Q&A during the session is below the video.
Slides are linked below the Raffle Winners which are linked below the Q&A.
If you would like to schedule a more detailed conversation or demo, please fill out this form: https://www.research.net/r/LMMTZT3
Q&A
Do you provide firewall as a service (without deploying hardware)?
in the cloud, yes, both PAYG and BYOL models
What's the reliability of this cloud software?
Very realiable!
Our cloud security solution is deployed by thousands of customers protecting the most largest cloud environment. Largest banks, retails and technology companies.
We have been securing various aspects of cloud environments for over 7 years.
With all the types of AI that will be utilized by Hackers. What is your plan to mitigate this?
This is a field of active research across all our solutions. Specific to CloudGuard, we plan to announce specific solutions to protect AI engines using CloudGuard WAF. Stay tuned!
API Discovery and API Schema Validation is available?
API Discovery and API Schema Validation are now available... you can definitely start using it!
How do I deal with Malware?
Our CloudGuard Network can scan and prevent malware from entering your cloud. If a user upload a malware file to cloud application, we can prevent it. We also allow application developers to integrate with our ThreatCloud solution to check if file are malicious, you can do it with API calls to ThreatCloud. We offer the same service also for URL and File reputations and File emulation and extraction.. All via API.
Can you elaborate on the specific technical advancements within CloudGuard that address the growing challenges of multi-cloud and hybrid cloud environments?
First, Multi/Hybrid Cloud is the most common IT set up for organizations. Not only that but also, the DC are distributed acosss the globe.
The first advantage is managing everything on a single pane of glass. Additional advantage is getting the same level of visibility and security across all your DCs. It will save you training of teams....
CloudGuard Network supporting numerous public cloud providers and it's likely your choice of platform will be supported.
Addressing growth of could and growing challenges - We are building all features to simplify operations, automate process, enabling high resiliency constructs, and scaled architecture.
How does CloudGuard integrate with existing security tools to provide a holistic cloud security posture?
Here is a short list of some of the integrations that we have
- AWS Security Hub
- AWS SNS
- Defender for Cloud
- Eventarc
- GCP Security Command Center
- GuardDuty
- Jira
- PageDuty
- QRadar
- ServiceNow
- Slack
- Splunk
- Sumo Logic
- Teams
- Tenable.io
What are the risk involved when the front door or service door are not protected?
The risk is huge... obviously there are many attack vectors available and we have different cloud solution to protect against them.
Example 1: On the service door - limiting access with our amazing cloud network security solution will eliminate the way to access your cloud even if something was leaked.
Example 2: Prevent injection attacks to your exposed web applications (company site, other systems). Log4Shell allowed command injection on the server itself.
Does Check Point have a Vulnerability scanner that needs to be revisit time to time for any kind of threats?
We have Agentless vulnerability scanning both for VMs, Serverless currently avaialble for AWS and Azure and registries & live running containers scanner which is available for any cloud and on prem. The scanner is constantly up to date, VMs are continuously rescanned while images in registries are rescaned when needed. The SBOM information are stored on our end we continiously examine it for newly discovered threats. All without storing any PII on our end.
What's the recommended way to prevent cybersecurity attack that tricks employees into divulging sensitive information or granting access to their accounts?
We offer a number of zero-phising technologies in our Harmony suite and in Quantum Security Gateways. Harmony Email and Collaboration should also assist in identifying and preventing such emails from reaching your users.
What redundancy and failover mechanisms are in place to ensure continuous protection against network breaches?
On top of our full support for machine level redundancy, we have some architectures that provide even greater level of resiliency such as Cross AZ clusters on AWS.
Can you delve into the technical aspects of CloudGuard's AI-powered threat detection and prioritization?
There are different aspects of using AI in CloudGuard:
- CDR to identify anomalies, for example, to prevent data exfiltration
- WAF which uses AI to identify malicious HTTP/HTTPS requests
- Network Security uses Check Point’s ThreatCloud AI
I use GCP and AWS. Are there any significant variations in complexity in terms of implementing CloudGuard integration?
While we support all the major Cloud Service Providers, each one is different which results in small differences when integrating CloudGuard on AWS versus GCP.
