What is our primary use case?
With every new firewall that we're purchasing, we're deploying the SandBlast Agent. At the moment we're only running it on about 20 firewalls, just because the licensing isn't retroactive. What we need to do is produce a proof of concept to say, "This is the stuff we're getting." We're looking at it in a learning mode and then we can consider getting into a more aggressive mode of stopping everything. At the moment, we're trying to use it to give us information rather than to fully stop everything.
It's deployed on our physical firewalls, on-prem.
How has it helped my organization?
We have seen some attempted ransomware in our network. With the firewall we've already got IPS, but we wanted to integrate the endpoints into that as well. That's something we are seeing. Our IT risk team are getting those reports and seeing them and seeing fewer potential attacks.
It reduces potential downtime through ransomware by reducing risk. I don't think I would go to the CEO and say, "Hey, we've completely eradicated this and that," but it certainly complements other Check Point products that we have. It gives us some more information about what is happening and where it's happening on the network, on-prem, on the applicable firewalls. It's hard to say exactly what it has improved because it just works very well with what we've got. Certainly, with our Windows environment and our VPN, we do see a lot more. But I don't know if there's just more of a focus on the reporting, as a whole, that we're getting.
We have had previous ransomware attacks, and while we can't necessarily quantify any downtime or loss, there certainly was risk around that. This has reduced our risk in that environment. That's one of the big focal points. From a network operational point of view, could you ask, "Well, has it reduced things?" and the answer is "no," but from an IT-risk point of view, our IT risk team have certainly seen less impact from attacks. We're more proactive than reactive, compared to how we were doing things before.
We don't see it leading to a reduced number of security engineers. What we do envisage is information and empowerment. Rather than manually having to check this, that, and the other, we're looking at having these tools available and for them to produce actual results. We definitely see this tool helping us do that.
What is most valuable?
It's pretty complete for preventing threats to endpoints. Its capabilities are great.
The solution's automated detection and response capabilities are pretty good. It really depends on how aggressive we want to be with it. We've not deployed it in the most aggressive way you can, such as shutting down everything, because we've not deployed it in a greenfield site. It has not been deployed with that in mind. It has been deployed as an add-on service. As such, we don't want to be as aggressive as some top security firms would recommend we should be.
What needs improvement?
We do like the product, although there are quite a few things that we're asking our Check Point account team to enhance, where we think we probably could get more features from it.
We use a couple of Check Point products, like SmartEvent, and SandBlast Agent is not really integrated into that. We haven't gotten the reports working yet. We are working with the account team and trying. As I said, it's still relatively new in terms of what we're trying to achieve. We probably should have had more Professional Services come and help us. But, from our company's point of view, especially at this time in the market, the finances are just not there. But from what I've seen so far, I don't think there's enough integration into SmartEvent. That's something that I've asked our account team to try to focus on in the next versions or as an enhancement request.
Integration and deployment are probably the weakest points, and maybe service as well, although they are still at the high end. Would we go out to market and buy this on its own? Probably not, is the honest answer. But because it is a Check Point product and the licensing comes as part of it, it gives us this time to go and prove that, when it's together with all the other products that we have from Check Point, it certainly integrates very well. Would I go and buy this just as a standalone service if we didn't have Check Point firewalls? Probably not.
For how long have I used the solution?
We're relatively new to Check Point SandBlast Agent, once they put it onto their firewall platform with the new environment. It comes built-in for the first year, including the cost. We've sampled it, starting about four months ago.
We had seen it work before. We had demos with it, but it was always something that seemed would be a nice feature to use, but not something the business wanted to buy into, per se. Now that it comes as part of the package for the first year, we thought we'd give it a go and see how it gets on.
What do I think about the stability of the solution?
I've had no problems from a stability point of view. It just seems to work.
What do I think about the scalability of the solution?
It's definitely scalable. It's whether there is a business appetite. When we get a new firewall, we'll enable it and run it through the service. It's scalable to retrofit. We could do that and we could run that very easily, but that would involve a commercial spend, which at the moment, no one wants to do. We understand that, but the solution is certainly something that is of interest to various people.
