How Palo Alto Network's Shaking Up the Internet Security Market

They don’t like me,” says Nir Zuk of his old bosses. As one of the earliest employees at Check Point Software Technologies in the 1990s, he wrote parts of the world’s first commercial firewall. He later built essential chunks of the firewall sold by Juniper Networks. But at both companies, Zuk ended up quitting in a huff—and, in one case, walking away from millions of dollars in unvested stock options. Why? The Israeli engineer felt his best ideas were being blocked by incompetence and office politics. All he ever wanted, he insists, was to build new things.

Zuk’s revenge is Palo Alto Networks, which sells the first new class of firewall in 11 years. The company IPOed in July 2012, bringing in $260 million. Its products are crushing the competition. Palo Alto has only 4 percent of the $10 billion network security market, but it is rapidly gaining share. In the most recent quarter, its revenue was up 70 percent to $96 million, an increase of $40 million, equal to the entire revenue gain for all other firewall companies. Check Point, which has 15 percent of the market, grew by $12 million, up only 3 percent.

With a chip on his shoulder the size of Mount Sinai, Zuk never misses an opportunity to poke fun. He pulls out his iPhone and shows me a photo of a Palo Alto billboard just outside of Check Point’s offices in Tel Aviv. In Hebrew, it reads: “You just passed Check Point. So have we. Palo Alto Networks.” At a March investor conference in New York, Zuk led a live demonstration to prove the speed and ease of updating his firewall. While Palo Alto’s product took five seconds to update, Zuk was able to brew and drink a double espresso in the time it took to update Check Point’s. The rivalry goes deeper than stunts. Palo Alto’s board has two major defectors: Shlomo Kramer, a Check Point co-founder, and Asheem Chandna, a former Check Point vice president who bankrolled Palo Alto as a partner at venture capital firm Greylock.

The firewall battle has never been more relevant. The past few years have brought an acceleration in the number and sophistication of cyber attacks.  In 2011, a US government report accused China and Russia of trying to build their economies on stolen intellectual property. The job of protecting a network has grown more complicated as employees demand to use their iPads and smartphones at work, and clamour for external web applications like Dropbox, Skype, Google Docs and Salesforce. These devices and apps are common entry points for hackers and thieves. Quantifying the IP and research losses from cyber-raids is difficult, but the damage could be as high as $400 billion annually. Attacks come from the inside, too. At Valspar, an employee downloaded paint formulas that he planned to take to China. That theft was valued at $20 million, one-eighth of Valspar’s annual profit.

Firewalls are designed to keep this sort of thing from happening. They prevent malware from getting into a network, and sensitive data from getting out. The problem is that traditional firewall software, like the kind sold by Check Point, Juniper and Cisco, relies on stateful inspection, which specifies the kinds of data packets it will accept or drop. Everything is either ‘good’ or ‘bad’.

This presents a tough choice to firms that have become dependent on web apps. Stateful inspection offers only two options: Block the apps to mitigate risk exposure, or let them in and hope for the best.

Palo Alto’s next-generation firewall cuts through the impasse. It can parse all the components of a web application like Facebook to selectively allow, for instance, news feeds while blocking chat and games. Employees can read Twitter feeds but not tweet; they can share Dropbox documents without worrying about attached malware. Conversations between IT security and other departments no longer have to begin and end with “No”.

“Our competitors agree on the problem,” Zuk says. “They agree that Dropbox is dangerous. Their solution to Dropbox being dangerous is to block Dropbox. Our solution is to make Dropbox safe.”

Palo Alto, founded in 2005, has 11,000 customers, including 500 among the Global 2000. More than 60 percent of its customers use Palo Alto as its primary firewall. Independent analysts confirm Zuk’s claim of being out in front. “All their competitors are stuck in a rut, and they tend to drop their pants,” Forrester Research analyst John Kindervag says. “They are several years away from catching up. Some are bringing next-generation firewalls to market. Some are good. Some are more marketing than reality. They discount significantly.”

How’s all this sitting with Check Point, the Israeli firm whose billionaire co-founders, Gil Shwed and Marius Nacht, invented the original commercial firewall? Check Point declined to comment for this story, but when Forbes talked to Shwed in November, he avoided mentioning both Zuk and Palo Alto by name: “I think it’s sad that good people try and do things like that. This person was a disgruntled employee from Check Point—a very smart guy, I’m not trying to take that away,” he continued. “They’ve got good things, too. I like to think that we have much, much better things, much better technology.”

