Headquartered in Silicon Valley and founded in 1988, Cadence Design Systems, Inc. is a global technology company that spans 40+ countries with over 8,000 employees worldwide. Cadence supplies electronic design technology and engineering services in electronic design automation (EDA) to much of the semiconductor industry, including Fortune 100 companies. Cadence produces software, hardware and silicon structures that are used to design integrated circuits, systems on chips (SoCs) and printed circuit boards.
Cadence’s Journey to the Public Cloud
Originally, Cadence ran their own datacenters and found those to be sufficient for their computing needs. However, as the enterprise expanded, it began to outgrow the computing capacity of its on-premise system. Cadence needed a system that has scalability, elasticity and securely enabled cloud demand. Sreeni Kancharla, Chief Information Security Officer (CISO) and Sr. Group Director for Cadence, and his team of ten engineers, including his head Cloud Architect, Koji Kuramatsu, turned to Amazon Web Services (AWS) for help. With the resource capabilities supplied by AWS at their fingertips, Cadence was able to provide the computing power necessary to respond to customers’ requirements instantaneously as needed.
Cadence started their public cloud journey in 2014. Today Cadence primarily uses AWS, via 50+ accounts. Cadence has a presence mainly in three AWS Regions worldwide, which include the USA West and East Coasts, and Europe. It makes full use of the AWS cloud functionality for production, utilizing services for compute, storage, networking, database, security, developer and management tools. Cadence’s AWS footprint covers more than 1,000 instances, 770 security groups, and 115 Amazon VPCs, with more than 4,000 different network security policies and rules, which leaves Kancharla and Kuramatsu with the challenge of securing a very dynamic cloud environment. In addition, while AWS is their primary cloud service, Azure is also represented with tens of compute and storage resources deployed in 29 security groups. They have also begun incorporating Google Cloud Platform (GCP) into their multicloud environment.
Cadence Tackles Cloud Challenges with New Solutions
From the get go, Kancharla knew that migrating to the cloud would bring challenges in the realm of network security, compliance and visibility. He needed to be sure that any cloud management integrated solutions would be compatible and effective across the major public cloud infrastructures-as-a-service (IaaS) providers, which included AWS, Azure, and GCP. Due to their anticipation of these security challenges, Cadence began using CloudGuard Dome9 as soon as they moved to the cloud.
Visibility into the cloud is vital in order to control security and minimize the infrastructure attack surface. With the highly dynamic nature of the public cloud and unlimited amount of resources it would afford its customers for scalability, the need arose to tightly monitor and track the various network configurations. According to Kancharla, “With several administrators adding to the cloud configuration, the occasional misconfiguration is inevitable. With thousands of constantly shifting rules across hundreds of security groups and VPCs, Cadence’s cloud presence is far too big and complex to be managed by humans. It’s impossible for an individual to manage it. We needed an automated tool that actually tracks all the changes.”
When a change occurred, Kancharla’s team needed to be able to peer into the system to see exactly what took place so that it could be corrected quickly. Cadence needed to automate repetitive tasks such as security group auditing, fix any misconfigurations with in-place remediation, and have built-in active protection to enforce established policies with the ability to track and revert unwanted changes consistently.
CloudGuard Dome9 Clarity for Granular Network Visualization
Cadence found their solution in CloudGuard Dome9 Clarity. As part of the CloudGuard Dome9 service, Clarity is a powerful visualization capability that provides a granular view of network topology and workflow traffic so Kancharla’s team can easily map all subnets and drill down to view reports of all AWS EC2 instances on a single, easy-to-use dashboard. In addition, Cadence uses CloudGuard Dome9 Clarity to check their AWS VPCs state and overall network exposure. This includes using CloudGuard Dome9 IP Lists for grouping and configuring permissions to specific public IPs. Using CloudGuard Dome9 Clarity, Cadence has centralized management of its network security posture and can efficiently whitelist those IPs that can be viewed coming to and leaving from their security groups, in order to define the internal and external network links.
One of Cadence’s most common uses for Clarity is to find potential vulnerabilities that would create a security alert. Clarity gives Kuramatsu a quick view of a specific subnet or route going from A to B so he can quickly identify any unauthorized changes to the network. In addition, the CloudGuard Dome9 VPC Flow Logs allow the team to respond quickly to events without a cumbersome investigation of the data logs.
Maintain Access Control While Providing User Flexibility
Enforcement of access and authorization to ports and services are vital in a complex cloud network. One of the main concerns Cadence faced was protecting their customers’ data while providing multiple users access. Cadence needed a tool that could not only monitor, but protect the movement of resources both between the segregated subnets as well as on and off the public cloud networks. This tool would ensure that only authorized individuals could access specific data, make changes, and enforce only authorized changes.
While securing access, Kancharla had the added challenge of retaining flexibility. Cadence provides training sessions for their customers, which require the off-site trainer to enter the Cadence system remotely from the customer’s site. However, permitting such ad hoc temporary entry naturally puts the network at risk and makes it vulnerable to outside threats. Kancharla’s team sought a solution that would let them add access without compromising strong security controls.
Active Protection for Security Enforcement with CloudGuard Dome9
Kancharla recognized that the cloud security solution he implemented needed to offer full security orchestration, going beyond monitoring and reporting to include enforcement. Automated control over the implemented and established baseline security posture was essential. Within the CloudGuard Dome9 service, Kancharla found the control he was looking for with the always on security enforcement of Active Protection with CloudGuard Dome9. With active protection, Cadence acquired the following three-pronged approach to the challenge of granting user access and providing flexibility and agility to its customers, while securing their multi-cloud environment with confidence.
CloudGuard Dome9 Dynamic Access Leases: “We use Dynamic Access Leases heavily,” says Kuramatsu. He and others on his team use CloudGuard Dome9’s Dynamic Access Leases to solve the challenge of individuals who need temporary remote access to the network. With Dynamic Access Leases, the person can get specific temporary access to only those parts of the networks that he needs for a limited time frame. The CloudGuard Dome9 tool opens up the ports automatically and closes access again at the end of the defined time frame, thus reverting to the original, defined network state, ensuring consistent protection across their clouds.
CloudGuard Dome9 Tamper Protection: Attempts to modify a security group from the multi-cloud environment will result in Tamper Protection detection and a message. Cadence’s predefined policy in CloudGuard Dome9 is always enforced, and any modification attempt will be overridden, forcing the policy to revert to its original definition. Kancharla’s team leverages this capability to make sure there are no port changes that result in configuration conflicts, especially in the case of network configuration updates.
CloudGuard Dome9 Region Lock: Since Cadence operates across three AWS regions, Kancharla and Kuramatsu rely heavily on Region Lock to enforce regulations which prohibit moving data between regions. Cadence uses Region Lock to ensure that information cannot be moved outside of the USA or Europe. Furthermore, with Region Lock, Cadence can make sure that user access is granted accordingly and employees cannot view data that they should not be seeing.
Compliance Reporting for Customers
Cadence is a large public enterprise that serves leading industry vendors. As such, customer trust is key. With the migration to the cloud, Cadence had to be able to continue to demonstrate consistency with industry standards such as ISO 27001 and other cyber security frameworks’ best practices in order to reassure their customers that their applications and data are safe.
Compliance Automation and Reporting with CloudGuard Dome9
The Compliance Engine from CloudGuard Dome9, a part of the CloudGuard Dome9 service, delivers continuous end-to-end compliance testing and reporting against industry standards using automated data aggregation and an intelligent insights generation system. Cadence turned to the Compliance Engine from CloudGuard Dome9 to generate compliance reports for AWS and Azure.
Kuramatsu notes that CloudGuard Dome9 best practices reports are, “One of the best parts of the Compliance Engine from CloudGuard Dome9 and we use them quite often.” They also use CloudGuard Dome9 to validate their cloud security against the CIS AWS Foundations Benchmark framework, which is a set of security configuration best practices to protect one’s footprint on AWS. Kuramatsu can prove how robust Cadence compliance truly is by producing compliance reports, and can quickly respond to Cadence management requests with well-structured and trusted information.
Cadence Uses CloudGuard Dome9 for Robust Security Across Its Multi-cloud Environment
Nihondentsu Co. Ltd
Nihondentsu is an ICT consultancy, based in Japan. By deploying Check Point Next Generation Firewalls the business has simplified its security management and established a platform for continued growth.
Securing a seamless link between branch offices
Nihondentsu has more than 50 years’ experience in advising businesses on their ICT strategies. As it leads clients through digital transformation projects, its own business must change too: Nihondentsu must become more agile, mobile and flexible.
Critical to this is a seamless link between the 18 Nihondentsu offices. The company wants to enable all staff to have access to the latest corporate and customer data securely.
A VPN solution, installed across all 18 branches in 2000, had become unstable and insufficient. With communications across the business steadily increasing, the VPNs were unable to cope with higher levels of traffic. The system was difficult to maintain and complex to manage.
“The situation was difficult,” says Hiroshi Ainaka, Chief, Network Group, Technical Department, Nihondentsu. “We recognized the urgent need to replace the VPN routers, but we had to look at the issue from many angles. The challenge was not just to improve access response, but to make sure that security was solid, that post-deployment management and operation would be easy, and that the cost/performance ratio was fitting.”
Rapid deployment and simplified management
The Check Point 700 Appliance delivers enterprise security in a series of simple and affordable, all-in-one solutions. Automated reporting, scalable deployment, and hands-off setup and configuration are all Firewall features which enable Nihondentsu to protect their employees, networks and data from cyber theft.
“The most impressive feature of the 700 Series is that it is an all-in-one product that achieves high performance and advanced security in a very balanced manner,” says Ainaka. “For a company of our size it’s unrealistic to have dedicated security personnel in place. What clinched it for us was that the 700 Series is easy to deploy, easy to run, and has a solid post-deployment support system.”
Setup can be done in minutes using pre-defined security policies and a step-by-step configuration expert. Check Point 700 Appliances are conveniently manageable both locally via a Web interface and centrally by means of the Check Point Security Management Portal (SMP). The solution allows users to connect securely from any device directly or through secure authenticated Wi-Fi for simple cloud management.
Nihondentsu enforces secure mobile workplace to drive business growth
ABOUT DATASTREAM CONNEXION
DataStream Connexion is a premier technology consulting and web application development agency. Formed in 2000, they have built web applications for the Federal Government, USDA, FDA, the Department of Homeland Security, healthcare organizations, Fortune 500 companies and small businesses looking for best-of-breed solutions. This small yet nimble team, led by Eric Hoffman, President and owner, provides services that range from product development and DevOps, to cloud security and compliance. DataStream Connexion excels at incorporating comprehensive security and compliance management into the innovative products they design, and thus have garnered the trust of many government agencies and healthcare organizations with maintaining their critical applications in the cloud.
BACKGROUND: AN EARLY CLOUD ADOPTER
In 2006, Amazon opened the door to the cloud with Amazon Web Services (AWS), providing a more robust and resilient infrastructure solution. Seeing great potential, Eric made the strategic decision to migrate both compute and storage to Amazon EC2 and S3 respectively. In addition, as AWS matured, DataStream Connexion’s customers benefited from the evolving robust security controls as well as certifications such as FISMA, SAS-70, ISO 27001 and HIPAA that AWS has to offer.
LEVERAGING AWS GOVCLOUD
With the introduction of AWS GovCloud in the US region in 2011, the team also recognized the great opportunity of the cloud when it came to hosting highly regulated workloads. This newly introduced Amazon GovCloud was a perfect fit for their customers, supporting the common AWS security controls and compliance standards, but in an isolated, dedicated region, designed specifically for sensitive government agency data. However, in the early days of the public cloud, there was still pushback from Datastream Connexion’s federal customer base who were unsure of securing their data in AWS.
During this early cloud adoption stage, Hoffman and his cloud operations team knew that the advantages of AWS were many. However, they also understood their part in the AWS shared responsibility model and that it presented a new set of challenges they would have to overcome to make their customers’ cloud adoption journey a successful one. They began to search for tools that would help them build out the visibility and compliance their customers depended on, in order to increase their customers’ trust in this new Infrastructure as a Service (IaaS) model. It was the same year that Hoffman found CloudGuard Dome9 and they became one of CloudGuard Dome9’s earliest adopters. Since then, as Hoffman states, “CloudGuard Dome9 has become our trusted partner in ensuring the security posture of all DataStream Connexion customers.”
NAVIGATING THE NETWORK SECURITY CHALLENGE
As with every new technology adoption scenario, there were challenges that had to be worked out along the way. With the CloudGuard Dome9 platform by their side, DataStream Connexion was able to address and mitigate each one of the following challenges.
Challenge 1: Effective and Efficient Security Management
DataStream Connexion has tens of VPCs and security groups, which end up creating an elastic cloud environment consisting of hundreds of inbound and outbound rules. They also have temporary rules that come and go as their Dev and Ops teams provision temporary access from different locations to allow their flexibility. The first priority was to simplify governance and policy implementation, to limit vulnerabilities and mitigate risk.
Challenge 2: Providing Access While Ensuring Integrity
DataStream Connexion’s small yet agile team of developers, database admins, network admins and generalized office staff all have different needs within AWS. The Ops team has to be able to provide access to various resources for development and specific environments for production, while enforcing strict segregation according to predefined user roles. This means running strict access policies for different security groups in order to avoid widespread administrative access to sensitive highly regulated environments.
Challenge 3: Allow The Broader Team Self-servicing and Flexibility
One facet separating DataStream Connexion from their peers is a bond of trust and accountability among the entire staff, including Ops, Dev and Test. The team practices continuous integration/continuous deployment (CI/CD) DevOps methodologies to move rapidly, without being bogged down with cumbersome legacy procedures that can hinder progress and agility.
This means allowing individuals remote access to their cloud environment at any time. However, providing remote access requires a change in network security rules, which includes security ports. This is a potential landmine, as enabling the broader team to change configurations is clearly prone to human error.
Challenge 4: Implementing End-to-End Compliance Management
Adhering to compliance standards can be complex. This is especially true for DataStream Connexion, whose customer base is made up of federal agencies which must adhere to standards such as FedRAMP and NIST. In addition, over the last year, AWS has expanded its offering for the healthcare market, and DataStream Connexion’s customer base has also grown in this segment with the customers’ focus on HIPAA compliance. Tracking compliance status is no small feat, and a complex cloud network must be consistent and reliable when it comes to different rules posed by various regulatory compliance standards requirements. When it came to validating compliance at scale, Hoffman realized that running manual checks was not an option and would eat up much of his team’s valuable time and resources.
Solution 1: Complete Visibility Over the Entire Infrastructure
Network security with CloudGuard Dome9 Clarity allows the team to visualize their cloud perimeter, network topology, security policies and configurations in real-time. It lets them see how the network changes, including configurations of different security groups, as well as being able to drill down to see each instance exposure and its security group assignment. CloudGuard Dome9 Clarity allowed them to quickly spot misconfigurations and eliminate vulnerabilities such as open ports or broken network links between different system tiers. Finally, CloudGuard Dome9 Clarity eased policy analysis, helping the team to enhance rules and strengthen their network security policies with quick links to edit relevant rules and components.
Solution 2: Implementing RBAC to Allow Work to Flow Unhindered
As mentioned above, together with CloudGuard Dome9 Clarity and CloudGuard Dome9’s role-based access control (RBAC) capabilities, all Dev and Ops members have access, but only the team admin is able to adjust settings – such as opening user restrictions to a specific security group. The Ops team is able to provide developers the instant access they need to test out new processes, which helps them accomplish their goals faster and with greater ease.
While it is very important for Hoffman to trust his staff and allow them to be nimble and empowered to do their work, if a change has been generated, it is critical that he can oversee it to ensure that it has been implemented properly. CloudGuard Dome9 Alerts keep him aware of what is taking place at all times, and he can always inquire about events as needed. This allows for fast paced innovation, enabling flexible access to the different environments without compromising their network security posture.
Solution 3: Controlled Temporary Access
CloudGuard Dome9 Dynamic Access Leases allow DataStream Connexion to schedule time-limited and on-demand access to services and ports, so that when the time allotted has ended, all ports are closed by default. Access is provided on an as-needed basis, reducing open port exposure, even via mobile device or with the Chrome Browser extension. With CloudGuard Dome9 Tamper Protection, the environment is continuously monitored for any changes to the last approved state. All changes are reverted back automatically, and the Ops team is immediately alerted to validate the policy change. Finally, the risk of open port exposure is dramatically reduced, and the DataStream Connexion staff has the access they need at the click of a button.
Solution 4: Automating Compliance with the Compliance Engine from CloudGuard Dome9
One of Hoffman’s most important weekly tasks is reviewing the Compliance Engine’s policy reports from CloudGuard Dome9. This comprehensive compliance and governance solution simplifies complicated procedures with automated data aggregation in real-time, and in-place remediation control which streamlines the analysis process, saving hours of complex work. The team can create and enforce custom policies unique to DataStream Connexion’s needs, while identifying risks and gaps using built-in test suites for common compliance standards such as HIPAA. In addition, the Compliance Engine from CloudGuard Dome9 continuously runs audits against their cloud deployment, and with it the team can validate its network security posture as well as report the current exposure status and vulnerabilities across their whole cloud network. Leveraging the easy to use dashboards and controls, the team benefits from this transparency and can enforce their established policies and be confident in their cloud compliance status at any point in time.
Datastream Connexion Builds Secure Federal and Healthcare Applications With Cloudguard Dome9
ProSiebenSat.1 Media is the leading German entertainment player with a strong e-commerce business. Every day, 45 million TV households in Germany, Austria and Switzerland enjoy its 14 free and pay TV channels. Its online offers generate 1 billion video views per month. Every year, the company invests more than €1 billion in 120,000 hours of programming.
Protecting an increasingly complex broadcast environment
New, digital competition has changed the way viewers consume content. We tend to watch content when and where we want, rather than linear. The phenomenon of ‘second-screening’, with viewers watching TV alongside a smartphone or tablet, is now commonplace. Viewers may also have contracts with multiple providers and many will pay for specific content.
As a consequence, broadcasters are now in a continuous state of service delivery: They must constantly engage with viewers across multiple platforms and offer entertainment across any device.
“The business has changed significantly, not just in terms of how we process content,” says Andreas Mang, Senior Network and Firewall Manager at ProSiebenSat.1. “We live in an age of digital transformation and this development demands us to change.”
ProSiebenSat.1 brought its security management in-house seven years ago. The objective was primarily to protect media files and customer data when moving between sites. The business also wanted greater responsiveness around security and to build its corporate knowledge of security threats and solutions. “We saw many attack vectors,” says Mang, “from spear phishing to protocol exploitation.”
Check Point was central to moving everything in-house, with Check Point 44000 Next Generation Firewalls and SmartEvent providing full threat visibility.
“The challenge now is scale and network segmentation,” says Mang. “We have really high bandwidth requirements on the internal networks, say 20GB per second. We need to accommodate this scale, but also future-proof any investment. We want to have headroom up to 50GB per second.”
The scale to accommodate long-term growth
The Check Point 44000 Next Generation Firewall is a scalable solution designed to excel in large data center, media and telco environments. The multi-bladed, chassis-based security systems scale to support the needs of ProSiebenSat.1’s growing networks, while offering reliability and performance.
The Next Generation Firewall also gives Mang and his team better control over the IT environment, allowing them to identify new applications and either allow, block or limit their use; and making the implementation of new policies simpler and more consistent.
“It’s a big deal for us,” says Mang. “It is an investment we will benefit from for many years.”
The 44000 Next Generation Firewalls provide high port density, with 10, 40 and 100 GbE fiber ports. In addition, full redundancy (N+N) prevents down-time, there is advanced protection against known and unknown threats, and the solution is designed for ease of management and fast deployment – ideal for ProSiebenSat.1’s fast-moving, downtime-intolerant environment.
ProSiebenSat.1 also uses the SmartEvent event management solution to provide a single view of all security risks, allowing the IT team to respond immediately to security incidents.
“We use SmartEvent for troubleshooting mostly,” explains Mang. “It’s one of the best products on the market, providing metrics and analysis on a daily basis, without being over complicated to use.”
Leading German entertainment player prevents downtime in always-on media industry
The Good Sam Club makes outdoor adventures a safer and more rewarding experience for more than 2 million members. With a wide range of discounts and services, Good Sam enables recreational vehicle (RV) owners to enjoy their time on the road. Its parent company, Camping World Holdings, is a leading retailer of outdoor recreation products and services.
Taming a Wild Threat Landscape
Millions of North American households are avid campers, with 2.6 million new households joining the ranks in 2017 alone. This enthusiasm – together with an initial public offering in 2016 – resulted in double-digit annual growth for Good Sam. With this new growth and their numerous acquisitions, cyber threats facing the company also increased, but its cyber protection infrastructure did not keep up.
Good Sam originally deployed McAfee Sidewinder firewalls and Cisco ASA devices for their security and remote access capabilities. But as the threat landscape changed radically in the past two years, Good Sam lacked visibility into the advanced threats attacking its business. It had no way to know what threats were lurking in its infrastructure or targeting end users. Good Sam management decided to significantly upgrade its security posture.
“I joined Good Sam to mature its IT and security infrastructure,” said Steve Moran, Director of IT Systems and Security for the company. “Based on my experience with Check Point solutions over many years, it was clear that Check Point would enable us to quickly increase security and visibility with minimal management requirements.”
Better than Previous Platforms
Moran began by deploying Check Point 15600 Next Generation Security Gateways in the data center. These firewalls deliver comprehensive multi-layered protections including: URL filtering, IPS, Antivirus, Application Control, Anti-Bot, and Email Security. They also included the award winning Check Point SandBlast Zero-Day Protection with Threat Emulation, which monitors traffic at the CPU level to detect and stop attacks before they evade detection.
Check Point R80 Security Management consolidates views, policy, threat management, and automation into a single console to deliver visibility and control across the entire security infrastructure. Logging, monitoring, event correlation, and reporting are also unified, giving Moran instant insight of security events across the whole network.
“Deployment was flawless,” said Moran. “There’s simply no comparison between Check Point and our previous platforms.”
Good Sam Upgrades Its Security Posture with a Single Solution
Omnyway is a born-in-the-cloud advanced mobile shopping and payment platform that provides retailers with the ability to offer their customers a complete digital shopping experience with the use of their smartphone for all aspects of their buying journey. Omnyway’s solution enables their customers to be more competitive by creating a dynamic digital channel between the retailer and shopper across all levels of interaction including in-store, online, in-app, virtual aisle and dynamic media. Omnyway’s platform is designed to interface with a retailer’s existing system and mobile app with minimal development needed to turn a traditional retail store into a first-class shopping experience for its customers. Omnyway’s customers include several of the Fortune 500 retailers, and the company is headquartered in Redwood City, CA.
Omnyway’s first product was developed for Kohl’s department store and provided rewards and special offers as well as payment services. This original product used Amazon Web Services (AWS) EC2 instances along with relational database services (RDS). The original platform has since evolved, moving away from instances to take advantage of the newer managed services offered by AWS which include microservices architecture, Docker containers, the use of Fargate and elastic container service (ECS), Lambda functions, key management service (KMS), and managing IAM policies with simple system manager (SSM) parameters.
“The fact that Omnyway is PCI certified, drove us to think about cloud security from the beginning,” said Robert Berger, CTO & SVP Engineering. “We were looking for specific tools to enhance our security and compliance. As our platform channel continued to grow with more applications being developed, our environment was becoming very complex. It was becoming difficult to visualize our VPC peering, security groups and workflows to verify our environment was secure. We also needed a secure yet flexible way to accelerate our DevOps by providing developers with easy remote access while making sure ports remained closed when not in use. Additionally, we wanted to ensure robust security within our platform and wanted a way to consistently scan our environment to provide reports on compliance status along with security best practices, showing us where we could improve. We were looking for a public cloud security solution that would address these concerns, while being future-built to secure existing and new microservices.”
Omnyway’s AWS cloud environment consists of 2 regions, 4 accounts and 20 VPCs that support different applications, with applications being spread across all 4 accounts. The VPCs are designed to isolate specific information that does not need to be shared. All applications are replicated in the second region for resiliency and redundancy so if one region fails, coverage continues. In working with customers and credit card payments, Omnyway’s system is PCI certified but goes beyond the required PCI levels of security. Their frontend system never sees credit card data and the back end uses VPCs to segregate crucial data, with the additional use of AWS CloudHSM security service for an extra level of protection for their data in meeting PCI regulatory compliance requirements.
Visibility into Security Infrastructure
“As we continued to build our platform and scale in the cloud, our security groups became very complicated and it was hard to track workflow”, said Marius Ducea, VP of Operations. “We needed clear visibility into our security infrastructure to locate misconfigurations and see where items were blocked to fix and secure our environment.”
CloudGuard Dome9 Clarity
One of the key reasons why Omnyway selected CloudGuard Dome9 was its powerful network security visibility at scale. The CloudGuard Dome9 platform’s visualization tool, CloudGuard Dome9 Clarity, provided Omnyway with granular visibility into their network topology and workflows, so that they could see their VPC peering and security groups, locate vulnerabilities, and remediate them in place. Additionally, they were able to use the VPC flow log feature to help identify misconfigurations, which was crucial for troubleshooting flow issues and debugging during the initial design of their system.
Secure Access for Agile DevOps
Omnyway was providing developers access to their production environment through their bastion host. With the bastion host open and a port always exposed, they were consistently experiencing brute force attacks. Additionally, the SIEM that monitors their logs produced a large amount of noise, continually generating alerts because of all the attacks. Omnyway wanted to provide developers with flexible access to ports while making sure each port was closed after use, and wanted a way to reduce alerts to key events.
CloudGuard Dome9 Dynamic Access Leases
CloudGuard Dome9 offers comprehensive network security that goes beyond monitoring and assessment to offer active protection that enforces the desired policies and access control. CloudGuard Dome9’s Dynamic Access Leases provided Omnyway’s DevOps team with time-limited, on-demand access to services and ports; once a lease expired, the port would close by default. This feature removed the need for a bastion host and helped reduce the potential attack surface while still allowing legitimate users to get the access they need with the click of a button. According to Robert Berger, CTO & SVP Engineering, “Dynamic Access Leases provides me with a feeling of comfort with only a single person’s IP address able to gain access for a specific amount of time. Being a PCI certified platform requires a separation of duties, traditionally with a big wall between Dev and Ops. CloudGuard Dome9 provides self-service, fine-grained access control to both groups, without isolating the teams. For access to services that are more critical, my security team can control access. The amount of noise we were experiencing with our SIEM has also diminished. Our CloudTrail events are now only triggered when someone is logging on. Dynamic Access Leases has been a key component in providing Omnyway with agile DevOps and a huge benefit in advancing our platform.”
Enforcement of Continuous Compliance and Security Best Practices
Omnyway is committed to building the most secure mobile platform for its retail customers that it possibly can. With PCI certification, they must meet specific guidelines in securing their environment. Omnyway has gone beyond what is required and was interested in finding a solution that could not only automate scanning of its environment and generate continuous compliance reporting, but also provide security best practices that suggest ways to strengthen security policies and ensure a robust security posture.
CloudGuard Dome9 Compliance Engine
The CloudGuard Dome9 Compliance Engine provided Omnyway with a way to bolster security across their AWS environment. Within the Compliance Engine are several compliance and best practices test bundles that, once selected, can be automated and set to run checks at desired times across AWS accounts. The tests point to assets that have passed or failed and identify policy issues that need to be addressed to enhance security best practices. The reports also show the status of new assets as they are added, which has been of great value to Omnyway.
Omnyway uses CloudGuard Dome9 to provide secure devops for its retail mobile platform
As a provider of business services to two of Italy’s largest trade associations, FIASA handles a wealth of highly sensitive personal and corporate data. This puts FIASA in the position of having to pay the utmost attention to protecting the data it holds.
A more sophisticated position on threat prevention
“FIASA has a long history of taking cyber threats seriously,” says IT manager, Giovanni Montomoli. “We provide payroll processing services, invoice management, and overseeing accounts. These are all critical services for our members. We’ve had ‘traditional’ firewalls in place for years. There has always been a compromise between price and performance, but we’ve never suffered.”
However, the introduction of GDPR, and an awareness that the threat landscape was changing, led Montomoli to re-examine FIASA’s position. “There was a more powerful case for developing a 360° view of our customers’ data. I attended several security conferences and could see that threat prevention was evolving.”
Montomoli wanted to strengthen threat prevention for around 200 users of the FIASA network. The aim was to support mobile working, while reducing the strain on in-house management and help desk support.
Maximum security without impacting performance
Check Point SandBlast and Check Point 5000 Next Generation Firewalls offer a fully integrated, multi-layered solution tuned to deliver maximum security without impacting performance. The gateways provide FIASA with the most advanced threat prevention security.
“We considered a couple of options,” says Montomoli. “I’d like to tell you the decision was based on a thorough proof of concept. However, the truth is we heard some very good things about Check Point from our peers. Everything we heard told us that Check Point was versatile, effective, and could be trusted.”
His most critical concern was working alongside a partner experienced enough to manage the configuration. “Without Sarce as our partner, we might not have moved forward,” he admits. “This kind of project has to be managed by certified professionals. You cannot improvise.”
