Interview: Orli Gan, Check Point

In his opening keynote at this year’s Check Point Experience, CEO and founder Gil Shwed talked about the need to develop a new security strategy that moves away from detection and is more about being proactive.

He said: “In cybercrime, we use detection and alerting but malware is evasive, and we know an attacker can be sitting in a different country and continent, and there is no one to punish them and the catch rate is very low.

“A different approach is for us to prevent attack with the principle of: block an attack before it happens; defend with the most advanced tools that stop today’s attack and tomorrow’s threats; and protect every frontier.”

Following this, I had the chance to meet with Orli Gan, Check Point’s product manager for threat prevention, who joined with the acquisition of Hyperwise. I began by asking her if the message is about prevention over detection, and whether, as an industry, we are ready to detect rather than protect.

Gan said: “That’s a fair question as I think the industry and customers need to change their mindset. Really you can talk about detection and preventing the second attack as you do the first attack, and there are times when you get hit you get infected, it costs you so much that there is no point going into full prevention.

“Every time you block an attack before it infects you is money saved. So you can say ‘why bother as we’re not going to stop every attack’ which is probably true, and you cannot block 100% of attacks as if you’re a target, someone somewhere will get in. It is not the same as being hit by an infection every other week as it is to be hit once a year, and the number one thing to change is to think about prevention and you do need to steer your ship in the direction of prevention as that is the holy grail of security.

“If you prevent, every cost is gone for cleaning and data loss and all that is gone away. Focus on prevention, but that doesn’t mean you need to neglect detection.”

So is this about technology? Gan said that you do want technologies in place, as there is a time factor that people need to keep in mind: detecting once a day, every three days or 200 days after infection is not the same thing.

“Damage that can be done in an hour versus six months can be very different: ask Target! Clean up is one angle and that is proportionate to the time they manage to live in the network as the longer it stays, the harder it is to clean it.”

I asked Gan if the concept of Check Point is about stopping malware at the first hurdle. She said the concept is based around the fact that the basics of what security is all about have not really changed much.

“You have defenses one after another in layers and we always had firewalls and anti-virus, and network and endpoint presence, so those basics are there and now we are worried about things moving in the data center, but the basic truth is that things have to come in layers and that has not changed and that is our strategy, to give you all the layers which filters a threat down so that nothing can get in,” she said. “I say nothing with an asterisk, as nothing is foolproof! But even if it got in you have detection tools to identify it as soon as possible.”

So is this something that she sees customers doing? “I think that it is about getting them to act on things that they already know. I think that most companies know that they need layers of security and platforms for layers of technologies.”

We concluded by talking about ransomware, and whether that could be one method of offense that could be ruled out by a prevention-over-detection policy. Gan said that you can block ransomware by disrupting the C&C connectivity: if it cannot communicate with the C&C server then it will not operate, as it cannot handshake and collect the money.

“Most ransomware is blocked by technology that we already have,” she said. “We have prevention technologies and one of the key elements when talking about detection is technology put into prevention mode, and customers ask about how practical it is and if it is something you interfere with as security is the thing you do to allow your business to thrive.”