Can you describe the role of machine learning and artificial intelligence in enhancing CloudGuard network security?
CloudGuard Network is using AI in a couple of ways... Starting from AI engines to better derive multi vector attacks and block them. The second for CloudGuard WAF all our detection is based on AI using a patented detection methodology to detect malicious requests. And last, soon enough we will be adding Chat to opreate and analyze your security based on Open AI integration.
Will 'WAF as a Service' have an additional cost?
Yes, as the infrastructure that scans the traffic will be provided as a service, cost for WAF as a Service will be higher than agent based WAF.
Is it possible to convert a CloudGuard security gateway (single) to a cluster?
Yes. unfortunately, this will require a side by side deployment and traffic steering.
Can you provide examples of how CNAPP with prevention has helped organizations prevent security incidents in their cloud-native environments?
Suppose you have a machine / workload that is publicly available to the Internet and it wasn’t meant to be. You will be notified about this and it can be made private automatically. The same goes for S3 buckets for example, which might be public and contain sensitive data. These are just a few of the examples of events that you can be notified on.
Given the critical role of email in everyday business communication, how do you balance the imperative of robust security with the need to minimize disruptions and false positives? I'd like to hear about the user-centric design principles guiding Check Point's email security approach.
Harmony Email is unique in that it is flexible in deployment and policy creation. Organizations can choose to deploy it inline before the inbox, or in a post-delivery mechanism. Organizations can also mix and match per department (Finance, for example, could be inline while HR isn't.) Our use of AI/ML with ThreatCloud helps minimize false positives and we have a strong feedback loop to continue training the AI. Organizations can also be very granular with policy, if they want, or use it right out of the box. The goal of Harmony Email is to ensure that when a user receives an email, they know it's clean and safe to act on.\
CNAPP FW aware...will it identify if a particular IPS signature needs to be enabled or changes to the threat policy to mitigate risk?
We will start showing the residual risk on affected protected cloud assets that will be protected by Check Point cloud network security firewall deployed in the cloud environment.
For Azure Web App Services, does CloudGuard WAF replace or does it work with and require Microsoft Defender for Cloud?
We have few ways of deployments - we can deploy a container that will act as a reverse proxy to you app and you can deploy using docker-compose.
See also: https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/docker/single-docker/d...
Obviously - with Waf as a Service you don't need to deploy anything on your end and we can protect any app...
How does Check Point address the escalating complexity of hybrid and multi-cloud environments? How does it ensure interoperability and consistent security policies across diverse cloud platforms within its cloud security offerings? Can you provide examples of how Check Point's solutions have effectively tackled challenges faced by multinational corporations operating across AWS, Azure, and Google Cloud Platform? How does Check Point ensure seamless security orchestration and compliance in such scenarios?
This is the exact reason we are introducing the new paradigm shift, to include the front door and service door. CloudGuard is largely cloud agnostic so you can mange multi CSP’s in the same place and have a complete view or your cloud security.
How does CNAPP with prevention enhance the security posture of cloud-native applications?
By integrating Check Point WAF and Network security to CNAPP and adding additional layers of security to your cloud environment, we will be able to present the residual risk of your cloud asset , prioritizing other assets that need to be prioritized. CNAPP Effective risk management (ERM) take into consideration the additional security layers that were added to protect your cloud environment.
As cyber adversaries continually evolve their tactics to bypass traditional security controls, how does Check Point stay ahead of the curve in email threat detection and response? I'm keen to explore the research, intelligence, and analytics capabilities that empower Check Point's email security solutions to adapt and respond effectively to emerging threats?
We rely on a number of mechanisms.
It starts with ThreatCloud AI. This is fed by over 50 unique AI technologies, as well as a threat intel database from over 150,000 connected networks, millions of endpoints, 2.8 billions websites and much more. When a detection is found in any of our products from this database, it's instantly propogated to all customers. Further, we have a renonwed Check Point Research (CPR) team, compromised of 150+ threat researchers?
Given the complexity of balancing robust security measures with operational efficiency, I'm curious about how Check Point navigates this delicate balance within its Harmony SASE solution. For instance, could you provide an example of how Harmony SASE has successfully optimized security posture while minimizing operational friction for a multinational corporation transitioning to remote work during the pandemic?