FIASA Secures Critical Corporate and Personal Data with Check Point
Commune d’Uccle is a local authority to the south of Brussels. Whilst it delivers and manages a range of critical services to a population of over 80,000, it must ensure the consistent delivery of local services while integrating with new service providers. This often requires the sharing of sensitive personal data while facing new security threats, including zero-day disruption.
Ensuring continuity of local services
For Commune d’Uccle, it’s become standard practice to share data on the authority’s schools and public housing with national planners. The critical nature of the organization and its wealth of sensitive personal data make it an attractive target for cyber-attacks.
“We’re seeing up to 200 attacks an hour on the network,” says Ugo Dammans, IT manager, Commune d’Uccle. “It became clear that the previous firewall solution was failing to stop every threat that penetrated our network.”
With the organization becoming increasingly mobile, and a desire to promote remote working for 500 staff members, Dammans wanted to upgrade its cybersecurity: “We want employees to be able to work remotely, yet we’re aware that the threat landscape is changing. We want to protect ourselves from current threats, and stay ahead of future issues.”
Addressing security in totality
Dissatisfied with its incumbent firewall product, Dammans assessed other solutions. “It quickly became clear that we needed to look at cybersecurity holistically – from firewalls to antivirus to the cloud,” says Dammans. “The more we explored Check Point, the more we liked it.”
The complete Check Point solution includes Next Generation Threat Prevention & SandBlast™ (NGTX), Mobile Access Software Blade, and Endpoint Security.
“As a municipal authority we have to be aware of our costs,” says Dammans, “but we’ve not hesitated to invest in the security of the administration, the employees, and our citizens.”
Belgian Local Authority Doubles its Protection with Check Point
Pacific Life, a Fortune 500 Company, is one of the largest financial institutions in the US. Founded in 1868, they offer a wide range of products and services, including life insurance, mutual funds, annuities and other investment products for individuals and businesses. More than half of the 100 largest companies in the US are Pacific Life customers.
A Story of Cloud Adoption
In 2013, the Retirement Solutions Division at Pacific Life began planning the migration of a portion of their workload to the public cloud. Reza Salari, Manager of Information Security and Telemetry, drove the cloud migration effort. Until that point, Reza’s small team of only three engineers used an array of tools to manage their cross-country VMware® data centers. In moving to the public cloud, they sought to optimize operations without increasing their team size. After exploring public cloud options, the team chose Amazon Web Services (AWS), for its business differentiating value.
The first workload they moved to the cloud was their actuarial grid computing which included resource-depleting hedging models. Today, four years later, the team has approximately 100 EC2 instances that run regularly; however, when running a hedging model, this number can increase significantly for a short time. With Amazon EC2 spot instances, they are able to deal with this elastic demand by bursting to 2,000 instances while running a cost efficient cloud footprint. In addition to EC2 instances, the team also uses RDS for databases, S3 for their object storage, and Glacier for archiving.
Compliance and regulations are major areas of concern in the insurance industry. Reza and his team are responsible for adhering to national regulations like Sarbanes Oxley as well as regional requirements such as the New York Financial Responsibility Laws. In an effort to manage all their layers securely and at scale, the team has employed a mix of AWS security products, including CloudTrail, KMS, and third party tools such as Splunk for log analytics, and CloudGuard Dome9 for cloud infrastructure security management.
THE DRIVE FOR NEW SOLUTIONS
Need 1: Manage Network Security
Pacific Life’s AWS network includes over 150 security groups across seven Amazon cloud accounts in three US regions, each containing between 5 and 20 security rules. In total, their network deployment holds thousands of rules in a constantly changing elastic cloud environment. A system issue made Reza’s team realize that, as they expanded their footprint, they would not be able to control the growing complexity with AWS native tools and would need to make some changes. This included building new networks leveraging both AWS VPCs and even nested security groups (security groups that reside within other groups).
Need 2: Accelerate Software Delivery
Prior to CloudGuard Dome9, the R&D and Ops teams lacked a way to quickly test the security posture of software products early in the software development lifecycle (SDLC). More than once, the DevOps team deployed workloads only to find that they were not designed properly from a security and compliance perspective. Reza’s team was also looking for ways to accelerate product delivery by leveraging DevOps tools such as AWS CloudFormation, AWS CodeCommit and Chef. Even as the product lifecycle became accelerated, security reviews of new release candidates needed to be streamlined and efficient.
Need 3: Control Data Residency
Compliance and regulations are cornerstones of the insurance industry and therefore keeping information inside the US is critical. For regulatory reasons, Pacific Life cannot have US data being sent out of AWS cloud US regions. Additionally, as mentioned, Pacific Life’s cloud environment spans multiple AWS US regions. In order to comply with regulations, Reza’s team had to control and prevent usage of AWS regions outside of the company’s approved US regions.
Solution 1: Active Protection and Enforcement with CloudGuard Dome9
CloudGuard Dome9 allows businesses to actively assess, remediate, and control the state of their network at all times. The platform helps Reza’s team easily manage security and compliance across their entire Amazon environment. With CloudGuard Dome9, Reza’s team can continuously monitor their VPCs and security groups, and the system provides real-time alerts in cases of misconfigurations, such as an open IP port. In addition, the team relies on the system to stop unauthorized users from modifying security groups and to automatically revert unintended or malicious policy configurations. For example, if a user changes a security group policy to allow inbound SSH traffic, CloudGuard Dome9 can detect this change, revert it, and alert the team.
SEPARATION OF DUTIES
Other teams, such as the DevOps team, occasionally needed to reconfigure settings, while the compliance team needed to review and ensure security prior to deployment. Before implementing CloudGuard Dome9, Reza’s team was challenged with providing access to the other teams while maintaining control and ensuring that they were the only ones with access to configure the network security. This resulted in a cumbersome, manual, error-prone process. Today, with the consolidated control over all the AWS accounts that CloudGuard Dome9 provides, Reza’s team can easily set up access for these other teams to specific subnets and infrastructure elements. The CloudGuard Dome9 service allows Reza’s team to enforce and monitor separation of duties more effectively than before. If anyone attempts to change a configuration outside of the defined policies, CloudGuard Dome9 will simply revert to the correct settings, ensuring control. As Reza puts it, “There is only one chef in the kitchen.”
Policy misconfigurations in the public cloud can expose the network to outside threats. CloudGuard Dome9 detects these misconfigurations and immediately alerts the security operations team via an SMS message to their mobile devices. The message includes the cause and a corresponding action path to fix the issue and return the system to optimal operation. Receiving the alerts in real-time allows the team to quickly remediate vulnerabilities and prevent security issues.
VISUALIZING VPC FLOW LOGS
With the introduction of AWS VPC Flow Logs back in 2015, the team decided to leverage the capability to learn about traffic flows and troubleshoot issues. Once enabled for a particular VPC, relevant network traffic is logged to Amazon CloudWatch Logs for storage. However, it was difficult for Reza’s team to make sense of all the data from these logs, in particular when it came to controlling seven different AWS accounts. The CloudGuard Dome9 platform’s powerful visualization tool, Clarity, provides a real-time topology of security groups and an intuitive visual representation of VPC Flow Logs. This allowed the Pacific Life team to identify security risks and operational issues, visualize policies and remediate threats on all of their accounts, all from a central console.
“CloudGuard Dome9 is a huge force multiplier, providing tools that are highly effective and efficient. Because CloudGuard Dome9 is enabling our cloud strategy, we can innovate and offer better products, while lowering our expense ratio, giving customers better value.” – Reza Salari, Manager of Information Security and Telemetry, Retirement Solutions Division, Pacific Life
Solution 2: Integrate Security Review to Reinforce Development
The DevOps team at Pacific Life uses CloudGuard Dome9 Clarity to understand the security configuration of their applications and how each one must be built. Clarity provides a granular view of cloud assets, including VPCs, security groups, and instances, automatically looking for any misconfigurations. By combining Clarity with AWS Flow Log support, Pacific Life can identify what traffic is being accepted vs. that which is not, and manage adjustments as needed, all from a single pane. They are also able to check their stack before deploying it into production. Once checked by the Dev team, and as it moves into production, Reza’s team takes the next step, checking the new deployment to validate its network security. In addition, the team uses the Compliance Engine from CloudGuard Dome9 to continuously run audits against their cloud deployment to make sure the deployment follows their policies and best practices, such as the CIS AWS Foundations Benchmark.
Solution 3: Locking-out Non US Regions
CloudGuard Dome9 complements the ease of access to AWS and the cloud’s great global presence with its security controls, leveraging AWS security building blocks. CloudGuard Dome9’s active protection is twofold, and guarantees that no unauthorized network changes will be made to the AWS account, utilizing CloudGuard Dome9 as the security policy definition and enforcement point for all organizational security policies. CloudGuard Dome9’s Tamper Protection locks the existing security groups and guarantees that no network changes can be made unless they are created via the CloudGuard Dome9 console. In addition, using CloudGuard Dome9 Region Lock, the team configures policies about how the system automatically treats newly available security groups. CloudGuard Dome9 Tamper Protection and Region Lock ensure secure and consistent security group configurations, making sure that their sensitive data remains compliant and preventing any practical usage of unauthorized AWS regions.
CloudGuard Dome9 Helps Pacific Life Streamline Security Complexity in the Cloud
Banco del Pacífico is recognized as a pioneer of the Ecuadorean banking sector. Founded in 1972, it was the first bank to introduce ATMs, and the first to create networked banking. Now, they’re undertaking a comprehensive digital transformation program to advance leadership in online and mobile banking.
Protecting a National Institution
As one of Ecuador’s leading financial institutions, Banco del Pacífico is all too familiar with cyberattacks. In recent years, the bank has seen a huge increase in the volume and sophistication of these attacks. Some have been designed to disrupt day-to-day banking activities, while others have been carried out for financial gain.
“Security is very, very important,” says José Luis Nath, Vice-President of Technology and Security at Banco del Pacífico de Ecuador. “We have to protect our customers’ money. Our strategy has been to invest in the best security technology on the market to protect the bank’s assets and our customers’ data and deposits.”
The Most Advanced Threat Protection, Managed from a Single Platform
Banco del Pacífico has been a Check Point customer for many years, relying on their latest, feature-rich security solutions.
The Check Point Next Generation Gateway serves as the bank’s internal and external firewall, meeting datacenter demands for power, performance, and scalability. Check Point has also delivered the highest levels of protection through industry-leading, next-generation security solutions.
Check Point Next Generation Threat Prevention and SandBlast Network protect the perimeter of Banco del Pacífico, the first Latin American bank to use SandBlast in this way. This provides the bank with multi-layered protection, preventing known threats and zero-day attacks by using the SandBlast Threat Prevention suite, including Threat Emulation, Threat Extraction, antivirus, anti-bot, IPS, app control, URL filtering, and identity awareness.
SandBlast Threat Emulation technology monitors and inspects CPU-level instruction flow to detect attacks attempting to bypass operating system security controls. SandBlast Threat Extraction then removes dangerous content, such as embedded objects, reconstructs files to eliminate potential threats, and promptly delivers secure content to the bank’s users.
For José Luis Nath, SandBlast’s advanced features ensure that Check Point examines all incoming email traffic for active or malicious content – and quarantines it before it’s able to enter the bank’s network and inflict damage. A PDF version confirms the malware has been extracted and the bank obtains a clear record of the source of the attack and the action taken to block it.
More recently, Banco del Pacífico added Check Point Security Management R80.10 to its security portfolio. This has allowed the bank to obtain the most advanced threat prevention across networks and cloud, managed through a single security management platform and console that provides transparency and an up-to-date network protection status. It also unifies security policies and enables the bank’s network to connect securely to third-party organizations. Another benefit is that they can make sure the same software runs across all platforms and in all locations.
Fighting Back Against Gen V Threats
Control Southern has been a trusted automation partner for process industries in the Southeastern United States for more than 50 years. It is an Emerson Impact Partner, providing local access to global Emerson engineering services and expertise. Industrial customers across market segments rely on Control Southern automation, engineering, monitoring, valve and instrumentation, and training services to maximize production performance and efficiency.
As the company’s firewalls were reaching end of life, the Control Southern IT team began seeing a growing number of multi-vector attacks targeting its network and endpoints. Malware, phishing, and larger-scale infections had outstripped the capabilities of the company’s existing Sophos platform, and it needed costly hardware upgrades. When Control Southern moved to Office 365, it experienced a tremendous influx of phishing attacks on its endpoints. Then, ransomware gained access through malware on a web browser, infecting servers and spreading to connected client computers. In just a few minutes, gigabytes of data were encrypted and inaccessible.
David Severcool, Manager of IT Infrastructure and Security for Control Southern, and his team removed and remediated the infected computers and restored files from backup, but ransomware hit two more times during the same week. The team discovered that the McAfee software on endpoints was not updating systems correctly. Now they had the additional burden of manually pushing updates to endpoints almost every day.
“As we began looking for better protection, we wanted the best platform out there,” said Severcool. “We wanted a next-generation firewall, unified threat management, management capabilities from a single pane of glass, and logging. It was a tall order.”
Far Above and Beyond
The Control Southern team evaluated Barracuda, Check Point, Cisco, and Sophos solutions. However, Severcool knew that Control Southern needed next-generation protection across all attack surfaces—network, endpoints, and cloud deployments. The team also wanted unified threat intelligence to detect Gen V threats and single-pane-of-glass visibility to preempt them. As they evaluated Check Point CloudGuard SaaS, they immediately found several infections in SharePoint and OneDrive, and Office 365 email. The findings made their choice easy. The team chose Check Point Infinity and its unifying architecture.
“We needed more protection for Office 365,” said Severcool. “The company had experienced serious email phishing campaigns after moving to Office 365. When an attacker gained access to our email address list through one of our partner companies, phishing emails spread like wildfire. Check Point CloudGuard SaaS solved that problem, protecting Office 365 as well as our SharePoint and OneDrive environments.”
CloudGuard SaaS provides Threat Emulation capabilities to sandbox and analyze suspicious emails and files, as well as Threat Extraction to ensure that clean files are delivered to end users. Control Southern also deployed Check Point Security Appliances with threat prevention and SandBlast Zero-Day Protection across its locations. The company replaced the McAfee endpoint solution with the Check Point SandBlast Agent endpoint suite for comprehensive protection against bots, exploits, ransomware, and malware. SandBlast Agent also provides application control, endpoint compliance, endpoint firewall, and remote access VPN capabilities.
Deployment was fast and easy. Check Point Infinity Architecture enables Check Point CloudGuard SaaS and all other Check Point solutions to work in harmony, delivering Gen V cybersecurity defense. Check Point R80.20 Cyber Security Management gave Severcool and his team complete visibility into their infrastructure and policies. With all management capabilities and logging in one place, they have up-to-the-minute full threat visibility.
“No one else could match the logging, visibility, or protection that the Check Point Infinity architecture provided,” said Severcool. “Check Point was far above and beyond everything else we evaluated.”
Control Southern Engineers Cyber Protection Across All Fronts with Check Point
Headquartered in Wellington, New Zealand, Xero provides a global online platform for small businesses and their advisors. The company has built trusted relationships with 1.6 million subscribers, enabling them to thrive through better tools, information and connections. Innovation is fueling growth at a blistering pace. To support its growth, Xero did more than simply migrate to the Amazon Web Services (AWS) public cloud—it completed a massive transformation that wove security and agility into the very fabric of its product development, security engineering, and partner relationships, with AWS and Check Point as key partners.
Transforming Infrastructure and Security
In 2014, Xero identified a challenge with its infrastructure and security. The company was managing a premises-based infrastructure that supported almost 700,000 subscribers but often found itself spending time and resources on controlling the environment, which limited the team’s ability to fully support product innovation. Xero decided that only a public cloud infrastructure could provide the capabilities needed to support its next wave of growth.
In addition to scaling to support millions of new customers, Xero wanted to reduce its cost of service delivery, ensure high infrastructure availability, and defend effectively against evolving cyber threats. Agility is fundamental to Xero. Hundreds of product-based teams release more than 1,200 product features and updates each year. Xero wanted to reduce the time it took to build out DevOps infrastructure from weeks, to days, to hours, to milliseconds. It also needed to support internationally recognized security standards, so the new infrastructure had to be secure by design.
“High-growth environments have changed the way security must be delivered,” said McKeown. “Security teams aren’t traditionally built for speed, but if we can’t keep up with our DevOps teams, they’ll just work around us. We had to transform ourselves to enable our product teams to move fast, use the tools they want, and do it in a secure way.”
Xero chose AWS for its breadth of compute, storage, and networking services. McKeown praises the AWS Well-Architected framework for helping his team build the most secure, high-performing, resilient, and efficient infrastructure possible for the company’s applications. The AWS environment gave Xero the opportunity to reduce costs, avoid downtime, and support its growth goals.
Of equal importance was security, and the team chose Check Point as a trusted enterprise security partner for securing internal and outbound traffic. “Security was the first thing we thought about,” said McKeown. “We had to think about data encryption, inbound and outbound traffic connectivity, and protection against web-based attacks like DDoS, cross-site scripting, and SQL injection attacks.”
The Xero team worked closely with Check Point to implement security at every level of the infrastructure stack. Together, they deployed 130 Check Point Gateways across 100 different AWS accounts running Check Point CloudGuard IaaS to keep data and assets safe from even the most sophisticated threats. Check Point CloudGuard IaaS delivers automated, multi-layered, elastic security that scales with the dynamic AWS environment.
Xero deployed Check Point CloudGuard IaaS using a Transit VPC-style architecture. This enables traffic to be directed to a defined “security zone” for security scrubbing based on any number of attributes—regulatory requirements, policy, type of traffic, and others.
Micro-segmentation capabilities enable Xero to secure east-west data traffic, as well as traditional north-south traffic flows. Integration with native AWS controls enabled rapid deployment while supporting dynamic scalability and consistent control across all environments. As a result, Xero gained advanced security that moves with its applications, simplifying the overall migration without compromising protection or compliance. Check Point R80 Security Management brings the entire infrastructure into a single pane of glass with deep visibility.
“I chose best-of-breed partners that could walk with us through the journey and keep up,” said McKeown. “We built best-practice environments and pushed them to the limits months before we migrated our first customer.”
Xero Completes and Secures Its Cloud Migration While Transforming Its Security Culture
Centrify is a leading cybersecurity company that serves more than 5,000 organizations around the world. Its security platform is credited with converging Identity as a Service (IDaaS), Privileged Access Management (PAM), and Enterprise Mobility Management (EMM) into a single solution.
As organizations move to Amazon Web Services (AWS), they need to control access to their resources, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, and validate that users are who they say they are. Centrify validates access to resources, verifies that the devices being used are trusted endpoints, and helps to establish role-based access.
Recently, Centrify made the decision to move all software-as-a-service (SaaS) applications to AWS. Centrify went through a Well-Architected Security Review with AWS in order to become an AWS Partner Network (APN) Advanced Technology Partner. Members of the Centrify team met with Solutions Architects at AWS to discuss options for optimizing their SaaS environment. They discussed their needs and developed a shortlist of five leading AWS security automation solutions for Centrify to explore.
Upon further technical review, the DevOps team found that most of the solutions available on the market provided metrics, but did not give the team a way to efficiently monitor or control their security and compliance. In summary, they were looking for three main use cases for infrastructure security.
CHALLENGE 01 CLOUD INVENTORY MANAGEMENT
New application deployments resulted in the creation of security groups (SGs), IAM roles and policies as part of the built-in infrastructure automation. There were also various Amazon Simple Storage Service (Amazon S3) buckets created to host tenant data, configuration, logging information, etc. Due to the dynamic nature of SaaS environments, when things changed, the Centrify IT team had to spend countless cycles to stay up to date with their environment and assets.
CHALLENGE 02 CLOUD COMPLIANCE
Establishing compliance on the cloud was a top priority. Given the rapidly scalable nature of their AWS environment, Centrify needed to be able to check whether they were compliant with various frameworks at all times. Misconfigurations or policy changes could immediately make them non-compliant. Also, when policy violations did occur, Centrify needed automation capabilities built into their existing workflow process.
CHALLENGE 03 NETWORK VISIBILITY
Centrify needed a solution that could deliver a more fine-grained view of the security infrastructure and help identify misconfigurations. This instant visibility was critical to minimizing security holes that could open up the attack surface. Centrify also had assets and policies across multiple accounts and regions, and needed a purpose-built tool to synthesize and visualize this information from a single pane of glass.
THE SOLUTION 01
CloudGuard Dome9 helped them improve inventory management and situational awareness, providing a single pane of glass to manage coverage for all of Centrify’s dynamic cloud assets. The ability to filter and get immediate information for any instance or object in their environment was key. CloudGuard Dome9 now monitors Centrify’s entire infrastructure (Quality Assurance, Development, and Production environments).
THE SOLUTION 02
The Compliance Engine from CloudGuard Dome9 continuously monitored Centrify’s cloud infrastructure and helped detect policy violations. Also, when a policy violation occurred, CloudGuard Dome9 would immediately push a notification via email/SNS that could trigger an automatic response (such as creating a Lambda function or an Amazon CloudWatch alarm for a quick response).
THE SOLUTION 03
CloudGuard Dome9 provided comprehensive visibility of their security groups, policies, IAM roles and permissions. CloudGuard Dome9 integrated seamlessly into Centrify’s account and was able to provide instant visibility within days with the appropriate level of permissions.
Getting CloudGuard Dome9 integrated with the DevOps team’s existing systems was “fairly quick,” according to Felix Deschamps – the Principal DevOps Architect at Centrify. After only a few days, the team had all their SaaS applications on-boarded to the CloudGuard Dome9 platform. The representational state transfer (REST) application programming interface (API) and single sign-on (SSO) nature of CloudGuard Dome9 simplified the process, making it easy for Centrify to establish the right level of permissions to their systems without exposing more than was necessary.
Centrify Enforces Continuous Compliance and Security Best Practices on AWS
Wagner AG is a provider of IT services, based in Switzerland. It has customers in a range of market sectors, including financial, food and healthcare. The business was founded in 1996 and has over 100 employees.
Building the infrastructure to accommodate growth
Wagner AG provides managed IT services to corporate customers in Switzerland. As businesses look to outsource their IT to a specialist, reducing management complexity and stabilizing costs, Wagner AG had drawn up plans for two new data centers. Located 120kms apart with two 40GB connections, the investment would provide room to grow and strengthen redundancy.
“This was a sizeable, strategic investment, built from the ground up,” says Thomas Eltschinger, Head of Managed Backend Services, Wagner AG. “We wanted to incorporate the latest technology. As we’re delivering managed services, with strict SLAs, we needed clustered firewalls at both locations.
“We want to be able to offer our customers the best possible protection with today’s modern options. We can do this with the various blades and the flexible license model of Check Point.”
Maximized uptime with advanced protection
The Check Point Next Generation Security Gateway combines the most comprehensive security protection with data center grade hardware to maximize uptime while safeguarding enterprise and data center networks. The solution ensures high performance protection against the most advanced cyber-attacks.
Eltschinger says the Check Point solution offered the best fit in terms of features, and enables the business to meet industry compliance in terms of security and traceability. Check Point Next Generation Security Gateway offers unique ‘first time prevention’ for the most sophisticated zero-day attacks. It is optimized for inspecting SSL encrypted traffic, and its centralized management control and Lights Out Management (LOM) improve serviceability. It is also modular, and can be expanded if necessary.
In addition, Check Point R80.10 Security Management provides fully integrated visibility and clearer security insights. R80.10 SmartConsole allows Wagner AG to create unified policies for all network and cloud environments, all managed centrally.
“Automation and API options are useful features in R80.10,” says Eltschinger. “We’re standardizing our customer environments, which means the existing API becomes more important for automation. The TCO becomes smaller and costs can be saved.”
Swiss IT service provider uses Check Point to protect new data centers and maintain strict customer SLAs
Tradair makes end-to-end trading infrastructure software from price creation and dynamic distribution, to trading optimization solutions. Tradair’s solution runs as a service and helps financial institutions enhance their client relationships and create new revenue streams. The solution leverages advanced technology services like Docker and Google Big Query, and is delivered through a hybrid hosting model residing in the Amazon cloud and Equinix data center.
TRADAIR MINIMIZES RISK AND MEETS COMPLIANCE
The Tradair team wanted to ensure that the crown jewels of its mission-critical business were protected by the best technologies available on the market. A cloud security product was needed to help Tradair minimize security risk and eliminate unnecessary infrastructure exposure, as well as provide firewall management, policy automation, authentication and access control. Additionally, the security solution would be a key aspect of Tradair’s audit and compliance program and help meet international financial regulations, such as SOX and PCI, on 3 continents. CloudGuard Dome9 won out as their security solution of choice.
CLOUDGUARD DOME9 DIFFERENTIATION
Tradair Protects Cloud-Based Financial Trading Platform With CloudGuard Dome9
Laterlite is a manufacturer of insulating products for the construction, agriculture and industrial sectors. In common with many modern manufacturing businesses, Laterlite is an increasingly complex and international operation. Headquartered in Milan, the business has factories throughout Italy, and sales offices in France, Switzerland and Spain. IT is managed centrally, coordinating production, R&D, customer services and sales operations in more than 20 countries.
The challenge for Laterlite is a familiar one for globally dispersed businesses. It needs to ensure consistency of service for a diverse workforce, spread across multiple locations. Any kind of cyber-attack could have a widespread impact on the company’s IT services.
When the company’s incumbent firewall solution was coming to end of support, it provided an opportunity to explore more advanced threat prevention solutions. “In the 20 years I’ve been here we’ve never suffered a serious attack,” says IT Manager, Gianluca Falsi. “But I recognize that security threats, and security solutions, have evolved. We want to understand exactly what’s going on with our network, and to keep threats as far away as possible.”
“Aside from the product features, what impressed me most was the Check Point philosophy. I felt we would be aligning with a company that could work with us into the future.”
– Gianluca Falsi, IT Manager, Laterlite
Laterlite cuts time spent on threat prevention management by 30% with Check Point
The Banregio Grupo Financiero S.A.B. de C.V, trading as Banregio, is one of Mexico’s leading regional banks, founded in 1994. Today it has over 3,000 employees working at 133 branches across Mexico.
As well as consumer banking, it specializes in services for small and medium-sized enterprises. Banregio has been listed on the Mexican Stock Exchange since 2011.
Increasingly Sophisticated Cyberattacks
Mexico’s financial sector has grown rapidly in recent years, attracting the attention of cyber criminals as a result. As a leading financial institution, one that is critical to regional enterprise in Mexico, Banregio was experiencing an increase in cyberattacks.
“There are currently many security threats in the world. In Mexico we are starting to see more incidents and this motivates us to work harder to protect our customers’ information and the assets we hold for them. This is of great concern to us, to the general management and to the bank as a whole,” explains Victor Oziel Martinez Vázquez, Chief Security Officer, Banregio.
The bank must protect its assets (data, finances and corporate reputation), and those of its customers – for example, it holds many citizens’ inherited family wealth – and it must do so effectively and efficiently. The in-house security team was struggling to deal with increasingly sophisticated and advanced attacks.
The bank wanted to strengthen its network security, with greater means to identify and block new and advanced threats. It also wanted to centralize the security management of the entire threat landscape, including PCs and mobile devices, software, and data on the cloud, simplifying administration and proactively preventing cyberattacks.
Preventing Advanced Threats
Banregio uses a range of security solutions, but the central piece of its approach is based on Check Point SandBlast Network. This protects the Banregio data center network, where all customer data is held, and all financial transactions are processed.
“Protection based on signatures has become obsolete and we were looking for a new-generation solution that could identify threats, advanced or behavioral,” Víctor Oziel Martínez Vázquez explains. “Essentially, this is what motivated us to choose SandBlast Network.”
SandBlast’s advanced network threat prevention protects against advanced and zero-day cyber threats, preventing attacks, minimizing risks and offering rapid response. Its threat extraction feature ensures files are automatically cleaned and potentially malicious content removed, before they enter the network.
“This technology, SandBlast Network, allows us to ‘sanitize’ or clean any threats present in documents and provide information to our users without any risks or threats,” explains Vázquez. “It has worked really well.”
Insights for Improved Decision-making
Banregio also makes use of Check Point support to identify technical and operational best practices, and to upskill the in-house security team.
Security management is provided through Check Point R80.10, giving the bank’s IT team a view of the entire security landscape through a single management console. This allows multiple administrators to view and prevent potential cyberattacks in real-time, update policies and turn on automated responses to specific threats.
“We decided to install this version of security management primarily to ensure our strategy was centralized, simpler and allowed more effective decision-making. Check Point R80.10 also significantly improved the presentation of information,” explains Víctor Oziel Martínez Vázquez.
The University Hospital Center of Charleroi (CHU Charleroi) operates from a number of locations in the Wallonia region of Belgium. Its hospitals provide surgical, geriatric, medical, psychiatric and rehabilitation services. It is also a teaching hospital and is linked to the national healthcare system.
Healthcare requires a collaborative environment. Increasingly, CHU Charleroi is enabling mobility for its doctors and management, to allow them to work more effectively from any location.
Enable secure, mobile working
As part of its mobility program, CHU Charleroi planned to roll out 500 smartphones and tablets to medical and management teams. The devices were a mix of Android and iOS, and the hope was that they would be easy to use and something employees would also enjoy using.
