Ahead in the Cloud: Cybersecurity in the Cloud-First Computing Era with Ofir Israel

Chad Watt: Welcome to Ahead in the Cloud, where business leaders share what they've learned on their cloud journey. I'm Chad Watt, Infosys Knowledge Institute researcher and writer. Today, I am joined by Ofir Israel, Vice President of Threat Prevention Products at Check Point Software, a global cybersecurity firm. Ofir, welcome.

Ofir Israel: Thank you, Chad. Happy to be here.

Chad Watt: Ofir, what was your first computer, and how secure was it?

Ofir Israel: My first computer was 486 XT computer, which I used to play games. It was not connected, in the beginning, to anything. Afterwards, at the start of the... I got a modem and started playing with BBS services. It was very nice. I remember coding a bit programs to call my friends over the modem and chat with them. So it wasn't like the internet as it is today. So yeah, I grew up tinkering with computers. I developed websites when I was 12 years old. It was very old, like the old age or the beginning of the commercial internet. And I remember watching the movie called WarGames from 1983.

Chad Watt: With Matthew Broderick, yeah.

Ofir Israel: Broderick, yeah. He does what is called war dialing, so dialing with his modem, trying to find something interesting that picks up and answering with something interesting. And I thought it was very cool. I didn't do it myself because the costs were too high and my parents would kill me, but I was fascinated by that.

Chad Watt: Tell me a little about the state of cybersecurity when you were 18 and you started working in it.

Ofir Israel: I think, in the past, a lot of the defense was actually an illusion of what is called security by obscurity. And I would maybe call it like cyber innocence. That was, I think, the original threat. It's like in the movie I mentioned. The people who own the service, like an airline service, they didn't think that anyone would call this specific phone number, so there is no need to guard it with either a password or with anything, actually. The fact that you had to guess the number was all the security that was needed. So I think that was the change, from that era of the innocence, I would say, and into this area, where you understand that if you don't guard yourself good enough, you're going to get hacked.

Chad Watt: And we live in a world where you don't need to know anyone's phone number. Everything's connected via internet. Most operations are in the cloud. So let's talk about cloud and security. Coming through, I would say, the pandemic, we shifted to this work from home, work from wherever type setup, and that shift was done quickly and crisis mode, and we evolved to where we've been. Did that impact cybersecurity standards?

Ofir Israel: Every change is an opportunity to rethink your strategy, and cybersecurity is one of the main topics today for business organizations. We see a lot of attacks that hurt businesses much more than the denial of service that we used to see 20 years ago. We see a lot of ransomware, and we see organizations, really, that need to pay a lot of money and be closed for business for a significant amount of time. So everybody sees that and understands they need to rethink the security strategy.

Chad Watt: So companies today are managing cybersecurity differently. I think a lot of businesses have come to the realization that we're going to be in some sort of hybrid work from home, work from work, work wherever arrangement. What is your recommended first step? What should businesses do to secure this new workplace?

Ofir Israel: It means the endpoint that you distribute to the workers, like the laptops, and it can also be their own personal laptops, if that's how you work, to allow access to what is called BYOD, bring your own device. If you allow access to your corporate asset from the mobile phone, then you must make sure that also the mobile phone is secure, even if it's a corporate mobile phone or a personal mobile phone.

Chad Watt: Ofir, given the number of endpoints and bring your own device and laptops, personal laptop, private laptop, company-supplied laptop, how are companies performing on the cybersecurity front now?

Ofir Israel: We published a five-minute quick assessment survey for your enterprise readiness, readiness for secure remote work, and we collected the hundreds of responses, and we published a report on the answers. And we saw that the vast majority of companies are not ready or did not tick all the right boxes. Not everyone had defense for the mobile device. Not everyone had the right protection for their endpoint devices. Not everyone had the right solution for email security.

Chad Watt: So these are a lot of different things you've got to address. How do you get closer to ticking all those boxes?

Ofir Israel: First, of course, you need to have a strategy, and you need to buy solution rather than point products. So you need to go with cybersecurity vendor that gives you the strategy and the full solution for all these aspects. In Check Point, for example, we have our Harmony suite of products, which is addressing exactly the remote users. We protect users on their endpoint systems, laptops, desktops, mobile phones. It doesn't matter if it's Windows, Linux, macOS, iOS, Android, et cetera. Then we compliment that by inspecting the traffic that goes inside the organization, inside the data center, through the perimeter from employees or from contractors at homes, where they access corporate assets. We scan emails. We scan your cloud workloads. We scan everything, and we combine everything into the same cloud management platform, and the data is available to SOC teams and for the managed SOC offering.