We presented a customer use case last week where we migrated a 6,000 person company to Harmony SASE over a weekend. See: https://community.checkpoint.com/t5/SASE/Harmony-SASE-Masters-Migration-Video-Slides-and-Q-amp-A/m-p...
How is CloudGuard WAF different from the competition?
They can't protect preemptively against unknown attacks as they require a specific signature. In CloudHuard WAF, using our AI mechanism we have proven many times that we can do it - our engine allows us to detect unknown attacks based on anomaly detection from the normal behavior of users + identify just specific indicators and any combination of them instead of full blown specific signature
Can CloudGuard Code Security work with a programmers codebase on their development machine or does it require a code repository (e.g., Azure Dev Ops Services (formerly Visual Studio TFS)?
Yes, it’s supported
Can CNAPP be easily integrated to existing environment
Yes, onboarding CloudGuard is super easy!
Is it possible to convert a CloudGuard security gateway to an autoscaling instance?
The transition is enabled through a side by side deployment requiring manual steps.
How does Check Point envision SASE transforming the way organizations secure their networks, particularly in the context of distributed and remote workforces?
We’re working on enhancing the SASE fabric with the best of the Check Point’s security while allowing a completely hybrid approach, meaning that you can run the security stack on device (without) connecting to the edge, on the edge, or mixed, this allows maximum security, flexibility and user experience.
Can CNAPP FW effectively determine whether enabling a specific IPS signature or adjusting the threat policy is necessary to mitigate a particular risk? It is based on Check Point’s Threat Cloud which is AI based on doesn’t require tuning to mitigate risks.
Any comparison with other vendors?
Competitive information is out of scope for this session. Partners can access competitive information in our CheckMates for Partners community. Customers should reach out to their local Check Point office.
Can I enforce the firewall policy directly on the Laptop? Or the traffic is blocked in the cloud FWaaS? If so can I have microsegmentation is this way?
Today, SWG (URL Filtering and Malware Protection) is running on the device, Firewall is enforced on the edge.
How do we differentiate Harmony Endpoint from Harmony SASE?
These solutions compliment each other, SASE is not protecting the device itself, it is functioning on the network stack of OS and in the cloud edge.
Can you explain the key components of a SASE architecture and how they work together to provide comprehensive security?
Today SWG (URL Filtering and Malware Protection) is running on the device, Firewall is enforced on the edge. On top of that, each agent is being scanned continuously by Device Posture Check.\
In addition to this, we also offer agentless ZTNA as reverse proxy (For Web, RDP, SSH and VNC).
Can you explain the advantages of adopting a Hybrid SASE approach compared to fully on-premises or fully cloud-based solutions?
Flexibility - you choose where to run the security, Performance and Capacity planning - offloading the heavy lifting of inspection from the edge.
Also, we are able to provide more bandwidth to the end user at lower latency than SASE solutions that are entirely cloud-based.
What is CloudGuard Posture Management?
We keep scanning your application assets for configurations, CVE, secrets, malware, network topology and try to give you security findings on top so you can improve you security posture.
How does Hybrid SASE adapt to changes in network traffic patterns, user behavior, and security threats?
We’re integrating the best Check Point’s Threat Prevention based on ThreatCloud Intel, UEBA and advanced network features are on our roadmap.
Can you showcase a complex deployment scenario of Harmony SASE for a large organization with geographically dispersed branches and a mix of cloud and on-premises resources?
We offer today more than 60 PoPs and support IPsec tunnels, Wireguard-based connectors, and OpenVPN; this allows us to be completely agnostic about the infrastructure we’re interconnecting; we act as a switchboard no matter the cloud platform or premises equipment you’re connecting to.
Today SWG (URL Filtering and Malware Protection) is running on the device, Firewall is enforced on the edge. On top of that, each agent is being scanned continuously by Device Posture Check.
In addition to this, we also offer agentless ZTNA as a reverse proxy (For Web, RDP, SSH, and VNC).
Moreover, we are working on deepening the integration with other key components of the Infinity platform, including XDR, Playblocks, Events and more.
