Check Point has been an innovative thought leader in the security space since its founding. The company differentiates itself on technical sophistication, broad heterogeneous interoperability and strong global technical support. Check Point develops, markets and supports Internet security solutions for enterprise and high-end networks, service providers, small and medium-sized businesses and consumers. More recently Check Point has extended its strategy to offer a broader portfolio of security products and to simplify the deployment and operation of its security products. Check Point’s new mantra is the following: provide more security, better security and simple security. The strategy has paid off in steady growth across its entire portfolio in the last few quarters and a part of that growth is fueled by an increasing number of larger deals, suggesting that Check Point is seeing traction among larger enterprises.

The company fields a growing array of threat gateways, content security, integrated client software, NAC, data protection and security management products, which operate on a variety of form factors. In 2009 the company launched its software blade architecture with the R70 release of its software. The architecture allows customers to buy security applications or “blades” in different bundles to meet their specific requirements. The blades are modular, interoperable and can be centrally managed. The company continues to expand the range of blades available to customers, and to date offers over 31 different blades that provide AV, IPS, firewall, VPN and more. The latest blade, launched at the end of August 2010, provides a virtual gateway based on VMware’s VMsafe APIs that provides firewall, VPN and IPS functionality to protect inter-VM traffic. In 2009 Check Point acquired the Nokia security hardware business, which was almost exclusively devoted to running Check Point software. Since the close of the acquisition, Check Point has seen better than expected growth from those appliances. In the spring of 2010 Check Point also entered the DLP market with a gateway product designed to reduce the biggest barriers to broader adoption of DLP: the complexity and high TCO of DLP deployments.

To build awareness of its products Check Point uses a variety of methods to reach potential buyers, including telemarketing, seminars hosted in cities around the globe, print and online advertising, search optimization and participating in trade shows. Check Point also relies heavily on offering free limited time software evaluation licenses. Check Point relies heavily on its strong Firewall-1 and VPN-1 brands to create pull through for other products in its software blade library, introduced in 2009. Although the company has some 520 employees dedicated to sales and marketing, it relies on a lean marketing budget relative to its size and market presence, and it emphasizes cooperative marketing with its channel partners.

Check Point sells its products entirely through an impressive list of indirect channel partners that include over 2200 distributors, OEMs, resellers, MSSPs, ISPs and telcos. Check Point products are sold in 88 countries. Check Point upgraded its channel program a couple of years ago from a flat to a multi-tiered structure. The program, called PureAdvantage Partner Program, has seen subsequent improvements, which emphasize partner education, making it easier for partners to sell Check Point’s products, and selling more of Check Point’s expanding security portfolio. The effort seems to be paying dividends. Check Point claims it has added 400 new channel partners in the last year, and with its expanded line of appliances (including the Nokia IP appliances) has increased margins for channel partners. Check Point in recent years has regularly received high marks for its channel efforts from channel focused publications. Customers have the option to get technical support directly from Check Point, or they can turn to channel partners for installation, training, maintenance and tech support. Check Point provides 24 x 7 support from technical assistance centers located in the U.S., Israel, Japan and Canada. Check Point has 284 employees dedicated to customer service and support.

Check Point maintains a highly successful technology partnership and interoperability program, dubbed OPSEC, which has more than 350 members whose products Check Point has certified as interoperable with its own. Check Point also maintains strategic relationships with numerous hardware vendors to ensure that its software is integrated with leading hardware platforms. These partners include Crossbeam Systems, Dell, Hewlett-Packard, IBM, Siemens AG, Sun Microsystems and the former Nortel. Check Point also maintains a partnership with Sandisk, and more recently it struck a partnership with Riverbed to allow Check Point software blades to operate on Riverbed’s Services Platform, which allows third-party applications to run on its line of WAN optimization appliances.

We are taking a moderate stance on Check Point Software Technologies as a provider of threat gateways, data security, enterprise security and integrated client security, because the company has demonstrated reasonable growth across its entire portfolio. Check Point has maintained a tight focus on meeting customer requirements through both internally developed and acquired security products. Check Point’s appliance business, bolstered through the 2009 acquisition of Nokia, has contributed to Check Point’s steady growth. On the software side, Check Point’s acquisition of FaceTime Communications’ Web 2.0 applications database should help the company to capitalize on enterprise customers’ growing concern over the threat posed by employee use of Web 2.0 applications, which have become a big target for malware creators. But the first product to exploit that database was only recently launched, and only time will tell whether Check Point is successful with that offering.

There are a few concerns, however. The re-architecting of Check Point’s product line with its R 70 software release, which resulted in a growing library of interoperable security software blades that can all be centrally managed, was a bit of a risky bet that the market would respond favorably to a mix-and-match approach to building out a security infrastructure. It requires a significant upgrade for existing customers to the new release, and customers are slowly migrating to that release. In addition, Check Point has taken a rather short term, tactical approach to mobile security with its Abra encrypted USB stick, which does not protect Linux or Mac endpoints. And with the acquisition of the Nokia security hardware appliances, Check Point now maintains three separate hardware lines, which is expensive for Check Point to maintain and is potentially confusing for customers and channel partners.

