In The Arena by TechArena - The Battle for Multi-Cloud Security with TJ Gonen
Episode Date: December 15, 2022
TechArena host Allyson Klein chats with Check Point Software's TJ Gonen about the state of cloud security and how security solutions must start with a developer lens...
Transcript
Welcome to the Tech Arena, featuring authentic discussions between tech's leading innovators and our host, Allyson Klein.
Now, let's step into the arena.
Welcome to Tech Arena. My name is Allyson Klein, and today I'm delighted to be joined by T.J. Gonen, Vice President of Cloud Security at Check Point Software. Welcome to the program, T.J.
Good morning, Allyson. Good to be here.
T.J., why don't you just start with an introduction of Check Point and the solutions that you're delivering for enterprise and cloud customers?
Yeah, so actually Check Point is probably best known for being the firewall company.
Gil Shwed, the founder of Check Point, who is, I think, I may be throwing it out there, but I do think he's the longest acting CEO at NASDAQ.
Oh, interesting.
So, yeah.
So Check Point was founded 30 years ago.
Gil Shwed founded it in Israel.
Invented the firewall.
I mean, just think about it.
Literally invented the firewall,
the first firewall out there.
And the company has been 30 years
one of the biggest companies
in the cybersecurity space.
Like I said, on Nasdaq,
I think for 20 years, probably even more. You know what? I'm probably not old. I'm old enough to forget. Let's say that. And so for 30 years, Check Point has been in the cybersecurity space, evolving with the cybersecurity space. It started with the firewall business, but since then expanded to a lot of other areas, just as the cybersecurity space expanded: endpoint security, remote access, and obviously in the last few years cloud security, as it became more and more important for organizations as they move to the cloud.
And in the cloud security space, we started with extending our network security solutions into the cloud, which is sort of a natural expansion. Okay, I'm protecting our networks on-premise.
Let's move that protection to the cloud.
But since then, cloud security has evolved dramatically.
And to some extent, I like to say that cloud security today is as big as cybersecurity.
It's like cybersecurity, just in the cloud.
It's everything.
So since then, if you look at our portfolio of solutions, it's quite comprehensive. Anything from vulnerability and posture management to workload protection, detection and response, application security in the cloud.
It's a very broad portfolio.
It's interesting you mentioned firewalls. wall and VPN and you were good to go with security. Now with DDoS and ransomware and
deepfake technology, you've got so many different types of threats that are coming at IT
organizations. And then the complexity of the fact that they're managing workloads in multi-cloud environments. What do you think is the state of cybersecurity today?
And what is it that you talk to
when you're talking to your customers
about what's the best approach to take
to ensure that they've got the right security protection
that they need?
Yeah.
Actually, I think, Allyson, what you said is really interesting
because I think cloud is even an extreme scenario of what you just talked about.
Because it's funny, I always say like when I started in cybersecurity 30 years ago, it wasn't even called cybersecurity.
It was called antivirus and firewall to your point, right? Like there were two things. That's it. That was cybersecurity.
And obviously, as the Internet became more popular and the connected world became more popular, so did the attack surface grow.
And that made cybersecurity more important.
Suddenly, you started to need all these other things.
Cloud is an extreme scenario of that.
Because think what just, I think for anyone listening, just think what's happening in the cloud.
It took a long time to build the IT industry.
Just think about like, you know, I'm 50 plus.
Like I've seen this over 30 years.
And it was, I mean, it feels fast, but it was really slow.
Things took time.
The internet was 93.
And it took a long time for us to get to where we are right now.
And you built a data center.
It was a matter of months.
In the cloud, it's one script,
boom, data center. And then boom, another data center. And by the way, on three different
clouds. And you want to launch 50 machines? A second. You want to launch 5,000 machines?
Same second, right? And then the cloud providers are innovating and they're introducing new
types of databases and new types of workloads and new ways to connect and everything is code.
So you have a gazillion developers touching everything. So the cloud makes it even more complex, because of the speed and scale. There was nothing before cloud
that enabled organizations and developers
and people who deploy applications to move so fast.
So to your question, your original question was,
what's the best practice?
So I think the best practice is first to prioritize
because there's just, I would just say,
I mean, even though
we're a security company,
so theoretically, yes,
of course, protect everything.
There's just no way
you're going to be able
to cover everything.
Definitely not
in a fast-moving pace of cloud.
You're not going to be able
to cover everything.
So I think the first thing is
start with the basics, right?
Most problems,
if you think about it,
it's almost like physical security.
