MSPs vs Ransomware: Lessons from Check Point (EP 887)

Hello friends, Uncle Marv here with another episode of the IT Business Podcast, the show for IT professionals and managed service providers, where we try to help you run your business better, smarter, and faster. Today, folks, I have an interview that originally we tried to do this on-site while at Pax8Beyond, and my schedule got busy. I probably took a break or two too long, and we weren't able to get this done then, but this person was gracious enough to make some time after the fact, and so we're sitting down. 

We got a lot more runway that we can play with here, and today I'm talking with David Meister, global head of MSP at Check Point Software Technologies. David, how are you? I'm doing fantastic. How are you? I am good, sir. 

So thank you for making time. Sorry we weren't able to meet at the conference. Actually, did you make it to the conference? It's such a whirlwind. 

I don't remember. I did. I did. 

So I was at the conference. I actually had a keynote speaking spot, so we had quite a few Check Point people there. I think we had close to 16 or 17 people there. 

I can definitely understand how we missed each other. There was a lot going on. It was a very fun few days.

Yes, it was. All right. And you are not from the States, so we should probably let people understand your accent there. 

Yes. So I'm not from the US. I'm based in Utah now, but I'm originally from Australia. 

I've been living in the US for a year next week, I think. So I grew up in Australia. I spent the first part of my career in Australia. 

I joined Check Point in Australia. Initially, I joined about three and a half years ago when Check Point made the acquisition of Abenan. I was hired on to launch the email security go-to-market in the Asia-Pacific region. 

And then after a couple of months, after probably about six or nine months, there was an opportunity to take over the global MSP team. And my entire background is working for managed service providers. I was an engineer. 

I was a technical manager. I worked in sales. I ran sales for a couple of different MSPs. 

And so I've lived and breathed this space. And so I took the opportunity to run the global team and did that from Australia for about 18 months. And the time zone's got a little bit too much, and we grew a little bit too much for that to be functional.

So a year ago, my wife and I packed up our three kids and our golden retriever and shifted over here. Oh, wow. That's a big move from Australia to Utah. 

But let me ask this. Did you do that in anticipation of Pax 8 being in Salt Lake City next year? I did not. I did not. 

So Nick Heddy, the president of Pax 8, he let me know after I'd moved here. We were on a meeting, and he's like, oh, let me tell you about some information. So I did know before it got announced at Beyond, but I'm very excited about that. 

This was my third Beyond this year, so I've been at each one. And to be honest, I felt a little bit guilty that it took me an hour flight just up and over the Rockies from Utah over to Denver because the last few times it's taken me 16, 17 hours to get there. So it was nice and quick. 

And then next year, it's going to be a 30-minute drive up the road to get to Beyond. And I don't know. We'll see what happens the year after. 

It'll be nice. It'll be nice to not have to worry about all that travel. So let's go ahead and get into some stuff before we talk about Check Point. 

I sent you a note over. You guys just released, and I'm talking in the last week, a report for the state of ransomware, quarter two for 2025. So I don't know if you even yourself had a chance to look at that, but what did you think of that report? What are some highlights that we should know about? First of all, I love when Check Point does this. 

So Check Point, really, we've got a big research arm here at Check Point. I think we've got about 300 or 400 researchers who are just dedicated to looking at the threat intel that we see across all of our products. We actually feed all of our threat intel into a central threat intelligence platform so we can see all these threats. 

But we also, our threat researchers go through the dark web, look at different things, track different ransomware groups, different hacktivism groups. And they put all of this together in a format that we can look at. So we have mid-year reports, end-of-year reports. 

Earlier in the year, we released an AI report and some security report, and then we've obviously come out with that ransomware report. This one's really interesting to me because ransomware is nothing new to us. It's been around for a while, and it's just interesting that the face of it is the tactics are staying the same, but with the introduction of AI, the speed at which ransomware can be deployed and the barrier to entry to be a malicious actor is just getting lower and lower. 

So we're actually seeing a lot more of it. One of the big standouts for me is what I would call a shift from database threat to extortion. So I remember, if I go back maybe 10 years, maybe a little bit longer, I remember dealing with some of the early stages of ransomware at the MSP I was working at in the form of Crypto Locker.