“We needed to monitor, and to be certain which apps were on the device, but there also needed to be freedom,” says Edwin Urbain, Network & Telecom Team Leader, CHU Charleroi. “It’s important that staff want to use these devices.”
The ICT team wanted to allow staff to add personal applications, but needed the means to authorize, validate and approve quickly. “Ideally this should be automatic,” explains Urbain. “The key issue was ‘does the app send data’?”
Depending on the success of the project, if Urbain’s team could monitor the 500 corporate devices it would then open up mobility to Bring Your Own Device (BYOD) users; allowing employees to work from their own mobile device. Again, it would need to monitor BYOD access to suitable applications.
Market-leading threat protection, and simple management
CHU Charleroi has been a Check Point customer since 2013, using Check Point firewall solutions.
“We’re under regular attack, and the Check Point firewalls have always responded well. The solution has been effective,” says Urbain. “We saw Check Point’s mobile protection capabilities as an evolution of this protection.”
Check Point’s SandBlast Mobile is a mobile threat defense solution (MTD), protecting and preventing advanced cyber-attacks from entering devices. It protects against malware, man-in-the-middle attacks over cellular and Wi-Fi networks, OS exploits, and phishing attacks. In addition, the cloud-based dashboard provides real-time threat intelligence and visibility into the type of threats that could impact CHU Charleroi.
“Obviously we reviewed other options, but Check Point was the only product that met our needs,” says Urbain. “SandBlast is the complete product.”
Urbain also adds, “We are happy to work closely together with our Check Point partner, Prodata Systems. Thanks to their extensive knowledge and their great understanding of our needs, they are vital for the implementation and support of the Check Point solutions we use.”
Belgian Teaching Hospital and Healthcare Provider Enables Secure Mobile Working with Check Point
Prominent Museum in D.C.
This prominent museum in D.C. documents history and preserves artifacts. Since its dedication, the Museum has welcomed more than 40 million visitors, including 99 heads of state and more than ten million school-age children. To protect its irreplaceable documents, photos, videos, and recordings from today’s fifth generation cyber-threats, the museum turned to the Check Point
Preserving and Protecting
This museum keeps one of the world’s largest archives of significant historical events, focused on their digital preservation and storage. More than 16.5 million people from over 200 countries visit the site annually, which is available in 16 languages.
The museum’s systems are barraged by hate emails, vicious social media posts, and increasingly sophisticated 5th generation cyber-attacks from around the world.
“We’re moving our applications to the cloud to eliminate our data center and maximize our resources,” said Michael Trofi, founder of Trofi Security and Acting CISO. “With the risks we face, we needed strong, effective protection for users and applications across our existing on-premises and multi-vendor hybrid cloud infrastructure.”
Securing All Applications Equally
Securing SaaS and hosted applications across a hybrid cloud environment is not easy. One of the security team’s first challenges was to manage and protect user identities across the entire infrastructure.
Employees and partners are located around the world with varying levels of online access to our institutional assets. The museum chose software-as-a-service (SaaS) applications, including Microsoft Office 365, Google Suite, file-sharing, and operations solutions to meet users’ needs. Each is hosted in its respective vendor’s cloud and protected by Check Point CloudGuard SaaS.
A component of the Infinity Architecture and delivered from the Check Point cloud, CloudGuard SaaS delivers zero-day threat, identity, and data protection while preventing employee account breaches.
“Employees’ Google email accounts and credentials were especially vulnerable to spoofing through the Chrome browser,” said Trofi. “We needed a way to detect account hijacking attempts and prevent unauthorized access to petabytes of priceless data. In addition to our Check Point Firewalls, Check Point CloudGuard™ SaaS was the right solution.”
The museum also utilizes Check Point CloudGuard IaaS to protect its applications that have been moved to public clouds. Financials, human resources, PCI-compliant payment systems, and data archives are being deployed on AWS, Google, Oracle, and Azure public clouds. By hosting various applications within their specific vendor’s cloud, the museum is assured that application performance, upgrades, and maintenance are optimized by the cloud providers themselves, with a reduced effort by museum staff. Check Point CloudGuard IaaS extends the same protection as the Check Point firewalls to the museum’s applications in these public cloud environments.
Since CloudGuard SaaS and IaaS are part of the Infinity Architecture, they both benefit from Check Point SandBlast™ Zero Day protection software which runs across all Check Point physical and virtual appliances at the heart of the Museum’s security infrastructure. It provides multi-layered protection from known threats and zero-day attacks using Threat Emulation technology, as well as identity awareness, content awareness, antivirus, anti-bot, intrusion prevention, application control, and URL filtering capabilities. With Check Point SandBlast, advanced protections are extended across all environments, regardless of the physical network construct or cloud environment used.
Prominent Museum in D.C. Safeguards Its Mission with Check Point
Motortech is a leading German engineering specialist, manufacturing parts and accessories for stationary gas engines. The business operates throughout the world, with over 250 employees.
Protecting a connected, global operation
Motortech operates in an increasingly connected, global marketplace. While based in Germany, it has operations throughout the world, and is working more closely with international customers.
Protecting itself against cyber threats is a priority. The business creates, shares and develops critical engineering designs, which form the basis of its valuable IP. It is also a vital link in a global supply chain; in reputational terms, Motortech cannot afford to be seen as a weak link.
“It is important that cyber threats are controlled, blocked or dismissed before they reach the end-user,” says Marcus Morig, Head of Information Technology, Motortech. “We want our trained experts to manage security threats, not our end-users.”
Motortech implemented a complete Check Point solution, based around SandBlast and Security Management R80.10, running on Check Point Infinity architecture. This combined solution gives Motortech peace of mind that potential cybersecurity threats are prevented from even entering the business, whilst giving the IT team complete visibility of all network activity.
Check Point Security Management R80.10 provides integrated visibility and clearer security insights, lowering the complexity of managing cybersecurity. It enables Morig to create single unified policies for all networks and cloud objects, with enhanced performance productivity delivered through policy automation capabilities.
Check Point SandBlast automatically cleans all email attachments entering the business, preventing security threats without placing responsibility in the hands of the end-user. This was a deciding factor for Motortech; “We researched the market and found Check Point to be the best overall solution,” says Morig. “It convinced us it had the most unified approach to cybersecurity.”
According to Mr. Morig, implementation went smoothly, “We wanted a period of adjustment, but the Check Point systems were very intuitive. The management interface is very good. It’s now in place for more than 250 users across three locations, monitoring internet traffic, email, data transfers and file sharing.”
He is also complimentary about Check Point’s expertise and services: “All very positive, we have a direct line of communication with Check Point. And the training and webinars were excellent.”
German Engineering Strengthens Threat Prevention and Halves Administration Time with Infinity
Phoenix International, a privately held multinational corporation in Italy, is a leader in custom steel dies for aluminum artifacts. Founded in 1972, the company has built a reputation for delivering customized projects with a rapid turnaround. Working across the industrial, transport, building, automotive and aerospace industries, the company has branches worldwide.
Protecting data around the world
To keep ahead of the competition, Phoenix relies heavily on IT security: to ensure business continuity and to protect the technical and process data that contains the company’s industrial secrets. The company has had a strong partnership with Italian IT system integrator, Project Informatica, for many years. Together with Project Informatica’s dedicated ICT & Cybersecurity division, a project was launched to replace Phoenix’s old IT system with a better performing, centralized and secure one. Project Informatica managed the whole process from pre-sale to post-installation.
Stefano Biava, IT Manager for Phoenix International, explains; “Last year we addressed the issue of IT security, both for data and for employee privacy. We had no consistency in the security solutions being used worldwide, with branches each using different security brands. This was making IT security difficult to monitor and maintain. We conducted a vulnerability assessment to understand how to deal with the problem.”
Project Informatica carried out the security assessment and the results were collated and analyzed over a long period of time in order to understand how best to protect the company’s perimeter. The project was made more challenging as Phoenix International was also going through a phase of business growth, opening new branches around the world and placing added pressure on the IT team.
An impenetrable barrier
A Check Point Next Generation Security Gateway had been tested in Dubai when a new branch opened, but this was an isolated case with multiple software brands being used in Phoenix offices around the world.
“We analyzed the various solutions on the market,” says Biava, “and we chose Check Point Next Generation Threat Prevention software, not only for its favorable price/performance ratio but also for its easy and efficient centralized management console. We decided to deploy Check Point at the new sites, as well as replacing our old firewalls with Check Point Next Generation Security Gateway.”
The Next Generation Security Gateway provides multi-layered protection from known, signature-based threats and unknown threats. The solution includes anti-virus software that blocks malicious files before they enter the network, URL filtering software to control access to millions of websites, and anti-bot software to detect bot-infected machines and actively block bot communications.
The solution is managed via a unified security management platform, which provides a single pane of glass to view threats, devices, users and reports across the whole network, in real-time.
Phoenix International spends 80% less time on IT security thanks to Check Point
Askoll is an Italian company with 11 plants throughout the world and more than 2,000 employees. Founded in 1978 by Elio Marioni, Askoll has been developing highly innovative technologies for electric motors, by using synchronous technology. Initially developed for the aquarium sector, this technology was subsequently extended to the world of home appliances (Askoll is a partner of Bosch, Siemens, LG, Samsung, Haier, Whirlpool) and, since 2015, to the world of sustainable mobility. Today, the company is the leading manufacturer and distributor of Italian electric vehicles through a network of single-brand stores and dealers in Italy and Europe.
Protect users before devices
Askoll delivers IT services to its global locations from two data centers in Italy. “Our business changed quickly when we entered the electrical mobility market,” explains Moreno Panetto, IT Systems Manager at Askoll. “From that moment, we needed to protect our employees more effectively, whilst giving them the freedom to work from anywhere.”
The company has also developed a long-term partnership with IT service provider, Lantech Solutions, which manages Askoll’s firewalls globally.
“After careful consideration of numerous solutions, we chose Check Point because they had the same approach as us to cyber security: people first. We also trusted their partner, Lantech, when they recommended Check Point.”
With the business expanding, Askoll’s IT team had to ensure users were always connected and protected, on various devices and in any location.
Individual protection and simplified management
Check Point Identity Awareness allows Panetto’s team to create identity-based policies. This simplified the experience for both users and IT management, enabling the IT team to protect users and reducing the number of policies required.
In addition, Check Point’s mobile threat defense (MTD) solution, SandBlast Mobile, means Askoll can monitor mobile devices and prevent cyber-attacks. With advanced protection and full threat visibility, even the latest and most unexpected threats are caught.
“We now have a mobile defense system consisting of SandBlast Mobile software and Check Point Identity Awareness,” says Panetto. “This is an efficient and effective way to protect our mobile environment.”
Electric Motor Manufacturer Completes Mobile Security with Check Point Solutions
Unisinos is a leading private university, located at Sao Leopoldo, near Porto Alegre in the south of Brazil. Founded in 1969 with its roots in the Jesuit community, it is ranked among the best in the country by the Brazilian Ministry of Education. The university has a strategic orientation towards science, technology and innovation, with 30,000 students and more than 1,000 teaching staff.
Modernizing Outdated Security Infrastructure
Unisinos had a firewall solution in place for a number of years. As the university expanded and formed links with other Jesuit colleges across Brazil, it was apparent that this solution had grown increasingly outdated.
The university struggled to cope with the increase in security threats: it was unable to provide visibility of those threats and lacked the control over content access that the modern Unisinos required.
This vulnerability became clear during the semester registration of new students. Concentrated cyber-attacks during this period left the Unisinos system down for an entire day, causing considerable disruption and inconvenience for everyone.
Targeted Protection and Simplified Management
After consulting with local IT partner, Sentinela Security, Unisinos selected Check Point next generation appliances with Virtual System technology, R80 Security Management, CloudGuard IaaS, and VSX technologies as part of a comprehensive move to help upgrade, protect and manage its IT infrastructure, giving the university’s IT department greater visibility of threats to the network before attacks could occur.
Built on the unique Check Point Infinity architecture, R80 Security Management gives Unisinos a single console with a unified view into all security events allowing them to manage all aspects of cyber security for their physical, virtual and cloud based environments. Check Point Next Generation Security Gateways are designed for high performance and reliability, and support Unisinos’s growing capacity requirements. “Management of the solution was one of the main factors in the purchase decision-making process”, explains Maikon Rodrigo Graeff, a security expert at Unisinos. “The visibility and control provided by the Check Point solution made all the difference when making this decision.”
From a single console, Unisinos can monitor threats and analyze events, turning on automated responses to prevent specific threats. CloudGuard IaaS private cloud ensures that data held in the private cloud is fully protected.
Brazilian University, Unisinos, Simplifies Cyber Security Management
Telefónica is one of the largest telecommunications companies in the world by market size and number of customers, supported by a comprehensive offering and the quality of connectivity provided by the best fixed, mobile and broadband networks. It is a growing company that offers a differential experience, based both on the values of the company itself and on a public positioning that defends the interests of the client.
Present in 21 countries and with a client base of more than 327 million connections, Telefónica has a strong presence in Spain, Europe and Latin America, where it concentrates most of its growth strategy.
Ensuring full confidence in a mobile, digital life
ElevenPaths, the global cybersecurity unit of the Telefónica Group, has the remit to act “like a start-up”, according to CEO Pedro Pablo Pérez. It is charged with creating disruptive innovation in cybersecurity that enables clients to gain more confidence in their digital activity.
For ElevenPaths, the challenge is securing clients’ assets in an increasingly interconnected environment. At the same time, the organization has to preach personal responsibility: “One of the principles of a security policy must be co-responsibility: users have to be involved in the security of their own assets,” says Pérez.
Safe mobility is a key area of focus, with unprotected mobile devices offering a backdoor to network breaches. “To complete our value proposition we wanted to evaluate the best defense solutions against mobile threats,” says Pérez.
Threat detection to security, research and analysis
Check Point SandBlast Mobile is a complete mobile security solution, which covers all advanced cyber threats to mobile devices, with the highest threat catch rate in the market. It can also be integrated with leading enterprise mobility management solutions (EMMs).
“During the evaluation process, we realized that SandBlast Mobile and Tacyt, our mobile threat cyber intelligence tool, were perfectly compatible,” explains Pérez. “This gives our Security Operations Center (SOC) experts a joint and intuitive solution to move from threat detection to response, research and analysis.”
In addition, ElevenPaths is a Check Point Mobility Technology Partner. Its security analysts have been trained and certified to offer and manage the SandBlast Mobile solution to clients.
“We value Check Point’s expertise, support and long track record,” says Pérez.
Telecoms Giant Telefónica Strengthens Mobile Security with Check Point Sandblast Mobile
Wilkin Chapman LLP solicitors
Wilkin Chapman LLP is the largest law firm in Lincolnshire and the East Riding of Yorkshire, UK. As a full service law firm, Wilkin Chapman provides legal services for both businesses and individuals.
“A solicitors’ practice is built on reputation,” says Dean Hall, Head of Technology and Facilities, Wilkin Chapman solicitors. “If our reputation is damaged as the result of a highly publicized data breach, it would have an adverse impact on the firm.”
For Hall, the challenge is keeping up with a changing threat landscape, especially with the firm’s limited resources to appoint a dedicated cyber security expert.
“From an IT perspective, our focus is on refreshing our infrastructure,” says Hall. “Our teams want to be able to work from any office, share documents, securely access information from mobile devices, and we need to provide a service that allows them to do so.”
In particular, Hall wanted to strengthen the security between branch offices. The web filtering solution was also out of support, he adds: “We wanted to increase our security across the board. We’re not large enough to employ our own security manager, so we needed an external expert to manage security on our behalf and make us aware of solutions and threats.”
Advanced Threat Protection
Wilkin Chapman solicitors implemented Check Point Next Generation Threat Prevention & SandBlast (NGTX) with Check Point R80.10 Security Management.
The solution, implemented and managed by SJG Digital, a Check Point partner and IT security specialist, ensures the same technology runs across all devices at each Wilkin Chapman location. NGTX delivers a significant performance increase using a wide range of threat prevention techniques, including detecting malware before it enters the network and converting content to a safe format before it is opened. This multi-layered approach ensures Wilkin Chapman is protected from all known and unknown cyber-attacks.
Check Point SmartEvent provides fully integrated threat visibility in R80.10, giving real-time security insights across the entire firm and lowering the complexity of managing cyber security, even with multiple devices and branch locations.
Wilkin Chapman relies on Check Point for its secure environment and prevention of cyber-attacks
The European Space Agency (ESA) is an international organization, comprised of 22 Member States. Its mission is to shape the development of Europe’s space capability and ensure that investment in space continues to deliver benefits to the citizens of Europe and the world.
The priority for ESA and the Earth Observation Directorate is to protect the different Earth Observation space missions. It must do so across multiple locations and with a changing cast of international partners (including its equivalent in the U.S., NASA). It is a highly complex environment, processing huge volumes of scientific data.
Check Point 64000 scalable Next Generation Firewalls are designed to excel in large data center and telco environments. The ESA selection criteria included management, performance, and flexibility. The multi-bladed, chassis-based security system scales to support the needs of growing networks while offering reliability and performance. The Check Point 64000 currently runs at 100 gigabytes per second. “Check Point has been selected as one of the best products that covers all of our requirements,” Buscemi said.
Based in Ramsey, Minnesota, Connexus Energy is Minnesota’s largest electric cooperative, providing electricity and services to member residents and businesses.
Standing Up Under Challenging Conditions
Connexus Energy serves more than 130,000 members across seven counties north of Minneapolis. Energy companies have become significant targets for cyberattackers and malicious nation-states that aim to disrupt vital services. Utilities have relied on Supervisory Control and Data Acquisition (SCADA) and Industrial Control System (ICS) networks for decades to control and monitor devices and data across their distribution networks. As smart grids, smart devices, and Internet of Things (IoT) devices become widely adopted, traditional SCADA and ICS systems often lack the same level of security controls needed to defend against sophisticated cyberattackers who can exploit their vulnerabilities to create widespread damage.
“Our SCADA system is our bread and butter,” said Jon Rono, Group Leader for Technology Services at Connexus Energy. “We wanted to make sure that it delivers power safely, securely, and without interruption in the face of increasingly malicious cyberattacks. We began looking for a better way to secure it and be alerted to any communication issues that might compromise service.”
Connexus Energy used many different security solutions from multiple vendors, such as Cisco, McAfee, and Palo Alto Networks. Each solution had specific management requirements, which consumed a lot of the team’s technical resources. Individual security team members responsible for cybersecurity, help desk, endpoint security, network security, and server security had to parse logs from different systems to identify issues and respond accurately.
“We wanted one management solution for all of our security needs,” said Rono. “We needed a single pane of glass that would work across all of our systems and streamline visibility.”
Finding a solution for protecting the SCADA system while delivering centralized visibility across the entire security environment was a challenge. Secure gateways for the SCADA system have to operate in extreme physical conditions. They must fit within constrained spaces or locations that are difficult to access. Environments are harsh, with dust, sub-zero temperatures in Minnesota winters, and high heat and humidity in summer months. Many of Connexus Energy’s existing security solutions were not ruggedized at all or only partially ruggedized. Simply keeping everything operating—and trying to make them work together—was consuming a lot of time without delivering the desired results.
Time for a Complete Change
The security team conducted a full RFP to evaluate solutions from existing vendors, as well as Check Point solutions. Only Check Point delivered the single-pane-of-glass management needed with a suite of integrated solutions and additional capabilities, such as historical logging and unified policy management.
Connexus Energy deployed Check Point 15400 Next Generation Security Gateways with high availability for its core security gateway. Check Point 5600 Security Appliances protect the SCADA network and Check Point 3200 Next Generation Security Gateways are deployed at multiple remote sites. Finally, Connexus Energy deployed Check Point 1200R rugged appliances with next-generation threat prevention for its ICS at all substations. A solid-state appliance, the Check Point 1200R protects all critical operational systems.
In addition to security protection, Check Point solutions provide Connexus Energy with a Compliance Software Blade. Based on a library of more than 300 security best practices, the Compliance Software Blade highlights configuration errors, identifies security weaknesses, and validates changes in real time. Not only does it enable real-time security policy audits, it ensures proper configuration and function of Firewall, Antivirus, IPS and Data Loss Prevention protections.
“The Check Point 1200R delivered ruggedization, comprehensive security, and centralized visibility in one product,” said Melissa Kjendle, Cybersecurity and Senior Infrastructure Analyst. “Its footprint is so small that it easily fit in every environment we needed to place it.”
iVRESS provides information security consulting for small-to-medium-sized businesses (SMBs). It builds multilayered security environments for corporate clients, built on Check Point security appliances.
iVRESS offers flexible security solutions to SMBs across multiple industries, with a particular focus on mobile security. A key business challenge iVRESS faces is securing mobility for their corporate customers, especially with the exponential growth in mobile threats.
Yusuke Kubo, iVRESS’s Mobile Threat Prevention Department Manager, explains: “The rapid expansion of mobile devices means they are now a natural part of the business. One advantage SMBs have is agility, and mobile technology is a powerful business tool for them. Unfortunately, there are few companies which have adequate security measures in place. In Japan, everyone was so focused on the convenience of mobile technology, that security was put on the back burner for a while.”
Despite the importance of mobile security, however, iVRESS had trouble finding suitable security solutions to offer its customers. There were few security vendors in the market with native support for Japanese customers. Mobile Device Management (MDM) vendors provided management tools rather than security tools, and they were overly complex, expensive, and took a long time to deploy.
“When I found out about SandBlast Mobile at the sales kick-off meeting organized by Check Point, I thought, ‘this is it!’” explains iVRESS president, Hiromi Toyama. “You could feel the quality of the appliances in the Check Point 700 series products, and SandBlast Mobile was a particularly high-quality solution. It can prevent attacks from malicious apps and has excellent accuracy by using advanced static code analysis and machine learning. It also offers the kind of flexibility we need for fast deployment, easy scaling, and efficient operation. It really is a perfect fit for our business.”
The superiority of SandBlast Mobile lies in its ability to provide comprehensive mobile security. It delivers industry-class threat prevention rates in both iOS and Android mobile devices, while also protecting against hidden threats in operating systems, applications, and networks.
PSI is a business ally of iVRESS and a distributor of Check Point products. Tsutomu Ogura, who works in PSI’s Security Solutions Department, says: “SandBlast Mobile provides maximum quality when it comes to mobile technology. We no longer live in an age where convenience and availability are all that is sought after. I believe SandBlast Mobile is a groundbreaking solution thanks to its amazing quality and ease-of-use.”
SandBlast Mobile, strengthening mobile security and protecting against hidden threats
Founded in 1907, Mutua Universal is a voluntary association of non-profit companies established to support the operation of the Spanish social security system. Its workforce of 1,800 provides health services and assistance to 1.3 million employees in 160,000 companies throughout Spain.
Protecting the traditional perimeter is not enough
Cybersecurity is a constant concern for Mutua Universal. In 2014, a security plan was drawn up for implementing a package of initiatives to protect against technology and cybersecurity risks. One of the initiatives, which has been under study since 2017, was the implementation of security and data-protection measures for mobile devices.
Over the last ten years, the company has used various security solutions for its perimeter as part of a multi-layered security strategy. These include innovative software such as Check Point Next Generation Firewall, which provides one of the highest levels of protection in the industry.
Mutua Universal recently decided to provide the corporate mobile devices of over 500 employees (iOS and Android tablets and smartphones) with access to corporate applications. This move is part of a range of digital transformation initiatives, some of which are based on the use of corporate mobile phones.
“The use of mobile technology has diluted the traditional concept of the security perimeter, creating a need for solutions that provide the right technology for the threats we face. The corporate digitization processes we are currently undergoing will make the situation even more critical,” explains Marc Muntañá, Cybersecurity Manager at Mutua Universal.
The new service complements others for accessing data and browsing outside the corporate perimeter. “We immediately saw the need to provide increased security for these devices, firstly to protect the devices themselves from threats on the network and secondly to avoid any problems that could have repercussions on the corporate network,” explains Josep Maria Ezcurra, IT Services Technical Manager at Mutua Universal. “We had to protect mobile devices immediately, with a simple solution that easily integrated with our other security infrastructure.”
Perfect integration and building on past experience
Mutua Universal weighed up a number of options in the market. The Technical Architecture department tested solutions from various suppliers with different devices and users for a period of four months. The trial of Check Point SandBlast Mobile was made easier by the company’s past experience in working with Check Point, resulting in the highest evaluation among the various products. Users highlighted the usability and, in technical terms, the application stood out for its easy adoption among users and its supported integration with any MDM platform, something that was not possible with all the options that were tested. “The integration with AirWatch was a decisive factor in choosing SandBlast Mobile,” remarks Dominique Pérez, Head of the Technical Architecture Department at Mutua Universal.
Protecting Mutua Universal’s corporate mobile devices from emerging threats
Headquartered in Los Angeles, Smart & Final Stores, Inc. operates 330 grocery and foodservice stores in California, Oregon, Washington, Arizona, Nevada, Idaho and Utah. It has an additional 15 stores in Northern Mexico operated through a joint venture. Like many retailers, the business is focused on price and customer service. Security is crucial, but IT resources are limited.
Smart & Final Secures Corporate Data and Reputation, as It Drives Rapid Retail Expansion
Since its inception, Central New Mexico (CNM) Community College has delivered strong career-technical programs. It offers focused curriculum in math, science, and engineering; business and information technologies; applied technologies; and communication, humanities and social services to prepare students for rewarding careers upon graduation.
With eight locations around Albuquerque, CNM has a large attack surface to defend. The IT and security teams work closely to protect users, data, and other assets from cyberthreats. Even though threats continue to proliferate, a higher education institution’s budget cannot increase at the same rate. When it was time to refresh the college’s firewall, the IT and security teams looked for a way to improve defenses while simplifying operations.
“We wanted to combine firewall, IPS, and web security capabilities into one solution and manage them through a single pane of glass,” said Luis Brown, IT Chief Operations Officer/Chief Information Security Officer for CNM. “Having multiple interfaces and systems not only obscured visibility into threats across the infrastructure, but supporting multiple systems was time-consuming and costly.”
The team began evaluating possible solutions from Check Point, Cisco, Fortinet, and Palo Alto Networks. Their first consideration was effectiveness in identifying and stopping threats. However, ease of management was also a priority. After conducting proof of concept tests with the solutions, CNM chose Check Point SandBlast Zero-Day Protection with Threat Emulation and Threat Extraction.
“Check Point has delivered great protection, performance and value for the challenges we were facing at CNM,” said Brown. “Management is seamlessly integrated, and we gained features that we never had before, such as application control and identity awareness, which allowed us to maintain better security and prevent attacks.”
Check Point SandBlast Zero-Day Protection increases network security with evasion-resistant malware detection and comprehensive protection from the most dangerous attacks. Check Point SandBlast Threat Emulation monitors CPU-based instruction flow for exploits attempting to bypass operating system and hardware security controls. The Threat Extraction component removes risky content, such as macros or embedded links, reconstructs documents using only known safe elements, and provides sanitized “clean” files quickly without interrupting the business flow.
The team deployed Check Point gateways across its locations to protect the college’s web browsing and Internet traffic. Currently, email traffic is encrypted and goes directly to Microsoft Office 365.
“We worked with the Check Point engineering team to deploy the management console,” said Johnny Garcia, Senior Network Security Administrator. “Check Point’s commitment from presales through deployment was fantastic.”
Central New Mexico Community College Improves Security Defenses While Simplifying Operations
Grupo Financiero Multiva
Based in Mexico, Grupo Financiero Multiva is a financial group comprised of Banco Multiva, Casa de Bolsa, and Fondos de Inversión. It provides various personal and commercial financial products and services throughout 25 branches in Mexico.
Securing Customers’ Assets
As a financial institution, Multiva experienced growing security concerns regarding the protection of its customers’ assets, such as customer transactions, account information and personal identification information.
Although the bank could deal with known malware via traditional tools, it remained defenseless against Zero-Day attacks because legacy solutions simply aren’t sufficient any longer for detection and prevention. In addition, Multiva noticed a rise in the frequency of Distributed Denial-of-Service (DDoS) attacks. Facing targeted threats such as these as well as ransomware, APT, and email-borne attacks, Multiva knew it needed a central and manageable security solution with comprehensive protections.
“We realized we needed to enhance our security posture when we had a ransomware attack,” said Juan Muñoz, Assistant Director of Infrastructure at Grupo Financiero Multiva. “While the attack did minimal damage, we needed to get the strongest protection out there to avoid being a victim again.”
Next Generation Threat Extraction
To find the best solution, Multiva tested Micro Solutions, FireEye, and Check Point SandBlast. Although Micro Solutions and FireEye could detect threats, they were not able to stop them as effectively as SandBlast. Neither were they able to deal with the complex task of remediating encrypted files in cases of ransomware which were a tremendous threat to the bank. FireEye’s solution was too complex and expensive.
“We decided to look for a sandbox solution. We looked at Micro Solutions, FireEye and Check Point,” said Muñoz. “Micro Solutions was out because it could only detect and not prevent. While FireEye could provide the same level of security, it required a separate appliance for each security protocol, making sandbox protection cost prohibitive and difficult to manage.”
