Check Point adds endpoint capacity to SandBlast Zero Day protection

Check Point SandBlast Agent both protects mobile devices from zero day attacks, and provides an automated report and tools to remediate it. Check Point will also soon be introducing certifications for the channel specifically for SandBlast.


Andy Feit, Head of Threat Prevention Marketing at Check Point

Check Point Software Technologies has announced Check Point SandBlast Agent, which extends the company’s advanced perimeter security and zero-day protections introduced last year to mobile devices.

“Check Point Sandbox, which we announced last September, has a unique sandboxing technology which we obtained through our Hyperwise acquisition,” said Andy Feit, Head of Threat Prevention Marketing at Check Point. “It made possible threat prevention at the CPU level.  Unlike other sandboxes, which open a file, detonate it and watch what happens, this catches it earlier, before it can run its evasion code, so even the most highly evasive malware can be caught. The other thing that was new, and is still unique, is Threat Extraction. While the sandboxing is running, which takes about 10 minutes, we can create a clean snapshot reconstruction of the document, minus potential dangers like the .doc file and macros, so you can read it.”

Check Point SandBlast Agent extends these same capabilities down to the endpoint.

“Agent protects against the same zero day threats in more endpoint-related use cases,” Feit said. “Most  people don’t do much more than AV on their endpoint, so they only have protection against known viruses on endpoints, not unknown. This is because sandboxing on endpoints would eat up a lot of CPU. Agent, on the other hand, is very lightweight. We intercept the file, send it to the SandBlast cloud service, and do the sandboxing there, so it’s non-intrusive.”

The other element of Agent, which Feit said was the harder to develop, was the smart automated incident reporting, together with remediation tools.

“This forensics capability figures out what the malware did, which is tricky because  modern malware is good at covering its tracks,” Feit said. “If an event occurs, we automatically generate an incident report where new algorithms automatically understand what happened, and the intelligence builds remediation scripts for you.”

Feit said that while sales of CheckPoint SandBlast since it came on the market have been heavily vertical-focused, including banks and financial service, healthcare, retail and big government, the 12-15 companies in the early access for Agent were more diverse.

“There is a wide range of use cases, including smallish 400-500 endpoint customers,” he said. “Agent is not an SMB product although we will see 50-100 endpoints in some areas  like small law firms with highly sensitive data; it’s mainly for mid-sized and enterprise scale customers.”

“We expect most of our customers who have purchased SandBlast will purchase this as well,  but some early access customers were not already SandBlast customers, who were focused more on endpoints and only coming around to the network after the fact.”

The products are sold separately, so one does not need SandBlast to use Agent, although Feit said he expects there will be a lot of crossover.

The two elements of Agent can also be purchased separately.

“Forensics only is $15 per endpoint, while the  full suite is $35 per endpoint,” he said. “We think both are pretty aggressive in the market, for an endpoint solution.”

Check Point sells entirely through the channel, and the newness of the market presents partners with a strong opportunity, Feit said.

“We are really excited about the channel opportunity here, because the channel hasn’t made a decision yet on who to back in this space, “ he added. “Unlike with sandboxing itself, we are in the market early in the market. There are not a lot of tools beyond anti-virus for endpoints, and they will see names they don’t know, some of which are well financed startups and some not so well financed, which are riskier.”

Partners should also be pleased with the imminent arrival of a new SandBlast certification program.

“Up to now we would thread those leads through the channel generally based on geography,” Feit said. “However in the next 90 days, we will be certifying partners to represent SandBlast specifically. They will be required to certify a min of two sales and technical people, and in exchange they get premier listing, access to the SandBlast leads, and we do joint marketing with them.”