For anyone who was in the MSP industry, 2015, 2016, Crypto Locker, 2017, Crypto Locker was everywhere. It was a nightmare. Huge, yes. 

It was the attack. Yeah. It's like if you had an on-prem server, somebody had left port 8080 open or something like that to RDP, and somebody gets into the environment and just locks everything down, it was a nightmare. 

So I remember that, and I remember they would get in there and they would lock it all down. They would leave us a ransom node and transfer us X amount of Bitcoin, and Bitcoin wasn't that expensive back then. Within 24 hours, they were going to double it, and then if you don't do it the next day, and it continues to go up. 

And off the back of that, our industry started getting really, really good at backups and disaster recovery and things like that. What's interesting now is that we don't see as many of them locking files down. So people coming in and encrypting files doesn't happen as often anymore. 

We did, I think as an industry, we got so good at restoring things from backups that it's not as... The attackers know that we can just delete everything and restore. We'll lose a couple of hours of data, but things will be okay. What we see now is more extortion-based. 

So they'll come in, they will get into the environment and sit in the environment and stay there for a while. And what they'll try and do is do two things. Number one is they'll exfiltrate data and tell you, go to you and say, hey, I've got this data.

If you want me to give it back to you, then you need to pay a ransom. Or if you don't give it back to me, I'm going to go publish it somewhere publicly. Or the other thing that we're starting to see as well is that I'm going to get hold of your data, and if you don't pay me, and I'll publish it publicly, but then I'm also going to go after your suppliers. 

I'm going to go after your customers. I'm going to go after your employees at an individual level and hold them to ransom and say that I'll release their data if they don't pay me. So you're going to pay me because I'm going to release it, or you're going to pay me so I give it back, or I'm going to go after people in your supply chain so they can pay me. 

So the tactic is changing because we've adapted so much as an industry. And so for me, that's been a really, really interesting evolution. You sometimes hear it referred to as different ways. 

I've heard it be ransomware 1.0 to 2.0 to 3.0 as we kind of go through this chain, but it's just very interesting to see how these tactics have changed. And again, the introduction of AI has allowed the barrier for these malicious actors to come right, right down. If we look at phishing emails as an example, you don't need to have command of a language anymore. 

The phishing emails we see today aren't the Nigerian prince with grammatical errors and things like that. They are sophisticated. They are well-written.

They can come from somebody who doesn't speak English because you can just go to a large language model or a chatbot and just say, hey, create this email after this person. It's just so easy now to get in that once they get in, they're going to try and extort people. So this new version is almost a throwback to the old mafia mob days where they're like, listen, you're going to pay me or I'm going to take out your family.

That's kind of what they're doing. And the fact that they sit in the environment, that gives them all the time in the world to kind of discover what's there and gather that information and start to put out those tentacles of especially employees. If they're able to watch how they email, watch who they email and stuff, they got all that information.

Yeah, exactly. And it's just learning. The motivation hasn't changed. 

It's all just somebody wants to get paid. If people didn't get paid, they wouldn't do this. They have to make money for it. 

If you think of other types of attacks, if you look at malware, for example, what we've been seeing over a number of years now is that if there is a zero-day vulnerability or if there is a new bit of malware, a lot of these malicious groups, these malicious actors, it costs them money to go purchase it. They'll go purchase it on the dark web and then they're almost operating like an organization in and of themselves or a dark MSP where they've got a P&L that they have to deal with. They have staff that they have to pay. 

They've got to pay for their cost of goods, which is the actual vulnerability or the bit of malware. They've got to execute it. They've got a short window of time to try and make that money back and make that profit. 

They're running it like a business. Absolutely. Now, in this report around ransomware, it does go into the ransomware ecosystem and we are starting to see a fragmentation of these groups. 

It's not one single group that we're seeing anymore when it comes to ransomware as a service. We're starting to see it a lot wider now. The entire ecosystem, I suppose, has become commoditized and we're seeing groups pop up that maybe we haven't heard of before, but there's no one single group like we've seen in previous years where you've got a dominant player in the market. 