Multiva needed a large enterprise solution, and chose Check Point Next Generation appliances for threat prevention with greater performance, uptime, and scalability. NGTX stood out with comprehensive protections including Firewall, IPS, Application Control, Anti-Bot, Anti-Virus, Anti-Spam & Email Security, URL Filtering, and the award-winning sandboxing technology in Check Point SandBlast. SandBlast did all that without interfering with the daily business flow of the organization.
With the appliance, Multiva received SandBlast Zero-Day Protection with Threat Extraction and Threat Emulation, ensuring the most advanced protections against unknown malware, vulnerabilities, and Zero-Day attacks. Integrating SandBlast with their email solution allows Multiva to stop email-borne ransomware and APT attacks.
For Multiva, the performance of the equipment and the integration with its Security Information and Event Management services truly stood out.
“We’ve had a really good experience with Check Point Next Generation Appliances and SandBlast technology,” said Muñoz. “We are now confident we are well protected against both known and unknown attacks.”
Fortifying the Perimeter
Since Multiva had experienced a rise in Denial-of-Service attacks, it sought to fortify its perimeter defense with the Check Point DDoS Protector Appliance, an add-on to Multiva’s security architecture. The appliance responds to DDoS attacks quickly using multi-layer protection against volumetric, specific server, and application attacks.
Nowadays, DDoS attacks use new techniques that can circumvent traditional security solutions and cause serious network downtime and negatively impact businesses. The DDoS Protector is built to extend security perimeters to block DDoS attacks before any damage is done, and integrates seamlessly with Check Point Security Management.
When Multiva was recently targeted by a DDoS attack, the DDoS Protector was able to alert the Information Security team and prevent the threat.
“The Anti-DDoS solution is doing great on preventing DDoS attacks. We feel safe because we get alerts and reports in a timely manner,” said Muñoz. “We actually know when we’re being attacked, thanks to the box.”
Grupo Financiero Multiva Safeguards Clients' Financial Assets from Malicious Attacks
Arcopedico is a Portuguese company that produces ergonomic footwear. It exports to around 50 countries and has an annual business turnover of €15 million. It has its own stores and distributors and works directly with the Portuguese and Spanish retail market.
Faced with increasing cybersecurity threats, Arcopedico believed that its corporate firewall had limited functionality and was reaching its end of life. More and more devices were connecting to the corporate network, so Arcopedico decided it needed to partition the network.
“We have some corporate devices that connect to an external network and we didn’t want them to introduce vulnerabilities to a network where there might also be servers,” says Arcopedico’s Information Technology Department Manager, Serafim Couto.
The decisive moment came when Arcopedico was faced with a ‘phishing’ incident introduced by an external email account on the network. Fortunately, it had no impact on the business and was quickly contained, but it made it very clear that there was an urgent need for a change in corporate policy.
Greater Speed and Control
Advised by its hardware partner, Pamafe IT, Arcopedico saw a demonstration of the latest Check Point solutions and concluded the best fit would be Check Point’s high-performance security gateway with R80.10 software version. To ensure complete threat prevention against known, unknown and zero-day attacks, Arcopedico chose Check Point SandBlast Zero-day Protection.
Check Point Infinity architecture provides the IT department with a new level of security that they never had access to before. “With Check Point Infinity we are now taking a pre-emptive approach to our IT security. We are preventing cyberattacks from entering the network. Plus, we know that every aspect of our business is covered; networks, cloud and mobile.”
Check Point SandBlast agent provides Arcopedico with added reassurance that the business is prepared for even the most advanced threats. Endpoints are protected using Threat Emulation and Threat Extraction, and Anti-Ransomware technology blocks ransomware and automatically reverses any damage caused.
The entire Check Point solution is managed via a single console which gives Arcopedico’s IT department not only great visibility, but also complete control over their network security, which makes managing their security more efficient and simple.
“The R80.10 security management makes it much easier to manage the network in a more centralized way. The logs monitor allows queries to be run succinctly and rapidly and the reporting function lets us see exactly what threats have been prevented and where,” explains Serafim Couto.
Check Point Infinity Architecture Prevents Advanced Threats Across Network, Cloud and Mobile with Zero-Day Protection and Consolidated Management
The Mississippi Secretary of State’s Office oversees business formation and services; charities; public lands; elections and voting; regulation and enforcement; securities; education and publications; and policy and research for the state. Check Point’s SandBlast Mobile solution provides protection to employees’ devices to carry out those responsibilities.
Delivering Better Protection for Mobile Users
The Mississippi Secretary of State’s Office supports approximately 100 state executives, department heads, and directors who use their own mobile devices for business. These “high-value targets” usually have access to more sensitive information than lower-ranking employees and travel more often. For determined cybercriminals, they represent the fastest path to valuable data, systems, and assets.
“Mobile users represent a moving attack surface,” said Russell Walker, Chief Technology Officer in the Mississippi Secretary of State’s Office. “Even though we had recently upgraded our security infrastructure, I still wasn’t comfortable with these devices being able to directly access the network, because the antivirus solution on them wasn’t really enterprise-grade.”
The previous solution couldn’t ensure secure connections for mobile devices to the state’s network, which increased the risk of an attacker breaching the device. The antivirus solution also took up space and processing power on the device, which was a nuisance to users. Finally, the entire solution was difficult to manage. It wasn’t integrated with the rest of the network or security infrastructure, and there were different processes required for Android and iOS platforms.
“Just managing 100 devices required a substantial investment of staff time and system resources,” said Walker. “For instance, it took up to 30 minutes just to load it correctly on one mobile device. We needed a more powerful solution that was truly cross-platform and didn’t require any user interaction.”
From Pilot to Production
The Secretary of State’s Office identified three possible solutions, including Check Point SandBlast Mobile, and conducted proof-of-concept testing. Walker’s team initially deployed SandBlast Mobile on a small number of devices to see how it worked.
“SandBlast Mobile worked great,” said Walker. “Users didn’t even know it was there. It took so little effort and worked so well that we took it straight to production.”
Mississippi Secretary of State's Office Secures Mobile Devices, Gaining Peace of Mind and Significant Savings
RheinMain University of Applied Sciences offers more than 85 degree programs for 13,000 students at five locations in Wiesbaden and Rüsselsheim. As a family-friendly university, it offers maximum support in balancing studies and careers with family life.
RheinMain University of Applied Sciences Increases IT Security for Students, Teachers and Employees
Low Cost Airline
From America’s favorite small cities to world-class destinations, this airline makes leisure travel affordable and convenient.
On Board for Virtualization
This airline focuses on delivering affordable air travel while also offering related products, such as hotel rooms and rental cars. With 85 aircraft and 350 scheduled routes across the United States, this low cost airline flies out of 120 airports. Across all of these airports, this airline’s IT and information security teams manage network traffic for business-critical systems such as reservations and flight schedules.
In the past, the airline had supplied laptops for staff and deployed physical firewalls at each of their locations. Because traffic was shared over a common network, any security or network problem at one airport could potentially affect all locations. The infrastructure also was costly and difficult to manage consistently. As the threat landscape intensified, the airline’s team wanted to simplify their network design as well as bring more automation into their releases while increasing their ability to prevent attacks across an increasingly virtualized infrastructure.
The airline chose to deploy VMware NSX in their datacenter and implement a virtual desktop infrastructure (VDI) delivered over Internet links to all airports. This dramatically simplified network management, delivered greater agility, and enabled the team to micro-segment traffic with policies specific to each segment for higher resiliency. To secure this dynamic environment, the airline chose Check Point CloudGuard for VMware NSX.
Extending Protection for Virtual Coverage
“We’ve implemented the Check Point Infinity architecture to help us consolidate and unify security across our networks,” said the airline’s Information Security Manager. “In addition to Check Point CloudGuard for NSX, it includes Check Point firewalls, Check Point SandBlast Zero-Day Protection, and Check Point R80.10 Security Management. Together, these solutions have made our lives much easier and our network more secure.”
Check Point Infinity uses unified threat intelligence and open interfaces to protect the airline’s environments against targeted attacks. With Check Point R80.10 Security Management, the team consolidated security management across all network environments into a single pane of glass. Check Point CloudGuard for VMware NSX delivers a multi-layered defensive posture to protect east-west traffic in their VMware-deployed datacenters. CloudGuard transparently enforces security at the hypervisor level and between virtual machines, automatically quarantines infected machines for remediation, and provides comprehensive visibility into all virtual network traffic trends and threats.
Airline Grounds Cyber Threats with CloudGuard Advanced Security
STLC — Russia’s premier leasing company
STLC was established in 2001 as ZAO Civilian Aviation Leasing Company. It expanded its portfolio in 2005 to include road transport and infrastructure. STLC has evolved into the largest Russian leasing company entrusted with the financing of high-profile civilian aviation and transport projects, such as deliveries of the Sukhoi Superjet 100 passenger plane.
Bolstering corporate network security and easing the workload of system administrators
“Our employees handle all sorts of commercial and sensitive information,” says Sergey Rysin, Security Advisor to the STLC Director, adding: “The IT department is tasked with keeping it secure. In the face of increasingly sophisticated security threats and data breach mechanisms, it is vital that we are able to respond quickly to all intrusions and develop systems that can ward off external threats. Since a person is incapable of processing such a vast array of information single-handedly, we have come to rely on a robust solution that can respond to our corporate needs. Check Point gives us the highest level of security.”
In recent years the company has repeatedly faced all kinds of issues concerned with data protection, from unauthorized access to corporate resources to threats posed by ransomware. While the IT team promptly prevented all issues as they came to light, STLC management realized the need for proactive threat prevention in order to avoid damage to the business.
“Prior to Check Point, the IT infrastructure of STLC relied on a solution by another well-known vendor, which failed to solve the task of blacklisting of resources and real-time prevention of cyber attacks. When we decided to take critical action and search for a new solution, we considered offerings by Palo Alto and a number of Russian vendors. Check Point products stood out among the competitors for their ease of configuration, a user-friendly interface and the ability to prevent threats from entering the network more effectively than the competition. Last but not least, they did a good job achieving the requirements identified during the pilot project stage,” Mr Rysin continues.
Effective Integrated Security
The STLC corporate network has a multi- layered architecture. Check Point Next Generation Threat Prevention protects the corporate network perimeter from external threats and prevents user access to potentially malicious websites and services while preserving access privileges essential to performing the user’s duties. When a user attempts to access a potentially malicious external resource, the system automatically blocks the request and notifies the administrator. “Check Point solutions prevent threats of all kinds when users unknowingly access malicious or unknown resources, completely eliminating the very possibility of damage or data theft, and preventing any potential damage,” says Rysin. All network traffic is continuously monitored by SmartEvent, the Check Point SIEM system, which allows to track all network activity and generate reports on demand.
The SandBlast solution is used to protect endpoints on the STLC corporate network. “The SandBlast solution provides quality endpoint protection against any type of malware and other security threats, which makes it all the more easier for the IT department to provide support to users,” Mr Rysin adds.
All major companies face the same common problems associated with the use of removable drives, internet access and external mail services used by employees. The Check Point Sandblast Endpoint Security enables administrators to flexibly configure access privileges, prohibit downloads and transmission of specific file types, and protect users against both common threats and zero-day attacks such as ransomware. The intuitive interface and ease of administration enables the company to respond to changing conditions and requirements promptly while maintaining the much-needed flexibility with a high level of security.Array
State Transport Leasing Company (STLC) chooses Check Point to create a new standard for cyber security
Edel AG is one of Europe’s leading independent media groups and employs around 1,000 people. optimal media GmbH is one of the most modern and innovative media service providers. The company specializes in the production of high quality printed materials and packaging, as well as the production of CDs, DVDs, Blu-ray discs and records. optimal also has a full-service print shop, digital distribution centers, a logistics and fulfilment center, an audio mastering studio and an Authoring Studio. Its customers include well-known music labels and distributors, software companies, film studios and distributors, media and book publishers, agencies, artists and industrial customers from Germany and worldwide.
Preventing data breaches
As the technical service provider of the group, optimal media’s IT Department is responsible for network and IT security systems for all eight of Edel AG’s European offices.
“Cyber security is very important to us. The production data our customers send us for their new CDs or records contains incredibly sensitive information and intellectual property that must be protected,” says Christoph Andreas, Team Leader, IT Systems & Support at optimal media. The international recording industry network, the IFPI, audits the IT security systems at optimal media each year – and so far it has passed every time. “But the threat level is becoming ever more critical, and the time it was taking to prepare for the audits had become unmanageable. Our existing, outdated firewall solution was not going to be enough for us in the long term, as it could not handle unknown threats,” says Andreas.
Comprehensive protections and visibility for all network traffic
The results of a one-month evaluation of Check Point technology impressed the Edel AG board. The solution covered many loopholes and weak points that the IT team had not even been aware of. “Comparing the results with other solutions showed us that Check Point was by far the only solution able to provide comprehensive protection and visibility for all network traffic, identify and block all types of threats in real-time and classify all applications and protocols,” says Andreas.
Check Point Infinity powered by R80.10 – A new standard of security
With Check Point Infinity architecture optimal media achieved a new standard of security. Using Check Point’s high performance security gateway, powered by Check Point Infinity R80.10 version, and using R80.10 security management, all networks, users, applications and data are controlled leveraging a unified security policy. The DLP prevents sensitive information from leaving the organization from any application and protocol, while SandBlast, Check Point’s zero-day threat prevention solution, prevents advanced threats and cyberattacks in real time – keeping them outside the network. Consolidating the entire security into a single platform managed by a unified, single-pane-of-glass management, optimal media now covers all aspects of security for complete protection – now and in the future.
Optimal Media protects digital assets with Check Point Infinity
U.S. Public Health Services Provider
As a leading West Coast provider of emergency health services, this organization has over two million patients and runs over 90 locations, with two major trauma and rehabilitation centers. The organization provides critical, life-saving services in emergency cases.
Being a large-scale healthcare provider, the organization is responsible for securing its patients’ highly sensitive data. Information such as patients’ medical information, social security numbers, and personal addresses makes the organization a prime target for malicious actors. Entry of any bad actor could have disastrous results for patients and the hospital including identity theft, insurance fraud, data manipulation leading to mistreatment and more.
With important medical devices that require internet connectivity, it is absolutely crucial that the organization’s network is protected. If an attack compromises connectivity, downtime to life-saving devices could result in serious repercussions to patients receiving emergency care. This could lead to delays in treatments, patients getting sicker or even death.
To ensure patients receive the emergency services they need, the organization needed a solution that would not just detect advanced threats to its network, but ultimately prevent them from coming in.
“I believe in the Check Point product, SandBlast, because we believe in prevention and not just monitoring. So we use it in line, and it works really well,” said the Information Security Manager at the Public Health Service Provider.
Advanced Threat Prevention
To protect its network, the health services provider chose Check Point SandBlast with Zero-Day Protection. The organization uses Check Point Firewall IPS, App Control, Anti-Bot, and Anti-Spam capabilities, as well as Threat Emulation and Threat Extraction technologies. Check Point’s unique CPU-level exploit detection capability enables Threat Emulation to block malware designed to bypass regular sandboxing technologies, ensuring security against advanced threats such as WannaCry.
With Check Point SandBlast, the organization has been able to prevent countless attacks through email and web thanks to the Threat Emulation technologies. According to the organization’s Information Security team, event logs show that CPU-level evasion detection has been highly effective in catching malware.
The team also found Threat Extraction to be highly useful.
“Threat Extraction was very promising, as we could deliver a cleansed document while the file actually gets checked in the background to see if it’s malicious,” said the Information Security Manager.
U.S. Public Health Services Provider Safeguards Network Ensuring Quality Health Care Delivery to Millions
Present everywhere in Belgium as well as in the Grand Duchy of Luxembourg and France, Laurenty is a family group specialising in cleaning, road sweeping, building and green spaces. With an annual turnover of more than €120 million, the company serves around 5,000 clients thanks to its 4,300 employees.
Simplify Management and Increase Security
In 2015, Laurenty realized that its IT security infrastructure was technically outdated and fragmented. Several point products were used to address specific security challenges. Using products from multiple vendors means several consoles, different approaches and no global visibility. “Instead of renewing the existing licenses, you might as well investigate the market to find the very best solution to secure both the network and the endpoints,” says Laurent Grutman, CIO at Laurenty.
Responding to Strict Regulations
From May 2018, all European companies will need to demonstrate, at any given time, that all personal data held by them is protected and, in particular, that it could not be used in the event of theft. This new European regulation is known as the GDPR (General Data Protection Regulation) and, if it is contravened, the company in question may have to pay severe penalties of up to 4% of its annual turnover.
To protect its laptops against data breaches Laurenty needed a strong encryption solution.
Advanced Threat Prevention
With the help of Shinka, an IT security integrator and a recognized Check Point partner, a global solution was implemented, protecting both endpoints and network while incorporating the principles of Check Point Infinity architecture.
The first priority was to protect the company’s endpoint devices against zero-day and other advanced threats. Check Point SandBlast Agent protects Laurenty against all kinds of unknown malware, bots, phishing and ransomware attacks. Anti-ransomware is part of SandBlast Agent and doesn’t only stop the spread of ransomware, it also recovers your data in case some files were already encrypted.
In addition to antimalware, which is still needed to protect against known viruses, Laurenty was also looking for a good solution to protect itself against data breaches caused by stolen or lost laptops. By using full disk and media encryption and port protection, all endpoint security requirements were met, which helps Laurenty achieve GDPR compliance.
Laurenty chose Check Point’s Complete Endpoint Protection Suite as it brings them data security, network security, advanced threat prevention, forensics and remote access VPN for complete endpoint protection in one package and it’s manageable with one console. Phase two was the replacement of the old gateways with the new Check Point 5600 appliances with SandBlast Next Generation Threat Prevention (NGTX) to defend the company’s network against zero-day threats.
SandBlast incorporates two technologies, explains Laurent Verhees of Shinka. Each email attachment, such as Excel, PDF, etc., is now forwarded to Check Point SandBlast cloud for inspection. SandBlast emulates and scans the attachment for malware and only if the file is clean, sends it back to Laurenty. While this process can take a few minutes, Threat Extraction strips out any active content that can be malicious and delivers a clean version of the attachment in a matter of seconds without business delay to the end user.
Email recipients have access to a safe, “static” version of the attachment only. “This static file is generally all that our employees need, so there is no delay in getting our work done. We just know that data is secure,” adds Laurent Grutman of Laurenty.
Laurenty was one of the first customers in Belgium to implement the newest version of Check Point security management R80.10. The installation went flawlessly and R80.10 brings a lot of advantages, such as consolidated security into one place with one console, integrated threat management and a unified policy.
Laurenty Unifies Security to Comply with General Data Protection Regulation (GDPR)
OpenLink is the global leader in trading, treasury, and risk management solutions for energy, commodities, corporate, and financial services companies. More than 37,000 users from 600 clients use the company’s highly sophisticated software for activities such as hedging commodity prices, automating logistics, forecasting raw material needs, and trading derivatives.
Moving to the Cloud
OpenLink’s solutions power decision-making and operations for many of the world’s largest oil companies, banks, and utilities. Each client’s OpenLink implementation is tailored specifically to their unique business needs. Until recently, OpenLink solutions were typically deployed in clients’ own data centers. Each deployment was built with high amounts of excess processing capacity to handle peak periods of demand. As an example, a client might need 10 compute systems for most of the day, but during a peak processing period, complex transactions would require 100 systems to handle the computational load and minimize delay.
OpenLink’s large clients also maintain multiple development and testing (DevTest) environments and staff. Due to the complexity of customized software implementations, these teams work continuously to keep their solutions upgraded with release levels and to develop customized plug-ins. The production and DevTest environments represent high capital investment, maintenance, and support costs, yet they are mission-critical to the company’s operations.
For smaller clients that don’t have large data centers, OpenLink began hosting customer workloads and data in its own data center. Using its private cloud, OpenLink essentially began functioning as a service or hosting provider, processing large amounts of client data.
“We saw an opportunity to reach more customers with OpenLink solutions through a cloud model,” said Michael Lamberg, VP and Chief Information Security Officer for OpenLink. “If we could progress from private cloud to a public cloud model, we could gain significant advantages.”
OpenLink chose Azure based on compatibility with OpenLink technologies, robust regional coverage, pay-per-minute pricing model and a mature security stack.
Adopting a service delivery architecture that included public cloud would enable OpenLink to support more clients with less physical infrastructure and with the added flexibility to scale on demand for peak usage periods. Clients would only pay for the resources they use—enjoying substantial savings and higher performance. OpenLink also would reduce its physical infrastructure costs. The public cloud accelerates OpenLink implementations for new clients because with the proper tools, it is much simpler to manage. By providing DevTest environments in the cloud, OpenLink can provide rapid access to versions of its application, giving everyone a competitive advantage and offering an affordable solution for many more potential clients.
“Security in the cloud is paramount,” said Lamberg. “We chose Microsoft Azure for our cloud, but wanted in-depth control over security. I need the ability to see and verify the layers of security deployed. We chose Check Point vSEC for Microsoft Azure to meet our security requirements. In addition, vSEC is cloud agnostic making us less dependent on the cloud provider’s native security controls giving us the flexibility to choose where we could host our workloads in the future.”
Check Point vSEC Secures Client “Bubbles”
OpenLink’s Azure cloud consists of multiple single-tenant environments defined as bubbles. Each client’s solution operates in its own “bubble,” which is securely linked to a cloud-based management hub and the client access portal. Private peering links connect back to the OpenLink physical data centers, which operate separately. OpenLink had previously deployed Check Point 5600 Next Generation Security Gateways in two of its data centers. Now it deployed Check Point vSEC for Azure to secure its public cloud environment, thus moving towards significant security deployments on Check Point solutions.
“In my experience, Check Point is one of the only security solutions that can easily and efficiently scale to hundreds of gateways,” said Lamberg. “I can be assured that no client environment (bubble) can talk to any other bubble, and nothing can pass through vSEC for Azure into the OpenLink cloud unless I configure it to do so. That’s an extra level of assurance for us and our clients.”
Check Point vSEC for Microsoft Azure extends advanced threat prevention security to protect customer Azure cloud environments from malware and other sophisticated threats. As a Microsoft Azure certified solution, vSEC enables customers to easily and seamlessly secure their workloads, data and assets while providing secure connectivity across their cloud and on-premises environments. It provides the full protections of Check Point’s Advanced Threat Prevention security, including firewall, IPS, antivirus, anti-bot protection, application control, data loss prevention, and more.
The decision to utilize vSEC to secure their cloud environment means that every OpenLink client bubble enjoys the same comprehensive next-generation threat prevention capabilities.
“Our partnership with Check Point is one of the most valuable aspects of the solution,” said Lamberg. “Check Point works very well with Azure, and we get great support from both vendors. The adoption of public cloud challenged us in verifying the security layers offered by the cloud provider, also given limited visibility into the layers of the Azure stack, vSEC helped us overcome these challenges.”
Secure Move to the Cloud Delivers Savings, Flexibility and Confidence to OpenLink and Its Clients
Edenred introduced the Ticket Restaurant meal voucher to the French market in 1962—one of the first employee benefits adopted by organizations across the country. Today, Edenred connects 43 million users with 1.4 million merchants and manages trusted transactions for 750,000 companies.
Edenred provides digital solutions by giving companies and employees the ability to perform a variety of everyday transactions worldwide. Corporate employees use Edenred payment cards or their mobiles to buy lunch or groceries. Fleet drivers fuel up, pay parking fees, and get their trucks serviced with Edenred cards. Merchants use Edenred to accelerate customer checkout and reimbursement. Companies use Edenred services to improve expense management, reduce operations costs, and minimize risks involved in complex transactions. With more than 2 billion transactions managed every year, Edenred has to meet the highest security and compliance standard to protect its customers’ privacy and data.
Protecting Client Security and Privacy
“We know our corporate clients and their employees,” said Romain Dayan, IT Security and Telecommunications Director at Edenred. “Because we process personal and financial data, security and privacy are our topmost concerns.”
Edenred has been a Check Point customer for many years, using Check Point solutions to protect its corporate networks and data centers worldwide. As the company continues to evolve, so do its data transport, storage, and security needs. As a financial organization, it is also subject to the Payment Card Industry Data Security Standard (PCI DSS), banking regulations, transaction authorization requirements, and General Data Protection Regulation (GDPR) laws. One of the most important requirements for Edenred was to create security and compliance standards that encompass its operations in North America, Europe, Brazil, and Singapore. In order to achieve it, Edenred needed a solution that provides not only the best protection but also can meet the most demanding compliance standards.
Edenred was seeing a growing amount of malware arriving with email. Its antispam solution wasn’t enough to protect against advanced threats, so the security team chose SandBlast Zero-Day Protection for complete protection against zero-day and targeted attacks. Unlike other sandbox solutions, SandBlast’s Threat Emulation technology with CPU-level inspection can stop the most sophisticated threats. Using evasion-resistant malware detection techniques, SandBlast can look into exploits that try to bypass OS security controls and stop the attack even before it tries to launch and evade detection. In addition to that, SandBlast’s Threat Extraction component removes malicious active content and embedded objects and delivers a clean file to end users.
Edenred Protects Its Prepaid Card Services with Check Point SandBlast
A U.S. regional bank was expending many hours and resources every week remediating issues caused by infections on the network and endpoints. Advanced threats coming in through email and web were getting past the bank’s existing firewall and negatively impacting the business. To protect its assets, the bank chose Check Point SandBlast and SandBlast Agent. With these products the bank is able to proactively detect and prevent zero-day attacks and unknown malware from the web and email, significantly reducing remediation efforts.
Protecting Users from Malware
Before choosing Check Point, the bank had been expending resources and man-hours every week remediating issues caused by malware entering the network and infecting the endpoints.
The bank’s network security was jeopardized when internal users visited websites that were malicious or had been compromised. The websites would download malicious content, some of which they had never seen before, infecting the users’ machines.
In addition, spam emails and embedded Word documents were getting through the bank’s firewall and reaching the end users. When users opened the malicious files, it was already too late. The executable code in them would enable attacks on the endpoints. The IT security team had to engage remediation procedures which could take hours or even days. The bank needed to find a solution that would detect the malicious files before they arrived at the endpoints and reduce the time spent on remediation.
Zero Day Protection for both Network and Endpoints
The regional bank chose Check Point SandBlast Network Security to protect its network because it was the market leader and because the bank’s own detailed testing determined it to be the best at preventing malware. With SandBlast, the bank secured its network from malicious content accessed by users.
As the bank was satisfied with the performance of SandBlast Network Security, it chose Check Point SandBlast Agent to protect its endpoints.
“We went with SandBlast Agent because it was more effective than the agent we were using; there were things slipping through it,” said the Network Security Administrator at the Regional Bank.
In order to test SandBlast Agent, the Network Security administrator threw a lot of malware at it, all of which was blocked.
“You couldn’t really get anything by it,” said the Network Security Administrator.
Since implementation, SandBlast Agent has been immensely effective in protecting the bank’s users.
U.S. Regional Bank gains operational efficiency while preventing advanced attacks
The company serves more than 19 million clients worldwide with industry-leading retirement plans, Employee Stock Ownership Plans (ESOPs), deferred compensation plans, and insurance offerings. Businesses, governments, institutions, and individuals turn to it to help them achieve their financial goals. Founded in the U.S., the company operates in Asia, Europe, Australia, Latin America, and North America.
Investing in the Cloud for Added Agility
Financial services organizations, such as insurance companies, investment banks, and asset managers, realize that extracting value from “big data” will make them more successful and competitive, driving new revenue streams and cost efficiencies. With this goal, in-house development teams are creating new financial models and algorithms by tapping into unstructured data sources, machine learning, and predictive analytics capabilities. The asset manager’s development teams needed more agility and flexibility as they developed and tested new applications in short time frames.
“Our developers want to be able to quickly spin up a virtual environment for testing or Quality Assurance (QA) purposes and then spin them down just as quickly,” said the Senior IT Network Analyst for the asset management firm. “They need workloads at some times and not others, so we’re moving to a private cloud model for more hosting flexibility to service these dynamic compute requirements.”
The firm’s security infrastructure team already managed firewalls and rules, proxies, and remote access using Check Point solutions. However, as they deployed a VMware NSX private cloud environment, they needed to secure it while maintaining security for their existing data center applications.
“We have a number of home-grown, proprietary applications that we will not move to the cloud,” said the Senior IT Network Analyst. “We wanted the ability to segment and protect applications, regardless of whether they are hosted in our traditional data center or in the cloud without compromising security for either environment.”
Orchestrating the Migration
The team looked at several potential solutions for securing their private cloud environment before choosing Check Point vSEC for VMware NSX, which protects internal data center (east-west) traffic with multi-layered protections. It transparently enforces security between virtual machines at the network level, automatically quarantines infected machines for remediation, and provides comprehensive visibility into virtual network traffic patterns and threats.
“Check Point vSEC for VMware is a more robust solution than others we evaluated,” said the Senior IT Network Analyst. “vSEC gives us the deep packet inspection we wanted, as well as the orchestration and automation we’re looking for.”
What’s more, the team deployed VMware NSX ahead of schedule, deciding to deploy Check Point vSEC for NSX without vendor or partner assistance. With the help of the administrator’s guide, they had the NSX cloud environment secured in under an hour. In addition, they transformed existing physical Check Point gateways into vSEC gateways using the Check Point R80 Hotfix feature for vSEC.
