Zètema protects Rome’s heritage from cyber threats with Check Point
A Community Hospital in the Western United States Proactively Defends Assets against Cyber Threats
Ayesa protects Cloud deployment with Check Point CloudGuard SaaS
Organization: ENT Credit Union is a leading credit union in Colorado
Industry: Financial Services
Alrov Luxury Hotels protects against cyber threats with Check Point to ensure flawless guest experience
For complete view of network traffic, ENT Credit Union Gains East-West Network Traffic Visibility with Check Point Next Generation Firewalls.
SmartWave Technologies Secures IP Everywhere with Robust Endpoint Protection
D. C. Law firm future-proofs security across network, cloud, and mobile security threat vectors with Check Point Infinity Architecture
NHS England provides 6,800 agile workers with Check Point secured mobile devices
Furniture Manufacturer secures its ICS network, keeping employees safe and operations running with Check Point rugged appliances and cyber security management
RCB Bank Protects its Fleet of Mobile Devices with Real-time Prevention from Check Point
IZA contributes to the future of labor research by supporting young scholars
Based in Montgomery, Alabama, Medical Advocacy & Outreach (MAO) is a nonprofit medical institute providing HIV, Hepatitis C, and diabetic care. MAO began in 1987 as a volunteer organization. Today, its services span 28 Alabama counties. In 2011, MAO launched the Alabama e-Health Telemedicine Initiative, delivering HIV-specific care, pharmacy consultations, mental health counseling, and social services. A pharmacy and dental clinic opened in 2017. The organization continues to look for ways to improve healthcare options in its coverage areas.
Starting With a Clean Slate
When Benjamin Urquhart joined MAO as Division Manager of Information Technology, he found that the network and security infrastructure was not able to support the organization’s rapid growth. For several years, MAO had relied on third parties for network management and security services. An anti-malware product installed on the endpoints was not enough to meet compliance requirements, and other security measures were not current.
“As a medical provider, HIPAA compliance and data privacy concerns are critical, especially when working with HIV cases, which have stricter regulations,” said Urquhart. “We decided to bring our network and security management in house for more control and better protection. It was time for a clean slate.”
Urquhart had experience with Check Point solutions in the past. Before he approached MAO senior management and the Board of Directors to explain why the organization needed enterprise-level security and technology, he launched a small proof of concept deployment of Check Point Security Appliances and R80 Cyber Security Management.
The Check Point security logs with analysis and reporting found thousands of botnet connections, malware, and other malicious threats coming in and going out of the network. With SmartEvent providing crystal-clear visibility into cyber attacks, it was easy to see how serious the threats were.
“I expected to see these kinds of threats, but even I was surprised at the volumes,” said Urquhart. “The Check Point solutions gave me hard data about how much visibility we lacked and where we were at risk.”
The data was also compelling to the Board and senior managers, who approved a significant security and technology initiative to not only support the organization’s growth, but also provide compliance-ready security. Urquhart deployed the Check Point Security Appliances over one weekend to secure the clinics as quickly as possible. Check Point SandBlast Agent with Threat Emulation and anti-ransomware now defends end-user systems against zero-day threats, bot communications with command-and-control servers, and other advanced attacks. Check Point Anti-Malware efficiently detects malware with a single scan, while Check Point Compliance continuously monitors security infrastructure, gateways, technologies, policies and configuration settings, all in real time, to ensure compliance.
MAO, Medical Advocacy and Outreach, Takes A Giant Step Forward in Security and Data Privacy
BH Telecom is the leading telecoms operator in Bosnia and Herzegovina, providing high quality, state-of-the-art telecommunications services. Around one in three Bosnians are BH Telecom customers; the company is also a service provider to the country’s SME sector.
BH Telecom is a market leader acting like a disruptor. The business, which holds 46.98% share of Bosnia’s mobile telecoms market, is in the process of transforming its digital landscape. The company’s future vision is to provide a range of cloud, digital and data services to its customers.
“Security is hugely important to us,” says Edina Muminovic, Head of Service Integration and Security at BH Telecom. “We need to protect our own services, and want to offer security-as-a-service to our customers.”
As the market leader, BH Telecom is continuously working towards securing its ICT service offerings. It’s imperative for the business to future-proof its security position across its data center in order to ensure business continuity and to retain the trust of its customers. In addition, BH Telecom needed to work with one vendor who could simplify its security management and clarify the company’s security roadmap.
The Check Point CloudGuard solutions deliver consistent and complete cloud security for virtualized data centers to SDN, IaaS and SaaS applications, providing protection from emerging threats of account takeover. The CloudGuard portfolio seamlessly integrates with the largest number of cloud platforms and cloud-based applications, giving BH Telecom the freedom to choose the cloud solution that best aligns with its goals, without sacrificing the company’s security.
Check Point CloudGuard IaaS delivers advanced, multi-layered security for public and private cloud environments. The solution protects BH Telecom’s assets in the cloud from attacks while enabling their customers to securely connect from their enterprise networks to the cloud.
EMC, a local Check Point partner and long-time technology provider to BH Telecom, worked alongside Check Point to implement the CloudGuard IaaS solution. The decision to purchase Check Point CloudGuard IaaS was made after a public tender and a PoC involving Check Point as well as other competitors in the market.
“Check Point fitted perfectly with our VMware environment and scored highly in Gartner’s security quadrant,” explains Muminovic.
BH Telecom Consolidates their Security in the Cloud
Lightbeam Health Solutions provides a data analytics platform that unifies claims and clinical data to help healthcare organizations provide superior patient care with lower costs.
DEFENDING PROTECTED HEALTH INFORMATION IS MISSION #1
Lightbeam’s technology provides Accountable Care Organizations (ACOs), payers, large provider groups, health systems, and other healthcare organizations with actionable information that helps them better manage patient care while reducing costs. The company aggregates and analyzes high volumes of clinical and claims data using advanced modeling, Artificial Intelligence (AI), and reporting technologies. Customers access their information through their accounts in the customer portal.
“Our biggest security concern at Lightbeam is Protected Health Information, or PHI,” said Jay Orler, Vice President, Infrastructure and Security for Lightbeam. “Protecting our customers’ data is not only required by HIPAA, it’s also critical to maintaining customers’ trust in us as a service provider.”
When the company began, operations were based in brick-and-mortar data centers. However, continual changes in the healthcare industry, new technologies, and company growth were outpacing the data centers’ abilities to keep up. Lightbeam began to extend its infrastructure to the cloud.
“The need for agility, scale, and cost-effectiveness are increasingly driving us to the cloud,” said Orler. “We’re moving to Microsoft Azure, which will help us achieve all of those benefits. But we also need the same level of security in the cloud that we have in our data centers. We got that with Check Point CloudGuard IaaS.”
UNIFYING THE ARCHITECTURE FOR BOTH ENVIRONMENTS
Lightbeam adopted the Check Point Infinity architecture to gain consistent protection across its physical and cloud infrastructures. The Infinity architecture provides complete threat prevention, which seals any security gaps. It also shares immediate threat intelligence automatically across both environments. Orler and his team can manage security for both environments with consolidated security management for unmatched efficiency.
Within the Infinity architecture, Check Point CloudGuard for Microsoft Azure seamlessly protects workloads, data, and assets with secure connectivity between the Azure cloud and on-premises environments. CloudGuard IaaS brings the same firewall, IPS, data loss prevention, zero-day protection, and other threat prevention capabilities to the cloud that Check Point firewalls deliver to Lightbeam’s physical data centers and offices.
In addition, Lightbeam leverages Check Point CloudGuard SaaS to provide zero-day threat protection and data protection to its Microsoft Office 365 environment. CloudGuard SaaS prevents data loss and scans email messages and attachments for malicious content, thus blocking phishing email attacks and protecting file sharing and messaging. Powered by the Check Point Infinity architecture, CloudGuard SaaS provides comprehensive Gen V threat protection across the enterprise, with shared threat intelligence across network, cloud, and mobile devices, and simplified management.
Lightbeam Health Solutions Chooses Check Point to Protect Sensitive Info in Hybrid Cloud Environment
X by Orange is the branded trademark of Orange B2B Technology, a subsidiary of Orange Spain. Established to promote the growth of small and medium businesses, it uses the cloud to transform and digitize communication.
“The company is followed with great enthusiasm by the whole Orange group. We are implementing a new model of software development and product integration which is not only of interest and relevance to Orange Spain, but also outside the business itself,” explains José María San José, CTO and CIO of X by Orange.
GROWING IMPORTANCE OF SECURITY
X by Orange’s mission is to enable access to digital services via the cloud, providing the features SMBs need at a competitive price and without requiring long-term commitment.
When it began developing two new products, X-Privacy and X-Security, X by Orange needed a security solution that would ensure the products were not only affordable, predictable and easily operated, but would also protect their clients’ corporate data from known and unknown cyber threats without requiring hands-on management.
“In designing our business plan, we saw that providing security via a next-generation firewall, a control panel for threats and endpoint security is fundamental to developing a digital infrastructure security service and product for SMBs,” explains José María San José.
DESIGNING THE RIGHT PRODUCTS
“After analyzing the market and running a highly competitive tender, we saw that Check Point CloudGuard IaaS for AWS and Check Point ZoneAlarm were the perfect fit for the X Security and X Protection products we planned to launch.”
CloudGuard IaaS protects businesses against Gen V cyberattacks on the cloud, using real-time sandboxing and cloud-based threat intelligence. ZoneAlarm provides X by Orange with anti-virus and advanced firewall protection, along with anti-phishing to block identity theft and threat emulation to prevent zero-day attacks.
X by Orange assessed Check Point against strict criteria, including the number of features and their level of sophistication. “From an operational point of view, working with Check Point also gave us access to a wide network of first-class support across Spain,” continues José María San José.
Check Point next generation firewall and threat protection are now built into both X-Security and X-Privacy. This allows multiple sites to interconnect in a secure way, protecting corporate and financial data, even when accessed using mobile devices.
X by Orange Guarantees Security in the Cloud with Check Point
Headquartered in Silicon Valley, Cadence Design Systems, Inc., founded in 1988 is a global technology company that spans 40+ countries with over 8,000 employees worldwide. Cadence supplies electronic design technology and engineering services in electronic design automation (EDA) to much of the semiconductor industry including Fortune 100 companies. Cadence produces software, hardware and silicon structures that are used to design integrated circuits, systems on chips (SoCs) and printed circuit boards.
Cadence’s Journey to the Public Cloud
Originally, Cadence ran their own datacenters and found those to be sufficient for their computing needs. However, as the enterprise expanded, it began to outgrow the computing capacity of its on-premise system. Cadence needed a system that has scalability, elasticity and securely enabled cloud demand. Sreeni Kancharla, Chief Information Security Officer (CISO) and Sr. Group Director for Cadence, and his team of ten engineers, including his head Cloud Architect, Koji Kuramatsu, turned to Amazon Web Services (AWS) for help. With the resource capabilities supplied by AWS at their fingertips, Cadence was able to provide the computing power necessary to respond to customers’ requirements instantaneously as needed.
Cadence started their public cloud journey in 2014. Today Cadence primarily uses AWS, via 50+ accounts. Cadence has a presence mainly in three AWS Regions worldwide: the USA West and East Coasts, and Europe. It makes full use of the AWS cloud functionality for production, utilizing services for compute, storage, networking, database, security, developer and management tools. Cadence’s AWS footprint covers more than 1,000 instances, 770 security groups, and 115 Amazon VPCs, with more than 4,000 different network security policies and rules, which leaves Kancharla and Kuramatsu with the challenge of securing a very dynamic cloud environment. In addition, while AWS is their primary cloud service, Azure is also represented with tens of compute and storage resources deployed in 29 security groups. They have also begun incorporating Google Cloud Platform (GCP) into their multicloud environment.
Cadence Tackles Cloud Challenges with New Solutions
From the get-go, Kancharla knew that migrating to the cloud would bring challenges in the realm of network security, compliance and visibility. He needed to be sure that any integrated cloud management solutions would be compatible and effective across the major public cloud infrastructure-as-a-service (IaaS) providers, which included AWS, Azure, and GCP. Anticipating these security challenges, Cadence began using CloudGuard Dome9 as soon as they moved to the cloud.
Visibility into the cloud is vital in order to control security and minimize the infrastructure attack surface. With the highly dynamic nature of the public cloud and unlimited amount of resources it would afford its customers for scalability, the need arose to tightly monitor and track the various network configurations. According to Kancharla, “With several administrators adding to the cloud configuration, the occasional misconfiguration is inevitable. With thousands of constantly shifting rules across hundreds of security groups and VPCs, Cadence’s cloud presence is far too big and complex to be managed by humans. It’s impossible for an individual to manage it. We needed an automated tool that actually tracks all the changes.”
When a change occurred, Kancharla’s team needed to be able to peer into the system to see exactly what took place so that it could be corrected quickly. Cadence needed to automate repetitive tasks such as security group auditing, fix any misconfigurations with in-place remediation, and have built-in active protection to enforce established policies with the ability to track and revert unwanted changes consistently.
CloudGuard Dome9 Clarity for Granular Network Visualization
Cadence found their solution in CloudGuard Dome9 Clarity. As part of the CloudGuard Dome9 service, Clarity is a powerful visualization capability that provides a granular view of network topology and workflow traffic so Kancharla’s team can easily map all subnets and drill down to view reports of all AWS EC2 instances on a single, easy-to-use dashboard. In addition, Cadence uses CloudGuard Dome9 Clarity to check their AWS VPCs state and overall network exposure. This includes using CloudGuard Dome9 IP Lists for grouping and configuring permissions to specific public IPs. Using CloudGuard Dome9 Clarity, Cadence has centralized management of its network security posture and can efficiently whitelist those IPs that can be viewed coming to and leaving from their security groups, in order to define the internal and external network links.
One of Cadence’s most common uses for Clarity is to find potential vulnerabilities that would create a security alert. Clarity gives Kuramatsu a quick view of a specific subnet or route going from A to B so he can quickly identify any unauthorized changes to the network. In addition, the CloudGuard Dome9 VPC Flow Logs allow the team to quickly respond to events without a cumbersome investigation of the data logs.
Maintain Access Control While Providing User Flexibility
Enforcement of access and authorization to ports and services are vital in a complex cloud network. One of the main concerns Cadence faced was protecting their customers’ data while providing multiple users access. Cadence needed a tool that could not only monitor, but protect the movement of resources both between the segregated subnets as well as on and off the public cloud networks. This tool would ensure that only authorized individuals could access specific data, make changes, and enforce only authorized changes.
At the same time as securing access, Kancharla had the added challenge of retaining flexibility. Cadence provides training sessions for their customers, which require the off-site trainer to enter the Cadence system remotely from the customer’s site. However, permitting such ad hoc temporary entry naturally puts the network at risk and makes it vulnerable to outside threats. Kancharla’s team sought a solution which would bring the capability to add access without compromising strong security controls.
Active Protection for Security Enforcement with CloudGuard Dome9
Kancharla recognized that the cloud security solution he implemented needed to offer full security orchestration, going beyond monitoring and reporting to include enforcement. Automated control over the implemented and established baseline security posture was essential. Within the CloudGuard Dome9 service, Kancharla found the control he was looking for with the always on security enforcement of Active Protection with CloudGuard Dome9. With active protection, Cadence acquired the following three-pronged approach to the challenge of granting user access and providing flexibility and agility to its customers, while securing their multi-cloud environment with confidence.
CloudGuard Dome9 Dynamic Access Leases: “We use Dynamic Access Leases heavily,” says Kuramatsu. He and others on his team use CloudGuard Dome9’s Dynamic Access Leases to solve the challenge of individuals who need temporary remote access to the network. With Dynamic Access Leases, the person can get specific temporary access to only those parts of the networks that he needs for a limited time frame. The CloudGuard Dome9 tool opens up the ports automatically and closes access again at the end of the defined time frame, thus reverting to the original, defined network state, ensuring consistent protection across their clouds.
CloudGuard Dome9 Tamper Protection: Attempts to modify a security group from the multi-cloud environment will result in Tamper Protection detection and a message. Cadence’s predefined policy in CloudGuard Dome9 is always enforced, and any modification attempt will be overridden, forcing the policy to revert to its original definition. Kancharla’s team leverages this capability to make sure there are no port changes that result in configuration conflicts, especially in the case of network configuration updates.
CloudGuard Dome9 Region Lock: Since Cadence operates across three AWS regions, Kancharla and Kuramatsu rely heavily on Region Lock to enforce regulations which prohibit moving data between regions. Cadence uses Region Lock to ensure that information cannot be moved outside of the USA or Europe. Furthermore, with Region Lock, Cadence can make sure that user access is granted accordingly and employees cannot view data that they should not be seeing.
Compliance Reporting for Customers
Cadence is a large public enterprise that serves leading industry vendors. As such, customer trust is key. With the migration to the cloud, Cadence had to be able to continue to demonstrate consistency with industry standards such as ISO 27001 and other cyber security frameworks’ best practices in order to reassure their customers that their applications and data are safe.
Compliance Automation and Reporting with CloudGuard Dome9
The Compliance Engine from CloudGuard Dome9, a part of the CloudGuard Dome9 service, delivers continuous end-to-end compliance testing and reporting against industry standards using automated data aggregation and an intelligent insights generation system. Cadence turned to the Compliance Engine from CloudGuard Dome9 to generate compliance reports for AWS and Azure.
Kuramatsu notes that CloudGuard Dome9 best practices reports are “one of the best parts of the Compliance Engine from CloudGuard Dome9 and we use them quite often.” They also use CloudGuard Dome9 to validate their cloud security against the CIS AWS Foundations Benchmark framework, which is a set of security configuration best practices to protect one’s footprint on AWS. Kuramatsu can prove how robust Cadence compliance truly is by producing compliance reports, and can quickly respond to Cadence management requests with well-structured and trusted information.
Cadence Uses CloudGuard Dome9 for Robust Security Across Its Multi-cloud Environment
Nihondentsu Co. Ltd
Nihondentsu is an ICT consultancy, based in Japan. By deploying Check Point Next Generation Firewalls the business has simplified its security management and established a platform for continued growth.
Securing a seamless link between branch offices
Nihondentsu has more than 50 years’ experience in advising businesses on their ICT strategies. As it leads clients through digital transformation projects, its own business has to change too: Nihondentsu must become more agile, mobile and flexible.
Critical to this is a seamless link between the 18 Nihondentsu offices. The company wants to enable all staff to have access to the latest corporate and customer data securely.
A VPN solution, installed across all 18 branches in 2000, had become unstable and insufficient. With communications across the business steadily increasing, the VPNs were unable to cope with higher levels of traffic. The system was difficult to maintain and complex to manage.
“The situation was difficult,” says Hiroshi Ainaka, Chief, Network Group, Technical Department, Nihondentsu. “We recognized the urgent need to replace the VPN routers, but we had to look at the issue from many angles. The challenge was not just to improve access response, but to make sure that security was solid, that post-deployment management and operation would be easy, and that the cost/performance ratio was fitting.”
Rapid deployment and simplified management
The Check Point 700 Appliance delivers enterprise security in a series of simple and affordable, all-in-one solutions. Automated reporting, scalable deployment, and hands-off setup and configuration are all Firewall features which enable Nihondentsu to protect their employees, networks and data from cyber theft.
“The most impressive feature of the 700 Series is that it is an all-in-one product that achieves high performance and advanced security in a very balanced manner,” says Ainaka. “For a company of our size it’s unrealistic to have dedicated security personnel in place. What clinched it for us was that the 700 Series is easy to deploy, easy to run, and has a solid post-deployment support system.”
Setup can be done in minutes using pre-defined security policies and a step-by-step configuration expert. Check Point 700 Appliances are conveniently manageable both locally via a Web interface and centrally by means of the Check Point Security Management Portal (SMP). The solution allows users to connect securely from any device directly or through secure authenticated Wi-Fi for simple cloud management.
Nihondentsu enforces secure mobile workplace to drive business growth
ABOUT DATASTREAM CONNEXION
DataStream Connexion is a premier technology consulting and web application development agency. Formed in 2000, they have built web applications for the Federal Government, USDA, FDA, the Department of Homeland Security, healthcare organizations, Fortune 500 companies and small businesses looking for best-of-breed solutions. This small yet nimble team, led by Eric Hoffman, President and owner, provides services that range from product development and DevOps, to cloud security and compliance. DataStream Connexion excels at incorporating comprehensive security and compliance management into the innovative products they design, and thus have garnered the trust of many government agencies and healthcare organizations with maintaining their critical applications in the cloud.
BACKGROUND: AN EARLY CLOUD ADOPTER
In 2006, Amazon opened the door to the cloud with Amazon Web Services (AWS), providing a more robust and resilient infrastructure solution. Seeing great potential, Eric made the strategic decision to migrate both compute and storage to Amazon EC2 and S3 respectively. In addition, as AWS matured, DataStream Connexion’s customers benefited from the evolving robust security controls as well as certifications such as FISMA, SAS-70, ISO 27001 and HIPAA that AWS has to offer.
LEVERAGING AWS GOVCLOUD
With the introduction of AWS GovCloud in the US region in 2011, the team also recognized the great opportunity of the cloud when it came to hosting highly regulated workloads. The newly introduced AWS GovCloud was a perfect fit for their customers, supporting the common AWS security controls and compliance standards, but in an isolated, dedicated region designed specifically for sensitive government agency data. However, in the early days of the public cloud, there was still pushback from DataStream Connexion’s federal customer base, who were unsure of securing their data in AWS.
During this early cloud adoption stage, Hoffman and his cloud operations team knew that the advantages of AWS were many. However, they also understood their part in the AWS shared responsibility model and that it presented a new set of challenges they would have to overcome to make their customers’ cloud adoption journey a successful one. They began to search for tools that would help them build out the visibility and compliance their customers depended on, in order to increase their customers’ trust in this new Infrastructure as a Service (IaaS) model. It was the same year that Hoffman found CloudGuard Dome9 and they became one of CloudGuard Dome9’s earliest adopters. Since then, as Hoffman states, “CloudGuard Dome9 has become our trusted partner in ensuring the security posture of all DataStream Connexion customers.”
NAVIGATING THE NETWORK SECURITY CHALLENGE
As with every new technology adoption scenario, there were challenges that had to be worked out along the way. With the CloudGuard Dome9 platform by their side, DataStream Connexion was able to address and mitigate each one of the following challenges.
Challenge 1: Effective and Efficient Security Management
DataStream Connexion has tens of VPCs and security groups, which end up creating an elastic cloud environment consisting of hundreds of inbound and outbound rules. They also have temporary rules that come and go as their Dev and Ops teams provision temporary access from different locations to allow their flexibility. The first priority was to simplify governance and policy implementation, to limit vulnerabilities and mitigate risk.
Challenge 2: Providing Access While Ensuring Integrity
DataStream Connexion’s small yet agile team of developers, database admins, network admins and generalized office staff all have different needs within AWS. The Ops team has to be able to provide access to various resources for development and specific environments for production, while enforcing strict segregation according to predefined user roles. This means running strict access policies for different security groups in order to avoid widespread administrative access to sensitive highly regulated environments.
Challenge 3: Allow The Broader Team Self-servicing and Flexibility
One facet separating DataStream Connexion from their peers is a bond of trust and accountability among the entire staff, including Ops, Dev and Test. The team practices continuous integration/continuous deployment (CI/CD) DevOps methodologies to move rapidly, without being bogged down with cumbersome legacy procedures that can hinder progress and agility.
This means allowing individuals remote access to their cloud environment at any time. However, providing remote access requires a change in network security rules, which includes security ports. This is a potential landmine, as enabling the broader team to change configurations is clearly prone to human error.
Challenge 4: Implementing End-to-End Compliance Management
Adhering to compliance standards can be complex. This is especially true for DataStream Connexion, whose customer base is made up of federal agencies which must adhere to standards such as FedRAMP and NIST. In addition, over the last year, AWS has expanded its offering for the healthcare market, and DataStream Connexion’s customer base has also grown in this segment, with these customers focused on HIPAA compliance. Tracking compliance status is no small feat, and a complex cloud network must be consistent and reliable when it comes to the different rules posed by various regulatory compliance standards. When it came to validating compliance at scale, Hoffman realized that running manual checks was not an option and would eat up much of his team’s valuable time and resources.