That's another big trend that we're seeing, which has been quite interesting to observe. It's almost as if a few years ago, there were the big players and they would invite people to join in or invest. If you become a part of our group, we'll give you a piece of the pie of the money that we get. 

Now, with AI and automation, people are splintering off and saying, I don't need to be a part of an organization. I can do this myself. I can do it cheaper because I can find AI stuff to do this for me.

Let me ask another question about what I saw. It did mention that the ransomware payments are down. I haven't heard anybody really talk about that because part of me thinks that as MSPs, we'll take credit and say payments are down because we're so much better at protecting our clients.

We've seen in the news, even with the hospital that got hit a couple of weeks ago, they're at $18 million in recovery costs because they didn't pay their ransomware. Then their cyber insurance was denied because of that stuff. It's a mixed message that we're getting there. 

I think it's a really good point to raise. I think there's a number of factors that are contributing to this. If you think of the intent of the malicious actors, the malicious actors in most cases, when you're talking about ransomware, aren't actually looking for notoriety. 

They don't want to necessarily be published what they're doing. If you're dealing with a hacktivism group, they're going to be looking for notoriety. They're going to be looking to make a statement. 

With ransomware, it's not really the case. They want to get paid. This is a financial motivation. 

They're coming in, and I think what they've realized is that it's not like it was a couple of years ago. In a lot of cases, cyber insurance companies aren't willing to pay a ransom. It's a bit of a judgment call for a business is that, hey, if this is a bit lower, if this is something that I can just go pay, it might only be $50,000. 

For a smaller group, it might only be a couple of thousand dollars. It's easier for me to do that and get paid quickly than draw attention to myself and have somebody like the FBI or different law enforcement agencies actually coming and looking at what I'm doing. I think they're trying to reduce the payments because they're trying to draw less attention to themselves. 

That's an interesting point. You're right, because why draw attention? If you can make less money more often, it piles up in the long run. That's cool. 

Let me ask this from your standpoint now in terms of Check Point, Avanon, and stuff. Are you guys seeing a ton of BEC attacks, the business email compromise, as the way for all of these things to happen, or are they still finding ways to get in through other means? We're definitely seeing a lot of business email compromises. Email is continuing to be the number one threat vector. 

The reason why we're seeing it is that, a couple of reasons, but the main reason is it's just such an easy point of entry. The weakest part of an environment, more often than not, is the user. If you can create a malicious email that is going to bypass controls that a user is unlikely to click on and then give you their credentials, that's a lot easier than trying to scan for open ports or those types of things. 

It is continuing to be that number one threat vector. There's a couple of different tactics that we're seeing here that have been quite successful. A lot of it's come around from two mitigating factors. 

Number one being the shift to 365, which has been an ongoing thing over the 10 years, where organizations haven't adapted to the style of security required to secure cloud-based email. They've retained on-premise gateways or virtualized gateways which can be bypassed, which aren't looking at internal to internal traffic, aren't looking at contextual information around where people are logging in, who they're communicating with, what style they're communicating with. That shift to cloud-based email has definitely been a contributing factor.

I think the second contributing factor to that as well is, I think the second contributing factor isn't just the cloud-based email, but the second contributing factor, as much as it gets talked about a lot, is around AI and the fact that, as I mentioned earlier, you don't have to have a good command of a language anymore. You don't even really need to do that much study of somebody anymore. I mean, I can go to an AI chatbot, be it Grok, Perplexity, ChatGPT, Copilot. 

I can go and say, hey, look at this organization, identify who the executives are, go search the web to see if they've done any media interaction anymore, find out who their partner is, who they interact with, and then build a profile on them. That's really, really easy to do. And then from there, you can say, hey, create me an email to communicate with this person. 

And what we're starting to see is that the attack methods, they are trying to get a little bit more sneaky. So we see, and this got reported, I don't remember the exact statistics, but in the Verizon Breach Report from earlier this year, they spoke about the growth of something called pre-texting, which is actually where we're seeing organizations be attacked, and that first interaction with the malicious actor isn't actually malicious. So they'll send an email through. 