“We wanted to leverage the existing rule set and management orchestration that we already had,” said the Senior IT Network Analyst. “Now we’ve automated the entire NSX infrastructure to enable automated traffic redirection through the vSEC gateways simply by assigning resources to security groups.”
Global Asset Management Company
This regional credit union is one of the largest financial cooperatives in the U.S., offering various business and personal banking products and services through its many regional branches such as deposit accounts, credit cards, loans, insurance, and wealth management services.
Protecting Users from Malicious Emails
Entrusted with billions of dollars in assets, the credit union’s highest priority is keeping their members’ hard earned money safe. As a financial institution, it has a lot of sensitive data to protect, ranging from its customers’ private information—names, addresses, and social security numbers—to credit card numbers and financial information. Protecting this data requires taking strict measures to prevent unauthorized access attained through malware infections, defending against zero-day vulnerabilities that can lead to ransomware attacks, and eliminating phishing emails that target the bank’s unsuspecting users.
The bank’s Information Security team, consisting of only 4 people, was spending up to 20 hours a week remediating problems. The previous solution, a firewall and email security gateway using signature-based detection, had been letting various Zero-Day malware through its perimeter. Users would receive emails with infected attachments or links that once clicked would cost the bank a lot of overhead.
“We were constantly rebuilding PCs that were getting infected with malware, having to go and investigate and make sure the malware didn’t spread to other places,” said the bank’s Manager of Information Security. “It really became a lot of manual effort that was related to some of these infection events.”
The company knew it had to find a solution that significantly reduced the time spent on remediation of email-borne infections, and made management of security simpler and more effective. It sought a security solution that would stay one step ahead of the curve and be able to defend against advanced threats such as Zero-Day and ransomware attacks.
“Our Check Point SmartEvent console consolidates monitoring, logging, reporting, and event analysis to correlate data and give us actionable attack information,” said Honnold. “Our security analysts can see malicious events, attack entry points, scope of damage, and data about infected devices so that we can respond quickly.”
Regional Credit Union Protects Users with Enhanced Network Security
Helvetia provides a comprehensive range of insurance services to more than 4.7 million customers with a presence in Switzerland, Germany, Italy, Austria, Spain, France, Luxembourg, and Jersey. In Switzerland alone, Helvetia serves more than 750,000 private and business customers with 6,700 employees.
Achieving high customer satisfaction and trust is one of Helvetia’s primary goals. The company is committed to delivering high-quality, secure services for customers and its employees. Therefore, having a secure IT environment is a critical part of Helvetia’s operations.
“The insurance business is based on trust,” said Andreas Hagin, Head of Corporate Network & Unified Communication Engineering in Corporate IT Operations at Helvetia. “Focusing on customers is firmly anchored in our values and we set very high standards for ourselves and our IT security.”
Next Step: Automation
Like most IT organizations, Helvetia’s IT team is always looking for ways to handle a rapidly growing volume of work with the same number of employees. That means minimizing the number of manual tasks required of team members, reducing the need to retrain and redeploy teams, and finding new ways to deliver services as efficiently as possible. Helvetia sees automation and adopting a Software Defined Data Center (SDDC) strategy as the means to increased efficiency.
“We have been pursuing the vision of automation for years,” said Hagin. “Check Point vSEC is the perfect solution for this.”
Security with Flexibility
As Helvetia began its SDDC project, it had several challenges: create a new internal IT team structure, extend its VMware virtualized environment, and find a solution to secure it. Helvetia initiated a proof of concept to test its first steps toward a new SDDC based on VMware NSX.
“We built a virtual team comprised of storage, security, VMware, and network specialists,” Hagin said. “Then we scouted the market for a suitable security product and found what we were looking for with Check Point vSEC for VMware NSX.”
Helvetia chose VMware NSX to reproduce its data center networking environment functionality in the hypervisor layer. Check Point vSEC integrates with VMware NSX to deliver multi-layered defenses. Check Point vSEC protects east-west traffic within the VMware-deployed data center. It transparently enforces security at the hypervisor level and between virtual machines, automatically quarantines infected machines for remediation, and provides comprehensive visibility into virtual network traffic trends and threats.
The Mississippi Secretary of State is comprised of eight divisions, each with specific responsibility for delivering information and services to its constituencies. The divisions include Business Formation and Services; Charities; Public Lands; Elections and Voting; Regulation and Enforcement; Securities; Education and Publications; and Policy and Research.
Looking for Stronger, Broader Protection
The Mississippi Secretary of State faces the same cyber threats that target large enterprises and other levels of government. Security is a high priority, and recently, the agency upgraded its security infrastructure to achieve a number of goals.
“We have a much broader range of threats to defend against,” said Russell Walker, Chief Technology Officer in the Mississippi Secretary of State. “Ransomware was a huge concern, and we needed stronger protection against everything from viruses, bots, and general malware to zero-day attacks and phishing.”
The solutions deployed previously lacked capabilities, such as sandboxing, that could accurately stop and analyze a potential threat. Endpoint protection was a traditional, signature-based antivirus product that not only missed malware and advanced threats, but also took a toll on users’ PC performance. None of the solutions delivered adequate visibility into threats that they did catch, nor did they give Russell and his team actionable information for fighting them.
“We began looking for an endpoint protection solution that did a much better job of preventing and detecting malware with fewer resources,” said Russell. “We also wanted a better Intrusion Protection System (IPS) and anti-bot solution—all in one package.”
Starting with the SandBox
Russell’s team evaluated potential solutions, including Check Point, from the perspective of being able to sandbox threats.
“Check Point SandBlast Zero-Day Protection was on a level by itself,” said Russell. “Check Point was one of the only companies that could do Threat Emulation and Threat Extraction—and they were the best.”
Check Point SandBlast Zero-Day Protection provides complete protection against zero-day and targeted attacks. Threat Emulation technology monitors CPU-based instruction flow for exploits trying to bypass OS security controls, allowing it to stop attacks before they can evade detection. Threat Extraction removes exploitable content, including active content and embedded objects, reconstructs files to eliminate potential threats, and promptly delivers sanitized content to users. To protect its endpoints, the Office chose Check Point SandBlast Agent, which gave them a complete set of real-time anti-ransomware, anti-bot, zero phishing, and automated incident analysis features.
“We could use Check Point’s threat cloud, which eliminated the need for another appliance,” said Russell, “and we got protection with visibility that isn’t available from other products in a single offering. Wow.”
Mississippi Secretary of State Gains End to End Advanced Threat Protection for Its Data
Denham Capital is a private equity firm with more than $8.5 billion invested in the power, oil and gas, and mining industries. It has backed successful power projects around the world and achieved recognition for its deals. As Denham migrates its infrastructure to the cloud over the next two years, it needed a way to secure cloud-based assets—as easily as possible.
Industry Unpredictability Demands Adaptability
Notoriously unpredictable, the energy industry requires that IT vendors be able to stop or turn on a dime. With billions of dollars at stake, Denham is always seeking to increase network agility while reducing costs and improving end user productivity. From an IT perspective, this drives Denham to seek solutions that reduce the high costs of operating physical data centers and associated hardware, increase application performance for users who process and analyze financial models with large amounts of data, and enable rapid and easy deployment and provisioning of new offices or users—or moving existing ones—without compromising performance or security.
“The market is shifting to software defined infrastructures and subscription services,” said Peter Ostashen, IT Manager at Denham Capital. “We began a phased migration to the cloud, but moving security to the cloud can be a painful process. We wanted to minimize that.”
Based on their existing Windows environment and long experience with Microsoft as a business partner, Denham’s team chose Microsoft Azure for its enterprise-grade cloud-computing infrastructure. The lean three-member Denham IT team needed to easily protect data and applications in the cloud, gain visibility into traffic both on premises and in the cloud, and ensure consistent security everywhere.
Check Point CloudGuard IaaS Smooths the Move
Ostashen and his team began exploring security solutions from large, well-known networking vendors. However, they found that those solutions were limited in terms of the number of supported VM interfaces, had extensive VM resource requirements, and lacked the required performance. Denham Capital already had physical Check Point security appliances deployed on premises, and sought the same level of security protections and policy management provided by their on-premises solutions. After carefully evaluating other competing products, Denham decided Check Point CloudGuard IaaS was the best solution to secure their Azure cloud environment.
“We chose Check Point CloudGuard IaaS for Azure because it delivered the next-generation security features we were looking for,” said Ostashen. “It gave us much more flexibility in Azure, better security, and was easier to manage than the competing solution.”
Check Point CloudGuard IaaS for Microsoft Azure extends advanced threat prevention security to protect Azure cloud environments from malware and other sophisticated threats. As a Microsoft Azure certified solution, CloudGuard IaaS enables organizations to easily and seamlessly secure their workloads, data and assets while providing secure connectivity across cloud and on-premises environments.
Denham’s IT team has already begun migrating resources to their Azure cloud, starting with Active Directory and Exchange services, as well as file services and several applications. Likewise, any new services are now hosted in Azure and secured with Check Point CloudGuard IaaS. Backup appliances, storage services and remaining Check Point premises solutions will be migrated over the next several years.
Since it was established in 1961, Tecnun has maintained a balance between teaching, research and its contribution to society. Tecnun has two campuses in San Sebastián—the Ibaeta District and the Miramón Technology Park. Both campuses focus on the teaching and research of mechanical engineering, industrial engineering, telecommunications, electrical and energy engineering and biomedical engineering.
Boost Perimeter Protection and Simplify Security Management
“The progressive and unstoppable transition to a digital university, where students and teachers increasingly depend on the internet, the rise of social networks, increased voice and video traffic and the migration of applications and services to the cloud were pushing our network infrastructure to its limits and the time had come to make a decision,” explains Enrique Reina, Head of IT at the University of Navarra Technology Campus in San Sebastián.
“Like all organizations of a certain size, we were being targeted by numerous attacks of all kinds,” adds Enrique Reina. “We had been implementing solutions from different vendors that provided partial coverage. Security management had become highly complex, with a requirement to simultaneously manage and monitor various sites. We didn’t have the capacity to correlate or analyze all the information generated by the various protection systems in place.”
Complete and Effective Security
“The best way forward was to redesign our perimeter security to ensure adequate protection against the new security challenges and advances in technology,” explains Reina. “After discussing our needs with various security vendors, we chose Check Point – with whom we have worked for over 20 years – whom we felt stood out from the crowd. In just three days, the Check Point team performed a full Security CheckUp, showing us our risks and vulnerabilities and allowing us to view network activity in real time. Just one week after the CheckUp, working in partnership with Telefónica Solutions, Check Point provided a full demo installation that allowed us to see the solution they proposed.”
Tecnun decided to replace equipment from other vendors and consolidate its entire network protection with Check Point, installing a high availability cluster of devices on each campus. At the Miramón campus, which employs about 90 teachers and researchers and around 200 students, two Check Point 4600 appliances with Next Generation Threat Prevention (NGTP) were selected. In Ibaeta, where 300 people work and more than 800 students study, two Check Point 12200 appliances were installed, as well as the management console and Next-Generation SmartEvent.
“The Next-Generation Check Point appliances are completely different from the pure firewalls we used before. They have evolved into a full security platform with an advanced range of features, including safe browsing, secure email, URL filtering, antivirus, protection from intrusions, anti-bot protection, mobile access and application control, and all this in a single appliance,” explains Reina. “Instead of having various independent applications, the Check Point Next-Generation SmartEvent console offers a single view and unified management of campus security.”
Tecnun Secures Its Digital Campus with Check Point Next Generation Threat Prevention
Located in Créteil, France, this local authority manages all public services for the area’s 1.4 million inhabitants across 47 cities.
Daily Cyber Attacks
The Conseil Départemental computers and those in the IT Department were experiencing attacks regularly. They were mostly caused by suspicious email attachments containing either known or new malicious code. Despite having antivirus programs installed, this malware was so clever that it was capable of evading detection. The IT team had to find a way to halt this growing problem and ensure a secure environment to work in.
Detecting Unknown Attacks
In 2015, the Council’s IT Department researched existing solutions dealing with advanced threats and “Zero-Day” attacks, which were not recognized by traditional antivirus solutions. They then approached Check Point to perform a Security CheckUp.
“We asked Check Point to test their SandBlast solution. Like other government organizations, we have to manage IT attacks. We wanted to increase our security by adding the SandBlast product to complement our suite of IT protection tools,” explained Mikaël Auzanneau, Networks and Security Engineer at the Conseil Départemental. “The result? The management immediately gave us the green light to purchase several SandBlast blades.”
The Conseil Départemental du Val de Marne Blocks Threats in Real Time
With more than 20 years of experience in microbial fermentation for oral- and injectable-grade, microbial-derived biopharmaceuticals, Gnosis is a leading manufacturer of active and functional ingredients. The company has locations in Italy, Switzerland, the U.S., and China.
A Growing Attack Surface
Gnosis has grown rapidly, and with growth comes an increased attack surface. Zero-day and other advanced threats were increasing, and as a pharmaceutical company, Gnosis must comply with strict government security regulations. Authorities are increasing their focus on system security to include facilities such as laboratories and manufacturing facilities, but Gnosis’ legacy systems were not able to prevent advanced threats from gaining access.
Because Gnosis had expanded dramatically, it needed to implement a more efficient, consolidated security solution that could protect the network, data, and communications between headquarters and other sites. It began looking for a next-generation solution as protection from advanced threats against employees, visitors, and suppliers, as well as websites and outgoing communications, such as email.
Choosing Comprehensive Protection
Gnosis evaluated the cybersecurity providers that are listed in the Gartner Magic Quadrant. After narrowing its choices, Gnosis chose Check Point SandBlast Zero-Day Protection to secure its networks and data with protection against zero-day threats. It also deployed Check Point Next Generation Threat Prevention (NGTP) with multi-layered protection from known, signature-based threats.
Gnosis uses Check Point firewall services, app control, intrusion prevention, perimeter antivirus, antibot, antispam and URL filtering capabilities. It also adopted Threat Emulation and Threat Extraction technologies, which include evasion-resistant CPU-level exploit detection, machine learning, and Push-Forward Adobe Flash emulation.
In addition to the Next Generation Threat Prevention capabilities that protect against all known threats, Gnosis chose SandBlast Zero-Day Protection, which protects SMTP, HTTP, and HTTPS traffic from all unknown threats—zero-day, cryptolocker, Advanced Persistent Threats (APT), and others. CPU Level Protection blocks malware intended to bypass sandbox protections. These features ensure a high level of protection for Gnosis.
Threat Extraction delivers an immediate, preemptive, 100% sanitized version of a file, allowing business continuity in a secured environment, ensuring Gnosis’ high level of customer experience.
Security is Gnosis’ Active Ingredient
Starkey Hearing Technologies is a world leader in advanced hearing solutions, as well as the largest U.S. manufacturer. Its evidence-based design process results in products that make a dramatic difference in people’s ability to hear the world around them.
Getting—and Staying—a Step Ahead
Hearing care professionals worldwide order Starkey products through the company’s online ordering and payment system. Starkey must meet Payment Card Industry (PCI) compliance requirements in addition to securing its business with other solutions, such as Data Loss Prevention (DLP), antivirus, and other network security tools.
“Technology changes quickly, which makes it a real challenge to keep up,” said Joe Honnold, IT Manager of Network Services at Starkey Hearing Technologies. “We’re trying to minimize the impact of change and still provide a secure environment for employees and customers.”
Honnold’s job became even more challenging when Starkey was hit by an unknown advanced malware attack that started communicating with a command and control server. The team later learned that the malware was Gatak, a type of Trojan. Gatak hides data in image files. When it installs on a computer, it tries to download an image from any number of URLs that are hard-coded into the malware. The image contains encrypted data in pixel data. Next, Gatak deploys a lightweight capability that performs detailed fingerprinting on the infected machine and can also install additional payloads. A second Trojan component persists on the machine and steals information.
That persistence led to three or four advanced malware incidents per week. The attacking malware gathered valuable data that enabled it to escalate access privileges to network assets and spread laterally. It infected 2,000 machines in just two weeks. Under external control, the data could have been exfiltrated or encrypted and held for ransom. When employees took their laptops home and were no longer behind the corporate gateway, they became much more vulnerable. It was obvious that Starkey’s antivirus solution was no longer enough.
“Modern malware changes every day,” said Honnold. “We needed more advanced capabilities to protect our laptops and other edge devices. We called Check Point and asked how we could better leverage our Check Point gateway infrastructure to increase our protection.”
Protection That Lives on the Edge
Starkey chose Check Point SandBlast Agent to protect the company’s desktops and laptops. SandBlast Agent uses a complete set of advanced endpoint protection technologies—both on-premises and remote—to defend endpoints against zero-day malware and targeted attacks. Starkey deployed SandBlast Agent on 4,000 systems across 34 facilities worldwide.
SandBlast Agent detects and blocks attacks from email, removable media, spear phishing, watering holes, and command-and-control communications, even when users work remotely. SandBlast Agent also stops data exfiltration to prevent sensitive information from leaking, and it quarantines infected systems to prevent malware from spreading. Starkey gains valuable protection across enterprise file types, such as Microsoft Office, Adobe PDF, Java, and multiple Windows operating system environments.
“We use SandBlast Agent’s Threat Emulation capability to discover malicious behavior,” said Honnold. “It even uncovers new types of malware and threats hidden in SSL and TLS encrypted communications.”
SandBlast Agent Threat Emulation quickly inspects files in a virtual sandbox. Suspicious-looking files are flagged for deeper analysis and then Threat Emulation sends a signature to the Check Point ThreatCloud database, which documents and shares information on newly identified malware.
SandBlast Agent’s automated forensics capability gives Honnold’s team a deeper understanding of security events, faster. When a malware event occurs, a combination of advanced algorithms and deep analysis of raw forensic data in SandBlast Agent builds a comprehensive incident summary with a complete view of the attack flow.
“Our Check Point SmartEvent console consolidates monitoring, logging, reporting, and event analysis to correlate data and give us actionable attack information,” said Honnold. “Our security analysts can see malicious events, attack entry points, scope of damage, and data about infected devices so that we can respond quickly.”
Italy’s Fondazione Telethon is a nonprofit organization with headquarters in Rome and Milan. Founded in 1990, Telethon fosters research that leads to cures for rare genetic diseases. The organization prioritizes its focus on diseases that are so rare that they do not attract sufficient research investment. It then matches Italy’s top researchers with the most promising projects and promotes public involvement through a television fundraising marathon, a partner and volunteer network, and other initiatives.
Protecting Sensitive Data and a Stellar Reputation
Security at Telethon is critical because of the large amount of sensitive, high-quality research and medical data it handles. In addition to requiring information safety and business continuity, Telethon has a strong reputation for excellence. Any security breach could cause irreparable damage to its future fundraising campaigns and limit its ability to support research.
Today’s cyber threats are escalating and exposing Telethon to significant risk. Telethon needed a threat protection solution that could secure its network at the edge. Email protection was also crucial, since email is a primary attack vector. It needed better insight into cyber threats to analyze attacks, infections, and impact. Telethon also wanted to improve visibility and incident analysis capabilities.
Gaining Virtualized In-Depth Protection
To defend its network against advanced threats, Telethon evaluated several possible solutions. After careful consideration, it chose Check Point. Through Grafidata, a trusted Check Point partner in Rome, Telethon implemented Check Point virtual appliances, which are completely hardware-independent. Telethon implemented Check Point Software Blade architecture, initially using the Firewall, Intrusion Prevention System (IPS), URL Filtering, and VPN Software Blades. This deployment gave Telethon integrated security for its network gateway, connections to remote locations, web security enforcement features, and intrusion prevention.
Later, it added Application Control for creating granular security policies, Anti-Bot Software for defending against bot and C&C communications, and the Antivirus Software Blade to defend against incoming malicious files.
“Check Point solutions give us 360° security and have proven to scale up to any situation,” said Marco Montesanto, Head of Information Systems at Telethon. “The Check Point products are very flexible and adaptable to any business need, giving us an important competitive edge.”
Fondazione Telethon Supports Its Mission with Added Protection
The Australian non-profit is a community service organization that helps people regain their independence. More than 3,500 staff members work across Australia on initiatives that include affordable housing, reducing homelessness, early learning and youth services, family support, employment, and skills development.
Securing the Azure Cloud
Moving mission-critical applications to the cloud can be a major undertaking for even large enterprises. For a non-profit with a lean IT team, moving applications and data to the cloud and securing them was essential to its goals. The non-profit’s Architecture and Engineering teams had launched the first phase of a cloud-based project designed to improve access to the organization’s CRM application. Much of the CRM data is sensitive, relating specifically to the organization’s clients.
“We’re moving to the cloud to give our staff improved accessibility to the applications they need,” said the Infrastructure Architect at the Australian non-profit. “As we implement our cloud strategy, we also need to build security around users, instead of devices, to better protect data.”
The non-profit chose Microsoft Azure, an enterprise-grade offering, for its cloud computing infrastructure and wanted to implement the highest level of security possible to protect applications and data. The team looked for a security solution that delivered intelligence, simplicity, and manageability. According to the architect, the traditional approach of the Microsoft cloud using the built-in controls of port groups and static firewall rules was just not sustainable over time for the small IT team. The organization also needed scalability with cost-effectiveness.
Finding Check Point vSEC for Microsoft Azure
“The standard Microsoft approach didn’t work for our security approach,” said the architect. “We wanted a smart firewall with high availability deployed between the Internet and our servers. We didn’t want our servers accessible directly on the Internet.”
As the team researched the firewall vendor landscape, they found that some of the firewall vendors didn’t have offerings for Azure. Others couldn’t provide supporting information about how to integrate with Azure. Still others lacked experience, being new to the security industry. When they discovered the Check Point vSEC for Microsoft Azure solution, it caught the team’s attention.
“I had worked with Check Point products in the past, and our network architect was familiar with Check Point,” the architect said. “The brand familiarity gave us confidence, so we began testing the solution and that’s what we chose.”
Check Point vSEC for Microsoft Azure extends security to the Azure cloud infrastructure with the full range of protections delivered by Check Point’s industry-leading threat prevention architecture. vSEC for Microsoft Azure prevents network attacks and data breaches while enabling secure connectivity to Azure public cloud environments. As the team began to deploy Check Point, they quickly realized that they had to change their application design, because of the way Azure works.
“We were pushing the envelope in Australia by deploying in Azure,” the architect explained. “Very few organizations had deployed both internal and public-facing services in Azure, especially with a security appliance deployed in the middle. That integration was challenging, blazing a new trail with little reference deployments or knowledge to draw upon as no one had done it before.”
Australian Non-Profit Secures Its Microsoft Azure Cloud
Ultima Business Solutions provides end-to-end IT services and solutions to customers in the United Kingdom. The company’s “cloud-first” focus helps customers securely migrate to the cloud with best-of-breed technologies, consulting, and managed services—freeing them to focus on their core businesses.
We Use It First
Ultima uses new solutions and technologies itself before recommending them to its customers. That strategy has paid off over the past 25 years as customers repeatedly turn to Ultima as their trusted advisor. Ultima also is a Check Point partner and has used Check Point firewalls, endpoint security solutions, and other technologies to secure its own business, as well as its customers’ organizations.
As the company moved its operations to the cloud, it wanted to extend protection to its mobile devices. When salespeople and consultants were in the office, devices were well protected through Ultima’s on-premises firewall and other security solutions. When users returned to the office from being in the field and the on-premises solutions detected malware, they would alert the security team, which could remediate the device. But when users were out in the field, the security team had no visibility into these devices. Even more worrisome, users weren’t aware if their devices were being attacked, because there were few obvious symptoms.
“We know of the advanced threats that our devices face when they leave the office,” said Chris Watkins, Solutions Architect in Security at Ultima. “We needed visibility into what’s going on with them and the ability to extend the same level of on-premises protection to them in the field.”
Extending Protection with Capsule Cloud
Colin Prime-Moore, Chief Technology Officer at Ultima, and the Ultima security team collaborated to find the best way of protecting mobile devices. They chose Check Point Capsule Cloud to extend their existing on-premises Check Point capabilities to all Windows and Mac devices that aren’t attached to internal systems.
Check Point Capsule Cloud provides network perimeter security as a cloud service. Laptop traffic is sent to the cloud, where it is inspected for zero-day malware and filtered for inappropriate sites and content, and where policies are enforced and logged, giving Ultima always-on, always-updated protection for users off the company network.
The Ultima team conducted a proof of concept with Capsule Cloud, and immediately found viruses, began blocking malicious sites, and began analyzing suspicious files on the company’s mobile devices. It deployed Capsule Cloud through Microsoft System Center Configuration Manager and gained immediate, centralized visibility into all covered devices.
“Deployment was easy—we didn’t have to do anything,” said Watkins. “It was completely automated. Now we can protect multiple devices for 450 employees.”
Ultima Enables Employees with On-the-Go Security
Daymark architects and implements complex data center solutions providing deep technical knowledge, extensive experience, and proven methodologies to help clients make educated decisions, streamline the acquisition process, and successfully implement cost-effective solutions and service. Daymark challenges itself to continuously understand customers’ changing needs and to meet them with the right technologies. As its customers wanted to embrace cloud services with advanced security, Daymark searched for a solution that could address the security challenges of migrating workloads to the cloud.
Securing Cloud Applications and Workloads
Daymark’s business customers have begun their journeys to the cloud in order to achieve specific objectives—reduce infrastructure footprint and associated CAPEX costs, simplify management, accelerate service delivery or improve application performance. Daymark had chosen Microsoft Azure as its cloud delivery platform because it met the broadest range of customer requirements, was enterprise-ready and easy to use. About the same time, Daymark was refreshing its core infrastructure platforms so it made sense that the company also adopt the cloud that it advises customers to use. Daymark began moving core assets into Microsoft Azure as well.
“We work closely with customers to help them avoid unforeseen issues while deploying complex IT solutions,” said Corey Roberts, Director of Technology at Daymark. “As we moved our environment and helped customers deploy workloads in Azure, we knew that security was a critical capability and challenge. We began looking for a solution.”
Visibility and Protection Inside The Cloud
Daymark’s intellectual property—its documentation and processes—are critical assets. The company needed to protect these assets together with customers’ cloud data. Protecting the perimeter with advanced threat prevention, data leak prevention and intrusion prevention was essential. Customers also were experiencing malware and ransomware in their cloud environments. At the same time, the Daymark team needed much better visibility into the Azure environment for troubleshooting, forensics and reporting purposes. Specifically, they couldn’t see traffic that the firewall blocked or captured at the network perimeter or inside the cloud.
“We began looking at next-generation firewalls on the market,” Roberts said. “We wanted a solution that could inspect at Layers 4 through 7, deliver in-depth analytics, and prevent threats—not just detect them. It had to work with Azure, and it had to protect customers’ highly detailed, micro-segmented workloads.”
Comprehensive Cloud Security with Ease of Deployment
The Daymark team conducted extensive evaluations of next-generation firewall solutions and identified Check Point as an industry leader. After testing several solutions in the lab, the team was impressed by Check Point’s ease of use and superb visibility. They chose Check Point vSEC for Microsoft Azure for both on-premises and cloud environments.
The Check Point vSEC solution extends security to the Azure cloud infrastructure with a full range of protections offered by the Check Point Threat Prevention Security architecture, including anti-malware and zero-day protection using sandboxing technology. vSEC for Microsoft Azure prevents network attacks and data breaches while enabling secure connectivity to Azure environments. The deployment of Check Point vSEC was straightforward for the team. They deployed vSEC in Daymark office locations and connected them together in the Azure environment.
“During deployment, we contacted Check Point support for guidance and they were amazing,” said Roberts. “They understood the deployment from both the Microsoft and Check Point perspectives. We just dropped the license keys into our Check Point portal, rolled out the appliances, and were up and running within a day.”
Daymark Solutions Secures Its Microsoft Azure Cloud
Koch Media is a leading independent producer and marketer of digital entertainment products in Europe and North America. It distributes movies, video games, and software products, and publishes games under the Deep Silver label.
Protecting Intellectual Property—and Revenue
Koch Media is a trusted publisher and marketer for a wide range of media products, including games. Moving products through development with multiple partners can potentially expose them to risk. For example, games are unprotected code while they are being developed. If a developer is attacked, code could be lost or exposed to the world, which would mean loss of revenue and trust. Securing game code, sensitive business data, and other assets is challenging across more than 25 locations—each of which has its own security rules and policies.
In the past, Koch Media used Cisco Adaptive Security Appliances (ASA) in each location. Company locations often need to change a firewall rule to accommodate a business process. For example, when the Koch Media office in Milan needed to use a specific web conferencing solution to collaborate with a partner, the IT team had to physically go to the firewall, change the rule, and manually reconfigure the firewall. With only a Command Line Interface (CLI), the team had to work through 100 lines of code just to change one line. Because this was a manual process, it was open to human error, and requests for changes arrived daily.
Sharing large files safely also became a concern. As applications are now critical, securing ports or IP addresses is no longer enough. Koch Media needed the ability to secure the application layer, especially with assets such as game code. In addition, the IT team was seeing a growing amount of malware that its antivirus missed.
“We needed protection against zero-day threats,” said Juri Vaisman, Director of IT International at Koch Media GmbH/Deep Silver. “We also needed to centrally manage all locations and the flexibility to change rules without disrupting the network by having to reconfigure firewalls.”
