Monthly Archives: June 2013

PAN and ‘The Pepsi Challenge’

I think I have figured something out that has been bugging me for quite a while now.  We have all seen products, especially if we’re techies, which develop this cult type following.  I always find it interesting and of course am sometimes directly a part of it.  Yes, I was a preorder for TiVo back in the day and as a DirecTV customer suffered for years between their partnership split and DirecTV’s DVR improvements that took what seemed like and was nearly a decade to equal.  When I moved to London England for a few years in the mid 2000’s, the only thing I missed more than a real American hamburger was my TiVo.  Little did I know at that time that when I did come home the nightmare that was the Sky+ DVR interface would follow me.  I’m still a little peeved at Mr. Murdoch for that twist of fate.

But the real fascination for me is the products that gain this following but you can’t really pin down why exactly.  I could name plenty but I don’t want to draw any undue lines between them and the current topic of my fascination.  And then there is the fact that these are mostly fad products so most won’t remember them anyway.  So if the product is truly great, I get it.  But what if it’s not?

So onto my latest cult of product fascination, Palo Alto Networks.  This time, I am not actually a part of the cult as I was so passionately with TiVo.  Now I am kind of an observer.  In full disclosure, I am a Security Engineer with Check Point Software, a competitor to PAN.  So I am certainly somewhat directly involved in this one just from another angle.

Before I really get into what I think I have figured out, I do want to briefly set the stage a bit.  Yes, I work for Check Point but that doesn’t mean I think our competitors are all horrible and that all we do is perfect or always great.  Obviously I do believe in our products and vision that drives them but I don’t believe in them because I work for Check Point, I work for Check Point because I believe in them.  There is a big difference between those.

My background is mainly in IT Management, so most of my experience in years with Check Point was as a customer.  I left my last IT Management position in 2007 where I was the head of IT at a global engineering firm.  It was a fantastic job that I truly loved but unfortunately I had to leave for two reasons.  One, I just didn’t want to live in Southeast Texas anymore.  Love you Texans!!  Honestly I do, but it was the heat that I just couldn’t handle anymore.  Two, I was losing my technical edge and getting way too good at spreadsheets, gantt charts and budgeting.  I am not saying one is worth more than the other and there are plenty of aspects of IT Management I miss but for me, losing my technical edge was very unsettling.

So from there I went to work for the company that managed my networking and security at the engineering firm and moved to a more acceptable climate.  One of our biggest vendors was Check Point.  I did pre-sales consulting and also started a training division where we eventually offered Check Point training in 22 cities across the country.  It was there that I first heard of Palo Alto Networks.  Like a lot of people in 2007-2008 it certainly sounded intriguing to me.  We even considered taking them on as a vendor at one point.  In fact, it was around 2008-2009 that I went to RSA at the Moscone Center in San Francisco and I got my first live demo of the product.

So there I am in the Palo Alto booth getting my first demo from Nir Zuk himself.  Just me and Mr. Zuk, with a few people watching a bit in and out, going through the capabilities.  After about a half hour or so, I left feeling fairly befuddled as the message was very perplexing.  I was really interested in how the product was secure without stateful inspection, as their motto is “stateful inspection is dead.”  But the general message was Check Point sucks and PAN’s capabilities were more the pepper sprinkled on top of that general theme.

OK, fine, I am here in the booth and this is clearly a smart dude who is telling me all I know is wrong.  Now, I was all ears for something different but we did over 3 million a year in Check Point.   I won’t name our customers at the time but let’s just say that they did everything from nuclear power to space exploration.  And of our customer list, which was honestly fairly impressive, they were all pretty happy.  So I am trying to go along here but with the meat of the message being Check Point sucks, contrary to all my experience as a customer and then partner, it was… well… distracting.

The answer I really needed and never got was how was PAN secure without stateful inspection.  I am thinking that if anyone was supposed to know and be able to answer it was this guy, right?  I did hear a lot about how well it performed.  That was the big advantage, past I assume not sucking.  That’s all well and good but I need something quite a bit more if I am going to even suggest it at a nuclear facility or customer that puts things in space.  Of course I got the App-ID pitch but I wasn’t seeing it.  At the time, I just assumed I didn’t know enough to understand how it worked but I had concerns.

So in 2010 my company gets acquired by a larger re-seller that, guess what??, wants me to move back to Southeast Texas.  So I didn’t have to leave but I certainly didn’t want to go back to Texas.  I wanted to go to a company that I could stay with awhile, or should I dare, maybe the rest of my career.  Is that too much to desire nowadays??  So I had a very short list of companies that I knew I believed in most, if not all, of what they did.  Yada yada yada, I went to work for Check Point.

So over the years since there has been this following that seems to be buying this message that the world is upside down everywhere except this one vendor that has figured it all out.  Personally, I have experienced it in sales situations.  So as an SE at Check Point, am I getting clobbered by this fascinating new company with this futurist technology?  No… actually, it has mostly been a positive thing.  I personally haven’t lost a single customer to them and early on they really helped me.  I have lost a few deals to them but they weren’t Check Point customers, they were new opportunities.  But even that has only been a couple and they were all fairly small.  I have had current customers buy them here and there but none that I know of actually displace us, but they have kicked the tires.  Surely it has happened some out of my area but if you look at the overall revenue it is obvious they aren’t stealing our customers on any significant scale if much at all.

