Prevention Core To Palo Alto Networks' Philosophy, Says CTO Zuk

Long before Nir Zuk developed his network security talent, he learned computer programming by writing a virus in the late 1980s.

That was when viruses spread by floppy disk, not at blazing speeds through network pipes as they do today. The malicious program Zuk designed made characters on a computer screen randomly fall. The infection made letters and numbers cascade down the screen, something akin to the opening scene of the 1999 hit movie "The Matrix," albeit much more slowly.

"Back then we were doing this for fun; it was much more challenging," Zuk said. "It was mostly about learning how to program very low-level programs. It wasn't about exploiting vulnerabilities."


Today, Zuk, an Israeli entrepreneur, is founder and chief technology officer of network security vendor Palo Alto Networks, where he prides himself on making decisions from his gut, rather than by some "bureaucratic process." The company has grown from nearly 700 employees in 2012 to more than 1,300 in 2014. And it's not slowing down in innovation, Zuk said.

"We're making sure that we do as much as we can with the smallest team," he said. "Despite the size of the company, the engineering team is not huge," Zuk said. "We still feel that taking a big gamble will pay off. We're not one of those companies that becomes successful and then starts having to justify new products or strategies on a financial level," he said.

Zuk's style is far from demure. In an interview with CRN last week, following the release of independent testing firm NSS Labs' report on breach detection vendors, he lashed out at the firm and questioned the credibility of its study of breach detection appliances, saying it set a low bar that "enables mediocre vendors."

Palo Alto Networks gained attention in 2009 for its next-generation firewall appliances, designed to identify and control applications on the network. It introduced an advanced threat detection service called WildFire in 2011. Referring to vendors that compete with Palo Alto, Zuk said Sourcefire completely dropped off the radar following its acquisition by Cisco Systems. Fortinet and McAfee are rarely seen in customer engagements, he said, and he called FireEye, which has gained widespread attention for its threat detection platform, a "marketing machine that likes to showcase the zero-day exploits it finds like a badge of honor."

Solution providers tell CRN that no appliance manufacturer is adequately solving the problem alone. Network security vendors are taking a similar approach to threat detection and prevention, said Justin Kallhoff, CEO of Lincoln, Neb.-based Infogressive, a Fortinet partner. Because cybercriminals can get into just about any network, security vendors prevent as much as they are able to, but they are also increasing visibility to detect whatever gets through before the attacker steals data, Kallhoff said.

"It is unrealistic to think that you are going to eliminate malicious code from getting on workstations," Kallhoff said. "Now the idea is to lower the window of opportunity and lower that impact when it happens; it takes layers of security, trained people and educated staff, and even then it's not going to be 100 percent effective."


Palo Alto has been able to adapt to the market quickly and maintain its forward momentum, said J.D. Butt, vice president of solutions at Chicago-based Nexum, a Palo Alto Networks partner. Butt said his firm was initially skeptical of the company's approach.

"I didn't think five years ago that there would be something exciting to talk about with firewalls," Butt said. "We've never had a product in our organization take off as quickly as Palo Alto has; those customers that are used to having less value immediately see things that they have never seen before."

Zuk called FireEye a "good point solution," providing a malware analysis sandbox for a business' main Internet connection. He said the appliance is too slow to handle a data center deployment and too expensive for branch office deployments.

"We've already proven that the [unified threat management] approach doesn't work for enterprise. Check Point UTM started with firewall and added a bunch of blades to it. FireEye is now taking the reverse course. They started with one blade, a sandbox blade, and now they're trying to add other blades to it," Zuk said. "I don't believe in that approach."

FireEye, in its defense, told CRN that Zuk's characterization is based on early versions of its product. Today more than 40 percent of customers deploy the appliance inline, enabling its threat prevention capabilities, said Manish Gupta, senior vice president of products. The company also recently introduced a cloud email service to provide threat protection for Office 365 users. In addition to a strong services arm, the $1 billion acquisition of Mandiant adds endpoint prevention capabilities, enabling users that don't have the appliance deployed inline to automate incident response and quarantine infected systems no matter where they are located, Gupta said.

Prevention is Palo Alto's philosophy and will remain that way, despite a security industry that markets products to detect a breach after the fact, Zuk said. Signatures are still at the heart of the prevention strategy because they immediately give inline network appliances the power to block, he said.

"If we see something bad happening, we just stop it," Zuk said. "We don't just alert you of a breach and say, 'Call us and we will send a bunch of incident response people to you and charge you hundreds of thousands of dollars.'"


Palo Alto Networks' prevention philosophy is reflected in its latest acquisitions, including the $200 million acquisition of Cyvera in March, which adds endpoint visibility to the company's product line, Zuk said. Cyvera modifies the system processes by injecting its technology to deceive an attacker. When malware attempts to interact with the memory in the Windows kernel environment, the technology can block the attack and collect it for forensic analysis. Zuk said the Morta Security acquisition brings in a talented engineering team, but it also adds technology designed to stop an attacker from moving laterally in a network.

"What we missed was the link between the endpoint and the firewall," Zuk said. "The bad guys rarely go straight from the endpoint device to the data center. One of the reasons we are hiring people like Morta, and also Cyvera, is that they are former intelligence people; they know you need to understand how the bad guys work in order to stop them. They understand defense and how the bad guys [work] from their offense."

Solution providers told CRN that they are seeing a lot of continued momentum behind the next-generation firewall maker. NetWolves, a managed network provider, has recently selected Palo Alto as a key part of its managed services offerings to clients, said Michael Grossman, vice president of new business development and marketing. Grossman told CRN that he believes there is client demand for the appliance's capabilities and security services.

"We've got clients that are looking for increased network visibility and the security assurance that it provides," Grossman said. "They're also concerned about mitigating the many risks they face as a result of the constantly changing threat landscape."

Malware that made characters slowly fall on monochrome, text-based screens was considered a fun prank in 1988, and Zuk said it helped him and other novice computer programmers hone their skills. Today, automated toolkits can create a virus, Zuk said. Cybercriminals are rapidly innovating, he said, pointing to what he calls the third generation of malware threats: malware designed to defeat security technologies and give cybercriminals remote, persistent access to the corporate networks they infiltrate.

"Nobody thought at that time that viruses would be spreading through the Internet and that the bad guys would be exploiting vulnerabilities."