Simple, Effective, and Pervasive
Koch Media already had deployed Check Point Next Generation Threat Prevention (NGTP) with multi-layered protection from known, signature-based threats. With Check Point SandBlast Zero-Day Protection, it gained real-time protection against zero-day attacks using sandboxing and Threat Extraction.
“Check Point SandBlast was easy to deploy,” said Laing Zhang, Director of Networking and Security at Koch Media GmbH/Deep Silver. “It automatically joined our secure VPNs that connect each location and gives us end-to-end protection against attackers. It also gives us a number of other controls that we needed to better secure our stock in trade—applications.”
This company is an independent, not-for-profit organization that has provided health care services in its state for more than 30 years. When it experienced a growing number of cyber-attacks, it quickly moved to add another layer of security.
Protecting Patient Data
Like other organizations in the health care sector, insurance companies have experienced intensified cyber-attacks within the past 12 to 18 months. Patient care data and financial data are at stake, so the company took decisive steps early in 2015 to boost its defenses. Over time, it had acquired multiple point solutions, each with its own set of capabilities. Now the company wanted to add layers of security and new features to close some gaps, such as improving Data Loss Prevention (DLP) coverage.
“We were seeing high volumes of zero-day and other advanced threats,” said the Chief Executive Security Officer (CISO) for the company. “We needed to increase our capabilities and reduce our security infrastructure support and maintenance burden at the same time.”
The company had multiple, separate firewalls for web filtering, content filtering, and Intrusion Prevention System (IPS) protection. As the CISO and his team evaluated their options, they looked at Palo Alto Networks, F5, FireEye, and several niche solutions. However, none of them offered the unique combination of comprehensive features, high scalability, centralized threat visibility, and low IT overhead that they wanted.
“We have a small team supporting a large number of technologies and programs,” the CISO said. “It was important to simplify as much as possible so that we can focus on strategic security projects instead of multiple, point solutions.”
Proof of Protection
After conducting a proof-of-concept evaluation with one other vendor, the company chose Check Point’s SandBlast Zero-Day Protection solution. Check Point SandBlast protects networks from even the most sophisticated malware and zero-day threats, using Threat Emulation sandboxing and Threat Extraction technologies.
“Check Point met our requirements of being able to consolidate capabilities into one solution,” the CISO said. “We also liked the fact that we can deploy it on premises for more control.”
The health insurance company migrated to SandBlast over several months to avoid disrupting its existing environment. It gained consolidated Check Point firewall, IPS, Virtual Private Network (VPN), DLP, zero-day protection, web filtering, and anti-bot protection capabilities in a single, easily manageable solution.
Health Care Insurance Company Boosts Its Defenses While Minimizing Complexity
A leading regional hospital in the Northeastern U.S. offers a variety of clinical services, from cardiology, critical care, oncology, and surgical procedures to fitness, wellness, and education programs. The hospital is proud to be accredited by the Joint Commission, and has received a variety of awards, including recognition by the American Nurses Credentialing Center.
“We are a community-based hospital with about 100 beds, and are highly rated, with numerous certifications and awards,” says the healthcare provider’s IT security engineer.
Protect Patient Data in an Evolving Threat Landscape
Like most healthcare providers, the hospital relies on its network to support its most important patient services and business operations. Maintaining maximum security is a top priority. Approximately 1,200 users depend on the network, and the facility is dedicated to complying with the Health Insurance Portability and Accountability Act (HIPAA) and other industry regulations.
“We send and receive a lot of sensitive information through our network and firewall, including payment processing with our business partners,” says the IT engineer. “We have concerns about data being breached, patient security, and our own security for our employees and files.”
The hospital’s IT team stays educated on the security landscape, and zero-day malware has emerged as a major threat over the past few years. According to the 2016 Check Point Security Report, the number of unknown malware downloaded per hour in 2015 was nine times greater than the previous year. The stakes are high, since even a brief security lapse could compromise business systems or even impact healthcare services.
“Our patient systems are generally separate from our patient care systems, but we are still in a connected environment,” says the engineer. “If a threat gets through, there is the potential that it could impact large parts of the network.”
The technology team understands that effective security needs to protect the network not only from external threats, but from issues that originate inside the hospital as well.
“One of our biggest worries is about what happens internally,” says the IT engineer. “A problem could arise from something as simple as a user bringing in an infected file on a thumb drive. Research has shown that oftentimes employee behavior can increase risk.”
Preventing New and Unknown Attacks Before They Strike
The hospital has employed Check Point security solutions for years, and depends on redundant 12400 Appliances to provide complete, high availability protection against evolving threats.
To help the organization complement its firewall and IPS solutions, Check Point recommended the cloud-based SandBlast Threat Emulation Service. This convenient, zero-day sandboxing solution not only offers the protection the healthcare provider requires, but is simple to set up and manage.
“I like the cloud-based service because Check Point can take care of it and keep the environment up to date better than we can,” says the IT engineer. “That eliminates the worry of having to maintain OS upgrades, patches, and other updates. And we can still configure the rules, so we can control it the way we want to and use it the way we want to.”
The Check Point SandBlast Threat Emulation service lets the hospital discover and stop new threats and zero-day attacks using emulation in a virtual sandbox. The solution focuses on email attachments and file downloads, and works smoothly without impacting the hospital’s existing environment.
“Our SandBlast Threat Emulation runs in the cloud, and I have to say it’s fast,” says the engineer. “It examines about 1500 files a day, and you would think that there would be a delay, but we tested it, and the performance is fine.”
Next-Generation Prevention, Protection, and Performance
For additional protection against external threats, the regional hospital also relies on the Check Point IPS Software Blade, which combines with the other capabilities on the 12400 Appliances to deliver proactive, best-of-breed security. Its advanced monitoring provides deep insight into attacks, their targets, and their sources.
Simple, Complete Security Management
The healthcare provider has a small technology organization, and making the most of its limited resources is important. The Check Point solution includes central unified management that gives the IT team complete control over their entire security environment from a single, intuitive dashboard.
Regional Hospital Protects Critical Healthcare Data and Improves Compliance
Ensuring a Clean, Safe Water Supply
The Hunze en Aa Water Resource Board is responsible for ensuring that communities in eastern Groningen and northeastern Drenthe, the Netherlands, enjoy access to sufficient, clean water. The water resource board also builds and maintains dikes to protect against flooding, and ensures that waterways are navigable. It’s a challenging responsibility, because much of the area is below sea level, and pumping stations regularly pump high water into the Wadden Sea.
In this sensitive environment, maintaining robust security is essential for the board—particularly for its Supervisory Control and Data Acquisition (SCADA) systems. Even a short network downtime could jeopardize the safety and lives of people throughout the region.
Protecting Water Management Environments for Compliance and Reliability
To help ensure safe operation of its pumping stations and other key systems, the Hunze en Aa Water Resource Board needed a solution that was reliable and provided complete control. The water resource board wanted to minimize risks in its SCADA environment and replace its eight-year-old, mixed environment of security tools with a central, manageable solution.
“The Information and Communications Technology (ICT) team is responsible for both office IT and industrial process automation, in particular the technical management of the applications and connections,” says Rudi Boets, Head of the ICT Team at Hunze en Aa’s Water Resource Board. “We ensure that the SCADA systems can send their data to the main entry system via the VPN connections. The managers can then consult the data by means of visualization.”
The Board was also looking to improve compliance with guidelines from the Baseline Information Security Water Board (BIWA). This Dutch water board union has established recommendations to secure utilities’ physical environments as well as digital information.
The stakes were high, and the water board needed a solution that could provide thorough protection against today’s advanced threats.
“Imagine that a large pump in one of our pumping stations suddenly goes off-line,” says Boets.
“In such a case, we run the risk that a large area will be flooded. That could lead to life-threatening situations and major economic damage.”
Delivering Full Visibility
To gain the network insight and security it needed, the Board decided to implement a total upgrade of its network environment. After evaluating a variety of products, the organization deployed Check Point 12400 NGTX Appliances with SandBlast Zero-Day Protection. The appliance-based solution helps the Board increase visibility into its SCADA application data. Check Point helps the water resource board reduce the risks in its SCADA environment to a minimum and replace its mixed assortment of old security tools with a central manageable cluster.
“During the proof of concept phase, the Check Point solution was the best of the bunch when it came to monitoring and developing an inventory of SCADA traffic,” says René van Hes, System and Network Manager at Hunze en Aa’s Water Resource Board.
Consolidating for Control
Check Point 12400 Appliances offer a complete, consolidated security solution available in five Next Generation Security Software Blade packages. Migrating from its outdated multi-vendor environment to a consolidated solution also helps the Board enhance control over its network environment.
“We wanted a security solution with a central control option,” says Van Hes. “Above all, it had to have more functionality than our existing solution. When it came to making a choice, we paid attention primarily to how our various tools could be combined in a single solution. The central control feature is very clear, which makes our work a great deal simpler.”
Powering Sophisticated Threat Prevention
At the outset of the deployment, Check Point and its partners performed a Security Checkup, then tested the solution for three weeks on the organization’s network.
The process involved activation of all the appliance’s software blades, as well as the cloud-based SandBlast Threat Emulation Service to protect against zero-day and unknown malware. Using the SandBlast sandboxing capability to analyze files, the water resource board is able to secure its network against the more sophisticated malware that might bypass traditional security solutions like antivirus.
Ensuring Consistent Compliance
Hunze en Aa’s Water Board deployed the Check Point solution to free the organization from its legacy security systems. The new solution delivers the granular visibility and control it needs, as well as the advanced security required to meet demanding BIWA standards, while also ensuring optimum security for its SCADA systems.
Dutch Water Resource Board Enhances Network Security and SCADA Systems
Headquartered in Topeka, Kansas, SE2 provides third party administration services to life and annuity insurance carriers, helping them launch products rapidly, improve efficiencies and maximize profits while improving the customers’ experience and enabling a shift to a variable cost model.
There Has to be a Better Way
Insurance carriers maintain large stores of sensitive client information, financial data, and proprietary analysis information. But as competition increases, many carriers are turning to third party administrators (TPAs) to reduce costs, improve customer service, and become more agile.
“We’re definitely growing,” said Saul Schwartz, Enterprise Security Engineer at SE2. “As our customer base grows, so does the amount of sensitive financial data that we have to protect. We’re responsible for multiple carriers’ business-critical data, so defending it is a top priority.”
Keeping up with new threats was a constant challenge, consuming a significant portion of the security team’s time. Every day they monitored logs, reviewed events, and simultaneously tried to advance new security projects. But it never seemed to be enough. Schwartz was spending tens of hours every week triaging alerts and instructing technicians on virus and malware remediation. SE2 had an existing sandboxing solution, but it took up to 10 minutes to alert the team after malware hit a workstation. By then, it was too late to stop, resulting in additional effort to remediate any impact.
“I don’t want to have to explain to my CIO that we’ve just had a million life insurance policies made inaccessible by cryptolocker,” said Schwartz. “That’s one of my biggest concerns. And it’s why I began looking for a better threat emulation (sandboxing) solution.”
Schwartz’s list of requirements included faster emulation—as close to real time as possible. He wanted a way to block threats, instead of just alerting him after the fact. He also wanted to consolidate everything to a single pane of glass, eliminating the need to manage multiple appliances and policies. List in hand, he and his team began evaluating alternative solutions.
A Simple Ounce of Prevention
The security team tried several solutions, including Check Point SandBlast. To compare them, Schwartz ran the solutions simultaneously in detect mode. In just one week, the competitive appliance missed several instances and failed to alert Schwartz, but SandBlast caught all of them.
“We checked with our compliance team to see if we could operate SandBlast in the cloud, and they had no restrictions,” said Schwartz. “It was so simple to activate using our existing Check Point gateway. We literally activated a license and turned it on.”
With SandBlast zero-day protection deployed, Schwartz gained superb threat prevention capabilities. He no longer has to spend time tracking down alerts, because machines are not being infected, and he rarely has to activate the incident response plan anymore.
SE2 Insures Itself Against Advanced Threats
The Community Newspaper Group’s (CNG’s) seventeen regional newspapers and associated websites provide readers in Western Australia with the latest local news, sports, entertainment and more.
No Time for Downtime
More than 700,000 readers rely on their daily Community Newspaper Group content to stay informed about local news and events. In today’s fast-moving publishing world, readers expect near real-time information even at the local level, so downtime that affects CNG reporters and employees or the network is not an option. Advertising is still the primary revenue source for CNG, so any interruptions that could prevent timely rollout of physical or online editions translate to lost revenue and potentially dissatisfied clients.
Until recently, Community Newspaper Group protected end-user systems and digital assets with Trend Micro and Microsoft security solutions. However, the software was aging, and IT needed better visibility into threats. The existing solutions required IT to navigate multiple dashboards to gather data from various areas of the network and then piece together a picture of what was happening.
“Visibility is everything,” said Michael Brine, Infrastructure Manager, Community Newspaper Group. “If you know about a problem, you can do something about it. But we suspected that there were vulnerabilities and events we didn’t even know about.”
Beyond Basic Protection
At the start of his search, Brine evaluated multiple security vendors in search of a new antivirus solution. At this time, he also looked to upgrade his existing Check Point Firewall and chose Check Point’s 4600 Appliance with Next Generation Threat Prevention. It was then that Brine learned about SandBlast Agent for endpoint security. His task of selecting the right advanced endpoint security solution became much simpler.
Having had great experience with Check Point Threat Prevention solutions on the network side, Brine felt confident that SandBlast Agent was the right choice to provide the deeper level of protection and visibility into threats on his endpoints that he needed.
Advanced Endpoint Protection
CNG chose Check Point SandBlast Agent to protect the company’s desktop and laptop systems. SandBlast Agent uses a complete set of advanced endpoint protection technologies to secure CNG’s users from threats, regardless of whether they are connected within their corporate network or working remotely.
Community Newspaper Group has seen an increase in attacks that use social engineering techniques such as phishing to deliver malware, including recent ransomware. SandBlast Agent helps CNG detect and block these attacks, whether originating from email, removable media, or web-based threats. By blocking any command and control communications, it also limits damage in case of infection, by preventing movement of sensitive information externally and restricting spread of the attack to other systems.
Community Newspaper Group relies on the Threat Emulation capability within SandBlast Agent to discover malicious behavior—even new, unknown malware and targeted attacks—preventing infection by quickly inspecting files in a virtual sandbox. It even uncovers threats hidden in SSL and TLS encrypted communications, while providing protection for the various file types used to share information at CNG, including Microsoft Word and Excel and Adobe PDF.
Files that look suspicious are flagged for deeper analysis. Threat Emulation sandboxing detects and stops attacks before they have a chance to evade detection, preventing systems from becoming infected. In cases where new malware is discovered, Threat Emulation sends a signature to the Check Point ThreatCloud database, which documents and shares information on the newly identified threat.
Improved Threat Visibility
SandBlast Agent’s forensics capability gives Brine and his team a deeper understanding of security events by automatically generating an incident report when any abnormal activity is tracked on any of their systems. The report summary provides actionable attack information, including evidence of malicious events, attack entry point, elements used in the attack, scope of damage, and data about devices that are infected. The combination of having the relevant attack diagnostics and visibility enables Brine and his team to respond quickly and remediate their systems in the case of a security event.
Community Newspaper Group Gives Threats Nowhere to Hide
Terma provides mission-critical solutions for aerospace, defense, and security customers. Based in Denmark, Terma operates subsidiaries around the world and has 1,300 employees.
Securing Mobile Connections to Corporate Resources
Security is paramount when developing and customizing components for complex defense systems like military aircraft, radar, and surveillance. Not only do Terma employees routinely work with highly confidential information, the company must also meet customers’ specific security requirements before they can collaborate on projects. As a result, Terma’s IT team implemented multiple layers of security—such as firewalls, filters, encryption, and others—to protect devices and information in all of its product areas. When mobile devices became essential to employees, Terma needed to ensure that the devices and remote connections to corporate assets were just as secure as desktop systems and connections.
“Customers must be able to trust that we handle all information securely,” said Jørgen Eskildsen, Chief Information Officer at Terma. “We choose best-of-breed solutions to meet different security needs. This is why we considered Check Point Capsule Workspace.”
Terma has used Check Point solutions as part of its security toolbox for many years. When it came to identifying a solution for securing mobile access to data for its 600 mobile users, Terma chose Check Point Capsule Workspace (Workspace).
Simplifying Mobile Protection
“We chose Workspace to meet three requirements,” said Eskildsen. “We were looking for a product to provide security, good usability, and ease of maintenance.”
Workspace includes a secure container that isolates corporate data on iOS and Android mobile devices. It provides users with one-touch access to corporate email, calendars, contacts, documents, and applications, and it enables remote access to internal corporate resources. For IT, Workspace encrypts business data and applications seamlessly to ensure secure access for authorized users.
Terma liked the Workspace architecture because, unlike competing solutions, it communicates directly with Terma’s existing Check Point firewall. Shared trust certificates on devices and the Check Point firewall eliminated the need for a synchronization server in the DMZ to ensure secure connections from the DMZ to the internal system and back to mobile devices. The direct connection reduced potential points of failure while improving the user experience by making data access faster and more efficient.
“We tested Workspace for several weeks,” said Eskildsen. “Then one of the IT team members allowed a sales manager to use it, and we quickly realized the product’s outstanding usability. That made our decision to move forward easy.”
Terma Boosts Mobile Security and IT Productivity
Opticians Gain Top-End Capabilities and Protection
Optix is the leading provider of practice management software for optical professionals in the U.K. Optix solutions are designed for cloud delivery, enabling opticians to securely access and use management, clinical, and administrative capabilities online. More than 800 independent opticians rely on Optix for seamless, leading-edge capabilities to take their practices to the next level of efficiency.
As healthcare providers, opticians treat patients and have the same requirements for managing patient, scheduling, and clinical data as other healthcare providers. Ensuring patient privacy and meeting other compliance regulations are critical. As businesses, they also need business and administrative tools for stock control, payment, ordering, and marketing. More than 800 opticians in the U.K. turn to Optix solutions to gain high-quality practice management tools without the worries of having to deploy, manage, upgrade, or support IT equipment and applications themselves. From single-doctor practices to global retail organizations with optical services departments—all need secure management, clinical, and administrative capabilities.
When Optix began delivering cloud-based services almost a decade ago, Secure Socket Layer (SSL) protocol sufficiently protected connections. However, SSL is no longer enough to secure patient, clinical, confidential business, and payment information. Optix began looking for a more secure way to connect each doctor to the Optix cloud.
“Our customers need as much throughput as they can get,” said Trevor Rowley, Managing Director at Optix Business Management Software. “We wanted to provide a secure connection without excessive overhead and have the ability to manage and support connections ourselves.”
Securing a Solution
Optix evaluated a number of security solutions for small and medium-sized businesses, but either they were not robust enough, or they lacked features that allowed Optix to easily manage hundreds of connections.
“We are committed to using top-drawer networking solutions from vendors that we can trust,” said Rowley. “Check Point is a leading security vendor, and so we turned to their offerings and chose Check Point 700 Appliances. The Check Point Small Business Appliances give us enterprise-grade security in an all-in-one security solution.”
The Check Point 700 Appliance is designed specifically to protect small business employees, networks, and data from cyber threats through integrated, multi-layered security in a quiet, compact desktop form-factor.
Optix uses the firewall, Virtual Private Network (VPN), Intrusion Prevention System (IPS), and URL filtering capabilities to secure connections with its clients. When an optician subscribes to the Optix service, Optix pre-configures the appliance using the Check Point Zero-Touch Configuration feature before sending it to the optician’s practice. The client simply plugs it in. Optix also uses the Check Point Security Management Portal to manage all of the appliances. The Security Management Portal provides a central management and service-provisioning platform for zero-touch operations. An intuitive web-based user interface enables Optix to deploy client appliances remotely, eliminating the need to travel to each client location. The Optix team can easily view and edit service plans, clients, VPN connections, and security policies in seconds—even for hundreds of appliances.
Optix Protects Clients’ Business Data While Gaining Visibility
Gaining In-Depth Threat Defense—and Peace of Mind
Samsung Research America is a wholly owned subsidiary of Samsung Electronics Company. The organization researches and builds new core technologies to enhance the competitive edge of Samsung products. Headquartered in Silicon Valley, Samsung Research occupies locations in key technology centers across North America.
Securing Devices In the Wild
As an industry-leading manufacturer of consumer electronics, Samsung is committed to forward-looking innovation and bringing new products to market ahead of competitors. An extensive portfolio of patented intellectual property forms the core of Samsung innovation. Human resources, legal, and research and development employees routinely work with confidential product plans and proprietary information. The last thing Samsung needs is leaked confidential information, which could significantly compromise its market advantage and the company’s bottom line.
Like many organizations, Samsung employees increasingly work on smartphones, tablets, and their own devices. The IT team must support approximately 800 corporate-owned and 400 employee-owned devices. A couple of years ago, Steven Lentz, CISSP, CIPP/US, Director Information Security at Samsung Research America, recognized the potential security threat to sensitive information on mobile devices.
“Mobile devices don’t operate behind a security infrastructure like corporate PCs, laptops, and servers do,” said Lentz. “Mobile devices are out in the wild, creating potential security issues and enabling malware to enter the network. There’s no mobile firewall to prevent cyber threats from getting in through emails and apps.”
Lentz viewed the problem from two sides. First, he wanted to proactively prevent data leaks from mobile users. Second, he wanted to defend against cybercriminals trying to break in from the outside via phishing emails and other tactics. He set out to find a solution that would meet rigorous requirements.
A new solution had to guarantee that no compromised device could get on the corporate network to begin with, nor could any compromised device access company applications and sensitive data. Once a clean device is allowed on the network, it must be defended. Lentz also needed to protect devices with multiple operating systems, and he needed a way to integrate protection with Samsung’s existing AirWatch by VMware mobile device management (MDM) and Splunk security information and event management (SIEM) platforms. Integration was essential to enabling full visibility of mobile threats and automatically enforcing security policy across the enterprise.
“Defense in depth is needed because traditional antivirus is not enough for advanced threats,” explained Lentz. “We needed multiple layers of protection and critical features like application-based malware coverage, enterprise integration, and zero-day malware firewall protection for mobile devices.”
New In-Depth Protection
Lentz and his team considered numerous consumer and enterprise antivirus products, but they all fell short. Next, they talked to peers and began evaluating vendors that provided solutions for advanced threats, one of which was Check Point. During a demo, Check Point SandBlast Mobile quickly identified several mobile devices that had malware infections. SandBlast Mobile provides multiple layers of defense against exploits, targeted network attacks, mobile malware, and commercially available mobile remote access Trojans (mRATs) that enable spyware and data theft. Samsung chose SandBlast Mobile for its ability to protect devices from app-based zero-day malware and other threats.
“Check Point had more up-to-date information and automated delivery of the latest malware-related intelligence,” said Lentz. “Check Point SandBlast Mobile offers the closest thing to zero-day detection on mobile devices. I like it when a product does what it is supposed to do—and more. Check Point did exactly that.”
SandBlast Mobile also integrated seamlessly with the VMware AirWatch enterprise mobile management (EMM) and Splunk security information and event management (SIEM) platforms. Samsung gained comprehensive visibility into mobile threats and automated enterprise-wide security policy enforcement.
Protection in Action
Check Point SandBlast Mobile defends against threats on devices, in apps, and in the network, many of which use phishing emails, text messages, and browser downloads to attempt entry. It correlates and analyzes device, application, and network information in the cloud to deliver real-time threat intelligence.
The Check Point solution runs a copy of the mobile app without data in a sandbox environment to see if it operates suspiciously. It performs advanced code analysis on the network communication link without actually inspecting the data. Check Point also applies behavioral heuristics for advanced rooting and jailbreak protection. If a user downloads something malicious and Check Point identifies it as malware, it notifies the MDM system to quarantine the device, removes the security profile from the infected device, and prevents the device from accessing the corporate network.
Fast, Straightforward Deployment
“The deployment took just 3 weeks,” said Lentz. “We deployed SandBlast Mobile on the network and automatically activated it on devices using our MDM. It’s easy for administrators to manage.”
Samsung Research America Secures Intellectual Property from Advanced Mobile Threats
SF Police Credit Union (SFPCU) serves more than 34,000 members. The organization offers a full set of financial services, including loans, savings and checking accounts and insurance and investment products. Founded in 1953, the SFPCU has grown to over $760 million in assets.
Like most financial institutions, SFPCU takes security extremely seriously. Even a brief lapse in security can expose its members’ most important financial data, damaging the credit union’s reputation and creating liability risks. Compliance with government and industry organizations such as the National Credit Union Administration (NCUA) is also critical. “If we fall out of compliance with the NCUA, we risk losing our rating and, in extreme cases, regulators can take over operations to resolve the failed corporates,” says Victor To, Director of Network Security at SFPCU.
Although the SFPCU’s firewall had provided adequate protection for ten years, an internal audit showed that the aging system had major compliance issues.
“The previous legacy firewall lacked a good reporting system, and we had no management transparency,” says To. “This made my job really difficult when I needed a security posture report.”
SFPCU needed to upgrade to a security solution that could deliver:
The Check Point Solution
Check Point Next Generation Threat Prevention is a unified next generation solution that gives SFPCU comprehensive threat protection to keep sensitive member and company data safe. And the solution supports detailed reporting that’s essential for regulatory compliance. Check Point Partner Dataway worked closely with the credit union to build a solution that was optimized to provide protection against a wide range of external and internal threats, plus secure connectivity for the firm’s mobile workforce. Having a complete solution running on one platform gives the credit union complete peace of mind, and helps the firm save money on management.
Complete Protection Against Sophisticated External and Internal Threats
To enhance security across its organization, the SFPCU replaced its legacy firewall with the Check Point Next Generation Threat Prevention solution at its headquarters as well as at a branch site. The solution is packed with an array of Check Point Software Blades to safeguard the network perimeter and to fight today’s advanced threats, like bots and malicious emails, and to deliver proactive intrusion prevention. The solution also helps the credit union control remote access and gain visibility into internal network traffic through unified management and monitoring.
“The Check Point Data Loss Prevention (DLP) Software Blade helps alert us about activities that could be overlooked, like transmission of account information over email,” says To. “Check Point can discover and block these events. It generates a report to alert an administrator, who can educate employees about best practices. Our previous solution didn’t support this capability.”
Detailed Security Reporting Enables Full Regulatory Compliance
The SFPCU had to meet specific guidelines to safeguard its information and demonstrate the effectiveness of its security systems to government and industry auditors. The Check Point Next Generation Threat Prevention solution delivers up-to-date reporting that the credit union’s IT staff can use to document its security best practices.
“Since the financial crisis in 2008, auditors have been examining financial institutions’ IT security much more closely,” says To. “We didn’t have strong reporting mechanisms in the past. The Check Point solution provides a foundation for my reports, so we can stay in compliance.”
Simple, Complete Security Management
The Check Point solution lets SFPCU monitor and manage all of its security via a single pane of glass and a single intuitive interface. This streamlined management is especially beneficial to the credit union’s small IT staff, which can save time by rapidly drilling down and examining security issues that occur.
“Check Point gives us a single dashboard view that lets us quickly zero-in on critical threats and events,” says To. “Having a solution that’s easy to manage is also hugely helpful when we have staff augmentation. We can train them to use the dashboard easily, without a major learning curve, so they can get started fast.”
Check Point Next Generation Threat Prevention Software Blade Solution
Independence Care System (ICS) operates a nonprofit Medicaid managed long-term healthcare plan serving residents in the New York City area. Founded in 2000, the organization supports more than 6,000 adults with physical disabilities and chronic conditions. The 350 ICS employees are committed to serving members whose needs are unmet in other long-term care facilities.
For Independence Care System, safeguarding the integrity of its network and member records is a sacred trust. The nonprofit organization works closely with local healthcare providers to serve members of the community with severe disabilities or mobility issues. To protect member privacy, as well as its own reputation, ICS has made regulatory compliance a top business priority.
“If we’re not compliant with the Health Insurance Portability and Accountability Act (HIPAA), we risk being heavily fined,” says Felix Castro, Director of IT at ICS. “And whenever you have a compliance issue, such as a security breach, you have to report that to your members, which impacts their confidence in us. These people are giving us their data, and they expect us to keep it safe. Security has direct business implications for us.”
Maintaining business continuity is also crucial for ICS, because the organization relies on its network to support its most important business applications throughout its five locations.
“If our network goes down, it takes all of our business processes down with it,” says Castro. “All of our appointment and scheduling systems are network-based, and they contain all of our member records, prescription information and physician information. Our network is simply mission critical.”
To meet these needs, ICS was seeking a complete security solution that would simplify regulatory compliance, and protect the organization against security threats that could impact network performance. The solution would have to be easy to expand and modify to meet changing needs, and provide centralized management to simplify and streamline network administration for the firm’s IT staff.
The Check Point Solution
ICS has an ongoing initiative to be 100 percent HIPAA compliant, and is continually looking at ways to improve the security and manageability of its network. As part of this initiative, the firm decided to replace its aging firewalls with Check Point 4600 and 2200 Next Generation Security Appliances. ICS added a full array of Check Point Software Blades to protect the organization against suspicious web threats, viruses, bots and other security issues. Each appliance also includes the Check Point Compliance Software Blade, a dedicated solution to help ensure compliance best practices.