Solution 1: Complete Visibility Over the Entire Infrastructure
Network security with CloudGuard Dome9 Clarity allows the team to visualize their cloud perimeter, network topology, security policies and configurations in real-time. It lets them see how the network changes, including configurations of different security groups, as well as being able to drill down to see each instance exposure and its security group assignment. CloudGuard Dome9 Clarity allowed them to quickly spot misconfigurations and eliminate vulnerabilities such as open ports or broken network links between different system tiers. Finally, CloudGuard Dome9 Clarity eased policy analysis, helping the team to enhance rules and strengthen their network security policies with quick links to edit relevant rules and components.
Solution 2: Implementing RBAC to Allow Work to Flow Unhindered
With CloudGuard Dome9 Clarity and CloudGuard Dome9’s role-based access control (RBAC) capabilities together, all Dev and Ops members have access, but only the team admin is able to adjust settings, such as opening user restrictions to a specific security group. The Ops team is able to provide developers the instant access they need to test out new processes, which helps them accomplish their goals faster and with greater ease.
While it is very important for Hoffman to trust his staff and allow them to be nimble and empowered to do their work, if a change has been generated, it is critical that he can oversee it to ensure that it has been implemented properly. CloudGuard Dome9 Alerts keep him aware of what is taking place at all times, and he can always inquire about events as needed. This allows for fast paced innovation, enabling flexible access to the different environments without compromising their network security posture.
Solution 3: Controlled Temporary Access
CloudGuard Dome9 Dynamic Access Leases allow DataStream Connexion to schedule time-limited and on-demand access to services and ports, so that when the time allotted has ended, all ports are closed by default. Access is provided on an as-needed basis, reducing open port exposure, even via mobile device or with the Chrome Browser extension. With CloudGuard Dome9 Tamper Protection, the environment is continuously monitored for any changes to the last approved state. All changes are reverted back automatically, and the Ops team is immediately alerted to validate the policy change. Finally, the risk of open port exposure is dramatically reduced, and the DataStream Connexion staff has the access they need at the click of a button.
Solution 4: Automating Compliance with the Compliance Engine from CloudGuard Dome9
One of Hoffman’s most important weekly tasks is reviewing the Compliance Engine’s policy reports from CloudGuard Dome9. This comprehensive compliance and governance solution simplifies complicated procedures with automated data aggregation in real-time, and in-place remediation control which streamlines the analysis process, saving hours of complex work. The team can create and enforce custom policies unique to DataStream Connexion’s needs, while identifying risks and gaps using built-in test suites for common compliance standards such as HIPAA. In addition, the Compliance Engine from CloudGuard Dome9 continuously runs audits against their cloud deployment, and with it the team can validate its network security posture as well as report the current exposure status and vulnerabilities across their whole cloud network. Leveraging the easy to use dashboards and controls, the team benefits from this transparency and can enforce their established policies and be confident in their cloud compliance status at any point in time.
DataStream Connexion Builds Secure Federal and Healthcare Applications with CloudGuard Dome9
ProSiebenSat.1 Media is the leading German entertainment player with a strong e-commerce business. Every day, 45 million TV households in Germany, Austria and Switzerland enjoy its 14 free and pay TV channels. Its online offers generate 1 billion video views per month. Every year, the company invests more than €1 billion in 120,000 hours of programming.
Protecting an increasingly complex broadcast environment
New, digital competition has changed the way viewers consume content. We tend to watch content when and where we want, rather than linear. The phenomenon of ‘second-screening’, with viewers watching TV alongside a smartphone or tablet, is now commonplace. Viewers may also have contracts with multiple providers and many will pay for specific content.
As a consequence, broadcasters are now in a continuous state of service delivery: They must constantly engage with viewers across multiple platforms and offer entertainment across any device.
“The business has changed significantly, not just in terms of how we process content,” says Andreas Mang, Senior Network and Firewall Manager at ProSiebenSat.1. “We live in an age of digital transformation and this development demands us to change.”
ProSiebenSat.1 brought its security management in-house seven years ago. The objective was primarily to protect media files and customer data when moving between sites. The business also wanted greater responsiveness around security and to build its corporate knowledge of security threats and solutions. “We saw many attack vectors,” says Mang, “from spear phishing to protocol exploitation.”
Check Point was central to moving everything in-house, with Check Point 44000 Next Generation Firewalls and SmartEvent providing full threat visibility.
“The challenge now is scale and network segmentation,” says Mang. “We have really high bandwidth requirements on the internal networks, say 20GB per second. We need to accommodate this scale, but also future-proof any investment. We want to have headroom up to 50GB per second.”
The scale to accommodate long-term growth
The Check Point 44000 Next Generation Firewall is a scalable solution designed to excel in large data center, media and telco environments. The multi-bladed, chassis-based security systems scale to support the needs of ProSiebenSat.1’s growing networks, while offering reliability and performance.
The Next Generation Firewall also gives Mang and his team better control over the IT environment, allowing them to identify new applications and either allow, block or limit their use; and making the implementation of new policies simpler and more consistent.
“It’s a big deal for us,” says Mang. “It is an investment we will benefit from for many years.”
The 44000 Next Generation Firewalls provide high port density, with 10, 40 and 100 GbE fiber ports. In addition, full redundancy (N+N) prevents down-time, there is advanced protection against known and unknown threats, and the solution is designed for ease of management and fast deployment – ideal for ProSiebenSat.1’s fast-moving, downtime-intolerant environment.
ProSiebenSat.1 also uses the SmartEvent event management solution to provide a single view of all security risks, allowing the IT team to respond immediately to security incidents.
“We use SmartEvent for troubleshooting mostly,” explains Mang. “It’s one of the best products on the market, providing metrics and analysis on a daily basis, without being over complicated to use.”
Leading German entertainment player prevents downtime in always-on media industry
The Good Sam Club makes outdoor adventures a safer and more rewarding experience for more than 2 million members. With a wide range of discounts and services, Good Sam enables recreational vehicle (RV) owners to enjoy their time on the road. Its parent company, Camping World Holdings, is a leading retailer of outdoor recreation products and services.
Taming a Wild Threat Landscape
Millions of North American households are avid campers, with 2.6 million new households joining the ranks in 2017 alone. This enthusiasm – together with an initial public offering in 2016 – resulted in double-digit annual growth for Good Sam. With this new growth and their numerous acquisitions, cyber threats facing the company also increased, but its cyber protection infrastructure did not keep up.
Good Sam originally deployed McAfee Sidewinder firewalls and Cisco ASA devices for their security and remote access capabilities. But as the threat landscape changed radically in the past two years, Good Sam lacked visibility into the advanced threats attacking its business. It had no way to know what threats were lurking in its infrastructure or targeting end users. Good Sam management decided to significantly upgrade its security posture.
“I joined Good Sam to mature its IT and security infrastructure,” said Steve Moran, Director of IT Systems and Security for the company. “Based on my experience with Check Point solutions over many years, it was clear that Check Point would enable us to quickly increase security and visibility with minimal management requirements.”
Better than Previous Platforms
Moran began by deploying Check Point 15600 Next Generation Security Gateways in the data center. These firewalls deliver comprehensive multi-layered protections including: URL filtering, IPS, Antivirus, Application Control, Anti-Bot, and Email Security. They also included the award winning Check Point SandBlast Zero-Day Protection with Threat Emulation, which monitors traffic at the CPU level to detect and stop attacks before they evade detection.
Check Point R80 Security Management consolidates views, policy, threat management, and automation into a single console to deliver visibility and control across the entire security infrastructure. Logging, monitoring, event correlation, and reporting are also unified, giving Moran instant insight into security events across the whole network.
“Deployment was flawless,” said Moran. “There’s simply no comparison between Check Point and our previous platforms.”
Good Sam Upgrades Its Security Posture with a Single Solution
Omnyway is a born-in-the-cloud advanced mobile shopping and payment platform that provides retailers with the ability to offer their customers a complete digital shopping experience with the use of their smartphone for all aspects of their buying journey. Omnyway’s solution enables their customers to be more competitive by creating a dynamic digital channel between the retailer and shopper across all levels of interaction including in-store, online, in-app, virtual aisle and dynamic media. Omnyway’s platform is designed to interface with a retailer’s existing system and mobile app with minimal development needed to turn a traditional retail store into a first-class shopping experience for its customers. Omnyway’s customers include several of the Fortune 500 retailers, and the company is headquartered in Redwood City, CA.
Omnyway’s first product was developed for Kohl’s department store and provided rewards and special offers as well as payment services. This original product used Amazon Web Services (AWS) EC2 instances along with relational database services (RDS). The original platform has since evolved, moving away from instances to take advantage of the newer managed services offered by AWS which include microservices architecture, Docker containers, the use of Fargate and elastic container service (ECS), Lambda functions, key management service (KMS), and managing IAM policies with simple system manager (SSM) parameters.
“The fact that Omnyway is PCI certified, drove us to think about cloud security from the beginning,” said Robert Berger, CTO & SVP Engineering. “We were looking for specific tools to enhance our security and compliance. As our platform channel continued to grow with more applications being developed, our environment was becoming very complex. It was becoming difficult to visualize our VPC peering, security groups and workflows to verify our environment was secure. We also needed a secure yet flexible way to accelerate our DevOps by providing developers with easy remote access while making sure ports remained closed when not in use. Additionally, we wanted to ensure robust security within our platform and wanted a way to consistently scan our environment to provide reports on compliance status along with security best practices, showing us where we could improve. We were looking for a public cloud security solution that would address these concerns, while being future-built to secure existing and new microservices.”
Omnyway’s AWS cloud environment consists of 2 regions, 4 accounts and 20 VPCs that support different applications, with applications being spread across all 4 accounts. The VPCs are designed to isolate specific information that does not need to be shared. All applications are replicated in the second region for resiliency and redundancy so if one region fails, coverage continues. In working with customers and credit card payments, Omnyway’s system is PCI certified but goes beyond the required PCI levels of security. Their frontend system never sees credit card data and the back end uses VPCs to segregate crucial data, with the additional use of AWS CloudHSM security service for an extra level of protection for their data in meeting PCI regulatory compliance requirements.
Visibility into Security Infrastructure
“As we continued to build our platform and scale in the cloud, our security groups became very complicated and it was hard to track workflow,” said Marius Ducea, VP of Operations. “We needed clear visibility into our security infrastructure to locate misconfigurations and see where items were blocked to fix and secure our environment.”
CloudGuard Dome9 Clarity
One of the key reasons why Omnyway selected CloudGuard Dome9 was its powerful network security visibility at scale. The CloudGuard Dome9 platform’s visualization tool, CloudGuard Dome9 Clarity, provided Omnyway with granular visibility into their network topology and workflows, so that they could see their VPC peering and security groups, locate vulnerabilities and remediate them in place. Additionally, they were able to use the VPC flow log feature to help identify any misconfigurations, which was crucial in troubleshooting flow issues and debugging in the initial design of their system.
Secure Access for Agile DevOps
Omnyway was providing developers access to their production environment through their bastion host. With the bastion host open, and a port always exposed, they were consistently experiencing brute force attacks. Additionally, the SIEM that monitors their logs produced a large amount of noise, generating alerts continually because of all the attacks. Omnyway wanted to give its developers flexible access to ports while making sure each port was closed after use, and wanted a way to limit alerts to key events.
CloudGuard Dome9 Dynamic Access Leases
CloudGuard Dome9 offers comprehensive network security that goes beyond monitoring and assessment to offer active protection to enforce wanted policies and access control. CloudGuard Dome9’s Dynamic Access Leases provided Omnyway’s DevOps team with time-limited, on-demand access to services and ports; once a lease expired, the port was closed by default. This feature removed the need for using a bastion host and helped reduce the potential attack surface while still allowing legitimate users to get the access they need with the click of a button. According to Robert Berger, CTO & SVP Engineering, “Dynamic Access Leases provides me with a feeling of comfort with only a single person’s IP address able to gain access for a specific amount of time. Being a PCI certified platform requires a separation of duties, traditionally with a big wall between Dev and Ops. CloudGuard Dome9 provides self-service, fine grained access control to both groups, without isolating the teams. For access to services that are more critical, my security team can control access. The amount of noise we were experiencing with our SIEM has also diminished. Our CloudTrail events are now only triggered when someone is logging on. Dynamic Access Leases has been a key component in providing Omnyway with agile DevOps and a huge benefit in advancing our platform.”
Enforcement of Continuous Compliance and Security Best Practices
Omnyway is committed to building the most secure mobile platform for its retail customers that it possibly can. With PCI certification, they must meet specific guidelines in securing their environment. Omnyway has gone beyond what is required and was interested in finding a solution that could not only automate scanning of its environment and generating continuous compliance reporting, but also provide security best practices to suggest ways to heighten security policies to ensure a robust security posture.
CloudGuard Dome9 Compliance Engine
The CloudGuard Dome9 Compliance Engine provided Omnyway with a way to bolster security across their AWS environment. Within the Compliance Engine are several compliance and best practices test bundles that, once selected, can be automated and set to run checks at desired times across AWS accounts. The test points to assets that have passed or failed and identifies policy issues that need to be addressed to enhance security best practices. These reports are able to point to the status of new assets when added, which has been of great value to Omnyway.
Omnyway Uses CloudGuard Dome9 to Provide Secure DevOps for Its Retail Mobile Platform
As a provider of business services to two of Italy’s largest trade associations, FIASA handles a wealth of highly sensitive personal and corporate data. This puts FIASA in the position of having to pay the utmost attention to protecting the data it holds.
A more sophisticated position on threat prevention
“FIASA has a long history of taking cyber threats seriously,” says IT manager, Giovanni Montomoli. “We provide payroll processing services, invoice management, and overseeing accounts. These are all critical services for our members. We’ve had ‘traditional’ firewalls in place for years. There has always been a compromise between price and performance, but we’ve never suffered.”
However, the introduction of GDPR, and an awareness that the threat landscape was changing, led Montomoli to re-examine FIASA’s position. “There was a more powerful case for developing a 360° view of our customers’ data. I attended several security conferences and could see that threat prevention was evolving.”
Montomoli wanted to strengthen threat prevention for around 200 users of the FIASA network. The aim was to support mobile working, while reducing the strain on in-house management and help desk support.
Maximum security without impacting performance
Check Point SandBlast and Check Point 5000 Next Generation Firewalls offer a fully integrated, multi-layered solution tuned to deliver maximum security without impacting performance. The gateways provide FIASA with the most advanced threat prevention security.
“We considered a couple of options,” says Montomoli, “I’d like to tell you the decision was based on a thorough proof of concept. However, the truth is we heard some very good things about Check Point from our peers. Everything we heard told us that Check Point was versatile, effective, and could be trusted.”
His most critical concern was working alongside a partner experienced enough to manage the configuration. “Without Sarce as our partner, we might not have moved forward,” he admits. “This kind of project has to be managed by certified professionals. You cannot improvise.”
FIASA Secures Critical Corporate and Personal Data with Check Point
Commune d’Uccle is a local authority to the south of Brussels. Whilst it delivers and manages a range of critical services to a population of over 80,000, it must ensure the consistent delivery of local services while integrating with new service providers. This often requires the sharing of sensitive personal data while facing new security threats, including zero-day disruption.
Ensuring continuity of local services
For Commune d’Uccle, it’s become standard practice to share data on the authority’s schools and public housing with national planners. The critical nature of the organization and its wealth of sensitive personal data make it an attractive target for cyber-attacks.
“We’re seeing up to 200 attacks an hour on the network,” says Ugo Dammans, IT manager, Commune d’Uccle. “It became clear that the previous firewall solution was failing to stop every threat that penetrated our network.”
With the organization becoming increasingly mobile, and a desire to promote remote working for 500 staff members, Dammans wanted to upgrade its cybersecurity: “We want employees to be able to work remotely, yet we’re aware that the threat landscape is changing. We want to protect ourselves from current threats, and stay ahead of future issues.”
Addressing security in totality
Dissatisfied with its incumbent firewall product, Dammans assessed other solutions. “It quickly became clear that we needed to look at cybersecurity holistically – from firewalls to antivirus to the cloud,” says Dammans. “The more we explored Check Point, the more we liked it.”
The complete Check Point solution includes Next Generation Threat Prevention & SandBlast™ (NGTX), Mobile Access Software Blade, and Endpoint Security.
“As a municipal authority we have to be aware of our costs,” says Dammans, “but we’ve not hesitated to invest in the security of the administration, the employees, and our citizens.”
Belgian Local Authority Doubles its Protection with Check Point
Banco del Pacífico is recognized as a pioneer of the Ecuadorean banking sector. Founded in 1972, it was the first bank to introduce ATMs, and the first to create networked banking. Now, they’re undertaking a comprehensive digital transformation program to advance leadership in online and mobile banking.
Protecting a National Institution
As one of Ecuador’s leading financial institutions, Banco del Pacífico is all too familiar with cyberattacks. In recent years, the bank has seen a huge increase in the volume and sophistication of these attacks. Some have been designed to disrupt day-to-day banking activities, while others have been aimed at financial gain.
“Security is very, very important,” says José Luis Nath, Vice-President of Technology and Security at Banco del Pacífico de Ecuador. “We have to protect our customers’ money. Our strategy has been to invest in the best security technology on the market to protect the bank’s assets and our customers’ data and deposits.”
The Most Advanced Threat Protection, Managed from a Single Platform
Banco del Pacífico has been a Check Point customer for many years, relying on their latest, feature-rich security solutions.
The Check Point Next Generation Gateway serves as the bank’s internal and external firewall, meeting datacenter demands for power, performance, and scalability. Check Point has also delivered the highest levels of protection through industry-leading, next-generation security solutions.
Check Point Next Generation Threat Prevention and SandBlast Network protect Banco del Pacífico’s perimeter, making it the first Latin American bank to use SandBlast in this way. This provides the bank with multi-layered protection, preventing known threats and zero-day attacks by using the SandBlast Threat Prevention suite, including Threat Emulation, Threat Extraction, antivirus, anti-bot, IPS, app control, URL filtering, and identity awareness.
SandBlast Threat Emulation technology monitors and inspects CPU-level instruction flow to detect attacks attempting to bypass operating system security controls. SandBlast Threat Extraction then removes dangerous content, such as embedded objects, reconstructs files to eliminate potential threats, and promptly delivers secure content to the bank’s users.
For José Luis Nath, SandBlast’s advanced features ensure that Check Point examines all incoming email traffic for active or malicious content – and quarantines it before it’s able to enter the bank’s network and inflict damage. A PDF version confirms the malware has been extracted and the bank obtains a clear record of the source of the attack and the action taken to block it.
More recently, Banco del Pacífico added Check Point Security Management R80 to its security portfolio. This has allowed the bank to obtain the most advanced threat prevention across networks and cloud, managed through a single security management platform and console that provides transparency and an up-to-date network protection status. It also unifies security policies and enables the bank’s network to connect securely to third-party organizations. Another benefit is that they can make sure the same software runs across all platforms and in all locations.
Banco del Pacífico Thwarts Bank Robbers at their Cyber Gate
Fighting Back Against Gen V Threats
Control Southern has been a trusted automation partner for process industries in the Southeastern United States for more than 50 years. It is an Emerson Impact Partner, providing local access to global Emerson engineering services and expertise. Industrial customers across market segments rely on Control Southern automation, engineering, monitoring, valve and instrumentation, and training services to maximize production performance and efficiency.
As the company’s firewalls were reaching end of life, the Control Southern IT team began seeing a growing number of multi-vector attacks targeting its network and endpoints. Malware, phishing, and larger-scale infections had outstripped the capabilities of the company’s existing Sophos platform, and it needed costly hardware upgrades. When Control Southern moved to Office 365, it experienced a tremendous influx of phishing attacks on its endpoints. Then, ransomware gained access through malware on a web browser, infecting servers and spreading to connected client computers. In just a few minutes, gigabytes of data were encrypted and inaccessible.
David Severcool, Manager of IT Infrastructure and Security for Control Southern, and his team removed and remediated the infected computers and restored files from backup, but ransomware hit two more times during the same week. The team discovered that the McAfee software on endpoints was not updating systems correctly. Now they had the additional burden of manually pushing updates to endpoints almost every day.
“As we began looking for better protection, we wanted the best platform out there,” said Severcool. “We wanted a next-generation firewall, unified threat management, management capabilities from a single pane of glass, and logging. It was a tall order.”
Far Above and Beyond
The Control Southern team evaluated Barracuda, Check Point, Cisco, and Sophos solutions. However, Severcool knew that Control Southern needed next-generation protection across all attack surfaces—network, endpoints, and cloud deployments. The team also wanted unified threat intelligence to detect Gen V threats and single-pane-of-glass visibility to preempt them. As they evaluated Check Point CloudGuard SaaS, they immediately found several infections in SharePoint and OneDrive, and Office 365 email. The findings made their choice easy. The team chose Check Point Infinity and its unifying architecture.
“We needed more protection for Office 365,” said Severcool. “The company had experienced serious email phishing campaigns after moving to Office 365. When an attacker gained access to our email address list through one of our partner companies, phishing emails spread like wildfire. Check Point CloudGuard SaaS solved that problem, protecting Office 365 as well as our SharePoint and OneDrive environments.”
CloudGuard SaaS provides Threat Emulation capabilities to sandbox and analyze suspicious emails and files, as well as Threat Extraction to ensure that clean files are delivered to end users. Control Southern also deployed Check Point Security Appliances with threat prevention and SandBlast Zero-Day Protection across its locations. The company replaced the McAfee endpoint solution with the Check Point SandBlast Agent endpoint suite for comprehensive protection against bots, exploits, ransomware, and malware. SandBlast Agent also provides application control, endpoint compliance, endpoint firewall, and remote access VPN capabilities.
Deployment was fast and easy. Check Point Infinity Architecture enables Check Point CloudGuard SaaS and all other Check Point solutions to work in harmony, delivering Gen V cybersecurity defense. Check Point R80 Cyber Security Management gave Severcool and his team complete visibility into their infrastructure and policies. With all management capabilities and logging in one place, they have up-to-the-minute full threat visibility.
“No one else could match the logging, visibility, or protection that the Check Point Infinity architecture provided,” said Severcool. “Check Point was far above and beyond everything else we evaluated.”
Control Southern Engineers Cyber Protection Across All Fronts with Check Point
Headquartered in Wellington, New Zealand, Xero provides a global online platform for small businesses and their advisors. The company has built trusted relationships with 1.6 million subscribers, enabling them to thrive through better tools, information and connections. Innovation is fueling growth at a blistering pace. To support its growth, Xero did more than simply migrate to the Amazon Web Services (AWS) public cloud—it completed a massive transformation that wove security and agility into the very fabric of its product development, security engineering, and partner relationships, with AWS and Check Point as key partners.
Transforming Infrastructure and Security
In 2014, Xero identified a challenge with its infrastructure and security. The company was managing a premises-based infrastructure that supported almost 700,000 subscribers but often found itself spending time and resources on controlling the environment, which limited the team’s ability to fully support product innovation. Xero decided that only a public cloud infrastructure could provide the capabilities needed to support its next wave of growth.
In addition to scaling to support millions of new customers, Xero wanted to reduce its cost of service delivery, ensure high infrastructure availability, and defend effectively against evolving cyber threats. Agility is fundamental to Xero. Hundreds of product-based teams release more than 1,200 product features and updates each year. Xero wanted to reduce the time it took to build out DevOps infrastructure from weeks, to days, to hours, to milliseconds. It also needed to support internationally recognized security standards, so the new infrastructure had to be secure by design.
“High-growth environments have changed the way security must be delivered,” said McKeown. “Security teams aren’t traditionally built for speed, but if we can’t keep up with our DevOps teams, they’ll just work around us. We had to transform ourselves to enable our product teams to move fast, use the tools they want, and do it in a secure way.”
Xero chose AWS for its breadth of compute, storage, and networking services. McKeown praises the AWS Well-Architected framework for helping his team build a secure, high-performing, resilient, and efficient infrastructure for the company’s applications. The AWS environment gave Xero the opportunity to reduce costs, avoid downtime, and support its growth goals.
