Q&A: SonicWall CEO On New Products, Explosive Channel Growth, And Advanced Threats Targeting SMBs

Conner On The Record

SonicWall CEO Bill Conner joined the SMB network security company nearly six months ago, as it completed its spinout from Dell to private equity. Since then, the company has adopted a 100 percent channel model and is looking to leverage its stance as a stand-alone security company. Conner recently sat down with CRN to talk about the company's progress since the split, including what he called "crazy" growth with the channel. Conner also talked about security threats facing SMB customers and how SonicWall is evolving its portfolio to meet those challenges, including hints at possible moves around the endpoint and the enterprise. Take a look at what he had to say.

SonicWall adopted a 100 percent channel model when it separated from Dell last fall – can you give us an update on that?

A lot of people don't give out the stats and a lot of private equity companies don’t want you to give out the stats either, but we will share some information with you because it's CRN. … It's crazy. When [VP of Worldwide Sales] Steve [Pataky] and I sat down to talk numbers of what we thought, never in our wildest dreams would we think [it would go this well]. … The SecureFirst program is off to an amazing start. ... Dell is an important partner. … That continues and ultimately we will get our OEM done, which is in process. … The customers and channels that want that motion, including enterprise and government, there we go. It's kind of back to the way it was before they bought the company, to be honest with you. But, SecureFirst is 100 percent us, 100 percent security, 100 percent channel, 100 percent of the time. … [We now have more than 80 percent of partners migrated to the new program.] It's crazy. I've never talked to anyone who has done that.

What are some of the biggest threats you're seeing for SMBs right now?

The biggest clearly is ransomware. … Especially in small and medium business. You hear about it less in big companies because they have more sophisticated ways to deal with it. If you look at that in 2014 it was about 3.3 million attacks. In 2015, it was about 3.8 million. In 2016, it was 638 million. … Here's what's crazy about this: If you're a small business and you get [ransomware] and you look at the risk of not paying it, the jury is all over. I've seen from 20 percent pay to 60 percent pay. … The real hidden cost, on average, is $2.5 million [for remediation]. … If you're a small business, that's a real number. … Here's the part that we're really zeroed in on: If you think of that volume with the 638 million attacks, your next-generation firewall or firewall, how effective is it against this volume? I can argue we will catch 99 percent, or others can catch 97 percent. … One percent of 638 million is a big number. … You start to think of this arms race in a very different way.

What are you seeing around IoT for small and medium businesses? Is that a threat?

IoT is a new network. … You have to start looking at it. One botnet [with the DDoS attack last fall on Dyn] really drove that. Everyone knew IoT was predominantly not secure anyway, but people didn't think of it as attached to some business. … We're now looking at that from the gateways behind the local area networks or wireless networks, like we do any other network, to try and start to profile what's happening there. That clearly is going to be around for a while. It's the Wild, Wild West. … You used to think about how you would launch DDoS attacks on a business by commandeering laptops and servers. Well, now if I can get millions and billions of processors and [distribute them], I've got a whole different DNA strand now of attacking that can literally take out entire networks. You can think of how the variants of that could be interesting. ... The problem with IoT is no one is embedding security into that and in some cases there's no room for it. … It is a big problem and we aren't even to the chasm of it yet. This one has a lot of legs, requiring a lot of thinking and a lot of re-architecting.

What areas in security are we seeing improvements in?

When you start looking at what good is going on, I look at point of sale. Back in 2014, there were 14 variants of malware attacking the point of sale and everyone was having to get new credit cards all of the time. … That then went down to nine in 2015. If you think about what we did, the rest of the world had gone chip and pin and we went chip and signature in the U.S. … This past year we only found one malware variant. Don't get me wrong – that doesn't say point of sale is completely safe and people aren't still going after it, but if you're a bad guy, it's kind of like that house has a fence, cameras and lights on it, so there are other places I will go. That's what's happening. … It certainly has been a deterrent and a lot less bad people are going after it.

Any other areas of improvement you're seeing in the threat landscape?

If you look at the advances in SSL and TLS encryption. … There was a huge increase in [the use of SSL] – 62 percent of all internet traffic is SSL. That's just good because it is making it harder to break the networks and to steal the data in transit. … The other thing that no one is talking about is exploit kit decline. … Those declines happened because of arrests that law enforcement made in Russia. … That is huge because I think that point still needs to be made and no one is talking about it. There is a government law enforcement role to play here globally because it does extend past global or country. As much as I want to be an isolationist, this is a global phenomenon and you're not going to nail it just with one country and isolationism. … No one is talking about that unique kits went down from 64 [million] to 60 million. That's pretty remarkable. It's the first time ever that it's gone down. … The way we sample in our grid network, we're looking for the DNA strands. That's why our efficacy is so good, because we're so good at catching DNA strands. … That's what's behind it. Our firewalls and our new capabilities around Capture do better at capturing this stuff and stopping it. The message here for small businesses and channels, especially small businesses, is if you have the right team you can sleep better. We're winning some. You wouldn't know it by everything you read, but there is good stuff happening.