Best Practices and Deep Visibility for Compliance
The Check Point Compliance Software Blade monitors management, software blades and security gateways to constantly validate that the ICS Check Point environment is configured in the best way possible. Designed specifically for environments where industry or government compliance is a top concern, the blade provides 24/7 security monitoring, security alerts on policy violations and out-of-the-box audit reports.
“Our compliance software blade brings together all the best practices we need for HIPAA compliance,” says Castro. “We have hired security consultants to audit our network, and they have advised us that the fact that we own and use the Compliance Software Blade is a major plus.”
To further enhance its proactive threat protection, ICS is also adding the Check Point SmartEvent Software Blade to its solution. SmartEvent correlates events on the firm’s network for greater visibility and faster remediation.
“SmartEvent will help enhance our compliance,” says Castro. “We can identify patterns and alert specific IT staff if a security issue occurs. We need to be able to report when a security issue occurs, and what our remediation was.”
Highest Level of Business Continuity
Without dependable network performance, ICS would quickly grind to a halt. To maintain the highest level of business continuity, the organization employed a resilient, cost-effective architecture that can quickly recover in the event of a gateway outage.
“We are a nonprofit organization, and it would be costly to license a separate Compliance Software Blade at each site,” says Castro. “So I decided to virtualize it so that I can replicate it to my other sites. My biggest concern had been the ability to manage a gateway in the event my links go down. This solution takes care of the issue, and we have been very happy with it.”
Simple, Complete Security Management
Centralized management was a top objective for ICS, and the Check Point solution lets the organization monitor all of its activity from a single dashboard. This consolidated view helps Castro and his team to spot potential issues faster and fix them before they impact the rest of the organization.
“With Check Point, I have one set of logs for all the different departments in our organization, so I can see what the trends are,” says Castro. “For example, if a specific office is streaming lots of video, I may want to cap the bandwidth in that office. Check Point gives me great visibility into what is happening across the organization. I didn’t have that before.”
Check Point Next Generation Security Appliances and Compliance Software Blade Solution
Hotel Nikko offers 532 guest rooms for business and leisure travelers. The luxury hotel, located in San Francisco’s Union Square, offers rich amenities, including an expansive heated indoor pool, meeting and event space, an elegant restaurant and 24-hour fitness center. For over 25 years, Hotel Nikko has hosted weddings, galas, major fundraisers and other special events. Hotel Nikko received the prestigious Four Diamond Award from AAA and a four star rating in the 2013 Forbes Travel Guide.
One of San Francisco’s premier hotels, Hotel Nikko prides itself on its exceptional service, appealing amenities, and comfortable guest rooms. Located in historic Union Square, the hotel offers 532 guest rooms for business and holiday travelers. Like most hotels, Hotel Nikko relies on its network to support guest services, reservation systems, property management, and other critical business operations. Keeping the network safe and secure is key, and even a brief outage means lost revenue, disappointed guests and damage to the hotel’s reputation.
“Our goal is to provide the best possible service to everyone, from guests to employees. You can’t provide superior service without investing in superior solutions,” says Manuel Ruiz, Director of IT, Hotel Nikko.
Although Hotel Nikko had a firewall in place from another vendor, the device was difficult to manage and provided only limited protection against today’s sophisticated network threats. When a virus invaded the hotel’s network and impacted some of its most critical business systems, Ruiz and his team knew that they needed more complete security.
“If any of our network systems go down, it’s chaos — and big time revenue losses,” says Ruiz. “People don’t want to wait for you to fix your network so they can make a reservation. We had to protect our brand and meet our customer expectations.”
Hotel Nikko was seeking a complete security solution that would identify and mitigate the latest online threats — all in a single solution that was easy for its IT team to set up and use.
The Check Point Solution
Following a colleague’s recommendation, Ruiz installed and evaluated a Check Point 4200 Appliance to gain better visibility into the state of the network. “The management console gave us a level of visibility that we had never had before,” says Ruiz. “It was like someone turning on a light in a dark room. You don’t realize what’s really happening on your network unless you have that kind of visibility.”
Working closely with technology partner Dataway, Ruiz deployed a Check Point Secure Web Gateway Blade Solution. This comprehensive security solution gives the hotel real-time, multi-layered protection against web-borne malware, plus advanced granular control and intuitive, centralized management. Dataway helped the hotel define and implement the policies it needed, and fine-tuned the services for the best combination of performance and security.
Real-Time, Multi-Layered Protection
The Check Point Secure Web Gateway goes well beyond Hotel Nikko’s legacy security device to provide next-generation protection. A full array of Check Point Software Blades provides protection against viruses, bots, malicious web content and other external and internal security issues.
“Our previous device was basically just a firewall,” says Ruiz. “With Check Point, we can take advantage of all kinds of filtering for all layers. Using the different software blades, the protection is virtually unlimited. And our clustered environment gives us complete business continuity, so the network is never down.”
Simple, Complete Security Management
With the Check Point solution, Hotel Nikko can gain deep insight into all network activity with a single, easy-to-use dashboard interface. Instead of spending time tracking down network issues, Ruiz and his team can focus on improving performance and delivering a better experience for guests and employees.
“The dashboard is very intuitive, and really saves us time,” says Ruiz. “I can go to the application filtering window and it will show me right away if we have any network issues. I can do the same thing with DLP, IPS, and threat prevention.”
Flexible Solution That’s Built for Growth
The threat landscape is constantly changing, and Hotel Nikko wanted a solution that could evolve and grow when new challenges emerged. With Check Point’s extensible Software Blade architecture, the hotel can expand its security services whenever it’s ready — without purchasing expensive new hardware or making management more complex.
“The Check Point Software Blade architecture lets me consolidate multiple disparate systems on a single platform that’s easy to scale when our needs change,” says Ruiz. “It’s much easier than going through multiple vendors and purchasing, deploying, and configuring different devices.”
The Melbourne Convention and Exhibition Centre (MCEC) hosts more than 1100 events each year, including meetings, conventions and exhibitions, concerts, tradeshows and gala dinners. MCEC’s range of in-house technology across lighting, audio, vision and IT creates memorable experiences for event attendees. MCEC offers the latest IT networking capabilities for both fixed and wireless telecommunications and computing.
Providing reliable public wireless Internet service to thousands of visitors daily, MCEC required network security and control over content and applications, without being overly restrictive. MCEC needed a solution that would:
The Check Point Solution
The Check Point Software Blade Architecture meets the need for a reliable, secure public network.
Managing network service through application control
MCEC required a solution that would ensure a secure wireless environment for thousands of users. The Check Point Application Control Software Blade allows MCEC to modify the online applications available to users at different times, helping manage bandwidth-consuming apps to control costs and keep the service available for all users.
Software Blade Architecture consolidates technologies, creating simplicity and flexibility
The Check Point Software Blade Architecture allows MCEC to run the many features of multiple software blades from a single device, enabling the company to simplify and reduce management time while maintaining high levels of security. “The other solutions we looked at couldn’t offer us the option of consolidating all our appliances, which would have resulted in wasted management time.” – Daniel Johnston, Information and Communications Technology Manager, MCEC.
URL filtering protects and enables granular web control
MCEC needed to put controls in place to protect online users while still allowing visitors access to information that was relevant to their jobs. With up to 10,000 visitors at the venue at any given time from a wide variety of industries, many users needed access to sites that were traditionally restricted or blacklisted. The Check Point URL Filtering Software Blade has allowed MCEC to enforce inspection of all traffic.
Melbourne Convention and Exhibition Centre: Check Point Gateway and Management Appliance with Software Blades
Courtagen Life Sciences, Inc. offers innovative genomic and proteomic products and services for physicians and the diagnostics industry. Its tools and resources help clinicians make better decisions regarding patient care. Founded in 2012, Courtagen is privately-held and based in Woburn, MA.
Courtagen Life Sciences has decades of experience as a leader in genomic services. The organization is relentlessly focused on applying next-generation sequencing technology to help patients and doctors drive personalized, precision medicine. To free its staff to concentrate on this key mission, Courtagen outsources its network and communications infrastructure. Amazon Web Services plays an integral role in supporting the firm’s operations. This cloud-based solution provides agility and cost savings, along with scalability and support for users worldwide. But to be successful, the solution must also provide comprehensive security and support regulatory compliance.
“There is a great deal of scrutiny in terms of how ePHI (electronic protected health information) data is managed in the cloud,” says Timothy Olcott, Compliance Officer and Director of Manufacturing, Courtagen Life Sciences. “We needed technology partners that would meet all of the compliance and regulatory scrutiny for patient records stored in a cloud environment.”
Courtagen required a security solution that would work smoothly with its cloud environment and provide:
The Check Point Solution
With the Check Point Virtual Appliance for Amazon Web Services, Courtagen can extend robust security to the cloud with the full range of protection using Check Point Software Blades. Easy to set up and use, the virtual appliance is a security gateway for virtual environments in the Amazon Cloud. It lets Courtagen prevent network attacks and data breaches, while enabling secure connectivity to Amazon’s cloud computing environment, which supports the majority of Courtagen’s computing power.
Robust Security to Support Cloud-Based IT
Courtagen needed a cloud-based environment that could provide accessibility to its own employees, as well as physicians and other healthcare organizations, yet incorporate strong security to safeguard patient records and other sensitive information. The organization initially selected an AWS Elastic Compute Cloud, and then migrated to Amazon’s Virtual Private Cloud. Courtagen connects directly to the AWS cloud through an Ethernet Private Line (EPL) provided by Level 3 Communications. Three Check Point Virtual Appliances for Amazon Web Services provide secure connectivity to the cloud environment.
Support for Dispersed and Mobile Employees and Partners
Many of Courtagen’s employees work offsite or on the move, so the firm needed a solution that provided secure access for people from any location. Courtagen’s cloud-based solution, safeguarded by the Check Point Virtual Appliance for AWS, lets the firm deliver the ubiquitous access it needs with complete peace of mind.
“Courtagen has three primary sites—one in Bermuda, one in California and our headquarters near Boston,” says McKernan. “We also have a field sales organization with about a dozen people, all of whom need secure access into our network. Mobility plays a very important role at Courtagen, and we wanted our outsourced solution to provide access anywhere, at any time.”
Reliable Operation for Critical Business Operations
With its key business operations residing in the cloud, Courtagen needed to be sure that its solution would provide highly available performance. The firm’s Check Point representative worked closely with the firm to develop a highly redundant solution with failover capabilities.
“Our Check Point engineer helped us ensure that the solution worked with Amazon’s Virtual Private Cloud with multiple availability zones, a direct connection from Level 3 Communications and a public Internet connection that allowed doctors to access data,” says McKernan. “It involved a complex, challenging network architecture. Check Point helped us ensure that the connections were dependable, and compliant with proper audit trails.”
Virtual Appliances for Amazon Web Services (Cloud Security)
A major enterprise software developer with a deep tradition of leadership and innovation in its field, this company has 3000 employees and dozens of sites worldwide, serving tens of thousands of end customers.
Like most large organizations, the software developer relies on its data center to power its most critical business processes and store essential data. DDoS attacks are a serious threat for companies of all kinds, and even a small amount of downtime could cause serious damage to the organization’s daily operations and customer reputation. However, the organization’s existing security appliance could not provide the level of security and manageability the company required. To address these concerns, the organization needed to:
The Check Point Solution
The Check Point DDoS Protector Appliance enables the software developer to discover and block Denial of Service attacks in seconds, while streamlining its network administration and improving insight into the network.
Intelligent, Accurate Attack Prevention
The previous security appliance was difficult to manage and align to the company’s security needs. Incoming traffic from its Internet content delivery network often fluctuated, but its security system lacked the intelligence to determine which traffic was legitimate. Legitimate traffic was often dropped. “Now, if we experience a spike in legitimate traffic, the Check Point DDoS Protector Appliance automatically increases the traffic threshold without intervention from our team,” says the Senior Network Engineer. “I’m extremely happy with the box, especially after the problems we experienced with our previous solution.”
Comprehensive Solution Improves Network Insight
The developer installed a DDoS Protector Appliance at each of its two Internet routers. Each router has a multimode fiber Gigabit Ethernet uplink to the company’s ISP, and is fully protected by the appliance. Built-in intelligence enables the solution to quickly distinguish between attacks and legitimate traffic. “The detection is immediate, and the solution lets us discover threats without manual intervention and troubleshooting,” says the Senior Network Engineer.
Flexible Deployment and Scalability for Changing Needs
Designed to smoothly accommodate a wide range of network environments, the Check Point DDoS Protector Appliance fits seamlessly into the software developer’s topology, while providing plenty of room to grow. “We are considering extending deployment of our solution to three or four more sales offices, and are confident that our solution can easily scale to handle additional sites or bandwidth,” says the Senior Network Engineer.
Leading Software Developer – Check Point DDoS Protector Appliances
Carmel Partners acquires, creates and markets properties by combining cutting edge innovation with bold investment. The company operates and invests in select markets throughout the U.S. including California, Colorado, Hawaii, New York, Washington, and Washington, D.C.
With a growing multi-faceted organization, Carmel Partners was looking for a way to ensure business productivity which includes securing network traffic, protecting against data loss, and providing secure site-to-site connectivity.
4000 Appliances provide robust integrated connectivity and protection
Carmel Partners relies on the Check Point 4600 and 4200 appliances for robust multi-layered security and connectivity across its distributed environment. With eight offices and datacenters, Carmel Partners was looking for a way to securely connect all locations to share data, applications, and other resources via IPsec VPN tunnels as well as secure its connections to the Internet. They chose to rely on Check Point’s 4000 series appliances configured in a mesh environment to deliver advanced functionality and performance in a robust, scalable, and centrally managed solution. “Check Point enables us to have stable, permanent IPsec VPN tunnels with the ability to dynamically reroute traffic through different offices if needed; it’s like a self-healing network.” – Dan Meyer, Vice President – Business Intelligence and Technology, Carmel Partners.
Software Blade Architecture delivers increased security and flexibility
The Check Point Software Blade Architecture enables Carmel Partners to consolidate multiple Software Blades including Firewall, IPsec VPN, DLP, Application Control, URL Filtering, Identity Awareness, and Mobile Access on individual, centrally managed appliances. These integrated technologies allow the company to protect its network against malicious traffic and intrusions, block or limit access to potentially harmful or productivity draining applications and Websites, and protect against data loss while enabling employees to efficiently communicate and access resources across all offices or in the field via their PC, smartphone, or tablet. “All of these Software Blades, tying them together has really allowed us to safeguard the network from both internal and external threats; the modular capability of Check Point allows us to run so much more efficiently.” – Meyer
Comprehensive security management increases visibility and reporting
To manage its complex security infrastructure, Carmel Partners relies on the Check Point Smart-1 25 security management appliance. With features such as the Logging and Status Software Blade, the company has real-time visibility into all its Check Point gateways and Software Blades enabling its IT staff to manage all aspects of the solution including advanced analysis into billions of logs—all from a single centralized console. This not only simplifies management for Carmel’s IT staff, but also improves security through consistent policies and unified administration across all Software Blades. “It gives us better insight, better visibility into our network, into our company operations, and what’s going on within the network, what more could I ask for.” – Meyer
Carmel Partners – 4000 Appliances and Software Blades
CRIF is a leading provider of added-value solutions and information services for the financial services industry to support decision-making and prevent fraud. Based in Italy, with a staff of approximately 1,450, CRIF offers its services to more than 1,900 financial institutions worldwide.
CRIF had undertaken an extensive virtualization project across its entire infrastructure, ultimately extended to the security layer with the following specific goals:
Check Point VSX Appliances to Match Security and Flexibility
CRIF has deployed four VSX appliances, running dozens of virtual firewall instances, to gain control over its new virtual infrastructure. Deployment has been carried out gradually, in order to meet the growing needs of the company, as well as the growing presence of virtualization within the enterprise. Aside from the VSX appliances, CRIF also counts on five clusters of physical UTM-1 appliances, running a set of software blades, providing a comprehensive and flexible security solution for the whole network. The company’s goal is to gradually increase virtualization, in order to fully reap its management and economic benefits.
Centralized Control Eases Management, Increases Security
Centralized management is extremely important for CRIF, due to the highly confidential nature of the business-critical information that the company handles. Therefore, CRIF puts a great value on both real-time visibility over transactions and the ability to run a variety of analytics. The company deployed Eventia Log Analyzer to have a further level of management and control over data and information which run on the corporate network. Both real time and historical reports are now available to the IT staff for a more comprehensive visibility over the complete system.
Easier Management to Open New Development Perspectives
Through the virtualization of security, ongoing management has become significantly easier and more effective. Systems, applications and transactions can be easily monitored from a single point of control, gaining an ongoing, comprehensive visibility over the complete infrastructure. This has allowed the IT staff to redistribute and streamline its available resources to focus on critical tasks: a Business Continuity project has been defined and deployed, in order to further increase system availability and to ensure operations even in case of technical failure.
CRIF – Virtual Appliances and Software Blades
Hospital 9 de Julho is one of the most important private health institutions in Brazil. Founded in 1955, in São Paulo, SP, Brazil, it cares for over 9,000 patients a month in the Emergency Room. The hospital has 4,000 registered doctors and 1,700 people on staff.
Hospital 9 de Julho previously had only a “home-made” solution. It was simple and did not offer complete security or efficient controls to protect data and prevent information leakage. With the difficult task of managing without an effective system, the hospital often faced critical situations without having information or complete visibility of what was going on in its system.
Security Gateway Software Blades:
Hospital 9 de Julho – Data Loss Prevention Software Blade
FXCM Inc. (NYSE:FXCM) provides online foreign exchange trading and related services to retail and institutional customers worldwide. The company acts as an agent between retail customers, and a collection of global banks and financial institutions and offers access to over-the-counter foreign exchange markets through its proprietary technology platform. FXCM serves approximately 200,000 retail customers and 200 of the world’s top hedge funds and banks.
Working across 15 global offices, FXCM serves more than 200,000 retail customers and 200 of the world’s top hedge funds and banks. With its distributed environment, FXCM was in need of a robust network security solution that could be deployed regionally and managed centrally by a small dedicated staff. FXCM looked to Check Point to deliver the following:
Check Point Appliances Deliver Integrated High-Performance Protection
Deployed within FXCM’s critical WAN environment, the Check Point 12000 series appliances secure the link between FXCM’s data centers, large offices, and liquidity sources. The 12000 appliances offer FXCM a mix of flexibility, performance, and high port density enabling it to support multiple lines at various rates on a single appliance. As a 24×5 shop, FXCM is also constantly concerned with uptime. The 12000 appliances provide hot-swappable redundant hard drives and power supplies to ensure business continuity and serviceability as part of FXCM’s comprehensive strategy. Additionally, FXCM utilizes Check Point 4000 series appliances to secure communication between some of its smaller branch offices and datacenters. The 4000 appliances offer comprehensive security with a mix of Software Blades to provide FXCM with integrated and layered protection.
Software Blade Architecture Provides Layered Protection
With a distributed environment and remote offices spanning the globe, leveraging the Check Point Software Blade Architecture enables FXCM to take a layered approach to security by deploying multiple security tools on individual appliances. This not only increases the company’s security posture, it saves time and expense as no additional hardware needs to be purchased, deployed, or configured. “Within our remote sites, it’s nice to have the ability to enable different types of technologies, which would normally be a whole different appliance, with just the click of a button,” says Ryan Leonard, Director of Production Engineering at FXCM. FXCM leverages a number of Software Blades for different offices and departments around the world including Firewall, IPsec VPN, IPS, Identity Awareness, Application Control, URL Filtering, and DLP.
Centralized Management Simplifies a Complicated Environment
FXCM leverages Check Point Multi-Domain Security Management to manage, monitor, and administer its global security policies from a single, centralized console. In addition to daily management, FXCM relies on the system to create custom reports for PCI, SOX, CFTC and other domestic and international regulatory audits. Using the SmartCenter dashboard, FXCM is able to show topologies and how its products are deployed as well as basic configurations. “With Check Point, there’s a trust factor in the industry, we don’t have to go back and forth about our security posture for our firewalls; this saves us days with each audit.” – Leonard
FXCM Inc. – 12000 and 4000 Appliances
The state agency is comprised of five divisions and serves all boards and agencies of its state government. The agency belongs to one of the largest states in the US with a population of more than 25 million.
As a state entity, the agency must abide by strict compliance and privacy laws. To ensure optimal data protection, the agency looked to Check Point for the following:
Endpoint Security Software Blades Ensure Data Security and Protection from Malware
To safeguard against the loss of intellectual property, comply with HIPAA regulations, and ensure the protection of personally identifiable information, the agency leverages Check Point’s data protection technologies including Full Disk Encryption (FDE) and Media Encryption (ME). “Being able to control removable media as well as lock down all endpoint hard drives has increased our security posture dramatically.” Together with Anti-Malware & Program Control, Firewall & Compliance Check, and WebCheck, the agency has a complete unified solution that provides better control and increased security protection in a single consolidated package.
3D Security Vision Increases Protection through User Awareness
The Check Point Endpoint security solution enables the agency to identify, set customized messages for various conditions, and drive users to take corrective actions should they be out of compliance, violating agency policy, or a number of other conditions that might arise. “With our previous product many users weren’t even aware they were out of compliance or violating agency policies. With Check Point we’re able to give a very explicit set of customized instructions for security updates, data handling procedures, and compliance policies and block or restrict access based on individual users, groups, or machines.” Check Point’s 3D security vision combines policies, people, and enforcement for stronger protection across all layers of security. This enables the agency to go beyond policies and enforcement and educate its employees on proper security policies and procedures.
Centralized management increases visibility and simplifies reporting
Leveraging the Check Point Endpoint Security Management console enables the agency to get a clear picture of all its endpoint security functions and deploy consistent policies across nearly 5000 endpoint devices. Using the SmartTracker Software Blade, the agency is able to create custom compliance reports to show virus exposures and how they have been remediated. “Our virus exposure numbers are extremely low at this point. Compared with our previous solution, we’ve been able to cut the number of infected machines by at least half, mostly due to the reliability and distribution of definitions and the fact that Compliance Check ensures all OS and AV updates are installed and set up correctly.”
U.S. State Agency – Endpoint Security
Established in July 1998, China Petrochemical Corporation (Sinopec Group) is a large petroleum and petrochemical enterprise founded on the basis of the former China Petrochemical Corporation. Headquartered in Beijing, Sinopec Group has a registered capital of RMB 182 billion. Sinopec Group’s key business activities include: Industrial investment and investment management; Exploration, production, storage, transportation (including pipeline transportation), marketing and utilization of oil and natural gas. Sinopec Group is the 5th largest enterprise in Fortune Global 500 in 2011.
Traditional firewall and anti-virus protection are not enough to protect Sinopec’s complex network infrastructure from today’s threats. With the growing sophistication of attacks, network security has become more challenging than ever.
12407 Security Appliance Provides Comprehensive Security
Sinopec relies on the Check Point 12407 Appliance with Firewall, Intrusion Prevention (IPS), IPsec VPN, and Mobile Access Software Blades to provide robust network protection and accessibility to network resources. With features including hot-swappable redundant power supplies and hard drives as well as high-availability technologies such as Check Point ClusterXL and Load-Sharing, the 12407 appliances provide Sinopec with a high level of business continuity and serviceability. Moreover, with a number of Software Blades at its disposal, Sinopec can easily add new layers of protection and functionality as its needs change and evolve.
Integrated IPS Software Blade Provides Unrivaled Network Protection
The Check Point IPS Software Blade provides Sinopec with comprehensive, integrated protection against malicious and unwanted network traffic. Incorporated with various advanced technologies and up to 15 Gbps of IPS throughput, the IPS Software Blade delivers dynamic threat protection to secure the Sinopec network from potential threats.
Mobile Access Software Blade Secures Remote Access
With the proliferation of mobile devices amongst its staff and partners as well as the need for data on the go, Sinopec chose to deploy the Check Point Mobile Access Software Blade to enable secure remote access to enterprise resources, applications, and emails conveniently and safely over the Internet, via smartphones or PCs.
Advanced Management Solution Enhances Visibility and Control
With the Check Point Smart-1 25 security management appliance, Sinopec is able to administer network policy management, track and analyze events, run reports and more from a single user interface. In addition, with Management Software Blades such as SmartView Monitor, Sinopec can centrally monitor all its Check Point devices to get a complete visual picture of changes to gateways, remote users, and security activities. This enables administrators to immediately identify changes in network traffic flow patterns and stop malicious activity.
Sinopec Group – Check Point 12407 Security Appliance
Kingdee Youshang E-business Service Co. Ltd. is a subsidiary of Kingdee International Software Group which is one of the largest online software application and service platforms in China. It has been the no. 1 player of enterprise online management service market of China for three years in a row. Headquartered in Shenzhen, Kingdee Youshang E-business Service Co. Ltd. has over 20 branches including established sales and marketing offices across seven key regions within China, and focuses on providing one-stop shopping of management software and E-business services.
Many small and medium-sized businesses do not have the necessary IT resources for deploying ERP and CRM software solutions. Kingdee Youshang specializes in providing this market with a full array of software, platform, and service support including security. To ensure proper protection of its resources, Kingdee Youshang has taken the following measures:
Kingdee Youshang maximizes data protection
Kingdee Youshang leverages Check Point data protection solutions to ensure the confidentiality and integrity of data accessed through the cloud and on its endpoint machines. This includes the Check Point Full Disk Encryption Software Blade (FDE) for data at rest on desktop and laptop PCs, which protects against unauthorized access to data if laptops are lost or stolen. The company also relies on Check Point GO to enable its clients and mobile workers to access corporate cloud applications and data on both managed and unmanaged machines.
Reduce hardware costs and increase efficiency
Prior to Check Point GO, the practice was to lend laptops to tele-workers with only the data needed at their destinations. Not only was this inconvenient, it caused availability issues if a worker wanted or needed additional information while on the go. With Check Point GO, Kingdee Youshang and its customers have eliminated the need for providing laptop computers to tele-workers, opting instead to empower them with a secure remote access device. Check Point GO enables users to instantly turn any PC into their own desktop to securely access and work with files and applications anytime, anywhere. Not only has this reduced IT hardware and management costs, it has enabled Kingdee Youshang and its customers to increase working efficiency.
Check Point GO brings peace of mind; enables regulatory compliance
Beyond its own internal needs, Kingdee provides its customers with Check Point GO devices, allowing them to turn any PC into a trusted host device. This enables the company to meet strict internal security requirements as well as industry and government regulations while increasing mobility. Additionally, because Check Point GO segregates the virtual workspace from the host PC, the device is resistant to malicious software that may reside on unmanaged machines. As a result, whether Kingdee’s customers are conducting e-commerce, electronic banking, or online trading, all data is seamlessly stored and encrypted within the Check Point GO devices and nothing is ever recorded to the host PC.
Kingdee Youshang E-business Service Co. Ltd. – Check Point GO and Mobile Data Protection
Ada County, Idaho was named after Ada Riggs, the daughter of H.C. Riggs, one of the founders of Boise. The county includes the cities of Boise, Eagle, Garden City, Kuna, Star, and Meridian. Ada County manages and maintains security for multiple departments including Emergency Management, Parks and Waterways, Juvenile Court, Paramedics, Waste Management, and more.
With a multi-agency network comprised of several cities and multiple departments under its jurisdiction, Ada County has to maintain separate network zones for each agency as well as specific policies for departments and individuals. Robust integrated security, consolidation of technologies, and centralized management are the primary focus for the Ada County IT organization.
Check Point 12400 and 4600 Appliances Provide Robust Protection
With a large distributed network that spans six cities and numerous agencies, Ada County was looking for a robust, scalable solution to provide multiple layers of security protection for its network. The Check Point 12400 appliances sit at the county’s primary datacenter and provide robust security with up to 30 Gbps of throughput for the largest part of the county’s network. The 4600 appliances are located at the county’s secondary site and disaster recovery location, which serves as a backup to the primary datacenter. Additionally, the county relies on Check Point UTM-1 appliances, which are located throughout its agencies, including its main jail, to secure all connectivity from police vehicles to the dispatch center and its criminal database. Ada County runs a comprehensive set of Software Blades on each appliance including Application Control, URL Filtering, Identity Awareness, IPS, DLP, and more for its layered security strategy.
Software Blade Architecture brings 3D Security to Ada County
The Check Point Software Blade Architecture gives Ada County the ability to consolidate multiple technologies onto a single gateway. With DLP, Ada County is able to eliminate unintentional distribution of confidential information over email. And with UserCheck™, the county is able to educate its employees about email and network policies, involving them in the remediation process and greatly reducing the chance of an accidental data leak. Ada County also makes use of Application Control and URL Filtering Software Blades to block or limit access to web-based applications and websites. And with Identity Awareness, the county provisions its network policy rules based on individual users and groups rather than the PC. Additionally, Ada County leverages Check Point IPS, Mobile Access, Firewall, and IPsec VPN Software Blades for a layered and integrated security strategy. “The Software Blade Architecture is excellent; being able to turn on a technology with the click of a mouse is extremely easy and because I don’t have to buy additional hardware, it’s cost-efficient.” – Bret Lopeman, Network Security Administrator, Ada County
Centralized management simplifies administration
Bringing all these functionalities together might sound like a daunting task, but since all Check Point Software Blades are managed centrally from a Smart-1 management appliance, Ada County is able to manage its entire security infrastructure with a single security administrator. In addition to everyday management and reporting, the county is required to go through annual audits to ensure it complies with HIPAA and CJIS regulations. With the management solution, the county is able to show its entire network configuration and policies in a single dashboard as well as generate custom reports, greatly reducing the audit cycle. “What used to be an all-day meeting with an auditor now takes about an hour and a half. To me this is a huge time savings.” – Lopeman
Ada County, Idaho - 12400, 4600, and UTM-1 Appliances and Software Blades
One of the world’s largest medical diagnostics companies, this business provides laboratory and radiology services to medical practitioners, hospitals, community health services, and their patients. It currently employs more than 20,000 employees in its operations around the world.