It has no link, no attachments, no QR code, and it just comes through from Gmail or Hotmail or something like that. And so it's not going to fail, necessarily fail, DKM, DMARC, or SPF. And then they just establish a communication pattern.

And then once they've established communication back and forth, that's when they'll try and release a malicious payload. Or we'll see things like QR codes embedded inside of attachments or links that go through five or six different redirects. And all of these different types of approaches that we're seeing where they can get the information because there's so much information available online, and you can use an eye to go find that information and then try to bypass native controls or legacy controls like gateways to be able to get in and protect and attack that user. 

It's a lot of stuff for us to pay attention to. Let me ask you a kind of a side question that just came to mind. And part of me thinks that a lot of folks listening to this show are, I'll say, proficient. 

We're all some sort of IT service provider, managed service provider. So we see a lot of these things. We hear a lot of these things. 

We know all of the actionable tips that we need to do. But organizations like yours still are having to educate about this. Because of that, what do you think is probably the most common frustration that you see that is allowing these attachments to continue to grow and thrive? It's a really good question. 

I think there's probably two assumptions that come to mind. One is that a number of years ago, I was presenting at an event with Matt Leigh from PAX 8. And he got up and he basically asked everybody to rank themselves out of 10 when it comes to their cybersecurity skills. And he's very, very good at what he does.

And there were some people who rated themselves as sevens, rated themselves as eight, rated themselves as nines. And I think he rated himself at like a three. And that's always stood out to me. 

Because I think that we make an assumption that we know a lot more than what we actually do. And that's where leveraging people who specialize on specific types of technology, specific types of attacks, and utilizing the education that comes from Check Point research or whoever you want to work with is so important. Because it's moving so quickly, it's really difficult to actually stay on top of everything. 

Even for myself working in a vendor, I'm constantly, our research team, our developers, our spread intel team are constantly releasing stuff every single week about new types of threats, new types of things that we have to develop to address. So understanding that as much as we all think that we're experts in this, it's changing so quickly that we need to understand that, have, I suppose, an element of humility and say, hey, there's definitely things that I don't know. And I think that goes on to the second point in that there can be, and we see this a lot actually coming from customers and as MSPs, we can fall into this habit as well, is we make assumptions that our platforms or our tools that we're using cover a lot more than what they actually do.

And so I'll give you a really simple example from an email security point of view. One of the points that we talk to partners a lot about when they're deploying that tool is that out of the box, we're doing protection on inbound emails, outbound emails, and also internal emails, so east-west emails. And you'd be amazed about the number of partners that we speak to that didn't realize that they weren't doing any protection east-west from an email point of view. 

They just assumed that, oh, it's inside my environment, there's no threats. But if an account gets compromised or if, yeah, if an account gets compromised, you can send malicious payloads internally. And we see that regularly. 

And so there's an assumption, that's one example from an email point of view, but there's definitely an assumption that tools can do a lot more than what they can actually do. But there's also an assumption that those things are configured correctly as well. And so that kind of the two things that I think about when it comes to service providers is service providers are extremely intelligent. 

I absolutely love learning from our partners, but I think an element of humility and understanding that we all don't, myself included, and even our research team, we don't know everything. We're all trying to do our best and we should be learning together as a community as we address this. And second of all, actually identifying what our tools are doing versus what they're not doing, and have we actually configured them to do the thing that we're paying for them to do. 

I want to ask you a bit more about your tools. But before we do that, I want to ask this question, because you spent a little time working in the MSP world before you, as we would say, went to the dark side. Now you're in a vendor. 

How different is it for you to see this same fight from a different side? It's been a really interesting learning curve. Like I spent, when I was working for MSPs, I was an engineer. I ran an engineering team. 

I've been out called under desks and fixed computers, racked servers, all of that type of stuff. And then I moved into sales and ran sales teams as well. And so I like to think I've got a fairly well-rounded experience with my time with managed service providers. 

What I tried to do coming over to the vendor side is to take a partner-first mentality in understanding that there's just certain things that vendors do that annoy the living daylights out of partners. And I remember it myself. I remember being a vendor calling me up a day before the end of quarter saying, hey, get this deal in. 