Of equal importance was security, and the team chose Check Point as a trusted enterprise security partner for securing internal and outbound traffic. “Security was the first thing we thought about,” said McKeown. “We had to think about data encryption, inbound and outbound traffic connectivity, and protection against web-based attacks like DDoS, cross-site scripting, and SQL injection attacks.”
The Xero team worked closely with Check Point to implement security at every level of the infrastructure stack. Together, they deployed 130 Check Point Gateways across 100 different AWS accounts running Check Point CloudGuard IaaS to keep data and assets safe from even the most sophisticated threats. Check Point CloudGuard IaaS delivers automated, multi-layered, elastic security that scales with the dynamic AWS environment.
Xero deployed Check Point CloudGuard IaaS using a Transit VPC-style architecture. This enables traffic to be directed to a defined “security zone” for security scrubbing based on any number of attributes—regulatory requirements, policy, type of traffic, and others.
Micro-segmentation capabilities enable Xero to secure east-west data traffic, as well as traditional north-south traffic flows. Integration with native AWS controls enabled rapid deployment while supporting dynamic scalability and consistent control across all environments. As a result, Xero gained advanced security that moves with its applications, simplifying the overall migration without compromising protection or compliance. Check Point R80 Security Management brings the entire infrastructure into a single pane of glass with deep visibility.
“I chose best-of-breed partners that could walk with us through the journey and keep up,” said McKeown. “We built best-practice environments and pushed them to the limits months before we migrated our first customer.”
Xero Completes and Secures Its Cloud Migration While Transforming Its Security Culture
Centrify is a leading cybersecurity company that serves more than 5,000 organizations around the world. Its security platform is credited with converging Identity as a Service (IDaaS), Privileged Access Management (PAM), and Enterprise Mobility Management (EMM) into a single solution.
As organizations move to Amazon Web Services (AWS), they need to control access to their resources, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, and validate that users are who they say they are. Centrify validates access to resources, verifies that the devices being used are trusted endpoints, and helps to establish role-based access.
Recently, Centrify made the decision to move all software-as-a-service (SaaS) applications to AWS. Centrify went through a Well-Architected Security Review with AWS in order to become an AWS Partner Network (APN) Advanced Technology Partner. Members of the Centrify team met with Solutions Architects at AWS to discuss options for optimizing their SaaS environment. They discussed their needs and developed a shortlist of five leading AWS security automation solutions for Centrify to explore.
Upon further technical review, the DevOps team found that most of the solutions available on the market provided metrics, but did not give the team a way to efficiently monitor or control their security and compliance. In summary, they were looking for three main use cases for infrastructure security.
CHALLENGE 01 CLOUD INVENTORY MANAGEMENT
New application deployments resulted in the creation of security groups (SGs), IAM roles and policies as part of the built-in infrastructure automation. There were also various Amazon Simple Storage Service (Amazon S3) buckets created to host tenant data, configuration, logging information etc. Due to the dynamic nature of SaaS environments, when things changed, the Centrify IT team had to spend countless cycles to stay up to date with their environment and assets.
CHALLENGE 02 CLOUD COMPLIANCE
Establishing compliance on the cloud was a top priority. Given the rapidly scalable nature of their AWS environment, Centrify needed to be able to check whether they were compliant with various frameworks at all times. Misconfigurations or policy changes could immediately make them non-compliant. Also, when policy violations did occur, Centrify needed automation capabilities built into their existing workflow process.
CHALLENGE 03 NETWORK VISIBILITY
Centrify needed a solution that could deliver a more fine-grained view of the security infrastructure and help identify misconfigurations. This instant visibility was critical to minimizing security holes that could open up the attack surface. Centrify also had assets and policies across multiple accounts and regions, and needed a purpose-built tool to synthesize and visualize this information from a single pane of glass.
THE SOLUTION 01
CloudGuard Dome9 helped them improve inventory management and situational awareness, providing a single pane of glass to manage coverage for all of Centrify’s dynamic cloud assets. The ability to filter and get immediate information for any instance or object in their environment was key. CloudGuard Dome9 now monitors Centrify’s entire infrastructure (Quality Assurance, Development, and Production environments).
THE SOLUTION 02
The Compliance Engine from CloudGuard Dome9 continuously monitored Centrify’s cloud infrastructure and helped detect policy violations. When a policy violation occurred, CloudGuard Dome9 would immediately push a notification via email/SNS that could trigger an automatic response (such as creating a Lambda function or Amazon CloudWatch alarm for a quick response).
THE SOLUTION 03
CloudGuard Dome9 provided comprehensive visibility of their security groups, policies, IAM roles and permissions. CloudGuard Dome9 integrated seamlessly into Centrify’s account and was able to provide instant visibility within days with the appropriate level of permissions.
Getting CloudGuard Dome9 integrated with the DevOps team’s existing systems was “fairly quick,” according to Felix Deschamps, the Principal DevOps Architect at Centrify. After only a few days, the team had all their SaaS applications on-boarded to the CloudGuard Dome9 platform. The representational state transfer (REST) application programming interface (API) and single sign-on (SSO) nature of CloudGuard Dome9 simplified the process, making it easy for Centrify to establish the right level of permissions to their systems without exposing more than was necessary.
Centrify Enforces Continuous Compliance and Security Best Practices on AWS
Wagner AG is a provider of IT services, based in Switzerland. It has customers in a range of market sectors, including financial, food and healthcare. The business was founded in 1996 and has over 100 employees.
Building the infrastructure to accommodate growth
Wagner AG provides managed IT services to corporate customers in Switzerland. As businesses look to outsource their IT to a specialist, reducing management complexity and stabilizing costs, Wagner AG had drawn up plans for two new data centers. Located 120kms apart with two 40GB connections, the investment would provide room to grow and strengthen redundancy.
“This was a sizeable, strategic investment, built from the ground up,” says Thomas Eltschinger, Head of Managed Backend Services, Wagner AG. “We wanted to incorporate the latest technology. As we’re delivering managed services, with strict SLAs, we needed clustered firewalls at both locations.
“We want to be able to offer our customers the best possible protection with today’s modern options. We can do this with the various blades and the flexible license model of Check Point.”
Maximized uptime with advanced protection
The Check Point Next Generation Security Gateway combines the most comprehensive security protection with data center grade hardware to maximize uptime while safeguarding enterprise and data center networks. The solution ensures high performance protection against the most advanced cyber-attacks.
Eltschinger says the Check Point solution offered the best fit in terms of features, and enables the business to meet industry compliance in terms of security and traceability. Check Point Next Generation Security Gateway offers unique ‘first time prevention’ for the most sophisticated zero-day attacks. It is optimized for inspecting SSL encrypted traffic, and its centralized management control and Lights Out Management (LOM) improve serviceability. It is also modular, and can be expanded if necessary.
In addition, Check Point R80 Security Management provides fully integrated visibility and clearer security insights. R80 SmartConsole allows Wagner AG to create unified policies for all network and cloud environments, all managed centrally.
“Automation and API options are useful features in R80,” says Eltschinger. “We’re standardizing our customer environments, which means the existing API becomes more important for automation. The TCO becomes smaller and costs can be saved.”
Swiss IT service provider uses Check Point to protect new data centers and maintain strict customer SLAs
Tradair makes end-to-end trading infrastructure software from price creation and dynamic distribution, to trading optimization solutions. Tradair’s solution runs as a service and helps financial institutions enhance their client relationships and create new revenue streams. The solution leverages advanced technology services like Docker and Google Big Query, and is delivered through a hybrid hosting model residing in the Amazon cloud and Equinix data center.
TRADAIR MINIMIZES RISK AND MEETS COMPLIANCE
The Tradair team wanted to ensure that the crown jewels of its mission-critical business were protected by the best technologies available on the market. A cloud security product was needed to help Tradair minimize security risk and eliminate unnecessary infrastructure exposure, as well as provide firewall management, policy automation, authentication and access control. Additionally, the security solution would be a key aspect of Tradair’s audit and compliance program and help meet international financial regulations, such as SOX and PCI, on 3 continents. CloudGuard Dome9 won out as their security solution of choice.
CLOUDGUARD DOME9 DIFFERENTIATION
Tradair Protects Cloud-Based Financial Trading Platform With CloudGuard Dome9
Laterlite is a manufacturer of insulating products for the construction, agriculture and industrial sectors. In common with many modern manufacturing businesses, Laterlite is an increasingly complex and international operation. Headquartered in Milan, the business has factories throughout Italy, and sales offices in France, Switzerland and Spain. IT is managed centrally, coordinating production, R&D, customer services and sales operations in more than 20 countries.
The challenge for Laterlite is a familiar one for globally dispersed businesses. It needs to ensure consistency of service for a diverse workforce, spread across multiple locations. Any kind of cyber-attack could have a widespread impact on the company’s IT services.
When the company’s incumbent firewall solution was coming to end of support, it provided an opportunity to explore more advanced threat prevention solutions. “In the 20 years I’ve been here we’ve never suffered a serious attack,” says IT Manager, Gianluca Falsi. “But I recognize that security threats, and security solutions, have evolved. We want to understand exactly what’s going on with our network, and to keep threats as far away as possible.”
“Aside from the product features, what impressed me most was the Check Point philosophy. I felt we would be aligning with a company that could work with us into the future.”
– Gianluca Falsi, IT Manager, Laterlite
Laterlite cuts time spent on threat prevention management by 30% with Check Point
The Banregio Grupo Financiero S.A.B. de C.V, trading as Banregio, is one of Mexico’s leading regional banks, founded in 1994. Today it has over 3,000 employees working at 133 branches across Mexico.
As well as consumer banking, it specializes in services for small and medium-sized enterprises. Banregio has been listed on the Mexican Stock Exchange since 2011.
Increasingly Sophisticated Cyberattacks
Mexico’s financial sector has grown rapidly in recent years, attracting the attention of cyber criminals as a result. As a leading financial institution, one that is critical to regional enterprise in Mexico, Banregio was experiencing an increase in cyberattacks.
“There are currently many security threats in the world. In Mexico we are starting to see more incidents and this motivates us to work harder to protect our customers’ information and the assets we hold for them. This is of great concern to us, to the general management and to the bank as a whole,” explains Victor Oziel Martinez Vázquez, Chief Security Officer, Banregio.
The bank must protect its assets (data, finances and corporate reputation), and those of its customers – for example, it holds many citizens’ inherited family wealth – and it must do so effectively and efficiently. The in-house security team was struggling to deal with increasingly sophisticated and advanced attacks.
The bank wanted to strengthen its network security, with greater means to identify and block new and advanced threats. It also wanted to centralize the security management of the entire threat landscape, including PCs and mobile devices, software, and data on the cloud, simplifying administration and proactively preventing cyberattacks.
Preventing Advanced Threats
Banregio uses a range of security solutions, but the central piece of its approach is based on Check Point SandBlast Network. This protects the Banregio data center network, where all customer data is held, and all financial transactions are processed.
“Protection based on signatures has become obsolete and we were looking for a new-generation solution that could identify threats, advanced or behavioral,” Víctor Oziel Martínez Vázquez explains. “Essentially, this is what motivated us to choose SandBlast Network.”
SandBlast’s advanced network threat prevention protects against advanced and zero-day cyber threats, preventing attacks, minimizing risks and offering rapid response. Its threat extraction feature ensures files are automatically cleaned and potentially malicious content removed, before they enter the network.
“This technology, SandBlast Network, allows us to ‘sanitize’ or clean any threats present in documents and provide information to our users without any risks or threats,” explains Vázquez. “It has worked really well.”
Insights for Improved Decision-making
Banregio also makes use of Check Point support to identify technical and operational best practices, and to upskill the in-house security team.
Security management is provided through Check Point R80, giving the bank’s IT team a view of the entire security landscape through a single management console. This allows multiple administrators to view and prevent potential cyberattacks in real-time, update policies and turn on automated responses to specific threats.
“We decided to install this version of security management primarily to ensure our strategy was centralized, simpler and allowed more effective decision-making. Check Point R80 also significantly improved the presentation of information,” explains Víctor Oziel Martínez Vázquez.
Mexican Bank Enhances Security to Better Safeguard Customer Assets and Information
The University Hospital Center of Charleroi (CHU Charleroi) operates from a number of locations in the Wallonia region of Belgium. Its hospitals provide surgical, geriatric, medical, psychiatric and rehabilitation services. It is also a teaching hospital and is linked to the national healthcare system.
Healthcare requires a collaborative environment. Increasingly, CHU Charleroi is enabling mobility for its doctors and management, to allow them to work more effectively from any location.
Enable secure, mobile working
As part of its mobility program, CHU Charleroi planned to roll out 500 smartphones and tablets to medical and management teams. The devices were a mix of Android and iOS, and the hope was that they would be easy to use and something employees would also enjoy using.
“We needed to monitor, and to be certain which apps were on the device, but there also needed to be freedom,” says Edwin Urbain, Network & Telecom Team Leader, CHU Charleroi. “It’s important that staff want to use these devices.”
The ICT team wanted to allow staff to add personal applications, but needed the means to authorize, validate and approve quickly. “Ideally this should be automatic,” explains Urbain. “The key issue was ‘does the app send data’?”
If the project succeeded and Urbain’s team could monitor the 500 corporate devices, it would then open up mobility to Bring Your Own Device (BYOD) users, allowing employees to work from their own mobile devices. Again, the team would need to monitor BYOD access to suitable applications.
Market-leading threat protection, and simple management
CHU Charleroi has been a Check Point customer since 2013, using Check Point firewall solutions.
“We’re under regular attack, and the Check Point firewalls have always responded well. The solution has been effective,” says Urbain. “We saw Check Point’s mobile protection capabilities as an evolution of this protection.”
Check Point’s SandBlast Mobile is a mobile threat defense (MTD) solution that protects devices and prevents advanced cyber-attacks from entering them. It protects against malware, man-in-the-middle attacks over cellular and Wi-Fi networks, OS exploits, and phishing attacks. In addition, the cloud-based dashboard provides real-time threat intelligence and visibility into the type of threats that could impact CHU Charleroi.
“Obviously we reviewed other options, but Check Point was the only product that met our needs,” says Urbain. “SandBlast is the complete product.”
Urbain also adds, “We are happy to work closely together with our Check Point partner, Prodata Systems. Thanks to their extensive knowledge and their great understanding of our needs, they are vital for the implementation and support of the Check Point solutions we use.”
Belgian Teaching Hospital and Healthcare Provider Enables Secure Mobile Working with Check Point
Prominent Museum in D. C.
This prominent museum in D.C. documents history and preserves artifacts. Since its dedication, the Museum has welcomed more than 40 million visitors, including 99 heads of state and more than ten million school-age children. To protect its irreplaceable documents, photos, videos, and recordings from today’s fifth generation cyber-threats, the museum turned to the Check Point
Preserving and Protecting
This museum keeps one of the world’s largest archives of significant historical events, focused on their digital preservation and storage. More than 16.5 million people from over 200 countries visit the site annually, which is available in 16 languages.
The museum’s systems are barraged by hate emails, vicious social media posts, and increasingly sophisticated 5th generation cyber-attacks from around the world.
“We’re moving our applications to the cloud to eliminate our data center and maximize our resources,” said Michael Trofi, founder of Trofi Security and Acting CISO. “With the risks we face, we needed strong, effective protection for users and applications across our existing on-premises and multi-vendor hybrid cloud infrastructure.”
Securing All Applications Equally
Securing SaaS and hosted applications across a hybrid cloud environment is not easy. One of the security team’s first challenges was to manage and protect user identities across the entire infrastructure.
Employees and partners are located around the world with varying levels of online access to the museum’s institutional assets. The museum chose software-as-a-service (SaaS) applications, including Microsoft Office 365, Google Suite, file-sharing, and operations solutions to meet users’ needs. Each is hosted in its respective vendor’s cloud and protected by Check Point CloudGuard SaaS.
A component of the Infinity Architecture and delivered from the Check Point cloud, CloudGuard SaaS delivers zero-day threat, identity, and data protection while preventing employee account breaches.
“Employees’ Google email accounts and credentials were especially vulnerable to spoofing through the Chrome browser,” said Trofi. “We needed a way to detect account hijacking attempts and prevent unauthorized access to petabytes of priceless data. In addition to our Check Point Firewalls, Check Point CloudGuard™ SaaS was the right solution.”
The museum also utilizes Check Point CloudGuard IaaS to protect its applications that have been moved to public clouds. Financials, human resources, PCI-compliant payment systems, and data archives are being deployed on AWS, Google, Oracle, and Azure public clouds. By hosting various applications within their specific vendor’s cloud, the museum is assured that application performance, upgrades, and maintenance are optimized by the cloud providers themselves, with a reduced effort by museum staff. Check Point CloudGuard IaaS extends the same protection as the Check Point firewalls to the museum’s applications in these public cloud environments.
Since CloudGuard SaaS and IaaS are part of the Infinity Architecture, they both benefit from Check Point SandBlast™ Zero Day protection software which runs across all Check Point physical and virtual appliances at the heart of the Museum’s security infrastructure. It provides multi-layered protection from known threats and zero-day attacks using Threat Emulation technology, as well as identity awareness, content awareness, antivirus, anti-bot, intrusion prevention, application control, and URL filtering capabilities. With Check Point SandBlast, advanced protections are extended across all environments, regardless of the physical network construct or cloud environment used.
Prominent Museum in D.C. Safeguards Its Mission with Check Point
Motortech is a leading German engineering specialist, manufacturing parts and accessories for stationary gas engines. The business operates throughout the world, with over 250 employees.
Protecting a connected, global operation
Motortech operates in an increasingly connected, global marketplace. While based in Germany, it has operations throughout the world, and is working more closely with international customers.
Protecting itself against cyber threats is a priority. The business creates, shares and develops critical engineering designs, which form the basis of its valuable IP. It is also a vital link in a global supply chain; in reputational terms, Motortech cannot afford to be seen as a weak link.
“It is important that cyber threats are controlled, blocked or dismissed before they reach the end-user,” says Marcus Morig, Head of Information Technology, Motortech. “We want our trained experts to manage security threats, not our end-users.”
Motortech implemented a complete Check Point solution, based around SandBlast and Security Management R80, running on Check Point Infinity architecture. This combined solution gives Motortech peace of mind that potential cybersecurity threats are prevented from even entering the business, whilst giving the IT team complete visibility of all network activity.
Check Point Security Management R80 provides integrated visibility and clearer security insights, lowering the complexity of managing cybersecurity. It enables Morig to create single unified policies for all networks and cloud objects, with enhanced performance productivity delivered through policy automation capabilities.
Check Point SandBlast automatically cleans all email attachments entering the business, preventing security threats without placing responsibility in the hands of the end-user. This was a deciding factor for Motortech: “We researched the market and found Check Point to be the best overall solution,” says Morig. “It convinced us it had the most unified approach to cybersecurity.”
According to Mr. Morig, implementation went smoothly, “We wanted a period of adjustment, but the Check Point systems were very intuitive. The management interface is very good. It’s now in place for more than 250 users across three locations, monitoring internet traffic, email, data transfers and file sharing.”
He is also complimentary about Check Point’s expertise and services: “All very positive, we have a direct line of communication with Check Point. And the training and webinars were excellent.”
German Engineering Strengthens Threat Prevention and Halves Administration Time with Infinity
Phoenix International, a privately held multinational corporation in Italy, is a leader in custom steel dyes for aluminum artifacts. Founded in 1972, the company has built a reputation for delivering customized projects with a rapid turnaround. Working across the industrial, transport, building, automotive and aerospace industries, the company has branches worldwide.
Protecting data around the world
To keep ahead of the competition, Phoenix relies heavily on IT security: to ensure business continuity and to protect the technical and process data that contains the company’s industrial secrets. The company has had a strong partnership with Italian IT system integrator, Project Informatica, for many years. Together with Project Informatica’s dedicated ICT & Cybersecurity division, a project was launched to replace Phoenix’s old IT system with a better performing, centralized and secure one. Project Informatica managed the whole process from pre-sale to post-installation.
Stefano Biava, IT Manager for Phoenix International, explains: “Last year we addressed the issue of IT security, both for data and for employee privacy. We had no consistency in the security solutions being used worldwide, with branches each using different security brands. This was making IT security difficult to monitor and maintain. We conducted a vulnerability assessment to understand how to deal with the problem.”
Project Informatica carried out the security assessment and the results were collated and analyzed over a long period of time in order to understand how best to protect the company’s perimeter. The project was made more challenging as Phoenix International was also going through a phase of business growth, opening new branches around the world and placing added pressure on the IT team.
An impenetrable barrier
A Check Point Next Generation Security Gateway had been tested in Dubai when a new branch opened, but this was an isolated case with multiple software brands being used in Phoenix offices around the world.
“We analyzed the various solutions on the market,” says Biava, “and we chose Check Point Next Generation Threat Prevention software, not only for its favorable price/performance ratio but also for its easy and efficient centralized management console. We decided to deploy Check Point at the new sites, as well as replacing our old firewalls with Check Point Next Generation Security Gateway.”
The Next Generation Security Gateway provides multi-layered protection from known, signature-based threats and unknown threats. The solution includes anti-virus software that blocks malicious files before they enter the network, URL filtering software to control access to millions of websites, and anti-bot software to detect bot-infected machines and actively block bot communications.
The solution is managed via a unified security management platform, which provides a single pane of glass to view threats, devices, users and reports across the whole network, in real-time.
Phoenix International spends 80% less time on IT security thanks to Check Point
Askoll is an Italian company with 11 plants throughout the world and more than 2,000 employees. Founded in 1978 by Elio Marioni, Askoll has been developing highly innovative technologies for electric motors, by using synchronous technology. Initially developed for the aquarium sector, this technology was subsequently extended to the world of home appliances (Askoll is a partner of Bosch, Siemens, LG, Samsung, Haier, Whirlpool) and, since 2015, to the world of sustainable mobility. Today, the company is the leading manufacturer and distributor of Italian electric vehicles through a network of single-brand stores and dealers in Italy and Europe.
Protect users before devices
Askoll delivers IT services to its global locations from two data centers in Italy. “Our business changed quickly when we entered the electrical mobility market,” explains Moreno Panetto, IT Systems Manager at Askoll. “From that moment, we needed to protect our employees more effectively, whilst giving them the freedom to work from anywhere.”
The company has also developed a long-term partnership with IT service provider, Lantech Solutions, which manages Askoll’s firewalls globally.
“After careful consideration of numerous solutions, we chose Check Point because they had the same approach as us to cyber security: people first. We also trusted their partner, Lantech, when they recommended Check Point.”
With the business expanding, Askoll’s IT team had to ensure users were always connected and protected, on various devices and in any location.
Individual protection and simplified management
Check Point Identity Awareness allows Panetto’s team to create identity-based policies. This simplified the experience for both users and IT management, enabling the IT team to protect users and reducing the number of policies required.
In addition, Check Point’s mobile threat defense (MTD) solution, SandBlast Mobile, means Askoll can monitor mobile devices and prevent cyber-attacks. With advanced protection and full threat visibility, even the latest and most unexpected threats are caught.
“We now have a mobile defense system consisting of SandBlast Mobile software and Check Point Identity Awareness,” says Panetto. “This is an efficient and effective way to protect our mobile environment.”
Electric Motor Manufacturer Completes Mobile Security with Check Point Solutions
Unisinos is a leading private university, located at Sao Leopoldo, near Porto Alegre in the south of Brazil. Founded in 1969 with its roots in the Jesuit community, it is ranked among the best in the country by the Brazilian Ministry of Education. The university has a strategic orientation towards science, technology and innovation, with 30,000 students and more than 1,000 teaching staff.
Modernizing Outdated Security Infrastructure
Unisinos had a firewall solution in place for a number of years. As the university expanded and formed links with other Jesuit colleges across Brazil, it was apparent that this solution had grown increasingly outdated.
The university struggled to cope with the increase in security threats: the existing solution was unable to provide visibility of those threats and lacked the control over content access that the modern Unisinos required.
This vulnerability became clear during the semester registration of new students. Concentrated cyber-attacks during this period left the Unisinos system down for an entire day, causing considerable disruption and inconvenience for everyone.
Targeted Protection and Simplified Management
After consulting with local IT partner, Sentinela Security, Unisinos selected Check Point next generation appliances with Virtual System technology, R80 Security Management, CloudGuard IaaS, and VSX technologies as part of a comprehensive move to help upgrade, protect and manage its IT infrastructure, giving the university’s IT department greater visibility of threats to the network before attacks could occur.