So how was it a positive impact early on?  Well, they did a really good job educating people on UTM or Next Generation firewalling.  It didn’t bother me to hear a customer had been talking to PAN, well maybe at first, but it didn’t take long to see that they just made my job easier.  After that, it was more annoying.  The customer was educated but I had to undo the rotten fodder they had been fed.  Now, I look forward to it because I’ve got their number.

So what about the deals I did lose?  I am in sales; of course I’m not going to win every deal.  It wasn’t losing the deals that was the problem, it was why I lost.  I really had a hard time with the answers.  One was, “we like your management, logging and reporting better but we just think that PAN is a better fit for us now.  But if we grow we will certainly be talking again.”  Really?  You like our management, logging and reporting better, oh and apparently you’re worried about their ability to scale but they’re a better fit?  Another one was, “We really like your product but we just want to go with something new and innovative.”  Better, I guess but still, really?  I was left to guess that being secure didn’t make the shortlist.

These deals were fairly far apart and not really big so they certainly didn’t keep me up at night but then again they kind of did.  I want to quantify a loss.  I want to know why I failed.  I want good data to take up the chain about a missing feature or an area for improvement.  What is my take away here?  What are my lessons learned?  Why did they win?  What is it about this product that makes them buy it but not be able to explain exactly why?  What is it about PAN that sometimes tastes so good at first?  And, it is at first.  Enough time has passed now that we are hitting the first refresh cycles of the early adopters.  Not surprisingly and very much unlike TiVo customers, they aren’t so cultish anymore, sometimes quite the contrary.

Well, I think I have figured it out.  I want to start, if I can ‘start’ this far in, with the following blog posts; they are quite good and validated some of my thoughts.

PAN’s technology is OK, but nothing really special and as we know from, and it also has some fairly serious architectural flaws.

So why does PAN taste good?  And don’t mistake it, it does taste good.  Their sweet nectar is a combination of several things I believe which on the surface are all fairly obvious.

One, as we all know, Marketing Marketing Marketing, as mentioned better than I can in one of the blogs above.  Their marketing is so effective, they got Gartner to create a category Check Point actually coined years ago and Gartner already had called UTM.  Remember Check Point NG and NGX back in the day, the NG stood for the same thing PAN magically reinvented years later.  We called it Next Gen a decade ago, the industry decided it was UTM, PAN reinvented it as NextGen again.  But why is their marketing so good, is it really ‘good’?  Is theirs that good and Check Point’s that bad?  I think no and no; unlike most companies I’ve ever dealt with, PAN seems to have no problem just lying.  Or at minimum stretching reality beyond what a reasonable person would consider truth.  If you remove the requirement to be truthful, marketing is easy.

Two, demo equipment, they’ve got it and they aren’t afraid to drop ship it anywhere anytime.  Check Point is trying to improve our processes as it has been weak in this area but the way we are doing it I truly think is much better.  Throwing boxes at anyone and everyone doesn’t work for us, it just doesn’t.  That being said, the fact remains that from the new customer perspective, PAN has got the gear and they are making it rain.

Third, they have a Web Based UI.  Like number two, Check Point has a far superior approach but PAN’s WebUI sips very sweet as a first impression.  Outlook Web Access is great until you actually try to live with it every day.  But, OWA demos great.

Lastly, PAN has honed their approach in combination with the above.  They are using their marketing to make the customer think they are getting something NO ONE else offers.  Even down to the ‘Virtual Wire Mode’ during their demo, it tastes different and to a Cisco type customer it seems very easy and highly visible and takes little effort.

So if you are interested in PAN, this is typically what happens, I think: a demo box is drop shipped to you.  Typically, this is a smaller box than possibly needed as it is going in ‘Virtual Wire Mode’ so the requirement is lower.  PAN does do very well in this mode; their performance issues come into play from basic inline functions like NATing.  A smaller PAN box in Virtual Wire Mode can handle much more than it will once placed inline.  If it is a smaller opportunity they tend to send instructions and have the customer do everything, which is fairly simple; larger ones get an SE or remote help/partner.

From the new prospect perspective, you get a new box, plug it in in a matter of minutes and go to its WebUI to see all this visibility you have never seen, assuming you’re a Cisco/Juniper type customer.  Very simple… very clean… tastes very sweet.

In contrast, you look at Check Point, if that even happens.  Check Point has more complications around getting the demo gear, they likely hear the distress in the SE’s voice when the need for gear arises, then the need to install a Windows based GUI adds more complexity and we don’t wrap these ‘challenges’ in a neat bow of gimmicky marketing.  It is a simple fact, we don’t taste as sweet… on the first sip, this is VERY important to realize.  The first sip is where it all begins and in some cases most unfortunately ends.