They start with posture.
Get the posture right.
Minimize the attack surface.
The first thing that people should do
is minimize the chances of bad things happening.
So if you can prevent misconfiguration,
I don't know if you've seen this,
but there's tons of research.
It was true, by the way, on premise.
It's very true in the cloud that I think it's 92% of attacks
could have been prevented with the right configuration
and controls in place.
So if I don't leave anything open, then, of course,
it's going to be harder to get to it, just as an example.
So first, get your posture right
I think that's the first thing that people should be doing. So then, now that's a very big topic: how do you get posture right? So first it's configuration, have the right protection in place, have the right access control, vulnerability management, right? Don't leave anything vulnerable.
There's a lot of work around that, but I would say that's the first thing that you should be doing, because if you don't get posture right, you're in such a deficit already that trying to chase now
the attackers is going to be very hard. So that I would say is the first thing. The second thing,
which is, again, it's easy from a, it's a simple, maybe from a topic perspective, but it's not that
easy to implement and not necessarily the technologies are there,
is I would say think prevention rather than just detection.
Because what I always give this example of my email,
my inbox, right?
My inbox is full of emails that I've never read,
never going to read.
Because at some point, you just get too tired of alerts, right?
You get email fatigue.
And if you just detect and just think about your environment growing,
cloud, again, is a very extreme example of that.
And you're going to start detecting problems,
and you're just going to be spammed with alerts.
So the ability to actually react to them and to do something about them
is becoming, is really compromised.
So I think thinking prevention.
So don't detect if you can't prevent.
Don't detect.
I mean, it's useless to detect
if you can't do anything about it
or you have no facilities to do something about.
So I think the second mindset should be
implement tools, technologies, and processes
that are really focused on taking action,
whether it's actually preventing or remediating.
Now, it's easy to say, it's not that easy to implement.
You need the right tools, the right processes, and the right mindset.
And then I would say within all of that, the right way to go at this is to prioritize.
Not all risks are created equal.
So if your machine is way, again, I don't know what you have on your machine,
but it's probably less risky than a server
somewhere in the data center
that hosts all the PII information of a company, right?
Or a customer or a server with a vulnerability
that is exposed to the internet
that has access to a database
is way more important than a server with a vulnerability
that's connected to whatever, a static website.
So prioritization is really important.
And this is really the key challenge, I think,
for cybersecurity, generally speaking.
How do you operationalize cybersecurity?
It's not about tools.
It's not about people being smart.
It's really, okay, I've got a lot of technology.
I've got a lot of stuff.
How do I operationalize it?
And it really becomes into how do you effectively manage risk
That's, I would say, the biggest challenge.
Now, I know that you have a very deep partnership with Microsoft Azure, you work with other cloud service providers. One of the things that I think about is, because the cloud is so easy to spin up, we see line of business spinning up cloud on their own, and IT organizations sometimes not even aware of, you know, what their organization is using from a standpoint of cloud.
How do you protect against all of your attack threats if you don't even know what your organization is using for cloud services?
It's funny, you know, because when I talk with the organizations, what you just mentioned is the number one fear factor.
Because if you think about it, you actually mentioned that with Azure or AWS, anyone.
They were built for the developers and for the practitioners.
They were not built for security people.
Everything Azure does,
definitely Amazon,
you know, when AWS launched,
until today, by the way,
when you see their audience
is what they call builders.
Even when they do commercials,
it's builders.
It's for the builders, developers.
And everything is super, super, super optimized
for them to move super, super, super fast,
which is the antichrist of security.
It's like you have these armies of developers
with a gazillion tools that were optimized
over the last 10 years just to allow them
to move super fast. If you're a security
practitioner, you just lost, you're looking for the battery for your hard base, right? Because
they're just running like crazy. So now the question is, you asked the question, how do you
keep up? How do you enable that? I would say that there's two ways to look at this, to be fair.
One of them is what I call, you could almost call this like the trust zone and the no trust zone.
And I'll tell you what I mean by that. The trust zone is, hey, listen, developer and application
deployer and you, the people who are actually operating the cloud, I'm going to help you
do less mistakes. I'm going to give you tools that will help you deploy things
more securely. I'm going to make it so easy in theory. That's a big thing. We can talk about
this for hours. I'm going to make it so easy for you to do the right thing that you would rather
do the right thing than do the wrong thing. Okay. So that's number one. That's I trust you.
Then you need to have the no trust zone. And the no trust zone needs to have tools
that assume that the developer,
the practitioner, the builder
just did something
without giving a lot of thought into it
because it's not his day job.