Built on the unique Check Point Infinity architecture, R80 Security Management gives Unisinos a single console with a unified view into all security events allowing them to manage all aspects of cyber security for their physical, virtual and cloud based environments. Check Point Next Generation Security Gateways are designed for high performance and reliability, and support Unisinos’s growing capacity requirements. “Management of the solution was one of the main factors in the purchase decision-making process”, explains Maikon Rodrigo Graeff, a security expert at Unisinos. “The visibility and control provided by the Check Point solution made all the difference when making this decision.”
From a single console, Unisinos can monitor threats and analyze events, turning on automated responses to prevent specific threats. CloudGuard IaaS private cloud ensures that data held in the private cloud is fully protected.
Brazilian University, Unisinos, Simplifies Cyber Security Management
Telefónica is one of the largest telecommunications companies in the world by market size and number of customers, supported by a comprehensive offering and the quality of connectivity provided by the best fixed, mobile and broadband networks. It is a growing company that offers a differential experience, based both on the values of the company itself and on a public positioning that defends the interests of the client.
Present in 21 countries and with a client base of more than 327 million connections, Telefónica has a strong presence in Spain, Europe and Latin America, where it concentrates most of its growth strategy.
Ensuring full confidence in a mobile, digital life
ElevenPaths, the global cybersecurity unit of the Telefónica Group, has the remit to act “like a start-up”, according to CEO Pedro Pablo Peréz. It is charged with creating disruptive innovation in cybersecurity that enables clients to gain more confidence in their digital activity.
For ElevenPaths, the challenge is securing clients’ assets in an increasingly interconnected environment. At the same time, the organization has to preach personal responsibility: “One of the principles of a security policy must be co-responsibility: users have to be involved in the security of their own assets,” says Peréz.
Safe mobility is a key area of focus, with unprotected mobile devices offering a backdoor to network breaches. “To complete our value proposition we wanted to evaluate the best defense solutions against mobile threats,” says Perez.
Threat detection to security, research and analysis
Check Point SandBlast Mobile is a complete mobile security solution, which covers all advanced cyber threats to mobile devices, with the highest threat catch rate in the market. It can also be integrated with leading enterprise mobility management solutions (EMMs).
“During the evaluation process, we realized that SandBlast Mobile and Tacyt, our mobile threat cyber intelligence tool, were perfectly compatible,” explains Pérez. “This gives our Security Operations Center (SOC) experts a joint and intuitive solution to move from threat detection to response, research and analysis.”
In addition, ElevenPaths is a Check Point Mobility Technology Partner. Its security analysts have been trained and certified to offer and manage the SandBlast Mobile solution to clients.
“We value Check Point’s expertise, support and long track record,” says Pérez.
Telecoms Giant Telefónica Strengthens Mobile Security with Check Point Sandblast Mobile
Wilkin Chapman LLP solicitors
Wilkin Chapman LLP is the largest law firm in Lincolnshire and the East Riding of Yorkshire, UK. As a full service law firm, Wilkin Chapman provides legal services for both businesses and individuals.
“A solicitors’ practice is built on reputation,” says Dean Hall, Head of Technology and Facilities, Wilkin Chapman solicitors. “If our reputation is damaged as the result of a highly publicized data breach, it would have an adverse impact on the firm.”
For Hall, the challenge is keeping up with a changing threat landscape, especially with the firm’s limited resources to appoint a dedicated cyber security expert.
“From an IT perspective, our focus is on refreshing our infrastructure,” says Hall. “Our teams want to be able to work from any office, share documents, securely access information from mobile devices, and we need to provide a service that allows them to do so.”
In particular, Hall wanted to strengthen the security between branch offices. The web filtering solution was also out of support, he adds: “We wanted to increase our security across the board. We’re not large enough to employ our own security manager, so we needed an external expert to manage security on our behalf and make us aware of solutions and threats.”
Advanced Threat Protection
Wilkin Chapman solicitors implemented Check Point Next Generation Threat Prevention & SandBlast (NGTX) with Check Point R80 Security Management.
The solution, implemented and managed by SJG Digital, a Check Point partner and IT security specialist, ensures the same technology runs across all devices at each Wilkin Chapman location. NGTX delivers a significant performance increase using a wide range of threat prevention techniques, including detecting malware before it enters the network and converting content to a safe format before it is opened. This multi-layered approach ensures Wilkin Chapman is protected from all known and unknown cyber-attacks.
Check Point SmartEvent provides fully integrated threat visibility in R80 giving real time security insights across the entire firm and lowers the complexity of managing cyber security even with multiple devices and branch locations.
Wilkin Chapman relies on Check Point for its secure environment and prevention of cyber-attacks
The European Space Agency (ESA) is an international organization, comprised of 22 Member States. Its mission is to shape the development of Europe’s space capability and ensure that investment in space continues to deliver benefits to the citizens of Europe and the world.
The priority for ESA and the Earth Observation Directorate is to protect the different Earth Observation space missions. It must do so across multiple locations and with a changing cast of international partners (including its equivalent in the U.S., NASA). It is a highly complex environment, processing huge volumes of scientific data.
Check Point 64000 scalable Next Generation Firewalls are designed to excel in large data center and telco environments. The ESA selection criteria included management, performance, and flexibility. The multi-bladed, chassis-based security system scales to support the needs of growing networks while offering reliability and performance. The Check Point 64000 currently runs at 100 gigabytes per second. “Check Point has been selected as one of the best products that covers all of our requirements”, Buscemi said.
The European Space Agency Earth Observation Directorate Strengthens Security to Enable Mission-Critical Collaboration
Based in Ramsey, Minnesota, Connexus Energy is Minnesota’s largest electric cooperative, providing electricity and services to member residents and businesses.
Standing Up Under Challenging Conditions
Connexus Energy serves more than 130,000 members across seven counties north of Minneapolis. Energy companies have become significant targets for cyberattackers and malicious nation-states that aim to disrupt vital services. Utilities have relied on Supervisory Control and Data Acquisition (SCADA) and Industrial Control System (ICS) networks for decades to control and monitor devices and data across their distribution networks. As smart grids, smart devices, and Internet of Things (IoT) devices become widely adopted, traditional SCADA and ICS systems often lack the same level of security controls needed to defend against sophisticated cyberattackers who can exploit their vulnerabilities to create widespread damage.
“Our SCADA system is our bread and butter,” said Jon Rono, Group Leader for Technology Services at Connexus Energy. “We wanted to make sure that it delivers power safely, securely, and without interruption in the face of increasingly malicious cyberattacks. We began looking for a better way to secure it and be alerted to any communication issues that might compromise service.”
Connexus Energy used many different security solutions from multiple vendors, such as Cisco, McAfee, and Palo Alto Networks. Each solution had specific management requirements, which consumed a lot of the team’s technical resources. Individual security team members responsible for cybersecurity, help desk, endpoint security, network security, and server security had to parse logs from different systems to identify issues and respond accurately.
“We wanted one management solution for all of our security needs,” said Rono. “We needed a single pane of glass that would work across all of our systems and streamline visibility.”
Finding a solution for protecting the SCADA system while delivering centralized visibility across the entire security environment was a challenge. Secure gateways for the SCADA system have to operate in extreme physical conditions. They must fit within constrained spaces or locations that are difficult to access. Environments are harsh, with dust, sub-zero temperatures in Minnesota winters, and high heat and humidity in summer months. Many of Connexus Energy’s existing security solutions were not ruggedized at all or only partially ruggedized. Simply keeping everything operating—and trying to make them work together—was consuming a lot of time without delivering the desired results.
Time for a Complete Change
The security team conducted a full RFP to evaluate solutions from existing vendors, as well as Check Point solutions. Only Check Point delivered the single-pane-of-glass management needed with a suite of integrated solutions and additional capabilities, such as historical logging and unified policy management.
Connexus Energy deployed Check Point 15400 Next Generation Security Gateways with high availability for its core security gateway. Check Point 5600 Security Appliances protect the SCADA network and Check Point 3200 Next Generation Security Gateways are deployed at multiple remote sites. Finally, Connexus Energy deployed Check Point 1200R rugged appliances with next-generation threat prevention for its ICS at all substations. A solid-state appliance, the Check Point 1200R protects all critical operational systems.
In addition to security protection, Check Point solutions provide Connexus Energy with a Compliance Software Blade. Based on a library of more than 300 security best practices, the Compliance Software Blade highlights configuration errors, identifies security weaknesses, and validates changes in real time. Not only does it enable real-time security policy audits, it ensures proper configuration and function of Firewall, Antivirus, IPS and Data Loss Prevention protections.
“The Check Point 1200R delivered ruggedization, comprehensive security, and centralized visibility in one product,” said Melissa Kjendle, Cybersecurity and Senior Infrastructure Analyst. “Its footprint is so small that it easily fit in every environment we needed to place it.”
Connexus Energy Secures SCADA, ICS, and IT Environments with a Single Integrated Solution
iVRESS provides information security consulting for small-to-medium-sized businesses (SMBs). It builds multilayered security environments for corporate clients, built on Check Point security appliances.
iVRESS offers flexible security solutions to SMBs across multiple industries, with a particular focus on mobile security. A key business challenge iVRESS faces is securing mobility for their corporate customers, especially with the exponential growth in mobile threats.
Yusuke Kubo, iVRESS’s Mobile Threat Prevention Department Manager, explains: “The rapid expansion of mobile devices means they are now a natural part of the business. One advantage SMBs have is agility, and mobile technology is a powerful business tool for them. Unfortunately, there are few companies which have adequate security measures in place. In Japan, everyone was so focused on the convenience of mobile technology, that security was put on the back burner for a while.”
Despite the importance of mobile security, however, iVRESS had trouble finding suitable security solutions to offer its customers. There were few security vendors in the market with native support for Japanese customers. Mobile Device Management (MDM) vendors provided management tools rather than security tools, and they were overly complex, expensive, and took a long time to deploy.
“When I found out about SandBlast Mobile at the sales kick-off meeting organized by Check Point, I thought, ‘this is it!’” explains iVRESS president, Hiromi Toyama. “You could feel the quality of the appliances in the Check Point 700 series products, and SandBlast Mobile was a particularly high-quality solution. It can prevent attacks from malicious apps and has excellent accuracy by using advanced static code analysis and machine learning. It also offers the kind of flexibility we need for fast deployment, easy scaling, and efficient operation. It really is a perfect fit for our business.”
The superiority of SandBlast Mobile lies in its ability to provide comprehensive mobile security. It delivers industry-class threat prevention rates in both iOS and Android mobile devices, while also protecting against hidden threats in operating systems, applications, and networks.
PSI is a business ally of iVRESS and a distributor of Check Point products. Tsutomu Ogura, who works in PSI’s Security Solutions Department, says: “SandBlast Mobile provides maximum quality when it comes to mobile technology. We no longer live in an age where convenience and availability are all that is sought after. I believe SandBlast Mobile is a groundbreaking solution thanks to its amazing quality and ease-of-use.”
SandBlast Mobile, strengthening mobile security and protecting against hidden threats
Founded in 1907, Mutua Universal is a voluntary association of non-profit companies established to support the operation of the Spanish social security system. Its workforce of 1,800 provides health services and assistance to 1.3 million employees in 160,000 companies throughout Spain.
Protecting the traditional perimeter is not enough
Cybersecurity is a constant concern for Mutua Universal. In 2014, a security plan was drawn up for implementing a package of initiatives to protect against technology and cybersecurity risks. One of the initiatives, which has been under study since 2017, was the implementation of security and data-protection measures for mobile devices.
Over the last ten years, the company has used various security solutions for its perimeter as part of a multi-layered security strategy. These include innovative software such as Check Point Next Generation Firewall, which provides one of the highest levels of protection in the industry.
Mutua Universal recently decided to provide the corporate mobile devices of over 500 employees (iOS and Android tablets and smartphones) with access to corporate applications. This move is part of a range of digital transformation initiatives, some of which are based on the use of corporate mobile phones.
“The use of mobile technology has diluted the traditional concept of the security perimeter, creating a need for solutions that provide the right technology for the threats we face. The corporate digitization processes we are currently undergoing will make the situation even more critical,” explains Marc Muntañá, Cybersecurity Manager at Mutua Universal.
The new service complements others for accessing data and browsing outside the corporate perimeter. “We immediately saw the need to provide increased security for these devices, firstly to protect the devices themselves from threats on the network and secondly to avoid any problems that could have repercussions on the corporate network,” explains Josep Maria Ezcurra, IT Services Technical Manager at Mutua Universal. “We had to protect mobile devices immediately, with a simple solution that easily integrated with our other security infrastructure.”
Perfect integration and building on past experience
Mutua Universal weighed up a number of options in the market. The Technical Architecture department tested solutions from various suppliers with different devices and users for a period of four months. The trial of Check Point SandBlast Mobile was made easier by the company’s past experience in working with Check Point, resulting in the highest evaluation among the various products. Users highlighted the usability and, in technical terms, the application stood out for its easy adoption among users and its supported integration with any MDM platform, something that was not possible with all the options that were tested. “The integration with AirWatch was a decisive factor in choosing SandBlast Mobile,” remarks Dominique Pérez, Head of the Technical Architecture Department at Mutua Universal.
Protecting Mutua Universal’s corporate mobile devices from emerging threats
Headquartered in Los Angeles, Smart & Final Stores, Inc. operates 330 grocery and foodservice stores in California, Oregon, Washington, Arizona, Nevada, Idaho and Utah. It has an additional 15 stores in Northern Mexico operated through a joint venture. Like many retailers, the business is focused on price and customer service. Security is crucial, but IT resources are limited.
Smart & Final Secures Corporate Data and Reputation, as It Drives Rapid Retail Expansion
Since its inception, Central New Mexico (CNM) Community College has delivered strong career-technical programs. It offers focused curriculum in math, science, and engineering; business and information technologies; applied technologies; and communication, humanities and social services to prepare students for rewarding careers upon graduation.
With eight locations around Albuquerque, CNM has a large attack surface to defend. The IT and security teams work closely to protect users, data, and other assets from cyberthreats. Even though threats continue to proliferate, a higher education institution’s budget cannot increase at the same rate. When it was time to refresh the college’s firewall, the IT and security teams looked for a way to improve defenses while simplifying operations.
“We wanted to combine firewall, IPS, and web security capabilities into one solution and manage them through a single pane of glass,” said Luis Brown, IT Chief Operations Officer/Chief Information Security Officer for CNM. “Having multiple interfaces and systems not only obscured visibility into threats across the infrastructure, but supporting multiple systems was time-consuming and costly.”
The team began evaluating possible solutions from Check Point, Cisco, Fortinet, and Palo Alto Networks. Their first consideration was effectiveness in identifying and stopping threats. However, ease of management was also a priority. After conducting proof of concept tests with the solutions, CNM chose Check Point SandBlast Zero-Day Protection with Threat Emulation and Threat Extraction.
“Check Point has delivered great protection, performance and value for the challenges we were facing at CNM,” said Brown. “Management is seamlessly integrated, and we gained features that we never had before, such as application control and identity awareness, which allowed us to maintain better security and prevent attacks.”
Check Point SandBlast Zero-Day Protection increases network security with evasion-resistant malware detection and comprehensive protection from the most dangerous attacks. Check Point SandBlast Threat Emulation monitors CPU-based instruction flow for exploits attempting to bypass operating system and hardware security controls. The Threat Extraction component removes risky content, such as macros or embedded links, reconstructs documents using only known safe elements, and quickly provides sanitized “clean” files without interrupting the business flow.
The team deployed Check Point gateways across its locations to protect the college’s web browsing and Internet traffic. Currently, email traffic is encrypted and goes directly to Microsoft Office 365.
“We worked with the Check Point engineering team to deploy the management console,” said Johnny Garcia, Senior Network Security Administrator. “Check Point’s commitment from presales through deployment was fantastic.”
Central New Mexico Community College Improves Security Defenses While Simplifying Operations
Grupo Financiero Multiva
Based in Mexico, Grupo Financiero Multiva is a financial group comprised of Banco Multiva, Casa de Bolsa, and Fondos de Inversión. It provides various personal and commercial financial products and services throughout 25 branches in Mexico.
Securing Customers’ Assets
As a financial institution, Multiva experienced growing security concerns regarding the protection of its customers’ assets, such as customer transactions, account information and personal identification information.
Although the bank could deal with known malware via traditional tools, it remained defenseless against Zero-Day attacks because legacy solutions simply aren’t sufficient any longer for detection and prevention. In addition, Multiva noticed a rise in the frequency of Distributed Denial-of-Service (DDoS) attacks. Facing targeted threats such as these as well as ransomware, APT, and email-borne attacks, Multiva knew it needed a central and manageable security solution with comprehensive protections.
“We realized we needed to enhance our security posture when we had a ransomware attack,” said Juan Muñoz, Assistant Director of Infrastructure at Grupo Financiero Multiva. “While the attack did minimal damage, we needed to get the strongest protection out there to avoid being a victim again.”
Next Generation Threat Extraction
To find the best solution, Multiva tested Micro Solutions, FireEye, and Check Point SandBlast. Although Micro Solutions and FireEye could detect threats, they were not able to stop them as effectively as SandBlast. Neither were they able to deal with the complex task of remediating encrypted files in cases of ransomware which were a tremendous threat to the bank. FireEye’s solution was too complex and expensive.
“We decided to look for a sandbox solution. We looked at Micro Solutions, FireEye and Check Point,” said Muñoz. “Micro Solutions was out because it could only detect and not prevent. While FireEye could provide the same level of security, it required a separate appliance for each security protocol, making sandbox protection cost prohibitive and difficult to manage.”
Multiva needed a large enterprise solution, and chose Check Point Next Generation appliances for threat prevention with greater performance, uptime, and scalability. NGTX stood out with comprehensive protections including Firewall IPS, Application Control, Anti-Bot, Anti-Virus, Anti-Spam & Email Security, URL Filtering, and the award-winning sandboxing technology in Check Point SandBlast. SandBlast did all that without interfering with the daily business flow of the organization.
With the appliance, Multiva received SandBlast Zero-Day Protection with Threat Extraction and Threat Emulation, ensuring the most advanced protections against unknown malware, vulnerabilities, and Zero-Day attacks. Integrating SandBlast with their email solution allows Multiva to stop email-borne ransomware and APT attacks.
For Multiva, the performance of the equipment and the integration with its Security Information and Event Management services truly stood out.
“We’ve had a really good experience with Check Point Next Generation Appliances and SandBlast technology,” said Muñoz. “We are now confident we are well protected against both known and unknown attacks.”
Fortifying the Perimeter
Since Multiva had experienced a rise in Denial-of-Service attacks, it sought to fortify its perimeter defense with the Check Point DDoS Protector Appliance, an add-on to Multiva’s security architecture. The appliance responds to DDoS attacks quickly using multi-layer protection against volumetric, specific server, and application attacks.
Nowadays, DDoS attacks use new techniques that can circumvent traditional security solutions and cause serious network downtime and negatively impact businesses. The DDoS Protector is built to extend security perimeters to block DDoS attacks before any damage is done, and integrates seamlessly with Check Point Security Management.
When Multiva was recently targeted by a DDoS attack, the DDoS Protector was able to alert the Information Security team and prevent the threat.
“The Anti-DDoS solution is doing great on preventing DDoS attacks. We feel safe because we get alerts and reports in a timely manner,” said Muñoz. “We actually know when we’re being attacked, thanks to the box.”
Grupo Financiero Multiva Safeguards Clients' Financial Assets from Malicious Attacks
Arcopedico is a Portuguese company that produces ergonomic footwear. It exports to around 50 countries and has an annual business turnover of €15 million. It has its own stores and distributors and works directly with the Portuguese and Spanish retail market.
Faced with increasing cybersecurity threats, Arcopedico believed that its corporate firewall had limited functionality and was reaching its end of life. More and more devices were connecting to the corporate network, so Arcopedico decided it needed to partition the network.
“We have some corporate devices that connect to an external network and we didn’t want them to introduce vulnerabilities to a network where there might also be servers,” says Arcopedico’s Information Technology Department Manager, Serafim Couto.
The decisive moment came when Arcopedico was faced with a ‘phishing’ incident introduced by an external email account on the network. Fortunately, it had no impact on the business and was quickly contained, but it made it very clear that there was an urgent need for a change in corporate policy.
Greater Speed and Control
Advised by its hardware partner, Pamafe IT, Arcopedico saw a demonstration of the latest Check Point solutions and concluded the best fit would be Check Point’s high-performance security gateway with R80 software version. To ensure complete threat prevention against both known and unknown and zero-day attacks, Arcopedico chose Check Point SandBlast Zero-day Protection.
Check Point Infinity architecture provides the IT department with a new level of security that they never had access to before. “With Check Point Infinity we are now taking a pre-emptive approach to our IT security. We are preventing cyberattacks from entering the network. Plus, we know that every aspect of our business is covered; networks, cloud and mobile.”
Check Point SandBlast agent provides Arcopedico with added reassurance that the business is prepared for even the most advanced threats. Endpoints are protected using Threat Emulation and Threat Extraction, and Anti-Ransomware technology blocks ransomware and automatically reverses any damage caused.
The entire Check Point solution is managed via a single console which gives Arcopedico’s IT department not only great visibility, but also complete control over their network security, which makes managing their security more efficient and simple.
“The R80 security management makes it much easier to manage the network in a more centralized way. The logs monitor allows queries to be run succinctly and rapidly and the reporting function lets us see exactly what threats have been prevented and where,” explains Serafim Couto.
Check Point Infinity Architecture Prevents Advanced Threats Across Network, Cloud and Mobile with Zero-Day Protection and Consolidated Management
The Mississippi Secretary of State’s Office oversees business formation and services; charities; public lands; elections and voting; regulation and enforcement; securities; education and publications; and policy and research for the state. Check Point’s SandBlast Mobile solution provides protection to employees’ devices to carry out those responsibilities.
Delivering Better Protection for Mobile Users
The Mississippi Secretary of State’s Office supports approximately 100 state executives, department heads, and directors who use their own mobile devices for business. These “high-value targets” usually have access to more sensitive information than lower-ranking employees and travel more often. For determined cybercriminals, they represent the fastest path to valuable data, systems, and assets.
“Mobile users represent a moving attack surface,” said Russell Walker, Chief Technology Officer in the Mississippi Secretary of State’s Office. “Even though we had recently upgraded our security infrastructure, I still wasn’t comfortable with these devices being able to directly access the network, because the antivirus solution on them wasn’t really enterprise-grade.”
The previous solution couldn’t ensure secure connections for mobile devices to the state’s network, which increases the risk of an attacker breaching the device. The antivirus solution also took up space and processing power on the device, which was a nuisance to users. Finally, the entire solution was difficult to manage. It wasn’t integrated with the rest of the network or security infrastructure, and there were different processes required for Android and iOS platforms.
“Just managing 100 devices required a substantial investment of staff time and system resources,” said Walker. “For instance, it took up to 30 minutes just to load it correctly on one mobile device. We needed a more powerful solution that was truly cross-platform and didn’t require any user interaction.”
From Pilot to Production
The Secretary of State’s Office identified three possible solutions, including Check Point SandBlast Mobile, and conducted proof-of-concept testing. Walker’s team initially deployed SandBlast Mobile on a small number of devices to see how it worked.
“SandBlast Mobile worked great,” said Walker. “Users didn’t even know it was there. It took so little effort and worked so well that we took it straight to production.”
Mississippi Secretary of State's Office Secures Mobile Devices, Gaining Peace of Mind and Significant Savings
RheinMain University of Applied Sciences offers more than 85 degree programs for 13,000 students at five locations in Wiesbaden and Rüsselsheim. As a family-friendly university, it offers maximum support in balancing studies and careers with family life.
RheinMain University of Applied Sciences Increases IT Security for Students, Teachers and Employees
Low Cost Airline
From America’s favorite small cities to world-class destinations, this airline makes leisure travel affordable and convenient.
On Board for Virtualization
This airline focuses on delivering affordable air travel while also offering related products, such as hotel rooms and rental cars. With 85 aircraft and 350 scheduled routes across the United States, this low cost airline flies out of 120 airports. Across all of these airports, this airline’s IT and information security teams manage network traffic for business-critical systems such as reservations and flight schedules.