Talk about the rise in encrypted traffic – are there any downsides to that?

The opposite side of the SSL coin … is we see tons of malware coming in through encrypted communications, SSL and other. We started as one of the first pioneers on un-encrypting SSL, deep packet inspection at speed, so you could see if there is malware in the SSL pieces of that. NSS had up to 70 percent coming in now through encrypted communications. … It's coming in cloaked and unless you can go in and look at it, it's in. That is hugely increasing in terms of a risk profile. While it's good everyone is using SSL for the good part, now the bad guys are … going to go in and unless they have a DPI SSL, it's coming in cloaked. A lot of that is through email and a lot of that is through SSL.

How should SMBs go about tackling more advanced threats?

When we think of all of these advanced threats, what businesses small, medium or big need is real-time breach detection. If I have 97 [percent] or 99 percent effectiveness or efficacy on detection, 1 [percent] or 3 percent is still getting in. … I'm still dead or impacted. The real-time behavior [analytics] becomes important. … The second piece of that then becomes, well, if I'm a small business how do I do that without a lot of staff and without a lot of capital? ... That's the business challenge. To do it, you have to be able to do it with some of the capabilities that we think enable you to change that paradigm. We think, clearly, inspecting encrypted traffic, including SSL and others, is fundamental. Email still remains a 60 percent transfer rate of how stuff comes in, either through PDF or attachments, files or traffic. Traditional sandboxing and firewalls are great on the detection, but you somehow need a way to be able to do it where once you see [a threat] everyone gets it for that 1 [percent] to 3 percent [that gets through]. It's more of a prevention play. Then, really do not let that 1 [percent] to 3 percent go – block [it] until a verdict [comes in] and make that as real time as you can. That's what we're doing with our platform of capabilities.

What is SonicWall doing to help SMBs up-level their security game around advanced threats?

With all of our firewalls – TZ, NSA, Supermassive – we put out a capability called Capture. … People think it's just a network sandbox and it's not. … Capture, just to spend a few moments on that, takes that 1 [percent] to 3 percent coming off the firewall or next-generation firewall and sends it to our cloud in a network sandbox, but it runs three different engines in parallel. Think of it as running a hardware look, an OS look, and an apps or a software look. … Why is that important? When you go back to how these are coming in, all of the threats come in in different ways. What we do is run those in parallel – real time – and we will block it until we figure out if it’s a strand [of malware] or not a strand. … In a small or medium business you can't separate all the networks and you can't have all the tools, costs and the resources to do that. But, now if I go to the big enterprise I think there's a paradigm shift that's going to come here. I'm not going to go compete in the data centers with Palo Alto Networks, Check Point and Cisco. Data centers are dead – they're all going to the cloud. … We're already seeing some people globally … look at what we're doing with Capture and saying that's a higher-level service and protection than a normal next-generation firewall.

Does that mean you feel that you have a bigger play in the enterprise now, rather than focusing on the SMB?

I'm not going to say now, but I think it's coming. The same thinking that got them here will not get them out of here. … If you have all of your sensitive information running on the same stuff as your not-sensitive information, [hackers] are going after sensitive information and they will find it. They are going to get through, so you have to segment and look at not just one vendor and different topologies and different engines to go drive that. I think that will open up a window. Stay tuned. I can't talk about some things, but when we get the IP locked down we will have some revolutionary technology in that space.

Are you guys looking at anything about endpoint?

Yes. Stay tuned. We are already in the endpoint with some of the legacy guys. We are evaluating that piece. That is all I want to say for now. We have some next-generation capabilities we can partner with, or partner with a combination of the legacy companies and the new guys. All of that is on the table. Stay tuned. It's important because it's Metcalfe's law – it's endpoint. But, when we look at it from a business standpoint if you just have one trick – some new piece on an endpoint – that doesn't buy you a lot. … There are a lot of trade-offs to be made with that and I think it's way overhyped in my mind. They have to work together. But, right now we're focused where we're really good, which is don't let it in to start with. But, we do understand the unique value that tying an endpoint could bring, no different than what we've done with email and what we've done with network sandboxing in the cloud. … I think there is some opportunity there and we will be doing something there. Stay tuned.

What are you rolling out around bringing Capture to email – how does that expand your strategy?

Email is the vehicle of choice to come in, whether it's on PDFs, or any kind of file. … Think of this as our first foray into how we are going to think differently about channels. People traditionally think of us with the existing email we've got as a hardware appliance, or an appliance with some great software on it for email with a client you can encrypt the email with or not. We're tremendously improving the hardware platform. We have now common firmware that can go off of our legacy hardware or our new ones, but that same firmware then is going to be able to give us … two other ways to get it: one is in software … or I could give it as a cloud service. It's a very different channel. It might be an MSP or it might not be. We've had 10,000 channel partners forever and everybody treats them all the same, except for many MSPs. The way we are going to differentiate is by giving the channel choices, just the way channels give customers choices. … That is a very different go-to-market model and motion than what I see a lot of people doing in this space right now.