What role does SD-WAN (Software-Defined Wide Area Networking) play in enabling Hybrid SASE deployments?
Integration with SD-WAN allows a security layer on top of SD-WAN by forwarding the traffic to the cloud edge for inspection.
How does Harmony SASE address the challenges of securing access for mobile and IoT devices within a SASE framework?
Harmony SASE has clients for mobile devices. IoT devices generally require some sort of on-premise device to provide protection since IoT devices typically don’t allow installation of additional software. For specific details, please contact your local Check Point office.
How does my organization get a complete a Check Point Security Assessment?
Your local Check Point office can arrange this. You can also reach the right team via the contact form here: https://www.checkpoint.com/services/infinity-global/
How do you approach securing a large, distributed network?
It depends on the public cloud vendor you are utilizing and the use cases you want to address and the security perception of your organization.
If you are on Azure / AWS and globally distributed we are offering something Gartner is calling Cloud Hybrid Mesh Firewall Platform. We have an amazing offering around Azure Virtual WAN as well.
What is the difference between SASE and SD-WAN?
SD-WAN is largely about traffic steering and does not have a security component. SASE is about security and can include SD-WAN functionality.
Harmony SASE runs different than Harmony Connect? SASE will Replace Connect? Will our Connect Licensing will work to change to SASE?
Harmony SASE is the successor product for Harmony Connect, which was made End of Support in October 2023 with End of Life at the end of 2025. For more details, see: https://support.checkpoint.com/results/sk/sk181531 and reach out to your local Check Point office for further assistance.
What security measures are currently in place on the network, with URL filtering, malware protection (SWG), and firewall enforcement at the edge?
In addition to the above, we also offer browser security. In the coming months, we are also adding Threat Emulation/Extraction and Zero Phishing.
How do I manage security in a DevOps environment?
Have a look here: https://www.checkpoint.com/cloudguard/devsecops/
When all the various Check Point Security features be integrated in Harmony SASE?
We’re working to integrate the Threat Prevention engines into SASE, these will be introduced gradually starting Q3 this year.
How will Check Point address the potential security risks introduced by the convergence of SASE and XDR ?
We’re working to integrate Harmony SASE into Infinity Portal, this includes XDR, soon we will introduce the capability to enforce Custom IOCs in Harmony SASE and also send SASE events to Infinity Events and XDR.
Do you offer the ability edges to connect to all endpoints into SASE service?
SASE fabric functions as a switchboard, each endpoint connected into can communicate with each other.
How do you manage security in a hybrid cloud environment?
The policy is a single policy, just like with cloud only SASE. The policy is managed from the cloud. However the enforcement is either on the agent or the cloud.
How do you manage security in a hybrid cloud environment?
Check Point offer unified policy and management solution to manage security across AWS, Azure, GCP and on-prem datacentre. Our best security, scalability and multicloud solution is what brings customer to select Check Point.
What distinct advantages does a Hybrid SASE approach offer when contrasted with both fully on-premises and entirely cloud-based solutions?
1/ Faster Internet Security (local breakout).
2/ Cloud based service advantages without the disadvantages of high latency, privacy and higher cost
How do email security measures like SPF, DKIM, and DMARC align with the principles of Zero Trust security?
We encourage all organizations to adopt a p=reject status, as it represents a great layer of security. Our AI analyzes SPF, DKIM and DMARC in our email analysis, and we offer a DMARC monitoring tool.
How do organizations balance the need for robust email security with the usability and accessibility requirements of their email systems?
The idea is to enhance security while keeping usability at a premium. We offer multiple deployment modes that allow for flexibility that fits the organization's needs.
How does Harmony Email's "inline prevention" differ from traditional detection methods for email threats?
This is our patent. Gateways scan emails before the inbox, but it passes by Microsoft or Google. Post-delivery means that the email hits the inbox before it is scanned. Being inline ensures that emails are scanned by default security and by us before it reaches the end-user inbox.
The functionalities offered by Check Point Harmony Connect Remote Access (Acquisition of ODO Security) are coming to Harmony SASE?
Yes. Some is already available but agentless RDP and RDP recording are expected later this year.