• Check Point has done an admirable job of building on its strong base of IPSec VPN and firewall business into new functional areas through a combination of acquisition, internal development and partnerships. At the same time it is exploiting its strong network security brand to build share in other security segments by leading with its new software blade architecture. That architecture delivers greater flexibility and choice for customers and lowers the barrier to adoption by making it initially at least less expensive while offering centralized management to lower operating overhead.

• Check Point’s expanding product portfolio, along with its efforts to help channel partners sell a broader range of its products, has led to a steadily increasing number of larger deal sizes. In Q2 2010, for example, Check Point signed deals worth over $1 million with 25 customers – four more than the same quarter a year earlier. With a better range of security offerings and performance options based on different appliance platforms, Check Point is seeing good growth among large enterprises. Its expanded portfolio allows it to better serve those enterprises as they seek to consolidate the number of security vendors in play.

• Check Point in August 2010 announced its Application Control software blade, which is based on the FaceTime Communications application database it acquired in late 2009.The database, which Check Point continues to expand, offers the most comprehensive application classification and signature database in the market, with over 4,500 Internet applications and 50,000 Web 2.0 widgets. The product comes at a critical time in the market, as enterprises grapple with the issue of enabling Web 2.0 usage for business aims, while protecting enterprise assets from attacks that target those less-than-secure Internet applications.

• Check Point has seen significant traction with its security appliance business – especially the Nokia line of appliances it acquired in 2009. The portfolio, which includes the Power-1, IP and UTM-1 line of appliances, was bolstered last year with a line of Nokia-based appliances that run Check Point’s security blades, a new Intel Xeon 5500 processor-based appliance that boosts firewall performance to 25 Gbps and IPS performance to 15 Gbps, and two new UTM-1 appliances that combine firewall, virtual private network (VPN), IPS, SSL VPN, antivirus, anti-spyware, Web filtering, Web security and anti-spam under common management.

• Check Point recently became only the second major security vendor to deliver more integrated security for virtual server environments by releasing its new Security Gateway Virtual Edition, which supports the VMsafe APIs. That gives it the opportunity to become a thought leader in helping enterprises to secure their VMware vSphere environments through its combination of firewall, VPN and IPS functionality for securing inter-VM traffic.

• Check Point has a unique and potentially compelling approach to involving end users in the decision making with the UserCheck feature in its new DLP offering. When a user attempts to perform an action that potentially violates corporate policies, the system automatically asks the user whether they actually intended to violate that policy. That tells the user they are being watched, and it helps to eliminate false positives by teasing out what should be exceptions through actual usage. That capability is unique, and could result in a much tighter DLP solution that is less operationally intensive.

• CheckPoint was late to market with its own internally developed DLP product when it launched its CheckPoint DLP gateway. While the new gateway addresses the complexity issue that has held back wider adoption of DLP technology, it is coming from a vendor that has no visibility in the market. Check Point is not an aggressive marketer, and that will work against it as it tries to build awareness of the product. At the same time, it is missing an end point DLP capability, although that is in the works. Check Point hopes to create a new category of DLP with its simplified and end-user involved product, but it has little inclination to put much marketing muscle behind that effort.

• The effort to consolidate the number of vendors – security in particular – on the part of larger enterprises benefits Check Point rivals such as Cisco Systems, McAfee, Symantec and Juniper to a greater extent than it aids Check Point. Those vendors can put together large, cross-function deals with such customers, leaving Check Point without a place at the table. While Check Point now has a much broader portfolio, it’s reliance on its network security brand does not help to improve market awareness of its data security and application control products.

• Check Point is putting considerable resources behind its integrated security client, but today it remains a very small player in the market segment and faces a serious challenge in gaining market share among buyers it has not traditionally served. Check Point was late to market with an integrated client security offering and has not seen the kind of growth it had hoped for with the client. The company has added an overlay, dedicated sales force focused on the endpoint product and has created some differentiation with encryption and its new browser virtualization feature, but that has not helped to boost sales of the consolidated client.

• Check Point now maintains three separate hardware appliance product families, which is expensive to maintain and which can potentially confuse prospects and channel partners. Although the acquisition of Nokia’s security appliances has paid good dividends to Check Point, it may eventually have to rationalize those separate lines, especially given the different operating systems used in those products.

• Check Point’s network access control story is fairly limited. The company focuses chiefly on leveraging its VPN technologies to deliver a solution for remote access control. The product is stronger than the company’s market presence would suggest, however. The company has not done a good a job as it might have in promoting its capabilities in this market.

• Check Point has taken a very tactical approach to addressing mobile security in its new Abra secure USB, based on its partnership with Sandisk. The offering is limited to Wintel endpoints, ignoring Linux and Mac endpoints. It’s likely that the total cost of ownership of the solution, which prices the USBs at either $120 or $210 for a 4GB or 8GB encrypted USB, could also make it an expensive offering to implement.