I think what is happening is that PAN is winning ‘the Pepsi Challenge’.  The first sip is sweet and most people really like it.  But if they truly test, do they want the whole can?  I think the answer to this is a big no in most cases.

Just for a little history, Coca-Cola was so affected by their loss in ‘the Pepsi Challenge’ they actually changed their formula in 1985 with New Coke. It was a total commercial flop of rarely seen proportions.  In a matter of just a few months, the original formula was brought back as Coca-Cola Classic.

Coca-Cola, arguably one of the greatest marketing companies in the history of the world, was burned by simply not understanding their own product and why people liked it.  If it can happen to Coke, it can happen to ANYONE.

Malcolm Gladwell in Blink points out how Pepsi won ‘the Pepsi Challenge’.  Simply put, people prefer sweeter drinks when they are only taking a sip.  But, this is the big one, they prefer less sweet drinks if they have to drink the whole can.  Coke missed this in one of the largest commercial blunders of all time.  Blink’s subtitle is ‘The Power of Thinking Without Thinking’.  This is the ideal customer PAN is looking for in their quest, and they are finding them.  They want them to take a little sweet sip and then quickly commit to the whole can or even a case.  They remind me of the elixir sales in the past.

It is very easy for us to assume Check Point needs to beat them at their own game.  Let’s improve our sales ops so we too can drop a box on a dime, let’s hone our processes so that we taste just as sweet.  I’m not saying doing some of this is a bad idea.  But honestly, our sales ops has greatly improved and is potentially approaching acceptable levels.  Our 3D Report is very quick, I average 10-15 minutes per install, and generally it tastes pretty sweet.  But I think we need to focus on why our ‘classic formula’ is superior and will remain so.  In contrast to their elixir sales we need to emphasize the value in the double-blind study approach.

When going against PAN, we have to sell our philosophy, the whole can.  Coke forgot this…  Their number one mistake was painfully simple.  They forgot that they don’t sell soda in sips; they sell it in cans, big gulps and cases.  We have all the info.  It is everything we know, like Coke knew their soda formula was good and popular for 100 years.  It is the 3D approach, our Management, Logging and Reporting.  It is our holistic approach.  It is all of these things that we know and have been likely doing, so what’s the problem when we lose against PAN?

We aren’t making people drink a whole can, or if we do we might be unintentionally forcing it down their throat.  If we try and force it, they can feel overwhelmed.  When overwhelmed, positives can become negatives.  Take the following example:

Customer asks, where can I see Anti-Bot activity?  That’s easy…  You can see an overview in SMART Dashboard, detailed logging in SMART View Tracker, you can more easily search those logs in SMART Log and you can get a great high-level picture in SMART Event.  Then look at the pieces involved.  In a ‘proper’ install most SEs will recommend, there is a gateway, likely a cluster, a manager, a SMART Event box and a GUI Install.  This is a lot of steps.  We recommend this multi-tiered architecture because it is much better to live with.  We show them all these tools because they’re great and we feel it’s our job to educate them on all the potential and power of the product.  When you live with it, you are drinking the whole can, so through our excitement we want them to chug it down as we know how much they’ll enjoy living with it.  But early on, they only want to sip it.

So how do we keep our superior approach but also make it taste sweeter?  We can’t, won’t and don’t want to emulate PAN’s approach.  Our approach, architecture and tools are simply better.  It is what makes them better that also tends to make them overwhelming when someone unfamiliar with them takes only a sip.

So in my opinion, we can improve our tactics.  When setting up a PoC, especially for a Cisco/Juniper type customer that is new to Check Point, every IP we ask for, every U in their rack, every minute it takes matters.  They are judging us from the first moment and making future assumptions.  Ask for too much more, take too much longer and from the first sip we are not so sweet.  It might not be our fault, but it is our problem.

But strategically we double down.  Stateful Inspection is dead???  Tell that to a PCI auditor.  How do you virtualize ASIC processors?  Do they have a comprehensive and holistic approach to security and a variety of products that match this strategy?  The list goes on and on…

The reason to attack at a strategic level is because that is what they are doing to us.  They attack us where they know they are weak, classic negative campaigning.  If PAN has been in before Check Point, that is exactly what they are doing.  They aren’t attacking our technology anymore, they are attacking our philosophy.  They change the subject away from price/performance as they know it is a loser for them.   We then come in, and either don’t attack because we want to take the high road, which I do respect, or we simply point out technical weaknesses and talk price/performance.  From the customer perspective, it took them one appliance and 10 minutes to set up with a single management tool and no install.  We came in with several appliances possibly, 6 or 7 seemingly different but same management tools installed on Windows and took half a day.  Price/performance isn’t their main concern anymore; PAN actually seems easier to live with than us if you can believe that.

Check Point simply needs to shorten the time and install in a way that doesn’t overwhelm prospects or customers.  Then we have to attack their strategy by promoting ours, which is counter to everything PAN has told them.  If we promote why we will never leave stateful inspection, why we are using CISC level processors and ASIC on higher-end appliances for encryption where it makes sense, then they will generally choose Check Point.