If we get approval then it will move from a PoC to across-the-board. At that point, there would be between 100 and 200 people using it and thousands of agents. It could be scaled out to our whole organization. Again, it's funding-dependent.
How are customer service and technical support?
We have Diamond Support, so it's very good, but we pay for the privilege. We have one engineer and a separate TAC team.
Which solution did I use previously and why did I switch?
We had a solution but it wasn't really a similar solution. This is the first of its kind for us, for what it does. We do have antiviruses, so that the machines aren't just dead, and we do have our own hybrid package of something that, if you add four of them together, maybe adds up to half of this, but no similar package.
How was the initial setup?
It's relatively easy to set up. There's plenty of documentation out there for how you do it. The way we've done it is probably the easiest way of doing it. We're not going all-out. We've gone with a small approach, mainly due to commercial reasons.
Our implementation strategy is just to switch it on in our new firewalls and see what happens, honestly. That's not always the best approach, but we switch it on in learning mode to give us information on what's out there and to see what we didn't know.
It took us about three weeks with the first two firewalls, and that doesn't include the firewall build time. That's just setting up everything else and the integration piece. There were two of us involved, me and a colleague. There were "dotted lines" into others, such as our IT risk team where we were asking, "Hey, is this what you want to see?" We're not really offering it as a full service, it's a PoC. If it goes live with a view to deploy it to all of our firewalls and all of our endpoints, I wouldn't say we would need any more people. It would be part of our operational team. The same is true for the risk team. I don't think we would need to get more people, although we see the IT risk team having more of an input.
What about the implementation team?
We did it ourselves. Potentially, if I had an open wallet and a blank cheque book, would we use a third-party? Yes, of course we would, but at the moment that option is just not there.
What was our ROI?
Return on investment would be not being attacked. Have we seen any? No. Has it identified certain things? Yes. The way we've got to look at return on investment is, all of a sudden we're less vulnerable to attacks. That's a hard measurement to define. Ultimately, not being attacked, and our reputation, is worth a lot more than just a dollar figure.
The cost-effectiveness of SandBlast is knowledge and understanding what is happening on our network. Do we have some infections? Are we seeing certain things which, without this tool, we would be exposed to? Yes, we are seeing that.
What's my experience with pricing, setup cost, and licensing?
Licensing comes free in that first year or is included in the base package. From a commercial point of view, it really just is the renewal cost, rather than a one-time fixed cost or buy-in. That's for new firewalls. For existing firewalls, we haven't even gotten to that point yet. They don't even want us to look at the pricing. First, we need to think about what the product does. Does it do what it says on the tin? And if it does, then it's a commercial thing. We have quite a good commercial model with Check Point, so we don't really need to worry about that too much. The pricing should be good.
The licensing, the way they've changed it, is a positive and a negative. Ultimately, Check Point has changed how it operates and now we have to go back and retrofit.
Which other solutions did I evaluate?
If this does everything it says it does, I don't see any reason that we would use a different product, because this integrates so well with existing Check Point products.
What other advice do I have?
What we've gained is more of an understanding of what's on our network. If I were to go and do this again from scratch, I probably would have looked to integrate more with our Check Point sales team and would have gotten more help from them.
My advice would be to involve your SE. He can help you through a lot more of the options when you deploy.
We don't use the solution’s Management Platform for the creation of virtual endpoint management services in the cloud. We haven't got to that cloud point yet. It's something we could do, potentially. We're going to work with our account team about that. But that's the one of the lessons learned: We did it by just playing around with it rather than doing a full deployment.
I would rate it at nine out of 10. What comes to mind is its effectiveness. Normally, I don't get involved in the costing too much. Is it doing everything that it said it was going to do? Yes it is, at the moment. Could it be enhanced more? Sure. But we have a relationship with Check Point and they do deliver on the RFEs for us. If we say we want it to do this, they'll get their engineering team looking at that.
Which deployment model are you using for this solution?