And you need to put tools
that hopefully automate things like discovery.
For example, hey, I deploy this, boom,
I'm automatically discovering it. I know that it's
there. And hopefully you can also automate
protection. So you deployed
something, I found it, I
automatically put a policy
around it, and I automatically protect it.
So I would say two things
that I just said here that are very important.
If you take two things out of this. One,
on the
protection side, on the no-trust zone,
you have to automate.
There's no way.
Everything on the other side is automated.
That's the thing, right?
Everything around development pipeline today,
all you hear when you talk, when you interview people,
is automation, automation, automation.
And cloud is all about automation.
Think about cloud.
It just automated everything.
It automated infrastructure completely
it automated the platforms
it automated everything
so if security is not as
automated
at some point you're going to miss something
Actually, we have a saying inside my product group, and I always say this. We have a sign, it says, "It ain't done till it's automated."
If you didn't automate it, you're not done. That's your definition of done, because what you're trying to protect is automated. On the trust zone, which is super important, listen, you can't fight,
they're going to move. The barbarians are not just at the gate, they cross the gate, they're in,
they're running. You have to put them on your side. Now, the only way to put them on your side
is to make it easier to do the right thing.
As long as security thinks
in a mindset of, I hate
the term guardrails, even though it's a very
used term in security, because I always
think about road bumpers.
If I'm a developer, I'm just like
this. You need to build a highway.
You need to build
a paved road rather than bumpers,
rather than guardrails.
Here's a paved road.
As long as you go on this road, you can move so fast and we're going to make it so fast for you.
Now, the only way to do this is to talk developer language,
to build.
I'll actually throw another thing at you in the audience is,
it's rather than building security tools for developers,
because that's by definition almost wrong because developers don't care about security
naturally. It's to build developer tools that are really good at securities. And that's
the mindset. And if you make it easier to do the right thing, I like to give this metaphor,
which is true by the way, it's a true story. I don't know if you remember, but we used to do eMule and BitTorrent. We used to do a lot of
movie downloads. And definitely, I grew up in Israel, right? So that was huge. You know when
it stopped? When it became easier to do the right thing. When Netflix started and all these streaming
services, it's just easier to do the right thing. So you stop doing the wrong thing
because it's easier to do the right thing. If you make it
easy for the developer to do the right thing,
if you talk his language, if it's
embedded inside his tools, if it's
not something, you know, he deployed,
developers hate, hate. They
deploy something and then
two weeks after you say,
oh, you remember what you deployed two weeks ago? It has a problem. We need to fix it.
Dude, I don't remember what I did two weeks ago.
Since then, I deployed like 20 times.
So you have to do it in their tools,
in their environment.
So the trust zone has to speak their language.
The no trust zone has to be automated.
That's the way to tackle this.
And yeah, you're going to be,
and it's going to be breathtaking
because everything moves super fast.
You're going to have a lot of tough nights.
The other alternative, by the way, is to put limitations, which I can tell you, we are in an age, Allyson, that it is so hard to say no for security people.
They had the privilege for, you know, the first 30 years of cybersecurity.
I want to say the first 25 years, you had the option to say no. You could say,
hey, you're not launching until I'm checking it. You're not launching until I'm doing,
you just mentioned the example you just gave. They're just going. What do you mean no? I'm
gone. You go and you check this when I'm done. So you have to live with that reality and you
have to adapt. When you look at the solutions that Check Point is delivering in this space, can you
just give the audience a breakdown of what you're delivering for the cloud and how it
addresses the challenges that we're talking about?
Yeah, so actually, it's a perfect fit in the sense of the mindset. And obviously, there's
always a journey towards this automation that I just mentioned and making things simpler.
It's a journey.
But from a mindset perspective, when you look at our platform, so the industry calls today the platform for cloud security.
It went by, you know, like this industry moved so fast.
So it went through like 50 different buzzwords and acronyms.
It's sort of settling now
on something that the industry, that Gartner coined the CNAPP, Cloud-Native Application
Protection Platform, which is a cool term to say everything cloud security. That's the way to look
at this. CNAPP, right? CNAPP is literally like saying cybersecurity outside cloud. That's what
it will be. It will be cybersecurity for the cloud.
So when you look at our CNAPP solution,
which is super comprehensive,
it does go through all these layers that I mentioned earlier
in one single platform,
which is very important.
And one single platform
is not just important
because it's cool.
And yes, one dashboard, one API.