Chad Watt: Tell me what SOC stands for.

Ofir Israel: Oh, SOC is the security operations center, which is usually the team that monitors the security aspects of the enterprise.

Chad Watt: How does Check Point use cloud to add functionality or deliver more capabilities, in terms of the security offerings you guys have?

Ofir Israel: As a cybersecurity vendor that develops product, delivers security, the cloud has enabled us in several ways. So as I mentioned, we have a large portfolio of cloud security solutions called CloudGuard, which, of course, both operates entirely in the cloud and protects cloud workloads. So doing the security in the cloud for the cloud is obvious in this product line.

Ofir Israel: Second, as a vendor with a lot of track record in history, we have products which their production systems were migrated from on-prem data centers to cloud workloads, mainly for dealing with scale and efficiency, agility in changes, and all sorts of modern engineering gifts that the cloud provides. And all of our new products are developed in what is called the cloud native way. So we leverage the cloud for the same engineering benefits that it gives other companies.

Chad Watt: Can I ask a question on cloud native? What is distinct and different with cybersecurity products in the cloud? What do you have to do differently to develop those for cloud native?

Ofir Israel: I wouldn't say that our use in cloud native designs is very different than other engineering organizations' use of the cloud native, but for us, it allows us the scale and efficiency and the agility that development in the cloud allows. And in some cases, it even allows us to secure more because of the ability to scale.

Chad Watt: This is interesting to me because historically, security measures impact performance. The more security layers you put into a system, the slower your processing. Or in my experience, layers of security can slow down your performance. But what you're saying is, when you're doing this in the cloud, you've got some scale. And would you say you're resolving some of that issue there, as far as performance being impacted by security measures?

Ofir Israel: Yes, because when we process the samples, for example, file samples that we need to understand if they're malicious or not, when we inspect them in the cloud, we have infinite resource to scan them, and then I can do a lot more inspections than I would do if I had to inspect them on your endpoint or on the appliance that you put in your data center. So the cloud allows us a lot more flexibility and scale and resources to do the inspection.

Ofir Israel: As the threats become more complicated and sophisticated, then also the solutions that we have to provide get more sophisticated. If we didn't have cloud computing, you as a customer, you as an enterprise would have to buy more and more appliances to do the inspection on your premises. Now, you can stay with your current appliances or install lower footprint agents on your endpoints but get the benefit of the very sophisticated and resource-intensive scan that we do on the cloud workloads.

Chad Watt: What proportion of your assets are in the cloud now? How much do you guys do on-prem versus in the cloud?

Ofir Israel: I would say that, as a company, we have, if I have to guess, maybe 1% on-prem, and most of our development is done in the cloud. When I arrived to Check Point, it wasn't the case. As a company, we started the digital transformation, just like a lot of other software companies and other companies, and we started moving more and more assets or end workloads to the cloud, and now we almost have everything on the cloud today.

Chad Watt: You mentioned that threats are getting more sophisticated, and responses have to be more sophisticated. Let me ask you about machine learning and AI. Are you combining machine learning and AI with your cloud security systems?

Ofir Israel: Yes, definitely. This is what I would say is the most prominent tool that we have now on our belt, and this is only because of cloud. We have lots and lots of data. We scan millions of files per day. We scan a lot of work in Check Point. We have more than 100,000 organizations that are secured by Check Point. So we have a lot of data that goes throughout our clouds, and so that provides us a huge data set. And we use those data sets to train our models to predict whether the next sample is malicious or not.

Chad Watt: I'm curious, how well is the model working? Can you give me an example of how the model has improved over time as you've fed more data into it?

Ofir Israel: It's something that is constantly improving. It's one part of our tool, and it's the most prominent tool because training the dataset and collecting the dataset is very resource intensive, and that is done on the cloud. But we also use this model, or we use one of those models, on our endpoint devices. So you get the wisdom from the cloud trained into the model and delivered to the endpoint and done locally on the endpoint, where the prevention can happen on the endpoint in a very short time.

Ofir Israel: And these models are things that are improved over time. As we collect more and more data, we train more frequently, and the efficacy of the models is just getting better and better. And we are constantly working on applying machine learning to specific vectors and to more and more vectors. So for example, we started with malicious files, executables and office documents and PDF files, and we also have machine learning models for detecting malicious domains. We can even detect if specific DNS requests, so requesting the name of the IP for the domain, or a series of those is used to exfiltrate data with a technique called DNS tunneling, which is something that was done in quite naive ways before we had machine learning and the ability to use that for cybersecurity.

Chad Watt: That's fascinating. How quickly do you reach a point where there's some significant new learning and then field it? So take the DNS tunneling. Once the model had informed you, how quickly were you able to deploy that to clients?

