these gals, they're just running like crazy. Just give me visibility. Right? That was generation one.

Generation two came and said, okay, after this visibility and all that stuff, can you help me prioritize, for example? Right. Just tell me. Okay, that's what's happening right now. This is now, we're in generation two. This is, okay, from the billion things that you can tell me about, which ones do you think I should focus on? Generation three is help me fix it. Great. I'll tell you, I had a customer I was talking with a couple of days ago, and he said it's really cute that the industry has moved from 10,000 alerts to 1000. The thousand that matter. Right? Even a thousand, dude. Yeah. What are you going to do with it? It's a lot. If I can't automate the fix, if I can't guide you through remediation, if I can't prevent most of them automatically, you're going to be lost anyway. I think the real next generation, or what people are going to be focused on, is, hey, great.

Listen, I need you to help me operationalize or automate a big chunk of the remediation, the prevention, that's where it's going to go because it's just and the industry has evolved dramatically. Listen, five years ago, there was no cloud security. You look at the solutions out there today, it's insane. The variety and the depths and keeping up is super hard. Also for vendors like us, because I just came back from Re-Invent Allyson, and they just introduced a thousand new services. Amazon, right? It's moving so fast. There's nothing like I think it's such a dramatic shift in the way that compute works. It doesn't look like anything else.

Allyson

TJ, I could spend hours talking to you about this topic. I'm getting a great education. I would love to have you on again sometime. But one final question for you for this interview. Where can folks keep in touch with Checkpoint and your team as they go on their own cloud security journeys?

TJ

Right. So, first on our website, Checkpoint.com, this is the best place to go. When you go to the website, there's a CloudGuard thing. We are also on Brighttalk a lot. We do tons of webinars and interviews and talks with analysts. We just added an amazing one together with the ESG analyst on developer first security. Really cool talk just yesterday on Brighttalk. So Brighttalk is another great place to go. Start with the website, Brighttalk, and find us on LinkedIn. By the way, you can reach out to me also. I'm always available and I don't mind talking, like you can see.

Allyson

Well, thanks so much for your time today. It was a real pleasure.

TJ

Thank you. Awesome.