• Just because Check Point built a simpler to deploy and operate DLP product that involves the user in decision making does not mean the market will come to its new DLP “category.” Creating a new market segment requires a greater marketing effort than Check Point has historically been inclined to execute. Educating channel partners on the benefits of its approach is not enough. Check Point has to create pull for its approach to work, and that requires creating awareness of its differentiated approach.

• Check Point should build on its lead over rivals in addressing hypervisor level protection for virtual server environments by extending security to other leading hypervisors – especially Citrix – because Citrix is further along the development chain in enabling tighter security integration with its XenServer as well as XenClient. Microsoft’s HyperV is also important, although it offers little in the way of APIs. At the same time, it can position itself as a thought leader among large security providers, given its lead in addressing that nascent market over rivals such as Symantec and McAfee.

• As Check Point gains traction among its customer base with the new blade architecture, it should build out a stable of reference customers as well case studies that document the reduction in TCO that actual customers experience as a result of the integrated blade architecture. Check Point tends to rely on customer surveys, but concrete examples will make a better case for prospects looking to consolidate their security toolset.

• As Check Point competes with Cisco for endpoint security, it should cast doubts about Cisco’s commitment to endpoint security, given its decision to end-of-life the Cisco Security Agent. At the same time, Check Point should aggressively seek to convert Cisco’s CSA customers over to its relatively new integrated client security offering.

• Check Point has delivered a much better end to end security story over the last 18 months, but it’s not clear that the company is communicating its new value proposition and positioning very accurately. Insuring that its marketing messages are clear and communicated accurately should be job one for Check Point as it seeks to build market share.

• While Check Point appears to be gaining traction in large enterprises, it’s not clear how well its mid-market efforts are paying off. Its new software blade architecture is aimed at altering the perception that Check Point carries a higher price tag than competitors, but rivals can paint the new, more flexible options as confusing and potentially difficult to configure.

• Cisco, TippingPoint, Sourcefire and other IPS rivals should not take Check Point for granted in the market. Although it has not been a significant threat in the market, the company is trying to seed the market with its revamped IPS by offering it for free with upgrades to its R70 software release. Check Point puts a lot of stock in the new IPS, and although it’s too soon to tell, once the free period is up for the new IPS blade, Check Point believes customers will clamor to pay for it.

• Network access control competitors, such as Cisco, Microsoft and others, should deride Check Point’s Total Access Protection initiative as simply a loose collection of existing Check Point products, stitched together to provide rudimentary network access control capabilities.

• Integrated client security vendors such as Symantec and McAfee should characterize Check Point’s Endpoint Security product as a fragmented product that is not well integrated, does not yet offer complete centralized management, and provides limited reporting.

• Customers should feel confident that their technology investments in Check Point products are secure. The company remains a thought leader in the security market and continues to invest heavily in product development. The company, in fact, views itself as a product company. Customers looking to create an overall security architecture that spans multiple touch points should question Check Point on its security architecture.

• Customers should consider Check Point as a provider of security products outside of its traditional expertise in the firewall and VPN markets. Check Point has a broad set of products that provide strong endpoint security and IDS/IPS capabilities.

• Enterprises that have stayed away from DLP technologies because of their complexity and long deployment times should evaluate Check Point’s new offering. It holds some promise to bring DLP within reach of enterprises that could not afford an expensive DLP project, and offers unique end user involvement that can go a long way towards simplifying policy creation and reducing operational overhead.

• Although Check Point maintains it intends to continue to offer all of the hardware choices in its portfolio, it is expensive to maintain separate appliance lines with different operating systems. Customers should carefully question Check Point on how it intends to rationalize overlapping technologies between internally developed platforms and Nokia’s hardware platforms.

Recent News/PR [Apr 13, 2011] Zacks Investment Ideas feature highlights: Check Point Software Technologies, Oracle, Waters Corporation, and Netease [Apr 13, 2011] Zacks Investment Ideas feature highlights: Check Point Software Technologies, Oracle, Waters Corporation, and Netease 4 Stocks from the Most Profitable Sector Margin expansion has been a huge source of earnings growth as companies emerged from the recession lean and mean. However, the real driver of income growth came from expanding profit margins. (PRNewswire) More News/PR from YellowBrix...

Financial Summary Stock Symbol: CHKP Quarterly ($ mil) 1Q 03/2011 4Q 12/2010 3Q 09/2010 2Q 06/2010 1Q 03/2010 Sales 281.3 318.5 273.2 261.1 245.1 CGS 27.0 18.0 27.2 23.4 22.2 SG&A Exp. 72.5 79.9 69.9 74.6 68.1 Operating Income 254.2 300.5 246.0 237.7 222.9 Operating Margin 91.6% 91.7% 91.5% 91.9% 92.0% Net Income 122.1 137.4 114.5 102.9 98.0 Profit Margin 42.1% 41.2% 40.4% 39.7% 38.4% Worldwide, aggregate corporate financial data Content provided by YellowBrix More Financial and Stock Information from YellowBrix...