This is so complex.
We talked about that alert fatigue.
If you're going to have five
different solutions generating these alerts, one, they're not going to be in context. So it's going
to be very hard to correlate them. Second, you're going to be really tired because you're going to
get five times the amount of mess. So our platform starts, I would actually start like this. Our
platform starts from the left. It starts from the developer. We have a super comprehensive solution around developer-first security.
So it's actually, by the way, just in a quick word,
Check Point's CloudGuard platform, which is our product,
which is our platform name, CloudGuard,
grew through a series of acquisitions over the last four years
that Check Point did.
A bunch of acquisitions, different acquisitions
that altogether make the CloudGuard platform.
They're integrated into one platform.
So it starts with the left.
It starts with our solution.
Actually, a company we acquired about a year ago
around developer-first security.
So all this stuff that I talked about,
how do I start from the code?
Looking at the code,
understanding where the problems are there,
letting the developer know that there might be a potential problem super early
and also helping them with the remediation, telling them what they can fix.
So not just throwing this out there and say, hey, by the way, there's a problem.
Fix it.
All the way from code scanning, container scanning,
and a bunch of other good stuff that integrates into the development environment.
And then when it moves into the cloud, let's call it.
So first it's multi-cloud.
So it supports a different cloud environment.
Over 60% of organizations I talk with,
and I think that's the official stat also,
are multi-cloud, right?
So they have stuff in different cloud providers.
So in that runtime environment,
we have solutions for posture management.
That's where a lot of companies started with cloud security. So that gives you that automated visibility into what's going on
in your environment. What do you have? What's running? How is it configured? Are there
misconfigurations? Which workloads are running? Do they have vulnerabilities? And then on top of that,
we have solutions for workload protection. So basically looking at the machines,
the containers, the serverless functions, everything that's running and understanding one,
if they themselves have vulnerabilities and the second, if they're misbehaving, right? If there's,
if they're under attack, and then we have solution for application security in the cloud.
And again, all of the stuff that I'm talking about is to a large extent, almost fully automated,
I want to say,
because that's super important. So for example, our solution for application and API security,
one of our claim to fame and where we invested most of the effort is to make sure that it can automatically adapt to application changes. So you don't need to every time fine tune policies,
because applications change so fast in the cloud, you're not going to have time to change anything
anyway. And then we have a solution for detection and response in the cloud. So that makes the entire
platform. What's really interesting around all of that is actually a lot of our recent efforts
around this platform has been around, okay, how do I take a million potential alerts and tell you
which are the 10 that matter? And how do I take these 10 that matter and guide you through either automatic prevention?
So, hey, I found a problem.
Boom, I stopped it.
Or help you fix the problem with guided remediation
in the most efficient way.
Because again, operationalizing,
what we found out in the last year
as we evolved through this is that,
what we started with,
the biggest problem is operationalizing
cloud security. You can have 50,000 tools, but the question is how do I operationalize it with all these alerts and all these problems and all these places that I need to be? So our CNAPP solution goes throughout from code to cloud and through the different layers: posture and vulnerability management, workload protection, application security, cloud detection and response.
And we have a lot of effort and technology
around effective risk management
within these big environments.
I mean, some of our customers,
just to give an example,
have 50,000 workloads in the cloud, right?
Like literally, that's 50,000 machines running,
going up, going down,
serverless functions, containers in hundreds
and sometimes thousands of different cloud accounts
across different cloud environments
with tens of thousands of developers
writing code and deploying it.
It's massive.
And these same companies a year ago had half the size.
And in a year from now, they'll probably have double.
So it's a crazy environment.
So effectively managing risk is probably our biggest effort right now as far as how we're continuously improving that.
A lot of talk has focused in the media on data sovereignty. And when you describe that customer with all of those environments, knowing where your data is and do you have real control of your data is a big concern.
What is the role of the industry in helping to address it?
And do you expect more government action in this space?
Yeah, so I think it already starts.
I can tell you even as a vendor, there's countries or customers we can't sell to
if our solution doesn't sit in the, for example,
AWS or Azure region in Switzerland.
The banks in Switzerland will not buy a SaaS software
that doesn't sit in Switzerland.
It's really interesting, right?
Data sovereignty.
So it starts from us.
So definitely that's a topic that comes up a lot.
And I think as the industry also evolves,
the conversation starts to be around,
okay, great that we're securing the infrastructure.
Great that we're understanding where things are as far as the platforms and the servers and the workloads.
Where's my data?
It's a very good point that you're bringing up.