There was a time when Zuk and Shwed were brothers-in-arms. Three years Zuk’s elder, Shwed began his required service in the Israeli Defense Forces (IDF) in 1986. He entered Unit 8200, an elite electronic intelligence arm, at age 18.  There he built the world’s first packet-filtering device that screened traffic based on Internet Protocol address. Zuk was a natural for Unit 8200. He learned to read and write before entering school. He got his first pair of glasses in the third grade after years of fooling school nurses by memorising the vision chart. In the sixth grade, he became chess champion of Israel’s eighth-grade-and-under division. Zuk begged his parents to get him a Dragon 64 computer for his bar mitzvah. He went on to create some of the world’s first computer viruses. “Just for fun,” he insists.

He joined Shwed’s unit in 1990. They worked closely for a year, until Shwed’s time was up. He founded Check Point in 1993 with fellow military men Shlomo Kramer and Marius Nacht. Zuk served in the IDF through 1994, spending an extra year in officer training, and started overseeing a small group of engineers. He realised he didn’t like managing people. He was recruited by Check Point and helped build its flagship product, Firewall-1.

Zuk moved to California in 1997 to run Check Point’s new-product staff. He bought a house with his wife in Redwood City and enjoyed the autonomy of his new role. He was excited about new software his team created that would eliminate network congestion. But when the project was done, he learnt that the Israeli engi- neers were disgruntled because the American team was producing new products while they maintained old ones. His new product was killed off. Nacht told Zuk to return to Israel. “I had just bought a house,” he says. “‘Are you crazy?’ I was like, ‘I get it. Adios.’” He left Check Point in March 1999.

Zuk went on to start OneSecure, the first intrusion-detection and prevention outfit. After two quarters’ sales the tech bubble burst, and the company was sold over Zuk’s objections to Netscreen for $40 million in 2002. “They didn’t have the stones to keep supporting the company,” he says. When Juniper Networks bought Netscreen in 2004 for $4 billion, Zuk was eager to lead the effort to revise its firewall. But he says his requests were ignored. “They were focussed on cutting costs and moving engineering to China and India,” he says. He left the company and gave up 300,000 unvested shares worth about $6 million, in early 2005.

Zuk’s life took a turn south after Juniper. His 10-year marriage dissolved along with the small fortune he had cobbled together. He moved into a small apartment in Mountain View, on the periphery of Palo Alto. He faced the unenviable task of starting his life over at the age of 35.

Rescue came in the form of a call from Chandna, who had left Check Point two years earlier to become a partner at Greylock. Chandna had been following Zuk’s career all the way to its slump. “Check Point had an exceptional engineering team,” Chandna says. “But Nir was by far the brightest. He’s arguably the most accomplished individual in network security on the planet.”

Chandna and Zuk started hashing out a security idea that would be “dominant, lasting, with multibillion-dollar revenues”, Chandna says. Greylock and Sequoia Capital gave Zuk $250,000 to come up with the product. Working out of offices at Greylock and Sequoia, he came back with the next-generation firewall.

The next year, the two VC firms put up $9 million more. Another $400,000 came from Zuk, Check Point co-founder Kramer and others. “If I screw up on Palo Alto, there is no family, no money, no nothing,” he remembers. “I will stay in that crappy apartment in Mountain View for the rest of my life.”

Palo Alto got its firewall to market quickly by drawing on kibbutz-style redistributionism. Zuk significantly diluted his equity to 5 percent so early hires could have a healthy stake in the company. “There’s no justification for a founder getting to an IPO with 25 percent of the company,” Zuk says. “The Greylock and Sequoia partners said it would come out of my share. I said that is fine.” That decision cost him. His 4.7 percent ownership is worth roughly $180 million today. He’d be a billionaire if he had kept a more standard 25 percent.

In August 2011, the board brought in Mark McLaughlin, an executive at security firm Verisign, to be its Wall Street-friendly CEO. Zuk, now chief technology officer, doesn’t manage anyone and acts as the firewall against bureaucracy. Even though the firm is adding 100 employees per quarter, he refuses to hire project managers. “They don’t produce anything,” he says. “All they do is coordinate. The people who do the work should coordinate.” It’s nice to know that success hasn’t changed Zuk one bit.