Can you explain how Harmony Email's API integration work with platforms like Office 365 and what are its advantages?
Yes. It's a 7-click, 30-second install. Very similar to installing an app. We use the API to integrate deeply with Office 365, and it allows many advantages, such as scanning internal email, access to the social graph and more.
Does Harmony Email & Collaboration offer protection for collaboration tools beyond email security?
Yes. We secure Teams, Slack, Dropbox, Box, Google Drive, SharePoint, OneDrive and ShareFile.
Can you please explain how Harmony Email protect remote workers from targeted phishing attacks?
By preventing phishing before it reaches the inbox, it doesn't matter where employees are located. all phishing attacks will be blocked.
Is this tech visible in the email headers?
Our technology is actually invisible to the outside world, but admins have full visibility into every action taken.
How do emerging technologies like AI and machine learning contribute to the ongoing evolution of email security, and what are their potential limitations or drawbacks?
It plays a huge part. AI and ML can help us better understand the scale of attacks, find new patterns and deploy new preventions. Of course, like any technology, AI is still evolving, but it gives us a great baseline.
Can malware and phishing be shown in quarantine but not released by the end user?
Yes. Malware and phishing won't be released to the end-user.
How customizable is Harmony SASE and should I do it myself or have it managed?
Both options are viable. You can have it as a managed solution from one of our MSPs or manage it directly. or both 🙂
Amid the surge in supply chain attacks targeting cloud environments, how does CheckPoint fortify its cloud security solutions to
How we are detecting the impersonation attacks, default the nickname will able identify attack from the Gmail, MO365 and some other domains? How we are better from the features and catching methodology compare to other Gateway and API based email security vendor?
Impersonation attacks are done with AI and ML. Our catch rate is better than gateways because we don't rely on signatures. In terms of API-based vendors, they don't technically catch anything, as every email is delievered to the inbox before analysis.
Can we do phishing campaigns with harmony email and collaboration ?
For phishing simulation, yes, we have a product called Smart Awareness that handles this.
Does Harmony Email utilize sandboxing technology to isolate and detonate suspicious attachments or links within emails, and if so, what level of customization is available for sandboxing behavior?
Yes. All attachments and links are run in a sandbox. There is plenty of customization, from OS used and more.
Will you have the ability to tag emails as suspicious and warranting additional screening? How about quarantine email review and release, if necessary?
Yes and yes!
Can Harmony Email integrate with external threat intelligence feeds to stay updated on the latest email attack vectors and adjust its defenses accordingly?
Yes!
Does Harmony Email and Collaboration scan external email or both ( external and internal)?
Yes
Can HEC scan old emails (prior to a new customer onboarding with HEC)? And if so, how far back in time can it scan old emails for malware, threats, etc.?
Yes. We scan back 13 months
Does Harmony Email offer integrated DLP functionalities to prevent sensitive data exfiltration via email, and if so, how granular are the DLP policies that can be enforced?
Yes we have DLP and it's fairly granular and as customizable as you want to make it.
What are the techniques used in preventing a Brute Force Attack?
WAF can do bot protection and rate limit - both are legitimate techniques to block brute force attacks.
In a SASE-centric approach, the concept of "Zero Trust" assumes paramount importance. How does Check Point conceptualize and implement Zero Trust principles within its SASE solutions to mitigate risks associated with unauthorized access and lateral movement of threats?
Cloud Firewall allows for efficient network segmentation. Each agent is being scanned continuously by Device Posture Check. In addition to this, we also offer agentless ZTNA as a reverse proxy (For Web, RDP, SSH, and VNC). Moreover, we are working on deepening the integration with other key components of the Infinity platform, including XDR, Playblocks, Events and more.
Raffle Winners
Congratulations to our winners of our random draw for attending this session! Winners will be contacted separately and include:
- Daniel Olah from Hungary
- Amrom Hirsch from the United States
- Dominique Perez Gonzalez from Spain
- Kayvon Aynessazian from United States
- Jonatan Ramos from Costa Rica
- Todd Jones from United States
- Tosin Omotade from Canada
- Adrian Bolton from United Kingdom
- Cameron Emanuel from United States
- Bernardo Pizarro from Peru