In the past, the airline had supplied laptops for staff and deployed physical firewalls at each of their locations. Because traffic was shared over a common network, any security or network problem at one airport could potentially affect all locations. The infrastructure also was costly and difficult to manage consistently. As the threat landscape intensified, the airline’s team wanted to simplify their network design as well as bring more automation into their releases while increasing their ability to prevent attacks across an increasingly virtualized infrastructure.
The airline chose to deploy VMware NSX in their datacenter and implement a virtual desktop infrastructure (VDI) delivered over Internet links to all airports. This dramatically simplified network management, delivered greater agility, and enabled the team to micro-segment traffic with policies specific to each segment for higher resiliency. To secure this dynamic environment, the airline chose Check Point CloudGuard IaaS for VMware NSX.
Extending Protection for Virtual Coverage
“We’ve implemented the Check Point Infinity architecture to help us consolidate and unify security across our networks,” said the airline’s Information Security Manager. “In addition to Check Point CloudGuard IaaS for NSX, it includes Check Point firewalls, Check Point SandBlast Zero-Day Protection, and Check Point R80 Security Management. Together, these solutions have made our lives much easier and our network more secure.”
Check Point Infinity uses unified threat intelligence and open interfaces to protect the airline’s environments against targeted attacks. With Check Point R80 Security Management, the team consolidated security management across all network environments into a single pane of glass. Check Point CloudGuard IaaS for VMware NSX delivers a multi-layered defensive posture to protect east-west traffic in their VMware-deployed datacenters. CloudGuard IaaS transparently enforces security at the hypervisor level and between virtual machines, automatically quarantines infected machines for remediation, and provides comprehensive visibility into all virtual network traffic trends and threats.
Airline Grounds Cyber Threats with CloudGuard IaaS Advanced Security
STLC — Russia’s premier leasing company
STLC was established in 2001 as ZAO Civilian Aviation Leasing Company. It expanded its portfolio in 2005 to include road transport and infrastructure. STLC has evolved into the largest Russian leasing company entrusted with the financing of high-profile civilian aviation and transport projects, such as deliveries of the Sukhoi Superjet 100 passenger plane.
Bolstering corporate network security and easing the workload of system administrators
“Our employees handle all sorts of commercial and sensitive information,” says Sergey Rysin, Security Advisor to the STLC Director, adding: “The IT department is tasked with keeping it secure. In the face of increasingly sophisticated security threats and data breach mechanisms, it is vital that we are able to respond quickly to all intrusions and develop systems that can ward off external threats. Since a person is incapable of processing such a vast array of information single-handedly, we have come to rely on a robust solution that can respond to our corporate needs. Check Point gives us the highest level of security.”
In recent years the company has repeatedly faced all kinds of data protection issues, from unauthorized access to corporate resources to threats posed by ransomware. While the IT team promptly prevented all issues as they came to light, STLC management realized the need for proactive threat prevention in order to avoid damage to the business.
“Prior to Check Point, the IT infrastructure of STLC relied on a solution by another well-known vendor, which failed to solve the task of blacklisting of resources and real-time prevention of cyber attacks. When we decided to take critical action and search for a new solution, we considered offerings by Palo Alto and a number of Russian vendors. Check Point products stood out among the competitors for their ease of configuration, a user-friendly interface and the ability to prevent threats from entering the network more effectively than the competition. Last but not least, they did a good job achieving the requirements identified during the pilot project stage,” Mr Rysin continues.
Effective Integrated Security
The STLC corporate network has a multi-layered architecture. Check Point Next Generation Threat Prevention protects the corporate network perimeter from external threats and prevents user access to potentially malicious websites and services while preserving access privileges essential to performing the user’s duties. When a user attempts to access a potentially malicious external resource, the system automatically blocks the request and notifies the administrator. “Check Point solutions prevent threats of all kinds when users unknowingly access malicious or unknown resources, completely eliminating the very possibility of damage or data theft, and preventing any potential damage,” says Rysin. All network traffic is continuously monitored by SmartEvent, the Check Point SIEM system, which allows the team to track all network activity and generate reports on demand.
The SandBlast solution is used to protect endpoints on the STLC corporate network. “The SandBlast solution provides quality endpoint protection against any type of malware and other security threats, which makes it all the easier for the IT department to provide support to users,” Mr Rysin adds.
All major companies face the same common problems associated with the use of removable drives, internet access and external mail services used by employees. Check Point SandBlast Endpoint Security enables administrators to flexibly configure access privileges, prohibit downloads and transmission of specific file types, and protect users against both common threats and zero-day attacks such as ransomware. The intuitive interface and ease of administration enable the company to respond promptly to changing conditions and requirements while maintaining the much-needed flexibility with a high level of security.
State Transport Leasing Company (STLC) chooses Check Point to create a new standard for cyber security
Edel AG is one of Europe’s leading independent media groups which employs around 1,000 people. optimal media GMBH is one of the most modern and innovative media service providers. The company specializes in the production of high quality printed materials and packaging, as well as the production of CDs, DVDs, Blu-ray discs and records. optimal also has a full-service print shop, digital distribution centers, a logistics and fulfilment center, an audio mastering studio and an Authoring Studio. Its customers include well-known music labels and distributors, software companies, film studios and distributors, media and book publishers, agencies, artists and industrial customers from Germany and worldwide.
Preventing data breaches
As the technical service provider of the group, optimal media’s IT Department is responsible for network and IT security systems for all eight of Edel AG’s European offices.
“Cyber security is very important to us. The production data our customers send us for their new CDs or records contains incredibly sensitive information and intellectual property that must be protected,” says Christoph Andreas, Team Leader, IT Systems & Support at optimal media. The international recording industry network, the IFPI, audits the IT security systems at optimal media each year – and so far it has passed every time. “But the threat level is becoming ever more critical, and the time it was taking to prepare for the audits had become unmanageable. Our existing, outdated firewall solution was not going to be enough for us in the long term, as it could not handle unknown threats,” says Andreas.
Comprehensive protections and visibility for all network traffic
The results of a one month evaluation of Check Point technology impressed the Edel AG board. The solution covered many loopholes and weak-points that the IT team had not even been aware of. “Comparing the results with other solutions showed us that Check Point was by far the only solution able to provide comprehensive protection and visibility for all network traffic, identify and block all types of threats in real-time and classify all applications and protocols,” says Andreas.
Check Point Infinity powered by R80 – A new standard of security
With Check Point Infinity architecture optimal media achieved a new standard of security. Using Check Point’s high performance security gateway, powered by Check Point Infinity R80 version, and using R80 security management, all networks, users, applications and data are controlled leveraging a unified security policy. The DLP prevents sensitive information from leaving the organization from any application and protocol, while SandBlast, Check Point’s zero-day threat prevention solution, prevents advanced threats and cyberattacks in real time – keeping them outside the network. Consolidating the entire security into a single platform managed by a unified, single-pane-of-glass management, optimal media now covers all aspects of security for complete protection – now and in the future.
Optimal Media protects digital assets with Check Point Infinity
U.S. Public Health Services Provider
As a leading West Coast provider of emergency health services, this organization has over two million patients and runs over 90 locations, with two major trauma and rehabilitation centers. The organization provides critical, life-saving services in emergency cases.
Being a large-scale healthcare provider, the organization is responsible for securing its patients’ highly sensitive data. Information such as patients’ medical information, social security numbers, and personal addresses makes the organization a prime target for malicious actors. Entry of any bad actor could have disastrous results for patients and the hospital including identity theft, insurance fraud, data manipulation leading to mistreatment and more.
With important medical devices that require internet connectivity, it is absolutely crucial that the organization’s network is protected. If an attack compromises connectivity, downtime to life-saving devices could result in serious repercussions to patients receiving emergency care. This could lead to delays in treatments, patients getting sicker or even death.
To ensure patients receive the emergency services they need, the organization needed a solution that would not just detect advanced threats to its network, but ultimately prevent them from coming in.
“I believe in the Check Point product, SandBlast, because we believe in prevention and not just monitoring. So we use it in line, and it works really well,” said the Information Security Manager at the Public Health Service Provider.
Advanced Threat Prevention
To protect its network, the health services provider chose Check Point SandBlast with Zero-Day Protection. The organization uses Check Point Firewall IPS, App Control, Anti-Bot, and Anti-Spam capabilities, as well as Threat Emulation and Threat Extraction technologies. Check Point’s unique CPU-level exploit detection capability enables Threat Emulation to block malware designed to bypass regular sandboxing technologies, ensuring security against advanced threats such as WannaCry.
With Check Point SandBlast, the organization has been able to prevent countless attacks through email and web thanks to the Threat Emulation technologies. According to the organization’s Information Security team, event logs show that CPU-level evasion detection has been highly effective in catching malware.
The team also found Threat Extraction to be highly useful.
“Threat Extraction was very promising, as we could deliver a cleansed document while the file actually gets checked in the background to see if it’s malicious,” said the Information Security Manager.
U.S. Public Health Services Provider Safeguards Network Ensuring Quality Health Care Delivery to Millions
Present everywhere in Belgium as well as in the Grand Duchy of Luxembourg and France, Laurenty is a family group specialising in cleaning, road sweeping, building and green spaces. With an annual turnover of more than €120 million, the company serves around 5,000 clients thanks to its 4,300 employees.
Simplify Management and Increase Security
In 2015, Laurenty realized that its IT security infrastructure was technically outdated and fragmented. Several point products were used to address specific security challenges. Using products from multiple vendors means several consoles, different approaches and no global visibility. “Instead of renewing the existing licenses, you might as well investigate the market to find the very best solution to secure both the network and the endpoints,” says Laurent Grutman, CIO at Laurenty.
Responding to Strict Regulations
From May 2018, all European companies will need to demonstrate, at any given time, that all personal data held by them is protected and, in particular, that it could not be used in the event of theft. This new European regulation is known as the GDPR (General Data Protection Regulation) and, if it is contravened, the company in question may have to pay severe penalties of up to 4% of its annual turnover.
To protect its laptops against data breaches Laurenty needed a strong encryption solution.
Advanced Threat Prevention
With the help of Shinka, an IT security integrator and a recognized Check Point partner, a global solution was implemented, protecting both endpoints and network while incorporating the principles of Check Point Infinity architecture.
The first priority was to protect the company’s endpoint devices against zero day and other advanced threats. Check Point SandBlast Agent protects Laurenty against all kinds of unknown malware, bots, phishing and ransomware attacks. Anti-ransomware is part of SandBlast Agent and doesn’t only stop the spread of ransomware, it also recovers your data in case some files were already encrypted.
Alongside antimalware, which is still needed to protect against known viruses, Laurenty was also looking for a good solution to protect itself against data breaches caused by stolen or lost laptops. By using full disk and media encryption and port protection, all endpoint security requirements were met, which helps Laurenty achieve GDPR compliance.
Laurenty chose Check Point’s Complete Endpoint Protection Suite as it brings them data security, network security, advanced threat prevention, forensics and remote access VPN for complete endpoint protection in one package and it’s manageable with one console. Phase two was the replacement of the old gateways with the new Check Point 5600 appliances with SandBlast Next Generation Threat Prevention (NGTX) to defend the company’s network against zero-day threats.
SandBlast incorporates two technologies, explains Laurent Verhees of Shinka. Each email attachment, such as Excel, PDF, etc., is now forwarded to Check Point SandBlast cloud for inspection. SandBlast emulates and scans the attachment for malware and only if the file is clean, sends it back to Laurenty. While this process can take a few minutes, Threat Extraction strips out any active content that can be malicious and delivers a clean version of the attachment in a matter of seconds without business delay to the end user.
Email recipients have access to a safe, “static” version of the attachment only. “This static file is generally all that our employees need, so there is no delay in getting our work done. We just know that data is secure,” adds Laurent Grutman of Laurenty.
Laurenty was one of the first customers in Belgium to implement the newest version of Check Point security management R80. The installation went flawlessly and R80 brings a lot of advantages, such as consolidated security into one place with one console, integrated threat management and a unified policy.
Laurenty Unifies Security to Comply with General Data Protection Regulation (GDPR)
OpenLink is the global leader in trading, treasury, and risk management solutions for energy, commodities, corporate, and financial services companies. More than 37,000 users from 600 clients use the company’s highly sophisticated software for activities such as hedging commodity prices, automating logistics, forecasting raw material needs, and trading derivatives.
Moving to the Cloud
OpenLink’s solutions power decision-making and operations for many of the world’s largest oil companies, banks, and utilities. Each client’s OpenLink implementation is tailored specifically to their unique business needs. Until recently, OpenLink solutions were typically deployed in clients’ own data centers. Each deployment was built with high amounts of excess processing capacity to handle peak periods of demand. As an example, a client might need 10 compute systems for most of the day, but during a peak processing period, complex transactions would require 100 systems to handle the computational load and minimize delay.
OpenLink’s large clients also maintain multiple development and testing (DevTest) environments and staff. Due to the complexity of customized software implementations, these teams work continuously to keep their solutions upgraded with release levels and to develop customized plug-ins. The production and DevTest environments represent high capital investment, maintenance, and support costs, yet they are mission-critical to the company’s operations.
For smaller clients that don’t have large data centers, OpenLink began hosting customer workloads and data in its own data center. Using its private cloud, OpenLink essentially began functioning as a service or hosting provider, processing large amounts of client data.
“We saw an opportunity to reach more customers with OpenLink solutions through a cloud model,” said Michael Lamberg, VP and Chief Information Security Officer for OpenLink. “If we could progress from private cloud to a public cloud model, we could gain significant advantages.”
OpenLink chose Azure based on compatibility with OpenLink technologies, robust regional coverage, pay-per-minute pricing model and a mature security stack.
Adopting a service delivery architecture that included public cloud would enable OpenLink to support more clients with less physical infrastructure and with the added flexibility to scale on demand for peak usage periods. Clients would only pay for the resources they use—enjoying substantial savings and higher performance. OpenLink also would reduce its physical infrastructure costs. The public cloud accelerates OpenLink implementations for new clients because with the proper tools, it is much simpler to manage. By providing DevTest environments in the cloud, OpenLink can provide rapid access to versions of its application, giving everyone a competitive advantage and offering an affordable solution for many more potential clients.
“Security in the cloud is paramount,” said Lamberg. “We chose Microsoft Azure for our cloud, but wanted in-depth control over security. I need the ability to see and verify the layers of security deployed. We chose CloudGuard IaaS for Microsoft Azure to meet our security requirements. In addition, CloudGuard IaaS is cloud agnostic, making us less dependent on the cloud provider’s native security controls and giving us the flexibility to choose where we could host our workloads in the future.”
CloudGuard IaaS Secures Client “Bubbles”
OpenLink’s Azure cloud consists of multiple single-tenant environments defined as bubbles. Each client’s solution operates in its own “bubble,” which is securely linked to a cloud-based management hub and the client access portal. Private peering links connect back to the OpenLink physical data centers, which operate separately. OpenLink had previously deployed Check Point 5600 Next Generation Security Gateways in two of its data centers. Now it deployed Check Point CloudGuard IaaS for Azure to secure its public cloud environment, thus moving towards significant security deployments on Check Point solutions.
“In my experience, Check Point is one of the only security solutions that can easily and efficiently scale to hundreds of gateways,” said Lamberg. “I can be assured that no client environment (bubble) can talk to any other bubble, and nothing can pass through CloudGuard IaaS for Azure into the OpenLink cloud unless I configure it to do so. That’s an extra level of assurance for us and our clients.”
CloudGuard IaaS for Microsoft Azure extends advanced threat prevention security to protect customer Azure cloud environments from malware and other sophisticated threats. As a Microsoft Azure certified solution, CloudGuard IaaS enables customers to easily and seamlessly secure their workloads, data and assets while providing secure connectivity across their cloud and on-premises environments. It provides the full protections of Check Point’s Advanced Threat Prevention security, including firewall, IPS, antivirus, anti-bot protection, application control, data loss prevention, and more.
The decision to utilize CloudGuard IaaS to secure their cloud environment means that every OpenLink client bubble enjoys the same comprehensive next-generation threat prevention capabilities.
“Our partnership with Check Point is one of the most valuable aspects of the solution,” said Lamberg. “Check Point works very well with Azure, and we get great support from both vendors. The adoption of public cloud challenged us in verifying the security layers offered by the cloud provider; also, given limited visibility into the layers of the Azure stack, CloudGuard IaaS helped us overcome these challenges.”
Secure Move to the Cloud Delivers Savings, Flexibility and Confidence to OpenLink and Its Clients
Edenred introduced the Ticket Restaurant meal voucher to the French market in 1962—one of the first employee benefits adopted by organizations across the country. Today, Edenred connects 43 million users with 1.4 million merchants and manages trusted transactions for 750,000 companies.
Edenred provides digital solutions by giving companies and employees the ability to perform a variety of everyday transactions worldwide. Corporate employees use Edenred payment cards or their mobiles to buy lunch or groceries. Fleet drivers fuel up, pay parking fees, and get their trucks serviced with Edenred cards. Merchants use Edenred to accelerate customer checkout and reimbursement. Companies use Edenred services to improve expense management, reduce operations costs, and minimize risks involved in complex transactions. With more than 2 billion transactions managed every year, Edenred has to meet the highest security and compliance standards to protect its customers’ privacy and data.
Protecting Client Security and Privacy
“We know our corporate clients and their employees,” said Romain Dayan, IT Security and Telecommunications Director at Edenred. “Because we process personal and financial data, security and privacy are our topmost concerns.”
Edenred has been a Check Point customer for many years, using Check Point solutions to protect its corporate networks and data centers worldwide. As the company continues to evolve, so do its data transport, storage, and security needs. As a financial organization, it is also subject to the Payment Card Industry Data Security Standard (PCI DSS), banking regulations, transaction authorization requirements, and General Data Protection Regulation (GDPR) laws. One of the most important requirements for Edenred was to create security and compliance standards that encompass its operations in North America, Europe, Brazil, and Singapore. To achieve this, Edenred needed a solution that not only provides the best protection but can also meet the most demanding compliance standards.
Edenred was seeing a growing amount of malware arriving with email. Its antispam solution wasn’t enough to protect against advanced threats, so the security team chose SandBlast Zero-Day Protection for complete protection against zero-day and targeted attacks. Unlike other sandbox solutions, SandBlast’s Threat Emulation technology with CPU-level inspection can stop the most sophisticated threats. Using evasion-resistant malware detection techniques, SandBlast can look into exploits that try to bypass OS security controls and stop the attack even before it tries to launch and evade detection. In addition to that, SandBlast’s Threat Extraction component removes malicious active content and embedded objects and delivers a clean file to end users.
Edenred Protects Its Prepaid Card Services with Check Point SandBlast
A U.S. regional bank was expending many hours and resources every week remediating issues caused by infections on the network and endpoints. Advanced threats coming in through email and web were getting past the bank’s existing firewall and negatively impacting the business. To protect its assets, the bank chose Check Point SandBlast and SandBlast Agent. With these products the bank is able to proactively detect and prevent zero-day attacks and unknown malware from the web and email, significantly reducing remediation efforts.
Protecting Users from Malware
Before choosing Check Point, the bank had been expending resources and man-hours every week remediating issues caused by malware entering the network and infecting the endpoints.
The bank’s network security was jeopardized when internal users visited websites that were malicious or had been compromised. The websites would download malicious content, some of which they had never seen before, infecting the users’ machines.
In addition, spam emails and embedded Word documents were getting through the bank’s firewall and reaching the end users. When users opened the malicious files, it was already too late. The executable code in them would enable attacks on the endpoints. The IT security team had to engage remediation procedures which could take hours or even days. The bank needed to find a solution that would detect the malicious files before they arrived at the endpoints and reduce the time spent on remediation.
Zero Day Protection for both Network and Endpoints
The regional bank chose Check Point SandBlast Network Security to protect its network because it was the market leader and because the bank’s own detailed testing determined it to be the best at preventing malware. With SandBlast, the bank secured its network from malicious content accessed by users.
As the bank was satisfied with the performance of SandBlast Network Security, it chose Check Point SandBlast Agent to protect its endpoints.
“We went with SandBlast Agent because it was more effective than the agent we were using; there were things slipping through it,” said the Network Security Administrator at the Regional Bank.
In order to test SandBlast Agent, the Network Security administrator threw a lot of malware at it, all of which was blocked.
“You couldn’t really get anything by it,” said the Network Security Administrator.
Since implementation, SandBlast Agent has been immensely effective in protecting the bank’s users.
U.S. Regional Bank gains operational efficiency while preventing advanced attacks
The company serves more than 19 million clients worldwide with industry-leading retirement plans, Employee Stock Ownership Plans (ESOPs), deferred compensation plans, and insurance offerings. Businesses, governments, institutions, and individuals turn to it to help them achieve their financial goals. Founded in the U.S., the company operates in Asia, Europe, Australia, Latin America, and North America.
Investing in the Cloud for Added Agility
Financial services organizations, such as insurance companies, investment banks, and asset managers, realize that extracting value from “big data” will make them more successful and competitive, driving new revenue streams and cost efficiencies. With this goal, in-house development teams are creating new financial models and algorithms by tapping into unstructured data sources, machine learning, and predictive analytics capabilities. The asset manager’s development teams needed more agility and flexibility as they developed and tested new applications in short time frames.
“Our developers want to be able to quickly spin up a virtual environment for testing or Quality Assurance (QA) purposes and then spin them down just as quickly,” said the Senior IT Network Analyst for the asset management firm. “They need workloads at some times and not others, so we’re moving to a private cloud model for more hosting flexibility to service these dynamic compute requirements.”
The firm’s security infrastructure team already managed firewalls and rules, proxies, and remote access using Check Point solutions. However, as they deployed a VMware NSX private cloud environment, they needed to secure it while maintaining security for their existing data center applications.
“We have a number of home-grown, proprietary applications that we will not move to the cloud,” said the Senior IT Network Analyst. “We wanted the ability to segment and protect applications, regardless of whether they are hosted in our traditional data center or in the cloud without compromising security for either environment.”
Orchestrating the Migration
The team looked at several potential solutions for securing their private cloud environment before choosing Check Point CloudGuard for VMware NSX, which protects internal data center (east-west) traffic with multi-layered protections. It transparently enforces security between virtual machines at the network level, automatically quarantines infected machines for remediation, and provides comprehensive visibility into virtual network traffic patterns and threats.
“Check Point CloudGuard for VMware is a more robust solution than others we evaluated,” said the Senior IT Network Analyst. “CloudGuard IaaS gives us the deep packet inspection we wanted, as well as the orchestration and automation we’re looking for.”
What’s more, the team deployed VMware NSX ahead of schedule, deciding to deploy Check Point CloudGuard for NSX without vendor or partner assistance. With the help of the administrator’s guide, they had the NSX cloud environment secured in under an hour. In addition, they transformed existing physical Check Point gateways into CloudGuard IaaS gateways using the Check Point R80 Hotfix feature for CloudGuard IaaS.
“We wanted to leverage the existing rule set and management orchestration that we already had,” said the Senior IT Network Analyst. “Now we’ve automated the entire NSX infrastructure to enable automated traffic redirection through the CloudGuard IaaS gateways simply by assigning resources to security groups.”
Global Asset Management Company
This regional credit union is one of the largest financial cooperatives in the U.S., offering various business and personal banking products and services through its many regional branches such as deposit accounts, credit cards, loans, insurance, and wealth management services.
Protecting Users from Malicious Emails
Entrusted with billions of dollars in assets, the credit union’s highest priority is keeping their members’ hard-earned money safe. As a financial institution, it has a lot of sensitive data to protect, ranging from its customers’ private information—names, addresses, and social security numbers—to credit card numbers and financial information. Protecting this data requires taking strict measures to prevent unauthorized access attained through malware infections, defending against zero-day vulnerabilities that can lead to ransomware attacks, and eliminating phishing emails that target the bank’s unsuspecting users.
The bank’s Information Security team, consisting of only 4 people, was spending up to 20 hours a week remediating problems. The previous solution, a firewall and email security gateway using signature-based detection, had been letting various Zero-Day malware through its perimeter. Users would receive emails with infected attachments or links that once clicked would cost the bank a lot of overhead.