And now the question starts, where's my actual data?
And by the way, how is my data flowing?
Tell me where's my data and how is it flowing?
And by the way, that data that sits here,
does it actually have access or can flow to somewhere there
that it's not supposed to be?
So there's actually a lot of evolution in that space.
There's actually a term.
Go figure, there's an acronym for your question.
It's called data security posture management now.
DSPM, right?
So the industry already came up with a name for this thing.
It's actually very recent.
I probably want to say DSPM is maybe six months, seven months old, the terminology, because that's a big question.
And I think there's already, so your question around will governments and regulations interfere, they're already interfering.
So there's regulation around that.
Canada, India, Australia, Switzerland, there's data residency regulation across the board.
Your question, though, comes even stronger because, okay, great.
Now we just, all of what we just described when we talked over the last few minutes is how developers can do whatever they want and everything can flow anywhere.
How the hell do you control that in a situation where you need to have data residency
and you need to know where the data is?
Again, without technology or without a policy and a technology
that can automatically apply this, it's a lost cause.
So you might as well not even try.
So that's where, again, a lot of effort is going there from a technology perspective.
TJ, if you were looking in your crystal ball, it's 2023. You've already said the complexity of workloads and complexity of cloud customers is going to go up. What else do you see for 2023? And what is Check Point's strategy for helping customers with what's coming?
Yeah.
Yeah, so I think in reality, our focus is we are laser focused
on helping our customers operationalize cloud security.
This is our laser focus.
So my crystal ball is already showing that people are just,
oh, my God, I cannot deal with the level of complexity here.
And even when I deploy solutions, part of my problem is the solution that I deploy.
They are creating so much noise that I feel even more lost.
I'm getting a gazillion alerts from everywhere. So our focus is, we are laser focused on helping our customers operationalize cloud security in order to help them understand where the risks really are, and automating prevention and remediation. That's our laser focus.
I think generation one, I'll tell you this, and maybe this would be helpful, generation one of cloud security was very much focused on what you mentioned a couple minutes ago: hey, just tell me what I have.
Just, you know what?
I'm super blind.
I have no access.
I don't know what these guys are doing,
these developers and these gals.
They're just running like crazy.
Just give me visibility, right?
That was generation one.
Generation two came and said,
okay, after this visibility and all that stuff,
can you help me prioritize, for example, right?
Just tell me, okay, that's what's happening right now.
This is now.
We're in generation two.
This is, okay, from the billion things that you can tell me about,
which ones do you think I should focus at, right?
Generation three is help me fix it.
Great.
I'll tell you, I had a customer I was talking with a couple of days ago.
I said, it's really cute that the industry has moved from 10,000 alerts to 1,000.
The 1,000 that matter, right?
Even 1,000, dude, what are you going to do with it?
It's a lot.
If I can't automate fix, if I can't guide you to remediation,
if I can't prevent that, most of them automatically,
we're going to be lost anyway.
So that's it.
So I think the real next generation and what people are going to be focused at
is, hey, okay,
great, but listen,
I need you to help me
operationalize
or automate a big chunk of the remediation
and the prevention. That's where it's
going to go because it's just...
And the industry has evolved dramatically.
Listen, five years ago, there was no cloud security.
You look at the solutions out there today,
it's insane, the variety and the depth.
And keeping up is super hard, also for vendors like us.
Because I just came back from re:Invent, Allyson,
and they just introduced a thousand new services, Amazon.
It's moving so fast.
There's nothing like it.
I think it's such a dramatic shift in the way that compute works.
It doesn't look like anything else.
TJ, I could spend hours talking to you about this topic. I'm getting a great education.
I would love to have you on again sometime. But one final question for you for this interview. Where can folks keep in touch with Check Point and your team as they go on their own cloud security journeys?
Right.
So first on our website, checkpoint.com,
this is the best place to go.
When you go to the website, there's a CloudGuard thing.
We're also on BrightTALK a lot.
We do tons of webinars and interviews and talks with analysts.
We just had an amazing one together with the ESG analyst on developer-first security.
Really cool talk just yesterday on BrightTALK.
So BrightTALK is another great place to go.
Start with the website, BrightTALK, and find us on LinkedIn.
By the way, you can reach out to me also.
I'm always available, and I don't mind talking like you can see.
Well, thanks so much for your time today.
It was a real pleasure.
Thank you also.
Thanks for joining the Tech Arena.
Subscribe and engage at our website, thetecharena.net.
All content is copyright by the Tech Arena.