I'm going to give you an extra 20%. Get the deal. I hated stuff like that or bypassing me and going straight to my customer without engaging. 

The list went on and on and on that vendor reps did that annoyed the living daylights out of me. And so coming over to this side, I've tried to put a lot of effort into the way that I approach our program, the way that I've educated my team, and the way that we approach partners into keeping them front of mind, because there is a very specific way that every managed service provider is a little bit different, but there's very specific ways that MSPs want to work that we as a vendor need to be able to adapt to that, because it's not a standard sales motion that you would see with dealing with an enterprise customer or something like that. And so that's been a big learning curve for me is understanding that that information that I learned working in the channel, working for partners, doesn't necessarily always get translated into the vendor side. 

And so it's been a little bit of a mission of mine over the last couple of years to try and share that knowledge. And I think that generally vendors are starting to see that a little bit more. I was going to say, are you having to share more from the vendor saying, hey, look, I came from this side, let me explain why there's that frustration, or do you find yourself going back to MSPs and saying, okay, look, I was with you, I complained a lot. 

Here's why, stuff like that. Do you find yourself going back and forth over that fence? A little bit, I'd probably call it 80-20. I think I spent 80% of the time talking to the vendor about the way that we should approach things versus 20% going to partners and be like, look, let me open the kimono a little bit and explain what's going on and give you a higher level of transparency.

And a lot of the times partners do understand it because they run a business as well. Sometimes some partners don't, and that's their prerogative, and we love them anyway, and we still want them to be partners. We'll just figure out a way to work through it.

But I think it's when there's a recognition that we're all actually in the same community, when we're all actually trying to achieve the same goal, it works a lot better. Very nice. Very nice. 

Let me turn to Check Point. And I want to say this, for the most part, I think most of the listeners probably recognize the name Avanon because they used it as email protection. They didn't realize that Check Point had been around much longer than Avanon.

So when people hear now Check Point, the name Avanon is gone. It's kind of been rolled into your stuff there. Explain what else Check Point does.

Yeah, great question. And I think the way I want to describe it is actually talk a little bit about the journey that we've been on. I think when I started at Check Point, I joined just after the acquisition of Avanon, and I joined in the Avanon team. 

And to be honest, I think at the time Check Point, not very many people at Check Point could spell MSP. It's probably the way to think about it. It was very much that big firewall, a lot of other products as well, but that big firewall enterprise government style vendor. 

When they made the acquisition of Avanon, there was a ready-made managed services team, and we experienced fantastic growth. We're very grateful for the partnership of all of our partners and distributors over the last few years to fuel this growth that we've had. On the back of that, I think that gave Check Point paid a lot more attention to managed services initially, because they were like, well, this is really interesting. 

Check Point then went and made the acquisition of Perimeter81, which also had a managed services team, and a very well-growing managed services team. And so what we did is we sat down, myself running the Avanon team, the Check Point team, and the Perimeter81 team, and we said, okay, well, we want a single experience here. We want a single platform that includes all of the products. 

We want a single experience for the MSPs. And so we started, we took the best of the Avanon platform and the Avanon program. We took the best of the Perimeter81 platform and the Perimeter81 program, and obviously the experience and the backing of Check Point and all the other products. 

And we've tried to build it into this single platform, format of service providers, covering everything from obvious email security and SASE with Perimeter81 and Avanon, but also external risk management and dark web monitoring from the acquisition of Cyberint, endpoint security, mobile security, firewalls, cloud security, MDR, browser security. We're actually, in the next couple of weeks, we're releasing a new version of our browser security, where it's got Gen AI protection, meaning we can actually protect people from entering specific information into, like, ChatGPT and Grok and things like that. And so we're trying to basically take every, we built this foundational program that's taken the best of Avanon, the best of Perimeter81, and then we're going out through the rest of Check Point, and we're finding the products that we think are going to serve MSPs well, and then we're bringing them into the program. 