“We were constantly rebuilding PCs that were getting infected with malware, having to go and investigate and make sure the malware didn’t spread to other places,” said the bank’s Manager of Information Security. “It really became a lot of manual effort that was related to some of these infection events.”
The company knew it had to find a solution that significantly reduced the time spent on remediation of email-borne infections, and made management of security simpler and more effective. It sought a security solution that would stay one step ahead of the curve and be able to defend against advanced threats such as Zero-Day and ransomware attacks.
“Our Check Point SmartEvent console consolidates monitoring, logging, reporting, and event analysis to correlate data and give us actionable attack information,” said Honnold. “Our security analysts can see malicious events, attack entry points, scope of damage, and data about infected devices so that we can respond quickly.”
Regional Credit Union Protects Users with Enhanced Network Security
Helvetia provides a comprehensive range of insurance services to more than 4.7 million customers with a presence in Switzerland, Germany, Italy, Austria, Spain, France, Luxembourg, and Jersey. In Switzerland alone, Helvetia serves more than 750,000 private and business customers with 6,700 employees.
Achieving high customer satisfaction and trust is one of Helvetia’s primary goals. The company is committed to delivering high-quality, secure services for customers and its employees. Therefore, having a secure IT environment is a critical part of Helvetia’s operations.
“The insurance business is based on trust,” said Andreas Hagin, Head of Corporate Network & Unified Communication Engineering in Corporate IT Operations at Helvetia. “Focusing on customers is firmly anchored in our values and we set very high standards for ourselves and our IT security.”
Next Step: Automation
Like most IT organizations, Helvetia’s IT team is always looking for ways to handle a rapidly growing volume of work with the same number of employees. That means minimizing the number of manual tasks required of team members, reducing the need to retrain and redeploy teams, and finding new ways to deliver services as efficiently as possible. Helvetia sees automation and adopting a Software Defined Data Center (SDDC) strategy as the means to increased efficiency.
“We have been pursuing the vision of automation for years,” said Hagin. “Check Point CloudGuard IaaS is the perfect solution for this.”
Security with Flexibility
As Helvetia began its SDDC project, it had several challenges: create a new internal IT team structure, extend its VMware virtualized environment, and find a solution to secure it. Helvetia initiated a proof of concept to test its first steps toward a new SDDC based on VMware NSX.
“We built a virtual team comprised of storage, security, VMware, and network specialists,” Hagin said. “Then we scouted the market for a suitable security product and found what we were looking for with Check Point CloudGuard for VMware NSX.”
Helvetia chose VMware NSX to reproduce its data center networking environment functionality in the hypervisor layer. Check Point CloudGuard IaaS integrates with VMware NSX to deliver multi-layered defenses. Check Point CloudGuard IaaS protects east-west traffic within the VMware-deployed data center. It transparently enforces security at the hypervisor level and between virtual machines, automatically quarantines infected machines for remediation, and provides comprehensive visibility into virtual network traffic trends and threats.
Helvetia provides insurance services to more than 4.7 million customers
The Mississippi Secretary of State is comprised of eight divisions, each with specific responsibility for delivering information and services to its constituencies. The divisions include Business Formation and Services; Charities; Public Lands; Elections and Voting; Regulation and Enforcement; Securities; Education and Publications; and Policy and Research.
Looking for Stronger, Broader Protection
The Mississippi Secretary of State faces the same cyber threats that target large enterprises and other levels of government. Security is a high priority, and recently, the agency upgraded its security infrastructure to achieve a number of goals.
“We have a much broader range of threats to defend against,” said Russell Walker, Chief Technology Officer in the Mississippi Secretary of State. “Ransomware was a huge concern, and we needed stronger protection against everything from viruses, bots, and general malware to zero-day attacks and phishing.”
The solutions deployed previously lacked capabilities, such as sandboxing, that could accurately stop and analyze a potential threat. Endpoint protection was a traditional, signature-based antivirus product that not only missed malware and advanced threats, but also took a toll on users’ PC performance. None of the solutions delivered adequate visibility into threats that they did catch, nor did they give Russell and his team actionable information for fighting them.
“We began looking for an endpoint protection solution that did a much better job of preventing and detecting malware with fewer resources,” said Russell. “We also wanted a better Intrusion Protection System (IPS) and anti-bot solution—all in one package.”
Starting with the SandBox
Russell’s team evaluated potential solutions, including Check Point, from the perspective of being able to sandbox threats.
“Check Point SandBlast Zero-Day Protection was on a level by itself,” said Russell. “Check Point was one of the only companies that could do Threat Emulation and Threat Extraction—and they were the best.”
Check Point SandBlast Zero-Day Protection provides complete protection against zero-day and targeted attacks. Threat Emulation technology monitors CPU-based instruction flow for exploits trying to bypass OS security controls, allowing it to stop attacks before they can evade detection. Threat Extraction removes exploitable content, including active content and embedded objects, reconstructs files to eliminate potential threats, and promptly delivers sanitized content to users. To protect its endpoints, the Office chose Check Point SandBlast Agent, which gave them a complete set of real-time anti-ransomware, anti-bot, zero phishing, and automated incident analysis features.
“We could use Check Point’s threat cloud, which eliminated the need for another appliance,” said Russell, “and we got protection with visibility that isn’t available from other products in a single offering. Wow.”
Mississippi Secretary of State Gains End to End Advanced Threat Protection for Its Data
Since it was established in 1961, Tecnun has maintained a balance between teaching, research and its contribution to society. Tecnun has two campuses in San Sebastián—the Ibaeta District and the Miramón Technology Park. Both campuses focus on the teaching and research of mechanical engineering, industrial engineering, telecommunications, electrical and energy engineering and biomedical engineering.
Boost Perimeter Protection and Simplify Security Management
“The progressive and unstoppable transition to a digital university, where students and teachers increasingly depend on the internet, the rise of social networks, increased voice and video traffic and the migration of applications and services to the cloud were pushing our network infrastructure to its limits and the time had come to make a decision,” explains Enrique Reina, Head of IT at the University of Navarra Technology Campus in San Sebastián.
“Like all organizations of a certain size, we were being targeted by numerous attacks of all kinds,” adds Enrique Reina. “We had been implementing solutions from different vendors that provided partial coverage. Security management had become highly complex, with a requirement to simultaneously manage and monitor various sites. We didn’t have the capacity to correlate or analyze all the information generated by the various protection systems in place.”
Complete and Effective Security
“The best way forward was to redesign our perimeter security to ensure adequate protection against the new security challenges and advances in technology,” explains Reina. “After discussing our needs with various security vendors, we chose Check Point – with whom we have worked for over 20 years – whom we felt stood out from the crowd. In just three days, the Check Point team performed a full Security CheckUp, showing us our risks and vulnerabilities and allowing us to view network activity in real time. Just one week after the CheckUp, working in partnership with Telefónica Solutions, Check Point provided a full demo installation that allowed us to see the solution they proposed.”
Tecnun decided to replace equipment from other vendors and consolidate its entire network protection with Check Point, installing a high availability cluster of devices on each campus. At the Miramón campus, which employs about 90 teachers and researchers and around 200 students, two Check Point 4600 appliances with Next Generation Threat Prevention (NGTP) were selected. In Ibaeta, where 300 people work and more than 800 students study, two Check Point 12200 appliances were installed, as well as the management console and Next-Generation SmartEvent.
“The Next-Generation Check Point appliances are completely different from the pure firewalls we used before. They have evolved into a full security platform with an advanced range of features, including safe browsing, secure email, URL filtering, antivirus, protection from intrusions, anti-bot protection, mobile access and application control, and all this in a single appliance,” explains Reina. “Instead of having various independent applications, the Check Point Next-Generation SmartEvent console offers a single view and unified management of campus security.”
Tecnun Secures Its Digital Campus with Check Point Next Generation Threat Prevention
Located in Créteil, France, this local authority manages all public services for the area’s 1.4 million inhabitants across 47 cities.
Daily Cyber Attacks
The Conseil Départemental computers and those in the IT Department were experiencing attacks regularly. They were mostly caused by suspicious email attachments containing either known or new malicious code. Although antivirus programs were installed, this malware was so clever that it was capable of evading detection. The IT team had to find a way to halt this growing problem and ensure a secure environment to work in.
Detecting Unknown Attacks
In 2015, the Council’s IT Department researched existing solutions dealing with advanced threats and “Zero-Day” attacks, which were not recognized by traditional antivirus solutions. They then approached Check Point to perform a Security CheckUp.
“We asked Check Point to test their SandBlast solution. Like other government organizations, we have to manage IT attacks. We wanted to increase our security by adding the SandBlast product to complement our suite of IT protection tools,” explained Mikaël Auzanneau, Networks and Security Engineer at the Conseil Départemental. “The result? The management immediately gave us the green light to purchase several SandBlast blades.”
The Conseil Départemental du Val de Marne Blocks Threats in Real Time
With more than 20 years of experience in microbial fermentation for oral- and injectable-grade, microbial-derived biopharmaceuticals, Gnosis is a leading manufacturer of active and functional ingredients. The company has locations in Italy, Switzerland, the U.S., and China.
A Growing Attack Surface
Gnosis has grown rapidly, and with growth comes an increased attack surface. Zero-day and other advanced threats were increasing, and as a pharmaceutical company, Gnosis must comply with strict government security regulations. Authorities are increasing their focus on system security to include facilities such as laboratories and manufacturing facilities, but Gnosis’ legacy systems were not able to prevent advanced threats from gaining access.
Because Gnosis had expanded dramatically, it needed to implement a more efficient, consolidated security solution that could protect the network, data, and communications between headquarters and other sites. It began looking for a next-generation solution as protection from advanced threats against employees, visitors, and suppliers, as well as websites and outgoing communications, such as email.
Choosing Comprehensive Protection
Gnosis evaluated the cybersecurity providers that are listed in the Gartner Magic Quadrant. After narrowing its choices, Gnosis chose Check Point SandBlast Zero-Day Protection to secure its networks and data with protection against zero-day threats. It also deployed Check Point Next Generation Threat Prevention (NGTP) with multi-layered protection from known, signature-based threats.
Gnosis uses Check Point firewall services, app control, intrusion prevention, perimeter antivirus, antibot, antispam and URL filtering capabilities. It also adopted Threat Emulation and Threat Extraction technologies, which include evasion-resistant CPU-level exploit detection, machine learning, and Push-Forward Adobe Flash emulation.
In addition to the Next Generation Threat Prevention capabilities that protect against all known threats, Gnosis chose SandBlast Zero-Day Protection, which protects SMTP, HTTP, and HTTPS traffic from all unknown threats—zero-day, cryptolocker, Advanced Persistent Threats (APT), and others. CPU Level Protection blocks malware intended to bypass sandbox protection. These features ensure a high level of protection for Gnosis.
Threat Extraction delivers an immediate, preemptive, 100% sanitized version of a file, allowing business continuity in a secured environment, ensuring Gnosis’ high level of customer experience.
Security is Gnosis’ Active Ingredient
Starkey Hearing Technologies is a world leader in advanced hearing solutions, as well as the largest U.S. manufacturer. Its evidence-based design process results in products that make a dramatic difference in people’s ability to hear the world around them.
Getting—and Staying—a Step Ahead
Hearing care professionals worldwide order Starkey products through the company’s online ordering and payment system. Starkey must meet Payment Card Industry (PCI) compliance requirements in addition to securing its business with other solutions, such as Data Loss Prevention (DLP), antivirus, and other network security tools.
“Technology changes quickly, which makes it a real challenge to keep up,” said Joe Honnold, IT Manager of Network Services at Starkey Hearing Technologies. “We’re trying to minimize the impact of change and still provide a secure environment for employees and customers.”
Honnold’s job became even more challenging when Starkey was hit by an unknown advanced malware attack that started communicating with a command and control server. The team later learned that the malware was Gatak, a type of Trojan. Gatak hides data in image files. When it installs on a computer, it tries to download an image from any number of URLs that are hard-coded into the malware. The image contains encrypted data in pixel data. Next, Gatak deploys a lightweight capability that performs detailed fingerprinting on the infected machine and can also install additional payloads. A second Trojan component persists on the machine and steals information.
That persistence led to three or four advanced malware incidents per week. The attacking malware gathered valuable data that enabled it to escalate access privileges to network assets and spread laterally. It infected 2,000 machines in just two weeks. Under external control, the data could have been exfiltrated or encrypted and held for ransom. When employees took their laptops home and were no longer behind the corporate gateway, they became much more vulnerable. It was obvious that Starkey’s antivirus solution was no longer enough.
“Modern malware changes every day,” said Honnold. “We needed more advanced capabilities to protect our laptops and other edge devices. We called Check Point and asked how we could better leverage our Check Point gateway infrastructure to increase our protection.”
Protection That Lives on the Edge
Starkey chose Check Point SandBlast Agent to protect the company’s desktops and laptops. SandBlast Agent uses a complete set of advanced endpoint protection technologies—both on-premises and remote—to defend endpoints against zero-day malware and targeted attacks. Starkey deployed SandBlast Agent on 4,000 systems across 34 facilities worldwide.
SandBlast Agent detects and blocks attacks from email, removable media, spear phishing, watering holes, and command-and-control communications, even when users work remotely. SandBlast Agent also stops data exfiltration to prevent sensitive information from leaking, and it quarantines infected systems to prevent malware from spreading. Starkey gains valuable protection across enterprise file types, such as Microsoft Office, Adobe PDF, Java, and multiple Windows operating system environments.
“We use SandBlast Agent’s Threat Emulation capability to discover malicious behavior,” said Honnold. “It even uncovers new types of malware and threats hidden in SSL and TLS encrypted communications.”
SandBlast Agent Threat Emulation quickly inspects files in a virtual sandbox. Suspicious-looking files are flagged for deeper analysis and then Threat Emulation sends a signature to the Check Point ThreatCloud database, which documents and shares information on newly identified malware.
SandBlast Agent’s automated forensics capability gives Honnold’s team a deeper understanding of security events, faster. When a malware event occurs, a combination of advanced algorithms and deep analysis of raw forensic data in SandBlast Agent builds a comprehensive incident summary with a complete view of the attack flow.
“Our Check Point SmartEvent console consolidates monitoring, logging, reporting, and event analysis to correlate data and give us actionable attack information,” said Honnold. “Our security analysts can see malicious events, attack entry points, scope of damage, and data about infected devices so that we can respond quickly.”
Starkey Hearing Technologies Amplifies Visibility into Advanced Threats
Italy’s Fondazione Telethon is a nonprofit organization with headquarters in Rome and Milan. Founded in 1990, Telethon fosters research that leads to cures for rare genetic diseases. The organization prioritizes its focus on diseases that are so rare that they do not attract sufficient research investment. It then matches Italy’s top researchers with the most promising projects and promotes public involvement through a television fundraising marathon, a partner and volunteer network, and other initiatives.
Protecting Sensitive Data and a Stellar Reputation
Security at Telethon is critical because of the large amount of sensitive, high-quality research and medical data it handles. In addition to requiring information safety and business continuity, Telethon has a strong reputation for excellence. Any security breach could cause irreparable damage to its future fundraising campaigns and limit its ability to support research.
Today’s cyber threats are escalating and exposing Telethon to significant risk. Telethon needed a threat protection solution that could secure its network at the edge. Email protection was also crucial, since email is a primary attack vector. It needed better insight into cyber threats to analyze attacks, infections, and impact. Telethon also wanted to improve visibility and incident analysis capabilities.
Gaining Virtualized In-Depth Protection
To defend its network against advanced threats, Telethon evaluated several possible solutions. After careful consideration, it chose Check Point. Through Grafidata, a trusted Check Point partner in Rome, Telethon implemented Check Point virtual appliances, which are completely hardware-independent. Telethon implemented Check Point Software Blade architecture, initially using the Firewall, Intrusion Prevention System (IPS), URL Filtering, and VPN Software Blades. This deployment gave Telethon integrated security for its network gateway, connections to remote locations, web security enforcement features, and intrusion prevention.
Later, it added Application Control for creating granular security policies, Anti-Bot Software for defending against bot and C&C communications, and the Antivirus Software Blade to defend against incoming malicious files.
“Check Point solutions give us 360° security and have proven to scale up to any situation,” said Marco Montesanto, Head of Information Systems at Telethon. “The Check Point products are very flexible and adaptable to any business need, giving us an important competitive edge.”
Fondazione Telethon Supports Its Mission with Added Protection
The Australian non-profit is a community service organization that helps people regain their independence. More than 3,500 staff members work across Australia on initiatives that include affordable housing, reducing homelessness, early learning and youth services, family support, employment, and skills development.
Securing the Azure Cloud
Moving mission-critical applications to the cloud can be a major undertaking for even large enterprises. For a non-profit with a lean IT team, moving applications and data to the cloud and securing them was essential to its goals. The non-profit’s Architecture and Engineering teams had launched the first phase of a cloud-based project designed to improve access to the organization’s CRM application. Much of the CRM data is sensitive, relating specifically to the organization’s clients.
“We’re moving to the cloud to give our staff improved accessibility to the applications they need,” said the Infrastructure Architect at the Australian non-profit. “As we implement our cloud strategy, we also need to build security around users, instead of devices, to better protect data.”
The non-profit chose Microsoft Azure, an enterprise-grade offering for its cloud computing infrastructure and wanted to implement the highest level of security possible to protect applications and data. The team looked for a security solution that delivered intelligence, simplicity, and manageability. According to the architect, the traditional approach of the Microsoft cloud using the built-in controls of port groups and static firewall rules was just not sustainable over time for the small IT team. The organization also needed scalability with cost-effectiveness.
Finding Check Point CloudGuard IaaS for Microsoft Azure
“The standard Microsoft approach didn’t work for our security approach,” said the architect. “We wanted a smart firewall with high availability deployed between the Internet and our servers. We didn’t want our servers accessible directly on the Internet.”
As the team researched the firewall vendor landscape, they found that some of the firewall vendors didn’t have offerings for Azure. Others couldn’t provide supporting information about how to integrate with Azure. Still others lacked experience, being new to the security industry. When they discovered the Check Point CloudGuard IaaS for Microsoft Azure solution, it caught the team’s attention.
“I had worked with Check Point products in the past, and our network architect was familiar with Check Point,” the architect said. “The brand familiarity gave us confidence, so we began testing the solution and that’s what we chose.”
Check Point CloudGuard IaaS for Microsoft Azure extends security to the Azure cloud infrastructure with the full range of protections delivered by the Check Point’s industry-leading threat prevention architecture. CloudGuard IaaS for Microsoft Azure prevents network attacks and data breaches while enabling secure connectivity to Azure public cloud environments. As the team began to deploy Check Point, they quickly realized that they had to change their application design, because of the way Azure works.
“We were pushing the envelope in Australia by deploying in Azure,” the architect explained. “Very few organizations had deployed both internal and public-facing services in Azure, especially with a security appliance deployed in the middle. That integration was challenging, blazing a new trail with little reference deployments or knowledge to draw upon as no one had done it before.”
Australian Non-Profit Secures Its Microsoft Azure Cloud
Ultima Business Solutions provides end-to-end IT services and solutions to customers in the United Kingdom. The company’s “cloud-first” focus helps customers securely migrate to the cloud with best-of-breed technologies, consulting, and managed services—freeing them to focus on their core businesses.
We Use It First
Ultima uses new solutions and technologies itself before recommending them to its customers. That strategy has paid off over the past 25 years as customers repeatedly turn to Ultima as their trusted advisor. Ultima also is a Check Point partner and has used Check Point firewalls, endpoint security solutions, and other technologies to secure its own business, as well as its customers’ organizations.
As the company moved its operations to the cloud, it wanted to extend protection to its mobile devices. When salespeople and consultants were in the office, devices were well protected through Ultima’s on-premises firewall and other security solutions. When users returned to the office from being in the field and the on-premises solutions detected malware, they would alert the security team, which could remediate the device. But when users were out in the field, the security team had no visibility into these devices. Even more worrisome, users weren’t aware if their devices were being attacked, because there were few obvious symptoms.
“We know of the advanced threats that our devices face when they leave the office,” said Chris Watkins, Solutions Architect in Security at Ultima. “We needed visibility into what’s going on with them and the ability to extend the same level of on-premises protection to them in the field.”
Extending Protection with Capsule Cloud
Colin Prime-Moore, Chief Technology Officer at Ultima, and the Ultima security team collaborated to find the best way of protecting mobile devices. They chose Check Point Capsule Cloud to extend their existing on-premises Check Point capabilities to all Windows and Mac devices that aren’t attached to internal systems.
Check Point Capsule Cloud provides network perimeter security as a cloud service. Laptop traffic is sent to the cloud, where it is inspected for zero-day malware and filtered for inappropriate sites and content, and where policies are enforced and logged, giving Ultima always-on, always-updated protection for users off the company network.
The Ultima team conducted a proof of concept with Capsule Cloud, and immediately found viruses and began blocking malicious sites and analyzing suspicious files on the company’s mobile devices. It deployed Capsule Cloud through Microsoft System Center Configuration Manager and gained immediate, centralized visibility into all covered devices.
“Deployment was easy—we didn’t have to do anything,” said Watkins. “It was completely automated. Now we can protect multiple devices for 450 employees.”
Ultima Enables Employees with On-the-Go Security
Daymark architects and implements complex data center solutions providing deep technical knowledge, extensive experience, and proven methodologies to help clients make educated decisions, streamline the acquisition process, and successfully implement cost-effective solutions and service. Daymark challenges itself to continuously understand customers’ changing needs and to meet them with the right technologies. As its customers wanted to embrace cloud services with advanced security, Daymark searched for a solution that could address the security challenges of migrating workloads to the cloud.
Securing Cloud Applications and Workloads
Daymark’s business customers have begun their journeys to the cloud in order to achieve specific objectives—reduce infrastructure footprint and associated CAPEX costs, simplify management, accelerate service delivery or improve application performance. Daymark had chosen Microsoft Azure as its cloud delivery platform because it met the broadest range of customer requirements, was enterprise-ready and easy to use. About the same time, Daymark was refreshing its core infrastructure platforms so it made sense that the company also adopt the cloud that it advises customers to use. Daymark began moving core assets into Microsoft Azure as well.
“We work closely with customers to help them avoid unforeseen issues while deploying complex IT solutions,” said Corey Roberts, Director of Technology at Daymark. “As we moved our environment and helped customers deploy workloads in Azure, we knew that security was a critical capability and challenge. We began looking for a solution.”
Visibility and Protection Inside The Cloud
Daymark’s intellectual property—its documentation and processes—are critical assets. The company needed to protect these assets together with customers’ cloud data. Protecting the perimeter with advanced threat prevention, data leak prevention and intrusion prevention was essential. Customers also were experiencing malware and ransomware in their cloud environments. At the same time, the Daymark team needed much better visibility into the Azure environment for troubleshooting, forensics and reporting purposes. Specifically, they couldn’t see traffic that the firewall blocked or captured at the network perimeter or inside the cloud.
“We began looking at next-generation firewalls on the market,” Roberts said. “We wanted a solution that could inspect at Layers 4 through 7, deliver in-depth analytics, and prevent threats—not just detect them. It had to work with Azure, and it had to protect customers’ highly detailed, micro-segmented workloads.”
Comprehensive Cloud Security with Ease of Deployment
The Daymark team conducted extensive evaluations of next-generation firewall solutions and identified Check Point as an industry leader. After testing several solutions in the lab, the team was impressed by Check Point’s ease of use and superb visibility. They chose CloudGuard IaaS for Microsoft Azure for both on-premises and cloud environments.
The Check Point CloudGuard IaaS solution extends security to the Azure cloud infrastructure with a full range of protections offered by the Check Point Threat Prevention Security architecture, including anti-malware and zero-day protection using sandboxing technology. CloudGuard IaaS for Microsoft Azure prevents network attacks and data breaches while enabling secure connectivity to Azure environments. The deployment of Check Point CloudGuard IaaS was straightforward for the team. They deployed CloudGuard IaaS in Daymark office locations and connected them together in the Azure environment.
“During deployment, we contacted Check Point support for guidance and they were amazing,” said Roberts. “They understood the deployment from both the Microsoft and Check Point perspectives. We just dropped the license keys into our Check Point portal, rolled out the appliances, and were up and running within a day.”