Ofir Israel: The time between the training and the deployment is very quick. In some cases, it's even instantaneous. We just do a few tests. It's a whole pipeline that runs in the cloud, of course. And the importance of it is mostly on the cases where the traffic changes and the sample profile changes. So for example, with files, it's very common to see a campaign starting, and we have to answer to it, we have to provide protection for it very quickly. So it is very important for us to be able to train our data sets, to train our models frequently, like every few days or even every day, depending on the traffic changes, and then deploy it very quickly to our customers in order to protect against the threats that are always coming and going.

Chad Watt:Given the data set and the position you're in, securing hundreds of thousands, you said, of organizations... And this is something we hadn't discussed, but it's a topic that's coming up more and more around data sharing. How much of your data set do you share with others, and what is your stance toward sharing data with others that might make some use of it in their own models?

Ofir Israel: Oh, the answer is very clear. We can't share and we don't share any information with others. We also have a lot of discussions and internal policies, security and privacy mechanisms, in place to make sure that we collect only the data that we need, only the data that is used to train and used to protect the customers, delete what we don't need to use. And there are a lot of compliance and regulations around this topic. We, of course, do all that. Yeah, we never, of course, share the data.

Ofir Israel: And it's a good question. We also see it with customers who are maybe afraid to use our cloud processing services. They want to use the processing on their on-prem because they're afraid of data and privacy. It used to be much more of an objection a few years ago. Now we see that, but it's reducing more and more. I mean, more and more enterprises are accepting that data processing, for security but also not for security, needs to be done in the cloud and the benefit of it, so we see a decline in the objection to using cloud.

Chad Watt:Ofir, is there any downside to using cloud for security?

Ofir Israel: Yeah. So it's about the subtlety of doing it right. So processing in the cloud does have downsides. As a cybersecurity company, and unlike some of the other competitors, we believe attacks can and need to be prevented. Some people think it's okay to detect and alert and then deal with the threat. We believe prevention is key to a good, secure environment. You wouldn't replace your front door with a sensor that just tells you someone walked inside, right? You would want both, probably.

Ofir Israel: So let's go with an example about scanning files in the cloud. The scanning can take some time, a few seconds, and let's say you downloaded the document, and you want to look at it. Would you be ready to wait seconds for the file to upload to some cloud workload, then be inspected there, process it? Think about it. A few seconds from the time when you double click on the Word document and until the Microsoft Word application open. You would never accept that, but you must wait until we are finished inspecting.

Ofir Israel: Now, you can decide just to let the Microsoft Word open while you wait for the inspection results. That means detection, but we want prevention, right? So the right way isn't inspection on the enforcement point itself, on the end point itself, because it is limited, like we discussed. And the right way isn't inspection on the cloud alone. To do cybersecurity, right, to prevent threats, you need solutions that do hybrid work. You need the prevention on the agent and also use the cloud for the vast resources to inspect them.

Ofir Israel: We do it in what I think is a great way. We use both the cloud, for the sophisticated algorithms and attacks it provides, and also, we are able to prevent on the enforcement point in a way that is smooth to the user. For example, like what I mentioned, with the model that is trained by the cloud but is available on the endpoint. Now, it's not enough because we also need to use the cloud in real time, but it provides us the ability to do this hybrid work and allow both the prevention and the sophisticated attack detection.

Chad Watt: Prevention is better than detection. What do you do, given that you're in the business, when you receive a really good phishing attempt?

Ofir Israel: When I receive a really good phishing attempt, first, I smile because I really admire the hard work and the sophistication of the attackers trying to attack me. On the other hand, if it comes to me, then they had the wrong target. But first, I smile, and I really dissect it to understand why am I seeing it? Because as someone who works for Check Point, when I receive a phishing attempt, it means we didn't catch it early enough. So I don't get a lot of phishing attempts for that reason, but when I get one, I really dissect it.

Chad Watt: Thank you very much, Ofir, for your time and your insights today.

Ofir Israel: Thank you, Chad.

Chad Watt: This podcast is part of our collaboration with MIT Tech Review, in partnership with Infosys Cobalt. Visit our content hub at technologyreview.com to learn more about how businesses across the globe are moving from cloud chaos to cloud clarity. Be sure to follow Ahead in the Cloud wherever you get your podcasts. You can find more details in our show notes and transcripts infosys.com/iki in our podcast section. Thanks to our producers, Catherine Burdette, Christine Calhoun, and Yulia De Bari. I'm Chad Watt with the Infosys Knowledge Institute. Until next time, keep learning, and keep sharing.