With continued growth derived through global mergers and acquisitions, the company realized that many of its newly acquired companies were working with disparate security infrastructures, often including old or even nonexistent firewall technology. With Check Point, it is able to:
Check Point appliances provide robust, cost-effective protection
The company standardized on Check Point appliances to provide robust and highly scalable network security throughout its globally dispersed network. The appliances serve as core firewalls, as well as the company’s main interface and border into its partner hospitals, which can have upwards of 1000 devices that connect into the company’s radiology imaging and pathology infrastructure with real-time patient care communication. “The Check Point 4200 appliances deliver exceptional stability, security, and price performance in an extensible package that can grow with us over time.” Additionally, the company connects its medical equipment located throughout its laboratories to the network. These devices run on both Microsoft and Linux operating systems and as a result, just like any PC, are susceptible to malware and other threats. To ensure the security of the corporate network, the company leverages Check Point UTM-1 Edge devices at each laboratory location.
Software Blade Architecture consolidates technologies, improves security
The Check Point Software Blade Architecture gives the company the ability to consolidate multiple technologies, such as Firewall, IPS, URL Filtering and more, on a single device and provides it with the ability to add new layers of protection as its business needs change and evolve. With more than 50 gateways and over 20 million events per day, technologies such as the Check Point Identity Awareness and SmartEvent Software Blades are critical in helping the company pinpoint users and machines when security issues arise. “We’re able to look at events, easily find out who the user is, and determine if further investigation is required. This saves us a couple hours a day by having the ability to make informed decisions upfront.” In addition, the company has begun using the Check Point URL Filtering Software Blade at one of its branch locations, which has entirely replaced the need for its expensive and cumbersome proxy server. With this success, the company now plans to roll out the solution across its global infrastructure.
Centralized management simplifies administration
To manage its large distributed Check Point environment, the company leverages the Check Point Multi-domain Security Management solution with SmartEvent, SmartView Tracker, and SmartWorkflow Software Blades. Together, the management solution provides the company with a complete view into its network security universe from a single console. “We’re able to manage our entire infrastructure with just two administrators. Having this level of central management keeps our labor costs very low; it’s fantastic!”
Healthcare Company – 4200 Appliances and Software Blades
Expert in workspace management services, connectivity, data centers and counseling, Getronics has a complete portfolio of integrated IT services and works according to a Global Service Delivery Model to deliver comprehensive services. The largest IT services provider in the Benelux, Getronics is part of the Dutch KPN Group and employs 12,000 people worldwide.
In order to strengthen its competitive position in the market, Getronics must adapt to the growing trend towards virtualization in a responsible way; this means it cannot compromise on functionality, quality, flexibility, or manageability. Check Point VE provides the following:
Check Point Security Gateway Virtual Edition (VE)
To provide integrated protection within its virtualized infrastructure, both for internal use and as a managed service, Getronics leverages Check Point VE. Deployed as a virtual machine within Getronics’ VMware environment, Check Point VE delivers hypervisor-level protection including Firewall, IPS, Anti-malware and a host of other features to protect Getronics’ dynamic virtual environment from external and internal threats, including those propagating from inter-VM traffic. “With Check Point VE we’re able to integrate security directly into our virtualized environment. It also gives us the ability to offer complete virtualized security services to our customers, it’s simple to just switch the service on and tailor it to their specific needs and requirements. Changeover is smooth and quick, and completely seamless.” – Luc Steens, Team Leader, Security Managed Services, Getronics
Remote management speeds up response times
Check Point VE simplifies operational management and enables Getronics to solve issues remotely any time. This increases flexibility and shortens the company’s response times considerably. “With Check Point VE and the Software Blade architecture, we can expand on-demand VE solutions, depending on the demand or type of threat. This is accomplished while managing all customers’ sites in a consistent and efficient manner through a single, centralized user interface.” – Steens
Centralized Security Management
Check Point Multi-Domain Security Management sits within Getronics’ virtualized environment and enables administration of the VE solution. This allows Getronics to significantly reduce hardware costs and work much more efficiently by giving its administrators a single view of all domains from a single centralized management platform. This enables Getronics to provide its customers with instant monitoring reports and analysis, saving a significant amount of time by alleviating task-intensive manual filtering and compilation of data.
Check Point Security Gateway Virtual Edition (VE)
Need the perfect giveaway for a memorable product launch or themed event? If it can be imprinted with a logo or message, Geiger Brothers probably supplies it. A family-owned business since 1878, Geiger Brothers offers more than a half million products that can be personalized from a wide range of manufacturing partners. Customers can choose from the online Star Performers catalog of its most popular items, search the GeigerMall, or work with a promotional counselor to select the right promotional or motivational items.
Five hundred Geiger employees in 20 offices across the United States rely on the company’s centralized order management system in Lewiston, Maine, and on its document image system containing 3 million documents, including all orders, sales receipts, and expense reports. “We run a nearly entirely paperless operation,” says Rob Herman, technical infrastructure supervisor who oversees the company data and voice networks.
In 2005, as Geiger Brothers acquired four companies and established four new offices, it also faced increasing demands from employees for remote access so that they could work more easily from home or other locations. Some of the demand came from executives who were traveling frequently to bring about the acquisitions, as well as to attend six annual industry tradeshows, but sales associates also no longer wanted to be tied to their desks.
“Security is the hardest thing we deal with,” Herman says. “It’s important for Geiger to stay up with the industry.” That is why Geiger relies on the partnership of Check Point and Akibia, its long-time consultant for network and security solutions. Akibia keeps Geiger abreast of new technologies, educated on market and industry changes, and provided with on-site technical support, helping the company assess its needs and recommending best-of-breed solutions for critical security issues.
Geiger securely connects all its branch offices to the Lewiston headquarters by site-to-site virtual private networks (VPNs) for both data and voice communications, using the Check Point VPN-1® Pro™ NGX release to provide the most fault-tolerant and secure links. With Akibia’s consultation and support, Geiger switched from frame relay to VPNs using Check Point solutions, and the company saw total payback on its investment in less than one year.
The security and availability of business-critical network services is ensured through a layered defense strategy that includes a pair of clustered VPN-1 Pro NGX gateways in the data center. “With offices across four time zones, any time we are offline we lose sales. If the firewalls are down, the Web sites go down,” Herman says. “With the Check Point High Availability solution, we can upgrade without disrupting business.” In addition, bandwidth is managed to give the highest priority to VPN traffic, providing the quality of service required for voice.
Branch offices, varying from five to 30 employees, have a Check Point Express™ security gateway, which provides firewall, VPN, and intrusion prevention technologies in one solution that can be monitored, managed, and upgraded remotely from Lewiston.
To meet the growing employee demand for remote access, Akibia suggested SSL Network Extender™ was the easiest solution for users because there is no software to install on their computers. “They just log in, and they are securely connected,” Herman says. SSL Network Extender is a browser-based applet that gives users access to Web and non-Web applications with all the security features provided by VPN-1 Pro.
Geiger Grows With Akibia and Check Point Security
Overseas travelers and workers don’t need to count on the universal distress code when they’re hooked up with International SOS. The world’s most comprehensive medical and security assistance company, International SOS is in the business of helping people.
The company provides services to leading multinational corporations, insurers, financial institutions, and government organizations, with more than 6,100 corporations and 60 million members worldwide. It has more than 3,700 employees, a global network of 24/7 alarm centers in 28 cities, 22 wholly owned international clinics, and a fleet of 10 dedicated air ambulances. Its employees speak 77 languages and are spread over remote site operations in more than 60 countries. More than a third of its employees are professional medical specialists such as doctors, nurses, medics, pharmacists, and aero-medical specialists.
International SOS used appliances to help secure communications, but found them to be unwieldy in emergencies and remote locations. At the same time, most firewall and VPN security solutions demand a great deal of patience and knowledge to set up, and receive only secondary focus in the remote field locations where medical and physical security emergencies must take precedence. Further, not every solution can be managed from a single console, and requires much attention from IT administrators. From the cost perspective, most appliances and other security solutions carry a high cost of ownership unnecessarily burdening a company. And finding local technical administration talents in remote locations, especially for specialized appliances, can be a problem.
International SOS migrated its hardware appliances to a centralized management Intel-based server running Check Point SecurePlatform™ with FireWall-1® and VPN-1® Pro™, coupled with Check Point ClusterXL®. SecuRemote® was installed on remote PC clients for International SOS’s emergency medical and physical security teams on assignments or in remote branch locations. ACE Authentication from RSA Security, a Check Point OPSEC (Open Platform for Security) partner, was installed on the PCs. There are a total of 35 VPN nodes.
Secured by Check Point, International SOS Comes to the Rescue
Since 1992, Pacific Coffee Company has been providing world-class coffee to satisfy Hong Kong, China, and Singapore’s growing demand for specialty coffee beverages. The company continues to grow rapidly, opening more stores in many new locations. Today, there are around 80 retail outlets throughout Singapore, Hong Kong, and China, with over 60 stores in Hong Kong.
In addition to offering world-class coffee, great tasting food, and comfortable surroundings, Pacific Coffee Company is also committed to technology—in front of the counter as well as in the back office. The chain offers customers the ultimate in communication services. Whether for business or pleasure, the availability of its in-store Internet facilities provide customers access to this technology, when and where they need it.
With its focus on offering customers coffee as well as convenient computer connectivity, Pacific Coffee is no stranger to the challenges posed by technology. These challenges, specifically in terms of network security, were highlighted recently when the organization began the transition from conventional cash registers to a modern, integrated Point-of-Sale (POS) system. These concerns were emphasized when it began planning the introduction of a new customer loyalty card program called the Perfect Cup Card.
The new Perfect Cup Card replaces the previous practice of giving customers a paper card on which they collect stamps that are used for redeeming free coffees. It is not only more efficient, but is also more flexible, supporting a host of new sales and marketing initiatives. It is even more environmentally friendly as it is completely electronic.
Customers can now purchase the Perfect Cup Card at Pacific Coffee stores in Hong Kong with an initial cash value of HK$200. The loyalty program allows cardholders to accumulate points with any purchase. And customers can even register on-line to keep track of their points, and receive news and special offers from the chain.
However, while the Perfect Cup Card is a breakthrough in terms of customer loyalty in the Hong Kong coffee market, it relies on the ability to securely share real-time transaction data (including monetary values) between the POS terminals in coffee outlets and main data center. Pacific Coffee decided to explore the potential of a VPN (Virtual Private Network) technology to reliably secure its data en route.
Pacific Coffee now uses Check Point Safe@Office® VPN capability to support its customer loyalty program, protecting real-time data as it travels across the Internet. It also protects the POS systems in coffee outlets from the malicious intentions of hackers and other intruders.
“In today’s business environment, maintaining customer confidence and protecting your business means protecting your corporate information,” says Natalie Ho, Marketing Communications Manager of Pacific Coffee. “Taking steps to safeguard critical data such as customer records, proprietary files, and accounting information is vital to our success.”
Today, Pacific Coffee has a Safe@Office appliance in every coffeehouse. These connect to the data center of the Perfect Cup Card service provider. The implementation was so simple that Pacific Coffee was able to complete the rollout to nearly sixty coffeehouses within 12 days.
“Customer relationships are critical to Pacific Coffee and we feel a strong responsibility to protect our customers and their information from the unwelcome attention of hackers or phishing operators,” says Ho. “Check Point’s Safe@Office solution gives us what we need at a reasonable price.”
Safe@Office was chosen after a monthlong evaluation that reviewed a host of criteria including link rebuild, traffic shaping, reliability, and compatibility with other firewall systems. Safe@Office worked well in each area and provided the best performance/price ratio among all the solutions that were evaluated.
“The multitude and versatility of Internet threats require hosts of different solutions that are often difficult to integrate and require a large financial investment,” says Ho. “Companies need a cost-effective, all-in-one, reliable and flexible Internet security and VPN solution that is easy to manage. The Check Point Safe@Office solution fits the bill perfectly.”
Pacific Coffee Perks Up Customer Loyalty and Protects Point-of-Sale Platform with Check Point Safe@Office
Walters-Dimmick Petroleum, Inc., (WDP) is a marketer of Shell petroleum products with a primary focus on the distribution of Shell fuels across Michigan, Indiana, and Ohio. The company maintains a large network of Shell-branded retail facilities operated by company personnel and independent dealers. In addition to selling Shell gasoline, all sites incorporate convenience stores and may also include fast food restaurants such as Subway, Jimmy John’s, and Quiznos. Sites may also have car washes, ATMs, phone card services, and other services. Where possible, many of these products and services are combined onto a single site to provide a quick and easy way for customers to get the quality products and services they want within one convenient retail location.
WDP manages more than 58 locations, each of which requires an Internet connection for secure email access and corporate communications. When the company replaced its dial-up service with broadband, it hired a managed service provider (MSP) to implement a complete high-speed DSL solution that included Check Point Safe@Office® appliances. “Once we went to an always-up Internet solution, we knew we needed security,” says Dale Williams, director of IT and retail operations for Walters-Dimmick Petroleum.
In order to effectively manage the Safe@Office appliances within geographically distributed WDP retail locations, Williams selected Security Management Portal (SMP) On-Demand™ from Check Point. SMP On-Demand is a fully-hosted central management and service provisioning platform delivered as a “Software-as-a-Service” (SaaS). Williams appreciated that SMP On-Demand featured an intuitive, Web-based user interface to manage all of the Safe@Office gateways from a single location. WDP also selected the Check Point solution because it required a minimal upfront investment and low administrative and support costs.
Another important factor that influenced Williams’s decision was that the Check Point solution exceeded the requirements for PCI compliance, including:
Walters-Dimmick Petroleum Secures Store Broadband with Safe@Office and SMP On-Demand
Headquartered in Denver, Colorado, TekJet, LLC provides comprehensive managed IT services for small- and medium-sized businesses with typically less than 100 employees. Customers include financial firms, oil and gas suppliers, contract manufacturers, law firms, and other businesses.
TekJet started out as a typical “break-fix” business in which customers would only call when their IT systems were not working properly. Over time the company migrated to selling more managed services and to delivering additional value-added services. According to TekJet founder and president, Todd Jones, “Small businesses face a myriad of challenges in keeping their business up and running and secure. By offloading the day-to-day management of their computer networks to us, our customers can focus their energies on their businesses and not on their computer systems.”
To expand TekJet’s services to include IT security, Jones needed a solution that would work well with TekJet’s established managed services platform. This platform is based on a leading managed services platform for remotely managing customer infrastructures, including network components, servers, and desktop PCs. In addition, TekJet needed the ability to remotely control policy and upgrades for all customers from their Network Operation Center.
TekJet decided on a solution featuring Security Management Portal™ (SMP) from Check Point, a central management and service provisioning platform, for the management of Safe@Office® Unified Threat Management (UTM) appliances. SMP coupled with Safe@Office provided the perfect security solution for TekJet and allowed it to extend its managed services offering to include security solutions. With the Check Point solution in place, TekJet is now able to offer its customers managed messaging security services, including spam filtering, antivirus and spyware protection, Web filtering, managed IPS services, comprehensive firewall management, and managed VPN capability.
Additionally, SMP features an intuitive, Web-based user interface and a robust and resilient architecture. The combined Check Point solution integrated easily with TekJet’s existing managed services environment and supported TekJet’s strategy to grow its managed service business. Furthermore, using a central management platform supported TekJet’s efforts to manage multiple deployments and increased revenue while lowering support costs.
TekJet Trusts in Check Point to Grow Managed Services Business
Founded as a junior college in 1966, Tokiwa University is a private educational corporation in Japan that now encompasses the entire range of education from kindergarten to graduate school. In May 2005, the university unveiled its new Media and Information Technology Center to facilitate education and research across the campus, as well as offer more effective classes to students. For network security, Tokiwa University relies on Check Point Software Technologies and its VPN-1® Pro™/FireWall-1® and SmartDefense™ solutions.
Emphasizing the important role of the Media and Information Technology Center, Mr. Masanobu Abe, professor in the department of human sciences and director of the new center, says, “We see corporations investing in the development of leading-edge hardware and software, moving the broadband platform forward. But it seems to me that small- and midsize businesses aren’t taking a strategic approach to developing and using software or other content that makes the most of this advanced platform. One important role of the Media and Information Technology Center is to educate people in Web programming, computer graphics, digital image production, and other digital media information technologies, and then send them into the world to help these smaller companies.”
The center houses a full inventory of digital equipment, including computers, video production studios and equipment, and much more. Consolidated and centralized resources allow information to be shared among departments separated geographically but now connected electronically. This has fostered an environment that facilitates education and research.
In 1995, the university connected to the Internet through participation in SINET (Science Information Network). As the needs of the faculty and students quickly grew beyond Web browsing and email, branching into a variety of other applications, the university faced growing issues of network bandwidth and guaranteed availability. Stating the need to balance security with network expansion and guaranteed availability, Mr. Tomokazu Nemoto, system engineer of the Media and Information Technology Center, says, “For us to respond to Internet usage needs, we must be able to expand the network while maintaining its ease of use. And we have to have an environment allowing free access to the Internet for students, which means we absolutely have to have strong security measures in place.”
In the year following its connection to SINET, the university implemented VPN-1/FireWall-1. This is the most popular perimeter firewall in the world because it uses INSPECT, the most adaptive and intelligent inspection technology, to provide both network- and application-layer protection.
When a wireless LAN environment was implemented, allowing faculty and students to use their mobile PCs on campus, the university foresaw that those PCs would have insufficient security measures and knew that the network would need protection not only from external threats but from internal ones as well.
To resolve these issues, Tokiwa adopted Check Point’s InterSpect™ internal security gateway. InterSpect protects internal networks from personal mobile computers that may not be secure. It incorporates functions to prevent the proliferation of worms and other attacks inside a network, segment an internal network into protected security zones by department, and quarantine infected devices that propagate attacks or worms.
Tokiwa University also keeps ahead of evolving Internet security threats by subscribing to SmartDefense™ Services for real-time updates and security advisories for its Check Point security infrastructure.
Tokiwa University Relies on Check Point for an Integrated Solution to Campus Network Security
Hixardt Technologies, Inc. was founded in May 2001 by Michael E. Hicks Jr., Robert E. Barnet, and Scott T. Luthardt, all retired military veterans with degrees or specialties in Information Technology and telecommunications. The objective of the company was to provide technology services and solutions for small- to medium-sized businesses.
Based in northwest Florida, Hixardt has created several managed services offerings to allow customers to outsource their technology support or augment the capabilities of their current IT staff by using Hixardt’s Management Technology System and consulting team.
Hixardt specializes in helping businesses with 25-35 users, which co-founder Hicks says is an underserved segment of the market. “Small and medium sized businesses are often neglected when it comes to IT since most of the solutions available are either designed for individual consumers or large enterprises,” he says. “It’s very difficult to find IT solutions specifically designed to meet the unique needs of small- to medium-sized businesses.”
Since IT security is an important part of Hixardt’s offering, the company needed a solution that could not only serve the requirements of SMB customers, but could also integrate into Hixardt’s management system. This would allow Hixardt to centrally manage the overall IT needs of its clients on a real-time basis and make it cost-effective and profitable.
Hixardt has been a strong proponent of Check Point Software since their first installation for Tuskegee University in Alabama. The team put a VPN-1 system in place and was impressed at the ease of installation, the intuitive management of the solution and its overall effectiveness in providing essential security for the university’s network. “We were very impressed with the solution to say the least, which made us want to be a complete Check Point shop and able to provide the best solutions for every client,” said Hicks.
To satisfy its SMB customers, Hixardt chose to standardize its offering on Check Point’s Safe@Office appliances, which address the Internet security requirements of businesses ranging from five to 100 concurrent users. Check Point Safe@Office appliances are easy-to-use, highly affordable and deliver the same proven Internet security to small businesses as used by the majority of the Fortune 100.
To further leverage the use of Safe@Office appliances, Hixardt implemented Check Point’s Security Management Portal (SMP), a central management and service provisioning platform that features an intuitive Web-based user interface and a robust and resilient architecture to support the management of up to tens of thousands of Safe@Office gateways.
“Through our experience, we know that the Check Point Safe@Office appliances deliver powerful Internet security features and provide a solid defense against threats that range from hacking attempts and denial-of-service attacks to phishing and viruses,” said Hicks. “Combined with SMP, the Check Point solution arms us with a cost-effective, flexible platform to build our business.”
Hixardt Technologies Taps Check Point Solutions for SMB and MSP Security Needs
Osmose has long been a leader in the research and development of new products and services in all areas of wood preservation technology as well as Utility and Railroad asset management. With a commitment to quality, technical support, and service, Osmose has built an impressive network of suppliers throughout the United States and in more than 70 countries around the world.
Osmose was faced with having to support the needs of all the 800 users in their corporate headquarters as well as 200 remote users. The remote users posed a particular challenge in that they would travel frequently and bring their laptops with them, plugging in at various hotels across the country and around the world.
On the surface, this setup has maximized convenience—the technology has enabled remote workers to do their jobs wherever they may be. Deeper down, however, the situation has presented a familiar risk: with so many potentially unsecured endpoints logging in from all over the world, the company’s sensitive and proprietary information was in danger of being compromised.
Brendan Kilcoyne certainly has been no stranger to this dilemma; as network manager at Osmose, he has grappled with the issue for years. “Inside the corporate network, everything is a known commodity,” he says. “We needed to make sure this was the case when our people logged on to the network remotely as well.”
Providing their users the connectivity they need without sacrificing security was a challenge for Osmose with their limited IT resources. “We just don’t have the people to deal with it, so we always caution on the side of safety, which led to user frustration,” Kilcoyne says. There was no way to ensure these endpoints were secure before they accessed the corporate network, so Osmose instituted a closed Internet access policy that prohibited remote users from accessing the network without whitelisting the hotel’s network first.
“Some of the larger hotel chains have a single web site to authenticate customers, but with other chains, each franchise is independently owned and has different policies and configurations at each location,” he says. Kilcoyne describes the situation as “frustrating.”
This policy and its process were not well received by their users. Even those users who did keep their endpoint security up to date ended up having trouble logging on. In many cases, the only way for users to log on from afar was to call Osmose headquarters in Buffalo, New York and have Kilcoyne or another IT staffer update the white list and walk them through the process. It became so frustrating for their users that many of them stopped trying to use the Internet access available in hotels.
Another challenge was the problem of basic Microsoft Security updates. Because there was no way to force employees to download the latest improvements, many employees neglected to do so.
It was evident that Osmose needed a better endpoint security solution with integrated management, so they evaluated other vendors, including their existing AV vendor, Symantec. Kilcoyne found their solution “aged” and the new product line did not fit the bill. “We looked at Symantec, Check Point, and McAfee but really Check Point was the only one with an integrated VPN solution,” says Kilcoyne. “And I don’t know anybody else who can really provide the type of integrated solution that Check Point can provide.”
Everything changed for Osmose with Check Point Endpoint Security™. The solution provided them with a single agent for endpoint security that combines firewall, Network Access Control (NAC), program control, antivirus, anti-spyware, data security, and remote access, offering comprehensive protection that is part of Check Point’s renowned Unified Security Architecture. Endpoint Security also forces endpoint compliance with predetermined security policies—a feature that ensures the very same security protections across the board.
Osmose took advantage of these protections immediately. First, Kilcoyne was able to ensure the ability to sign on from any hotel utilized by company employees even with a restricted internet access policy in place. Secondly, by centralizing management to facilitate updates, Kilcoyne pushed the same protections to all endpoints as they logged onto the network, standardizing all machines on the same platform.
In addition, Osmose was able to enforce security policies and patch levels on the endpoints. “With this product, I can look for registry keys, tell when they’re out of date and force a GPO update on their systems,” says Kilcoyne.
Osmose Protects its Desktops and Laptops with Check Point Endpoint Security
The International Fund for Animal Welfare (IFAW) began four decades ago and has grown to become the world’s leading international animal welfare organization. With a support base of over two million contributors worldwide, IFAW connects government leaders, communities, and similar organizations together to accomplish real solutions for animal safety and environmental conservation. With offices on every continent except for Antarctica, IFAW has a broad base of support, which includes legal and political experts as well as internationally recognized scientists, to tackle global preservation and animal welfare challenges.
Being a Check Point customer for about eight years, IFAW was familiar with the quality and superiority of Check Point security solutions. So when users began experiencing problems with secure remote access, IFAW knew where to turn. With approximately 70 percent of employees working outside the organization’s headquarters, IFAW needed a secure remote access solution that could guarantee more internal security and controls, especially on mobile users.
The vast majority of mobile users were migrating away from using IFAW global dial-up access to the available broadband access options in hotels and conference rooms. “As that was happening, issues were starting to arise, including worm infestations, an increase in malware, and users coming back to the office with all kinds of software installed on their device that had not been installed by the IT department,” says Paul Ponte, a network engineer at IFAW.
Because IFAW has deployed extensive VPN solutions from Check Point, it was concerned that the remote workforce, who has access to confidential internal systems while on the road, would use a VPN tunnel to unknowingly inject something inappropriate inside network headquarters.
“We were concerned with the hardcore road warriors, the ones who only alight in an office somewhere in the world maybe two to three times a year,” says Ponte. “We needed something that would be completely interoperable with our existing Check Point infrastructure.”
IFAW found its solution in Check Point Endpoint Security™, the first single agent for total endpoint security that combines the highest-rated firewall, network access control (NAC), program control, antivirus, anti-spyware, data security, and remote access.
While considering product options, IFAW relied heavily on industry trade publications like Network World, Secure Computing, and others to provide a sounding board for potential solutions. “We took a look at everything that was out there,” says Ponte. “And Check Point immediately jumped out at us.”
“Check Point Endpoint Security allowed us to integrate all environments and it provides, frankly what I think, is the best level of total end-to-end security of any solution that’s out there,” says Ponte.
IFAW Captures Total Security with Check Point Endpoint Security
Denbighshire County Council in North Wales, United Kingdom serves a local population of 93,000. A key part of the council’s IT remit is providing and supporting leased-line Internet access for 66 primary and secondary schools across the county, as well as Internet services within the County’s local libraries. This is in addition to maintaining the Council’s own internal network.
Managing Web access for such a diverse range of users means that close control over IT security is vital, to protect against threats and attacks from these multiple endpoints. The challenge for the council’s IT team was sorting through the huge volumes of log data produced by its security and network devices every day.
“Our firewalls and other security devices produce around 1GB of log data every day,” says Shannon Gage, Principal Technical Support Manager for Denbighshire County Council. “This was making it difficult for me to do regular security health-checks and pro-actively identify any emerging issues or threats.”
Turning millions of data logs from multiple sources into usable, actionable information can be an insurmountable task—especially for smaller IT teams. This makes it difficult to perform security checks, or to spot emerging attacks or vulnerabilities in any kind of systematic way. It also diverts the IT team’s resources away from other important network management tasks.
The council’s IT team needed a security information and event management (SIEM) system that takes the massive volumes of data logs from all of the company’s security devices and gathers them into a central repository. This data can then be correlated and analyzed, and critical security events prioritized—reducing the complexity of security management, and saving time for the IT team.
As a long-time Check Point customer, the council has a substantial standing investment in VPN-1® technology, with two Nokia IP security platforms each running VPN-1 Power NGX R65. These provide comprehensive security and remote connectivity, and defend against denial-of-service (DoS) attacks on the council’s main 100MB Internet link, its corporate network and the leased-line connections serving each school and library, preventing hacking and intrusion attempts and securing network traffic.
With Eventia® Analyzer, the council is able to correlate log data from the Check Point VPN-1 Power solutions, and from third-party security devices, automatically prioritizing security events for decisive, intelligent action. Because Eventia Analyzer is tightly integrated with Check Point’s gateways and centralized management system, time spent in the configuration and deployment phases was minimized.
By automating the aggregation and correlation of raw logs, the council uses Eventia Analyzer to minimize the amount of data for review and also to isolate and prioritize critical security threats. This in turn frees up time for the council’s IT team. According to the council’s IT team, Eventia Analyzer makes it easy to inspect network traffic patterns and device logs in detail, and, because it filters out extraneous ‘chatter’ from devices, lets them identify issues or threats that might otherwise have gone undetected.
Deploying Eventia Suite
According to Gage, deploying Eventia Analyzer and Eventia Reporter was easy and straightforward. Working with Check Point security engineers, she was able to integrate the SIEM application into the overall network infrastructure and get up and running quickly.
Denbighshire County Council Selects Eventia Suite to Simplify Security Management