Daymark Solutions Secures Its Microsoft Azure Cloud
Koch Media is a leading independent producer and marketer of digital entertainment products in Europe and North America. It distributes movies, video games, and software products, and publishes games under the Deep Silver label.
Protecting Intellectual Property—and Revenue
Koch Media is a trusted publisher and marketer for a wide range of media products, including games. Moving products through development with multiple partners can potentially expose them to risk. For example, games are unprotected code while they are being developed. If a developer is attacked, code could be lost or exposed to the world, which would mean loss of revenue and trust. Securing game code, sensitive business data, and other assets is challenging across more than 25 locations—each of which has its own security rules and policies.
In the past, Koch Media used Cisco Adaptive Security Appliances (ASA) in each location. Company locations often need to change a firewall rule to accommodate a business process. For example, when the Koch Media office in Milan needed to use a specific web conferencing solution to collaborate with a partner, the IT team had to physically go to the firewall, change the rule, and manually reconfigure the firewall. With only a Command Line Interface (CLI), the team had to work through 100 lines of code just to change one line. Because this was a manual process, it was open to human error, and requests for changes arrived daily.
Sharing large files safely also became a concern. As applications are now critical, securing ports or IP addresses is no longer enough. Koch Media needed the ability to secure the application layer, especially with assets such as game code. In addition, the IT team was seeing a growing amount of malware that its antivirus missed.
“We needed protection against zero-day threats,” said Juri Vaisman, Director of IT International at Koch Media GmbH/Deep Silver. “We also needed to centrally manage all locations and the flexibility to change rules without disrupting the network by having to reconfigure firewalls.”
Simple, Effective, and Pervasive
Koch Media already had deployed Check Point Next Generation Threat Prevention (NGTP) with multi-layered protection from known, signature-based threats. With Check Point SandBlast Zero-Day Protection, it gained real-time protection against zero-day attacks using sandboxing and Threat Extraction.
“Check Point SandBlast was easy to deploy,” said Laing Zhang, Director of Networking and Security at Koch Media GmbH/Deep Silver. “It automatically joined our secure VPNs that connect each location and gives us end-to-end protection against attackers. It also gives us a number of other controls that we needed to better secure our stock in trade—applications.”
Koch Media Levels Up Security to Protect Intellectual Property Against Attackers
This company is an independent, not-for-profit organization that has provided health care services in its state for more than 30 years. When it experienced a growing number of cyber-attacks, it quickly moved to add another layer of security.
Protecting Patient Data
Like other organizations in the health care sector, insurance companies have experienced intensified cyber-attacks within the past 12 to 18 months. Patient care data and financial data are at stake, so the company took decisive steps early in 2015 to boost its defenses. Over time, it had acquired multiple point solutions, each with its own set of capabilities. Now the company wanted to add layers of security and new features to close some gaps, such as improving Data Loss Prevention (DLP) coverage.
“We were seeing high volumes of zero-day and other advanced threats,” said the Chief Executive Security Officer (CISO) for the company. “We needed to increase our capabilities and reduce our security infrastructure support and maintenance burden at the same time.”
The company had multiple, separate firewalls for web filtering, content filtering, and Intrusion Prevention System (IPS) protection. As the CISO and his team evaluated their options, they looked at Palo Alto Networks, F5, FireEye, and several niche solutions. However, none of them offered the unique combination of comprehensive features, high scalability, centralized threat visibility, and low IT overhead that they wanted.
“We have a small team supporting a large number of technologies and programs,” the CISO said. “It was important to simplify as much as possible so that we can focus on strategic security projects instead of multiple, point solutions.”
Proof of Protection
After conducting a proof-of-concept evaluation with one other vendor, the company chose Check Point’s SandBlast Zero-Day Protection solution. Check Point SandBlast protects networks from even the most sophisticated malware and zero-day threats, using Threat Emulation sandboxing and Threat Extraction technologies.
“Check Point met our requirements of being able to consolidate capabilities into one solution,” the CISO said. “We also liked the fact that we can deploy it on premises for more control.”
The health insurance company migrated to SandBlast over several months to avoid disrupting its existing environment. It gained consolidated Check Point firewall, IPS, Virtual Private Network (VPN), DLP, zero-day protection, web filtering, and anti-bot protection capabilities in a single, easily manageable solution.
Health Care Insurance Company Boosts Its Defenses While Minimizing Complexity
A leading regional hospital in the Northeastern U.S. offers a variety of clinical services, from cardiology, critical care, oncology, and surgical procedures to fitness, wellness, and education programs. The hospital is proud to be accredited by the Joint Commission, and has received a variety of awards, including recognition by the American Nurses Credentialing Center.
“We are a community-based hospital with about 100 beds, and are highly rated, with numerous certifications and awards,” says the healthcare provider’s IT security engineer.
Protect Patient Data in an Evolving Threat Landscape
Like most healthcare providers, the hospital relies on its network to support its most important patient services and business operations. Maintaining maximum security is a top priority. Approximately 1,200 users depend on the network, and the facility is dedicated to complying with the Health Insurance Portability and Accountability Act (HIPAA) and other industry regulations.
“We send and receive a lot of sensitive information through our network and firewall, including payment processing with our business partners,” says the IT engineer. “We have concerns about data being breached, patient security, and our own security for our employees and files.”
The hospital’s IT team stays educated on the security landscape, and zero-day malware has emerged as a major threat over the past few years. According to the 2016 Check Point Security Report, the number of unknown malware downloaded per hour in 2015 was nine times greater than the previous year. The stakes are high, since even a brief security lapse could compromise business systems or even impact healthcare services.
“Our patient systems are generally separate from our patient care systems, but we are still in a connected environment,” says the engineer. “If a threat gets through, there is the potential that it could impact large parts of the network.”
The technology team understands that effective security needs to protect the network not only from external threats, but from issues that originate inside the hospital as well.
“One of our biggest worries is about what happens internally,” says the IT engineer. “A problem could arise from something as simple as a user bringing in an infected file on a thumb drive. Research has shown that oftentimes employee behavior can increase risk.”
Preventing New and Unknown Attacks Before They Strike
The hospital has employed Check Point security solutions for years, and depends on redundant 12400 Appliances to provide complete, high availability protection against evolving threats.
To help the organization complement its firewall and IPS solutions, Check Point recommended the cloud-based SandBlast Threat Emulation Service. This convenient, zero-day sandboxing solution not only offers the protection the healthcare provider requires, but is simple to set up and manage.
“I like the cloud-based service because Check Point can take care of it and keep the environment up to date better than we can,” says the IT engineer. “That eliminates the worry of having to maintain OS upgrades, patches, and other updates. And we can still configure the rules, so we can control it the way we want to and use it the way we want to.”
The Check Point SandBlast Threat Emulation service lets the hospital discover and stop new threats and zero-day attacks using emulation in a virtual sandbox. The solution focuses on email attachments and file downloads, and works smoothly without impacting the hospital’s existing environment.
“Our SandBlast Threat Emulation runs in the cloud, and I have to say it’s fast,” says the engineer. “It examines about 1500 files a day, and you would think that there would be a delay, but we tested it, and the performance is fine.”
Next-Generation Prevention, Protection, and Performance
For additional protection against external threats, the regional hospital also relies on the Check Point IPS Software Blade, which combines with the other capabilities on the 12400 Appliances to deliver proactive, best-of-breed security. Its advanced monitoring provides deep insight into attacks, their targets, and their sources.
Simple, Complete Security Management
The healthcare provider has a small technology organization, and making the most of its limited resources is important. The Check Point solution includes central unified management that gives the IT team complete control over their entire security environment from a single, intuitive dashboard.
Regional Hospital Protects Critical Healthcare Data and Improves Compliance
Ensuring a Clean, Safe Water Supply
The Hunze en Aa Water Resource Board is responsible for ensuring that communities in eastern Groningen and northeastern Drenthe, the Netherlands, enjoy access to sufficient, clean water. The water resource board also builds and maintains dikes to protect against flooding, and ensures that waterways are navigable. It’s a challenging responsibility, because much of the area is below sea level, and pumping stations regularly pump high water into the Wadden Sea.
In this sensitive environment, maintaining robust security is essential for the board—particularly for its Supervisory Control and Data Acquisition (SCADA) systems. Even a short network downtime could jeopardize the safety and lives of people throughout the region.
Protecting Water Management Environments for Compliance and Reliability
To help ensure safe operation of its pumping stations and other key systems, the Hunze en Aa Water Resource Board needed a solution that was reliable and provided complete control. The water resource board wanted to minimize risks in its SCADA environment and replace its eight-year-old, mixed environment of security tools with a central, manageable solution.
“The Information and Communications Technology (ICT) team is responsible for both office IT and industrial process automation, in particular the technical management of the applications and connections,” says Rudi Boets, Head of the ICT Team at Hunze en Aa’s Water Resource Board. “We ensure that the SCADA systems can send their data to the main entry system via the VPN connections. The managers can then consult the data by means of visualization.”
The Board was also looking to improve compliance with guidelines from the Baseline Information Security Water Board (BIWA). This Dutch water board union has established recommendations to secure utilities’ physical environments as well as digital information.
The stakes were high, and the water board needed a solution that could provide thorough protection against today’s advanced threats.
“Imagine that a large pump in one of our pumping stations suddenly goes off-line,” says Boets.
“In such a case, we run the risk that a large area will be flooded. That could lead to life-threatening situations and major economic damage.”
Delivering Full Visibility
To gain the network insight and security it needed, the Board decided to implement a total upgrade of its network environment. After evaluating a variety of products, the organization deployed Check Point 12400 NGTX Appliances with SandBlast Zero-Day Protection. The appliance-based solution helps the Board increase visibility into its SCADA application data. Check Point helps the water resource board reduce the risks in its SCADA environment to a minimum and replace its mixed assortment of old security tools with a central manageable cluster.
“During the proof of concept phase, the Check Point solution was the best of the bunch when it came to monitoring and developing an inventory of SCADA traffic,” says René van Hes, System and Network Manager at Hunze en Aa’s Water Resource Board.
Consolidating for Control
Check Point 12400 Appliances offer a complete, consolidated security solution available in five Next Generation Security Software Blade packages. Migrating from its outdated multi-vendor environment to a consolidated solution also helps the Board enhance control over its network environment.
“We wanted a security solution with a central control option,” says Van Hes. “Above all, it had to have more functionality than our existing solution. When it came to making a choice, we paid attention primarily to how our various tools could be combined in a single solution. The central control feature is very clear, which makes our work a great deal simpler.”
Powering Sophisticated Threat Prevention
At the outset of the deployment, Check Point and its partners performed a Security Checkup, then tested the solution for three weeks on the organization’s network.
The process involved activation of all the appliance’s software blades, as well as the cloud-based SandBlast Threat Emulation Service to protect against zero-day and unknown malware. Using the SandBlast sandboxing capability to analyze files, the water resource board is able to secure its network against more sophisticated malware that might bypass traditional security solutions such as antivirus.
Ensuring Consistent Compliance
Hunze en Aa’s Water Board deployed the Check Point solution to free the organization from its legacy security systems. The new solution delivers the granular visibility and control it needs, as well as the advanced security required to meet demanding BIWA standards—while also ensuring optimum security for its SCADA systems.
Dutch Water Resource Board Enhances Network Security and SCADA Systems
Headquartered in Topeka, Kansas, SE2 provides third party administration services to life and annuity insurance carriers, helping them launch products rapidly, improve efficiencies and maximize profits while improving the customers’ experience and enabling a shift to a variable cost model.
There Has to be a Better Way
Insurance carriers maintain large stores of sensitive client information, financial data, and proprietary analysis information. But as competition increases, many carriers are turning to third party administrators (TPAs) to reduce costs, improve customer service, and become more agile.
“We’re definitely growing,” said Saul Schwartz, Enterprise Security Engineer at SE2. “As our customer base grows, so does the amount of sensitive financial data that we have to protect. We’re responsible for multiple carriers’ business-critical data, so defending it is a top priority.”
Keeping up with new threats was a constant challenge, consuming a significant portion of the security team’s time. Every day they monitored logs, reviewed events, and simultaneously tried to advance new security projects. But it never seemed to be enough. Schwartz was spending tens of hours every week triaging alerts and instructing technicians on virus and malware remediation. SE2 had an existing sandboxing solution, but it took up to 10 minutes to alert the team after malware hit a workstation. By then, it was too late to stop, resulting in additional effort to remediate any impact.
“I don’t want to have to explain to my CIO that we’ve just had a million life insurance policies made inaccessible by cryptolocker,” said Schwartz. “That’s one of my biggest concerns. And it’s why I began looking for a better threat emulation (sandboxing) solution.”
Schwartz’s list of requirements included faster emulation—as close to real time as possible. He wanted a way to block threats, instead of just alerting him after the fact. He also wanted to consolidate everything to a single pane of glass, eliminating the need to manage multiple appliances and policies. List in hand, he and his team began evaluating alternative solutions.
A Simple Ounce of Prevention
The security team tried several solutions, including Check Point SandBlast. To compare them, Schwartz ran the solutions simultaneously in detect mode. In just one week, the competitive appliance missed several instances and failed to alert Schwartz, but SandBlast caught all of them.
“We checked with our compliance team to see if we could operate SandBlast in the cloud, and they had no restrictions,” said Schwartz. “It was so simple to activate using our existing Check Point gateway. We literally activated a license and turned it on.”
With SandBlast zero-day protection deployed, Schwartz gained superb threat prevention capabilities. He no longer has to spend time tracking down alerts, because machines are not being infected, and he rarely has to activate the incident response plan anymore.
SE2 Insures Itself Against Advanced Threats.
The Community Newspaper Group’s (CNG’s) seventeen regional newspapers and associated websites provide readers in Western Australia with the latest local news, sports, entertainment and more.
No Time for Downtime
More than 700,000 readers rely on their daily Community Newspaper Group content to stay informed about local news and events. In today’s fast-moving publishing world, readers expect near real-time information even at the local level, so downtime that affects CNG reporters and employees or the network is not an option. Advertising is still the primary revenue source for CNG, so any interruptions that could prevent timely rollout of physical or online editions translate to lost revenue and potentially dissatisfied clients.
Until recently, Community Newspaper Group protected end-user systems and digital assets with Trend Micro and Microsoft security solutions. However, the software was aging, and IT needed better visibility into threats. The existing solutions required IT to navigate multiple dashboards to gather data from various areas of the network and then piece together a picture of what was happening.
“Visibility is everything,” said Michael Brine, Infrastructure Manager, Community Newspaper Group. “If you know about a problem, you can do something about it. But we suspected that there were vulnerabilities and events we didn’t even know about.”
Beyond Basic Protection
At the start of his search, Brine evaluated multiple security vendors in search of a new antivirus solution. At this time, he also looked to upgrade his existing Check Point Firewall and chose Check Point’s 4600 Appliance with Next Generation Threat Prevention. It was then that Brine learned about SandBlast Agent for endpoint security. His task of selecting the right advanced endpoint security solution became much simpler.
Having had great experience with Check Point Threat Prevention solutions on the network side, Brine felt confident that SandBlast Agent was the right choice to provide the deeper level of protection and visibility into threats on his endpoints that he needed.
Advanced Endpoint Protection
CNG chose Check Point SandBlast Agent to protect the company’s desktop and laptop systems. SandBlast Agent uses a complete set of advanced endpoint protection technologies to secure CNG’s users from threats, regardless of whether they are connected within their corporate network or working remotely.
Community Newspaper Group has seen an increase in attacks that use social engineering techniques such as phishing to deliver malware, including recent ransomware. SandBlast Agent helps CNG detect and block these attacks, whether originating from email, removable media, or web-based threats. By blocking any command and control communications, it also limits damage in case of infection, by preventing movement of sensitive information externally and restricting spread of the attack to other systems.
Community Newspaper Group relies on the Threat Emulation capability within SandBlast Agent to discover malicious behavior—even new, unknown malware and targeted attacks—preventing infection by quickly inspecting files in a virtual sandbox. It even uncovers threats hidden in SSL and TLS encrypted communications, while providing protection for the various file types used to share information at CNG, including Microsoft Word and Excel and Adobe PDF.
Files that look suspicious are flagged for deeper analysis. Threat Emulation sandboxing detects and stops attacks before they have a chance to evade detection, preventing systems from becoming infected. In cases where new malware is discovered, Threat Emulation sends a signature to the Check Point ThreatCloud database, which documents and shares information on the newly identified threat.
Improved Threat Visibility
SandBlast Agent’s forensics capability gives Brine and his team a deeper understanding of security events by automatically generating an incident report when any abnormal activity is tracked on any of their systems. The report summary provides actionable attack information, including evidence of malicious events, attack entry point, elements used in the attack, scope of damage, and data about devices that are infected. The combination of having the relevant attack diagnostics and visibility enables Brine and his team to respond quickly and remediate their systems in the case of a security event.
Community Newspaper Group Gives Threats Nowhere to Hide
Terma provides mission-critical solutions for aerospace, defense, and security customers. Based in Denmark, Terma operates subsidiaries around the world and has 1,300 employees.
Securing Mobile Connections to Corporate Resources
Security is paramount when developing and customizing components for complex defense systems like military aircraft, radar, and surveillance. Not only do Terma employees routinely work with highly confidential information, the company must also meet customers’ specific security requirements before they can collaborate on projects. As a result, Terma’s IT team implemented multiple layers of security—such as firewalls, filters, encryption, and others—to protect devices and information in all of its product areas. When mobile devices became essential to employees, Terma needed to ensure that the devices and remote connections to corporate assets were just as secure as desktop systems and connections.
“Customers must be able to trust that we handle all information securely,” said Jørgen Eskildsen, Chief Information Officer at Terma. “We choose best-of-breed solutions to meet different security needs. This is why we considered Check Point Capsule Workspace.”
Terma has used Check Point solutions as part of its security toolbox for many years. When it came to identifying a solution for securing mobile access to data for its 600 mobile users, Terma chose Check Point Capsule Workspace (Workspace).
Simplifying Mobile Protection
“We chose Workspace to meet three requirements,” said Eskildsen. “We were looking for a product to provide security, good usability, and ease of maintenance.”
Workspace includes a secure container that isolates corporate data on iOS and Android mobile devices. It provides users with one-touch access to corporate email, calendars, contacts, documents, and applications, and it enables remote access to internal corporate resources. For IT, Workspace encrypts business data and applications seamlessly to ensure secure access for authorized users.
Terma liked the Workspace architecture because, unlike competing solutions, it communicates directly with Terma’s existing Check Point firewall. Shared trust certificates on devices and the Check Point firewall eliminated the need for a synchronization server in the DMZ to ensure secure connections from the DMZ to the internal system and back to mobile devices. The direct connection reduced potential points of failure while improving the user experience by making data access faster and more efficient.
“We tested Workspace for several weeks,” said Eskildsen. “Then one of the IT team members allowed a sales manager to use it, and we quickly realized the product’s outstanding usability. That made our decision to move forward easy.”
Terma Boosts Mobile Security and IT Productivity
Opticians Gain Top-End Capabilities and Protection
Optix is the leading provider of practice management software for optical professionals in the U.K. Optix solutions are designed for cloud delivery, enabling opticians to securely access and use management, clinical, and administrative capabilities online. More than 800 independent opticians rely on Optix for seamless, leading-edge capabilities to take their practices to the next level of efficiency.
As healthcare providers, opticians treat patients and have the same requirements for managing patient, scheduling, and clinical data as other healthcare providers. Ensuring patient privacy and meeting other compliance regulations are critical. As businesses, they also need business and administrative tools for stock control, payment, ordering, and marketing. More than 800 opticians in the U.K. turn to Optix solutions to gain high-quality practice management tools without the worries of having to deploy, manage, upgrade, or support IT equipment and applications themselves. From single-doctor practices to global retail organizations with optical services departments—all need secure management, clinical, and administrative capabilities.
When Optix began delivering cloud-based services almost a decade ago, Secure Socket Layer (SSL) protocol sufficiently protected connections. However, SSL is no longer enough to secure patient, clinical, confidential business, and payment information. Optix began looking for a more secure way to connect each doctor to the Optix cloud.
“Our customers need as much throughput as they can get,” said Trevor Rowley, Managing Director at Optix Business Management Software. “We wanted to provide a secure connection without excessive overhead and have the ability to manage and support connections ourselves.”
Securing a Solution
Optix evaluated a number of security solutions for small and medium-sized businesses, but either they were not robust enough, or they lacked features that allowed Optix to easily manage hundreds of connections.
“We are committed to using top-drawer networking solutions from vendors that we can trust,” said Rowley. “Check Point is a leading security vendor, and so we turned to their offerings and chose Check Point 700 Appliances. The Check Point Small Business Appliances give us enterprise-grade security in an all-in-one security solution.”
The Check Point 700 Appliance is designed specifically to protect small business employees, networks, and data from cyber threats through integrated, multi-layered security in a quiet, compact desktop form-factor.
Optix uses the firewall, Virtual Private Network (VPN), Intrusion Prevention System (IPS), and URL filtering capabilities to secure connections with its clients. When an optician subscribes to the Optix service, Optix pre-configures the appliance using the Check Point Zero-Touch Configuration feature before sending it to the optician’s practice. The client simply plugs it in. Optix also uses the Check Point Security Management Portal to manage all of the appliances. The Security Management Portal provides a central management and service-provisioning platform for zero-touch operations. An intuitive web-based user interface enables Optix to deploy client appliances remotely, eliminating the need to travel to each client location. The Optix team can easily view and edit service plans, clients, VPN connections, and security policies in seconds—even for hundreds of appliances.
Optix Protects Clients’ Business Data While Gaining Visibility
Gaining In-Depth Threat Defense—and Peace of Mind
Samsung Research America is a wholly owned subsidiary of Samsung Electronics Company. The organization researches and builds new core technologies to enhance the competitive edge of Samsung products. Headquartered in Silicon Valley, Samsung Research occupies locations in key technology centers across North America.
Securing Devices In the Wild
As an industry-leading manufacturer of consumer electronics, Samsung is committed to forward-looking innovation and bringing new products to market ahead of competitors. An extensive portfolio of patented intellectual property forms the core of Samsung innovation. Human resources, legal, and research and development employees routinely work with confidential product plans and proprietary information. The last thing Samsung needs is leaked confidential information, which could significantly compromise its market advantage and the company’s bottom line.
Like many organizations, Samsung employees increasingly work on smartphones, tablets, and their own devices. The IT team must support approximately 800 corporate-owned and 400 employee-owned devices. A couple of years ago, Steven Lentz, CISSP, CIPP/US, Director Information Security at Samsung Research America, recognized the potential security threat to sensitive information on mobile devices.
“Mobile devices don’t operate behind a security infrastructure like corporate PCs, laptops, and servers do,” said Lentz. “Mobile devices are out in the wild, creating potential security issues and enabling malware to enter the network. There’s no mobile firewall to prevent cyber threats from getting in through emails and apps.”
Lentz viewed the problem from two sides. First, he wanted to proactively prevent data leaks from mobile users. Second, he wanted to defend against cybercriminals trying to break in from the outside via phishing emails and other tactics. He set out to find a solution that would meet rigorous requirements.
A new solution had to guarantee that no compromised device could get on the corporate network to begin with, nor could any compromised device access company applications and sensitive data. Once a clean device is allowed on the network, it must be defended. Lentz also needed to protect devices with multiple operating systems, and he needed a way to integrate protection with Samsung’s existing AirWatch by VMware mobile device management (MDM) and Splunk security information and event management (SIEM) platforms. Integration was essential to enabling full visibility of mobile threats and automatically enforcing security policy across the enterprise.
“Defense in depth is needed because traditional antivirus is not enough for advanced threats,” explained Lentz. “We needed multiple layers of protection and critical features like application-based malware coverage, enterprise integration, and zero-day malware firewall protection for mobile devices.”
New In-Depth Protection
Lentz and his team considered numerous consumer and enterprise antivirus products, but they all fell short. Next, they talked to peers and began evaluating vendors that provided solutions for advanced threats, one of which was Check Point. During a demo, Check Point SandBlast Mobile quickly identified several mobile devices that had malware infections. SandBlast Mobile provides multiple layers of defense against exploits, targeted network attacks, mobile malware, and commercially available mobile remote access Trojans (mRATs) that enable spyware and data theft. Samsung chose SandBlast Mobile for its ability to protect devices from app-based zero-day malware and other threats.