And we've basically got a set of criteria that they have to meet to be able to be a part of the MSP program. Is it consumption-based, per user per month, no minimums, no lock-ins? Are there NFRs available? Is it self-service provisioning? All of those types of things that we saw a lot of success with, with Avanon and with Perimeter81, we're just going to apply that. We are in the process of applying that to all of the other products to make sure they are, in what I would consider, MSP-ready, so that the MSPs can go and do business the way that they want to do it, rather than us needing to dictate it to them.

Right. So, yeah, when I was looking this up, so a much more simplified model for all of the products, streamlined portal. So did you have to rebuild the portal? Yeah, we did. 

It took a lot of effort. We, I was actually, when we were working on this, we were, a lot of our developers are based out of Israel, and a lot of our R&D is based out of Israel. And I was still in Australia at the time when we started developing this. 

And so it worked quite well for me, because we would, I would jump on kind of 3pm to 5, 6pm at night, and we'd be on the R&D team, and the developers, and we'd riffleflart what Avanan was doing, and be like, right, we like this, we don't like this, we like this, we don't like this. And then we've been working to build this platform. And there's still things we've got to develop in it. 

We've got a dedicated dev team and product management team, and we're continuing to iterate to make it better and better and better. But a lot of work went into it. And it's kind of a mixture of taking the best of what we saw, plus what we wanted, plus, you know, keeping in mind that Check Point's a 31-year-old cybersecurity giant. 

And then kind of bringing those things together to deliver the outcome that we wanted for partners. So a lot of effort went into it, and a lot of effort's going to continue to go into it. All right. 

You mentioned that, you know, Check Point was kind of seeing itself as this enterprise. Now that you've adapted, you know, the channel and the MSP. How much more growth opportunity do you think is there? I mean, because MSPs are going to want to know, hey, are you going to stay here for the long haul for us? Or are you going to dump us when the price hits the right point to sell? No. 

So Check Point's a listed company. So all of our financials are completely transparent. We're not a startup. 

I suppose the MSP part of the business is the startup inside the bigger organization. But we're very committed to this. We are very, very committed to this. 

We've got a new CEO who's extremely committed to this. We have made a lot of significant investments internally in regards to people, R&D, development of the platform. We are in this for the long haul. 

And we have some pretty lofty goals over the next five years of where we want to be and how we want to service this industry. So we are embedded here for a while. And we don't plan to go anywhere. 

We want to be one of the best fit providers and one of the largest providers for the managed services industry when it comes to security and AI. And we're going to make a lot of investments to do that. All right. 

Well, you're saying all the right stuff. And for people that want to find out more information, you can obviously head to Check Point.com. It's pretty simple there. Talk to an expert and check out the platform and look at... Now, first of all, going to the website, there's a lot of stuff. 

If you put products, if you click on that, you've got network products, SASE products, cloud, workspace, security operations. Where should an MSP go first? I would suggest going to... There's an MSP section of the website or MSSP section of the website. I'd suggest going there first.

So even if you just Google Check Point MSSP, go there first. That comes directly through to my team. You can jump in. 

My team are all specific to MSP. We've got a very, very large team that dedicated just to MSPs and MSSP. So we'll be able to help you out and not just look at showing you the products but try and understand how you want to go to market and how we can support you in that. 

And if you've got a little bit more of a personal touch, hit me up on LinkedIn. I'm always happy to chat to partners. All right. 

And I will have his information in the show notes, folks, so you can reach out. David, good to see you. Sorry, we couldn't meet at the conference, but I like this better.

I appreciate you taking the time out. It's been great and I appreciate your time. All right. 

And we will see you in Salt Lake City next year for PAX 8 Beyond. By then, I think you will have probably had the run of the town. You'll know all the places to go. 

So people are going to be hitting you up with, hey, where should we go to dinner? Right? Yeah. You want to talk dinner, hikes? Hit me up. I'm happy to give my recommendations.

Okay, great. All right, folks, there you go. David Meister, Global Head of MSP at Check Point, and check him out clicking the links in the show note or heading to Check Point.com. That's going to do it, folks, for this episode. 

Thank you, David, for joining me. And that's a wrap, folks. We'll see you soon. 

Until next time, holla.