“Check Point had more up-to-date information and automated delivery of the latest malware-related intelligence,” said Lentz. “Check Point SandBlast Mobile offers the closest thing to zero-day detection on mobile devices. I like it when a product does what it is supposed to do—and more. Check Point did exactly that.”
SandBlast Mobile also integrated seamlessly with the VMware AirWatch enterprise mobile management (EMM) and Splunk security information and event management (SIEM) platforms. Samsung gained comprehensive visibility into mobile threats and automated enterprise-wide security policy enforcement.
Protection in Action
Check Point SandBlast Mobile defends against threats on devices, in apps, and in the network, many of which use phishing emails, text messages, and browser downloads to attempt entry. It correlates and analyzes device, application, and network information in the cloud to deliver real-time threat intelligence.
The Check Point solution runs a copy of the mobile app without data in a sandbox environment to see if it operates suspiciously. It performs advanced code analysis on the network communication link without actually inspecting the data. Check Point also applies behavioral heuristics for advanced rooting and jailbreak protection. If a user downloads something malicious and Check Point identifies it as malware, it notifies the MDM system to quarantine the device, removes the security profile from the infected device, and prevents the device from accessing the corporate network.
Fast, Straightforward Deployment
“The deployment took just 3 weeks,” said Lentz. “We deployed SandBlast Mobile on the network and automatically activated it on devices using our MDM. It’s easy for administrators to manage.”
Samsung Research America Secures Intellectual Property from Advanced Mobile Threats
SF Police Credit Union (SFPCU) serves more than 34,000 members. The organization offers a full set of financial services, including loans, savings and checking accounts and insurance and investment products. Founded in 1953, the SFPCU has grown to over $760 million in assets.
Like most financial institutions, SFPCU takes security extremely seriously. Even a brief lapse in security can expose its members’ most important financial data, damaging the credit union’s reputation and creating liability risks. Compliance with government and industry organizations such as the National Credit Union Administration (NCUA) is also critical. “If we fall out of compliance with the NCUA, we risk losing our rating and, in extreme cases, regulators can take over operations to resolve the failed corporates,” says Victor To, Director of Network Security at SFPCU.
Although the SFPCU’s firewall had provided adequate protection for ten years, an internal audit showed that the aging system had major compliance issues.
“The previous legacy firewall lacked a good reporting system, and we had no management transparency,” says To. “This made my job really difficult when I needed a security posture report.”
SFPCU needed to upgrade to a security solution that could deliver:
The Check Point Solution
Check Point Next Generation Threat Prevention is a unified next generation solution that gives SFPCU comprehensive threat protection to keep sensitive member and company data safe. And the solution supports detailed reporting that’s essential for regulatory compliance. Check Point Partner Dataway worked closely with the credit union to build a solution that was optimized to provide protection against a wide range of external and internal threats, plus secure connectivity for the firm’s mobile workforce. Having a complete solution running on one platform gives the credit union complete peace of mind, and helps the firm save money on management.
Complete Protection Against Sophisticated External and Internal Threats
To enhance security across its organization, the SFPCU replaced its legacy firewall with the Check Point Next Generation Threat Prevention solution at its headquarters as well as at a branch site. The solution is packed with an array of Check Point Software Blades to safeguard the network perimeter and to fight today’s advanced threats, like bots and malicious emails, and to deliver proactive intrusion prevention. The solution also helps the credit union control remote access and gain visibility into internal network traffic through unified management and monitoring.
“The Check Point Data Loss Prevention (DLP) Software Blade helps alert us about activities that could be overlooked, like transmission of account information over email,” says To. “Check Point can discover and block these events. It generates a report to alert an administrator, who can educate employees about best practices. Our previous solution didn’t support this capability.”
Detailed Security Reporting Enables Full Regulatory Compliance
The SFPCU had to meet specific guidelines to safeguard its information and demonstrate the effectiveness of its security systems to government and industry auditors. The Check Point Next Generation Threat Prevention solution delivers up-to-date reporting that the credit union’s IT staff can use to document its security best practices.
“Since the financial crisis in 2008, auditors have been examining financial institutions’ IT security much more closely,” says To. “We didn’t have strong reporting mechanisms in the past. The Check Point solution provides a foundation for my reports, so we can stay in compliance.”
Simple, Complete Security Management
The Check Point solution lets SFPCU monitor and manage all of its security via a single pane of glass and a single intuitive interface. This streamlined management is especially beneficial to the credit union’s small IT staff, which can save time by rapidly drilling down and examining security issues that occur.
“Check Point gives us a single dashboard view that lets us quickly zero-in on critical threats and events,” says To. “Having a solution that’s easy to manage is also hugely helpful when we have staff augmentation. We can train them to use the dashboard easily, without a major learning curve, so they can get started fast.”
Check Point Next Generation Threat Prevention Software Blade Solution
Independence Care System (ICS) operates a nonprofit Medicaid managed long-term healthcare plan serving residents in the New York City area. Founded in 2000, the organization supports more than 6,000 adults with physical disabilities and chronic conditions. The 350 ICS employees are committed to serving members whose needs are unmet in other long-term care facilities.
For Independence Care System, safeguarding the integrity of its network and member records is a sacred trust. The nonprofit organization works closely with local healthcare providers to serve members of the community with severe disabilities or mobility issues. To protect member privacy, as well as its own reputation, ICS has made regulatory compliance a top business priority.
“If we’re not compliant with the Health Insurance Portability and Accountability Act (HIPAA), we risk being heavily fined,” says Felix Castro, Director of IT at ICS. “And whenever you have a compliance issue, such as a security breach, you have to report that to your members, which impacts their confidence in us. These people are giving us their data, and they expect us to keep it safe. Security has direct business implications for us.”
Maintaining business continuity is also crucial for ICS, because the organization relies on its network to support its most important business applications throughout its five locations.
“If our network goes down, it takes all of our business processes down with it,” says Castro. “All of our appointment and scheduling systems are network-based, and they contain all of our member records, prescription information and physician information. Our network is simply mission critical.”
To meet these needs, ICS was seeking a complete security solution that would simplify regulatory compliance, and protect the organization against security threats that could impact network performance. The solution would have to be easy to expand and modify to meet changing needs, and provide centralized management to simplify and streamline network administration for the firm’s IT staff.
The Check Point Solution
ICS has an ongoing initiative to be 100 percent HIPAA compliant, and is continually looking at ways to improve the security and manageability of its network. As part of this initiative, the firm decided to replace its aging firewalls with Check Point 4600 and 2200 Next Generation Security Appliances. ICS added a full array of Check Point Software Blades to protect the organization against suspicious web threats, viruses, bots and other security issues. Each appliance also includes the Check Point Compliance Software Blade, a dedicated solution to help ensure compliance best practices.
Best Practices and Deep Visibility for Compliance
The Check Point Compliance Software Blade monitors management, software blades and security gateways to constantly validate that the ICS Check Point environment is configured in the best way possible. Designed specifically for environments where industry or government compliance is a top concern, the blade provides 24/7 security monitoring, security alerts on policy violations and out-of-the-box audit reports.
“Our compliance software blade brings together all the best practices we need for HIPAA compliance,” says Castro. “We have hired security consultants to audit our network, and they have advised us that the fact that we own and use the Compliance Software Blade is a major plus.”
To further enhance its proactive threat protection, ICS is also adding the Check Point SmartEvent Software Blade to its solution. SmartEvent correlates events on the firm’s network for greater visibility and faster remediation.
“SmartEvent will help enhance our compliance,” says Castro. “We can identify patterns and alert specific IT staff if a security issue occurs. We need to be able to report when a security issue occurs, and what our remediation was.”
Highest Level of Business Continuity
Without dependable network performance, ICS would quickly grind to a halt. To maintain the highest level of business continuity, the organization employed a resilient, cost-effective architecture that can quickly recover in the event of a gateway outage.
“We are a nonprofit organization, and it would be costly to license a separate Compliance Software Blade at each site,” says Castro. “So I decided to virtualize it so that I can replicate it to my other sites. My biggest concern had been the ability to manage a gateway in the event my links go down. This solution takes care of the issue, and we have been very happy with it.”
Simple, Complete Security Management
Centralized management was a top objective for ICS, and the Check Point solution lets the organization monitor all of its activity from a single dashboard. This consolidated view helps Castro and his team to spot potential issues faster and fix them before they impact the rest of the organization.
“With Check Point, I have one set of logs for all the different departments in our organization, so I can see what the trends are,” says Castro. “For example, if a specific office is streaming lots of video, I may want to cap the bandwidth in that office. Check Point gives me great visibility into what is happening across the organization. I didn’t have that before.”
Check Point Next Generation Security Appliances and Compliance Software Blade Solution
Hotel Nikko offers 532 guest rooms for business and leisure travelers. The luxury hotel, located in San Francisco’s Union Square, offers rich amenities, including an expansive heated indoor pool, meeting and event space, an elegant restaurant and a 24-hour fitness center. For over 25 years, Hotel Nikko has hosted weddings, galas, major fundraisers and other special events. Hotel Nikko received the prestigious Four Diamond Award from AAA and a four star rating in the 2013 Forbes Travel Guide.
One of San Francisco’s premier hotels, Hotel Nikko prides itself on its exceptional service, appealing amenities, and comfortable guest rooms. Located in historic Union Square, the hotel offers 532 guest rooms for business and holiday travelers. Like most hotels, Hotel Nikko relies on its network to support guest services, reservation systems, property management, and other critical business operations. Keeping the network safe and secure is key, and even a brief outage means lost revenue, disappointed guests and damage to the hotel’s reputation.
“Our goal is to provide the best possible service to everyone, from guests to employees. You can’t provide superior service without investing in superior solutions,” says Manuel Ruiz, Director of IT, Hotel Nikko.
Although Hotel Nikko had a firewall in place from another vendor, the device was difficult to manage and provided only limited protection against today’s sophisticated network threats. When a virus invaded the hotel’s network and impacted some of its most critical business systems, Ruiz and his team knew that they needed more complete security.
“If any of our network systems go down, it’s chaos — and big time revenue losses,” says Ruiz. “People don’t want to wait for you to fix your network so they can make a reservation. We had to protect our brand and meet our customer expectations.”
Hotel Nikko was seeking a complete security solution that would identify and mitigate the latest online threats — all in a single solution that was easy for its IT team to set up and use.
The Check Point Solution
Following a colleague’s recommendation, Ruiz installed and evaluated a Check Point 4200 Appliance to gain better visibility into the state of the network. “The management console gave us a level of visibility that we had never had before,” says Ruiz. “It was like someone turning on a light in a dark room. You don’t realize what’s really happening on your network unless you have that kind of visibility.”
Working closely with technology partner Dataway, Ruiz deployed a Check Point Secure Web Gateway Blade Solution. This comprehensive security solution gives the hotel real-time, multi-layered protection against web-borne malware, plus advanced granular control and intuitive, centralized management. Dataway helped the hotel define and implement the policies it needed, and fine-tuned the services for the best combination of performance and security.
Real-Time, Multi-Layered Protection
The Check Point Secure Web Gateway goes well beyond Hotel Nikko’s legacy security device to provide next-generation protection. A full array of Check Point Software Blades provide protection against viruses, bots, malicious web content and other external and internal security issues.
“Our previous device was basically just a firewall,” says Ruiz. “With Check Point, we can take advantage of all kinds of filtering for all layers. Using the different software blades, the protection is virtually unlimited. And our clustered environment gives us complete business continuity, so the network is never down.”
Simple, Complete Security Management
With the Check Point solution, Hotel Nikko can gain deep insight into all network activity with a single, easy-to-use dashboard interface. Instead of spending time tracking down network issues, Ruiz and his team can focus on improving performance and delivering a better experience for guests and employees.
“The dashboard is very intuitive, and really saves us time,” says Ruiz. “I can go to the application filtering window and it will show me right away if we have any network issues. I can do the same thing with DLP, IPS, and threat prevention.”
Flexible Solution That’s Built for Growth
The threat landscape is constantly changing, and Hotel Nikko wanted a solution that could evolve and grow when new challenges emerged. With Check Point’s extensible Software Blade architecture, the hotel can expand its security services whenever it’s ready — without purchasing expensive new hardware or making management more complex.
“The Check Point Software Blade architecture lets me consolidate multiple disparate systems on a single platform that’s easy to scale when our needs change,” says Ruiz. “It’s much easier than going through multiple vendors and purchasing, deploying, and configuring different devices.”
Hotel Nikko SF Uses Secure Web Gateway
The Melbourne Convention and Exhibition Centre (MCEC) hosts more than 1100 events each year, including meetings, conventions and exhibitions, concerts, tradeshows and gala dinners. MCEC’s range of in-house technology across lighting, audio, vision and IT creates memorable experiences for event attendees. MCEC offers the latest IT networking capabilities for both fixed and wireless telecommunications and computing.
Providing reliable public wireless Internet service to thousands of visitors daily, MCEC required network security and control over content and applications, without being overly restrictive. MCEC needed a solution that would:
The Check Point Solution
The Check Point Software Blade Architecture meets the need for a reliable, secure public network.
Managing network service through application control
MCEC required a solution that would ensure a secure wireless environment for thousands of users. The Check Point Application Control Software Blade allows MCEC to modify the online applications available to users at different times, helping manage the bandwidth consuming apps to control costs and keep the service available for all users.
Software Blade Architecture consolidates technologies, creating simplicity and flexibility
The Check Point Software Blade Architecture allows MCEC to run the many features of multiple software blades from a single device, enabling the company to simplify and reduce management time while maintaining high levels of security. “The other solutions we looked at couldn’t offer us the option of consolidating all our appliances, which would have resulted in wasted management time.” – Daniel Johnston, Information and Communications Technology Manager, MCEC.
URL filtering protects and enables granular web control
MCEC needed to put controls in place to protect online users while still allowing visitors access to information that was relevant to their jobs. With up to 10,000 visitors at the venue at any given time from a wide variety of industries, many users needed access to sites that were traditionally restricted or blacklisted. The Check Point URL Filtering Software Blade has allowed MCEC to enforce inspection of all traffic.
Melbourne Convention and Exhibition Centre: Check Point Gateway and Management Appliance with Software Blades
Courtagen Life Sciences, Inc. offers innovative genomic and proteomic products and services for physicians and the diagnostics industry. Its tools and resources help clinicians make better decisions regarding patient care. Founded in 2012, Courtagen is privately-held and based in Woburn, MA.
Courtagen Life Sciences has decades of experience as a leader in genomic services. The organization is relentlessly focused on applying next-generation sequencing technology to help patients and doctors drive personalized, precision medicine. To free its staff to concentrate on this key mission, Courtagen outsources its network and communications infrastructure. Amazon Web Services plays an integral role in supporting the firm’s operations. This cloud-based solution provides agility and cost savings, along with scalability and support for users worldwide. But to be successful, the solution must also provide comprehensive security and support regulatory compliance.
“There is a great deal of scrutiny in terms of how ePHI (electronic protected health information) data is managed in the cloud,” says Timothy Olcott, Compliance Officer and Director of Manufacturing, Courtagen Life Sciences. “We needed technology partners that would meet all of the compliance and regulatory scrutiny for patient records stored in a cloud environment.”
Courtagen required a security solution that would work smoothly with its cloud environment and provide:
The Check Point Solution
With the Check Point CloudGuard IaaS for Amazon Web Services, Courtagen can extend robust security to the cloud with the full range of protection using Check Point Software Blades. Easy to set up and use, the CloudGuard IaaS is a security gateway for virtual environments in the Amazon Cloud. It lets Courtagen prevent network attacks and data breaches, while enabling secure connectivity to Amazon’s cloud computing environment, which supports the majority of Courtagen’s computing power.
Robust Security to Support Cloud-Based IT
Courtagen needed a cloud-based environment that could provide accessibility to its own employees, as well as physicians and other healthcare organizations, yet incorporate strong security to safeguard patient records and other sensitive information. The organization initially selected an AWS Elastic Compute Cloud, and then migrated to Amazon’s Virtual Private Cloud. Courtagen connects directly to the AWS cloud through an Ethernet Private Line (EPL) provided by Level 3 Communications. Three Check Point Virtual Appliances for Amazon Web Services provide secure connectivity to the cloud environment.
Support for Dispersed and Mobile Employees and Partners
Many of Courtagen’s employees work offsite or on the move, so the firm needed a solution that provided secure access for people from any location. Courtagen’s cloud-based solution, safeguarded by the Check Point CloudGuard IaaS for AWS, lets the firm deliver the ubiquitous access it needs with complete peace of mind.
“Courtagen has three primary sites—one in Bermuda, one in California and our headquarters near Boston,” says McKernan. “We also have a field sales organization with about a dozen people, all of whom need secure access into our network. Mobility plays a very important role at Courtagen, and we wanted our outsourced solution to provide access anywhere, at any time.”
Reliable Operation for Critical Business Operations
With its key business operations residing in the cloud, Courtagen needed to be sure that its solution would provide highly available performance. The firm’s Check Point representative worked closely with the firm to develop a highly redundant solution with failover capabilities.
“Our Check Point engineer helped us ensure that the solution worked with Amazon’s Virtual Private Cloud with multiple availability zones, a direct connection from Level 3 Communications and a public Internet connection that allowed doctors to access data,” says McKernan. “It involved a complex, challenging network architecture. Check Point helped us ensure that the connections were dependable, and compliant with proper audit trails.”
Virtual Appliances for Amazon Web Services (Cloud Security)
A major enterprise software developer with a deep tradition of leadership and innovation in its field, this company has 3000 employees and dozens of sites worldwide, serving tens of thousands of end customers.
Like most large organizations, the software developer relies on its data center to power its most critical business processes and store essential data. DDoS attacks are a serious threat for companies of all kinds, and even a small amount of downtime could cause serious damage to the organization’s daily operations and customer reputation. However, the organization’s existing security appliance could not provide the level of security and manageability the company required. To address these concerns, the organization needed to:
The Check Point Solution
The Check Point DDoS Protector Appliance enables the software developer to discover and block Denial of Service attacks in seconds, while streamlining its network administration and improving insight into the network.
Intelligent, Accurate Attack Prevention
The previous security appliance was difficult to manage and align to the company’s security needs. Incoming traffic from its Internet content delivery network often fluctuated, but its security system lacked the intelligence to determine which traffic was legitimate. Legitimate traffic was often dropped. “Now, if we experience a spike in legitimate traffic, the Check Point DDoS Protector Appliance automatically increases the traffic threshold without intervention from our team,” says the Senior Network Engineer. “I’m extremely happy with the box, especially after the problems we experienced with our previous solution.”
Comprehensive Solution Improves Network Insight
The developer installed a DDoS Protector Appliance at each of its two Internet routers. Each router has a multimode fiber Gigabit Ethernet uplink to the company’s ISP, and is fully protected by the appliance. Built-in intelligence enables the solution to quickly distinguish between attacks and legitimate traffic. “The detection is immediate, and the solution lets us discover threats without manual intervention and troubleshooting,” says the Senior Network Engineer.
Flexible Deployment and Scalability for Changing Needs
Designed to smoothly accommodate a wide range of network environments, the Check Point DDoS Protector Appliance fits seamlessly into the software developer’s topology, while providing plenty of room to grow. “We are considering extending deployment of our solution to three or four more sales offices, and are confident that our solution can easily scale to handle additional sites or bandwidth,” says the Senior Network Engineer.
Leading Software Developer – Check Point DDoS Protector Appliances
Carmel Partners acquires, creates and markets properties by combining cutting-edge innovation with bold investment. The company operates and invests in select markets throughout the U.S., including California, Colorado, Hawaii, New York, Washington, and Washington, D.C.
With a growing multi-faceted organization, Carmel Partners was looking for a way to ensure business productivity which includes securing network traffic, protecting against data loss, and providing secure site-to-site connectivity.
4000 Appliances provide robust integrated connectivity and protection
Carmel Partners relies on the Check Point 4600 and 4200 appliances for robust multi-layered security and connectivity across its distributed environment. With eight offices and datacenters, Carmel Partners was looking for a way to securely connect all locations to share data, applications, and other resources via IPsec VPN tunnels as well as secure its connections to the Internet. They chose to rely on Check Point’s 4000 series appliances configured in a mesh environment to deliver advanced functionality and performance in a robust, scalable, and centrally managed solution. “Check Point enables us to have stable, permanent IPsec VPN tunnels with the ability to dynamically reroute traffic through different offices if needed; it’s like a self-healing network.” – Dan Meyer, Vice President – Business Intelligence and Technology, Carmel Partners.
Software Blade Architecture delivers increased security and flexibility
The Check Point Software Blade Architecture enables Carmel Partners to consolidate multiple Software Blades including Firewall, IPsec VPN, DLP, Application Control, URL Filtering, Identity Awareness, and Mobile Access on individual, centrally managed appliances. These integrated technologies allow the company to protect its network against malicious traffic and intrusions, block or limit access to potentially harmful or productivity draining applications and Websites, and protect against data loss while enabling employees to efficiently communicate and access resources across all offices or in the field via their PC, smartphone, or tablet. “All of these Software Blades, tying them together has really allowed us to safeguard the network from both internal and external threats; the modular capability of Check Point allows us to run so much more efficiently.” – Meyer
Comprehensive security management increases visibility and reporting
To manage its complex security infrastructure, Carmel Partners relies on the Check Point Smart-1 25 security management appliance. With features such as the Logging and Status Software Blade, the company has real-time visibility into all its Check Point gateways and Software Blades, enabling its IT staff to manage all aspects of the solution, including advanced analysis of billions of logs, all from a single centralized console. This not only simplifies management for Carmel’s IT staff, but also improves security through consistent policies and unified administration across all Software Blades. “It gives us better insight, better visibility into our network, into our company operations, and what’s going on within the network; what more could I ask for?” – Meyer
Carmel Partners – 4000 Appliances and Software Blades
CRIF is a leading provider of added-value solutions and information services for the financial services industry to support decision-making and prevent fraud. Based in Italy, with a staff of approximately 1,450, CRIF offers its services to more than 1,900 financial institutions worldwide.
CRIF had undertaken an extensive virtualization project across its entire infrastructure, ultimately extended to the security layer with the following specific goals:
Check Point VSX Appliances to Match Security and Flexibility
CRIF has deployed four VSX appliances, running dozens of virtual firewall instances, to gain control over its new virtual infrastructure. Deployment has been carried out gradually, in order to meet the growing needs of the company, as well as the growing presence of virtualization within the enterprise. Besides the VSX appliances, CRIF also relies on five clusters of physical UTM-1 appliances, running a set of software blades, providing a comprehensive and flexible security solution for the whole network. The company’s goal is to gradually increase virtualization, in order to fully reap its management and economic benefits.
Centralized Control Eases Management, Increases Security
Centralized management is extremely important for CRIF, due to the highly confidential nature of the business-critical information that the company handles. Therefore, CRIF puts a great value on both real-time visibility over transactions and the ability to run a variety of analytics. The company deployed Eventia Log Analyzer to have a further level of management and control over data and information which run on the corporate network. Both real time and historical reports are now available to the IT staff for a more comprehensive visibility over the complete system.
Easier Management to Open New Development Perspectives
Through the virtualization of security, ongoing management has become significantly easier and more effective. Systems, applications and transactions can be easily monitored from a single point of control, giving ongoing, comprehensive visibility over the complete infrastructure. This has allowed the IT staff to redistribute and streamline its available resources to focus on critical tasks: a Business Continuity project has been defined and deployed, in order to further increase system availability and to ensure operations even in case of technical failure.
CRIF – Virtual Appliances and Software Blades
Hospital 9 de Julho is one of the most important private health institutions in Brazil. Founded in 1955, in São Paulo, SP, Brazil, it cares for over 9,000 patients a month in the Emergency Room. The hospital has 4,000 registered doctors and 1,700 people on staff.
Hospital 9 de Julho previously had only a “home-made” solution. It was simple and did not offer complete security or efficient controls to protect data and prevent information leakage. Managing without an effective system was difficult, and the hospital often faced critical situations without information or complete visibility into what was going on in its system.
Security Gateway Software Blades:
Hospital 9 de Julho – Data Loss Prevention Software Blade