Nir Zuk’s Palo Alto Networks Is Blowing Up Internet Security8 min read
“They don’t like me,” says Nir Zuk of his old bosses. As one of the earliest employees at Check Point Software Technologies in the 1990s he wrote parts of the world’s first commercial firewall. He later built essential chunks of the firewall sold by Juniper Networks. But at both companies, Zuk (pronounced “zook”) ended up quitting in a huff–and, in one case, walking away from millions of dollars in unvested stock options. Why? The Israeli engineer felt his best ideas were being blocked by incompetence and office politics. All he ever wanted, he insists, was to build new things.
Zuk’s revenge is Palo Alto Networks, which sells the first new class of firewall in 11 years. The company successfully IPOed in July 2012, bringing in $260 million. Its products are crushing the competition. Palo Alto has only 4% of the $10 billion network security market, but it’s rapidly gaining share. In the most recent quarter its revenue was up 70% to $96 million, an increase of $40 million, equal to the entire revenue gain for all other firewall companies. Check Point, which has 15% of the market, grew by $12 million, up only 3%.
With a chip on his shoulder the size of Mount Sinai, Zuk never misses an opportunity to poke fun. He pulls out his iPhone and shows me a photo of a Palo Alto billboard just outside of Check Point’s offices in Tel Aviv. In Hebrew, it reads: “You just passed Check Point. So have we. Palo Alto Networks.” At a March investor conference in New York, Zuk led a live demonstration to prove the speed and ease of updating his firewall. While Palo Alto’s product took five seconds to update, Zuk was able to brew and drink a double espresso in the time it took to update Check Point’s. The rivalry goes deeper than stunts. Palo Alto’s board has two major defectors: Shlomo Kramer, a Check Point cofounder, and Asheem Chandna, a former Check Point vice president who bankrolled Palo Alto as a partner at venture capital firm Greylock.
The firewall battle has never been more relevant. The past few years have brought an acceleration in the number and sophistication of cyberattacks. In 2011 a U.S. government report accused China and Russia of trying to build their economies on stolen intellectual property. The job of protecting a network has grown more complicated as employees increasingly demand to use their iPads and smartphones at work, and clamor for external Web applications like Dropbox, Skype, Google Docs and Salesforce. These devices and apps are common entry points for hackers and thieves. Quantifying the IP and research losses from cyber-raids is difficult, but the damage could be as high as $400 billion annually. Attacks come from the inside, too. At Valspar an employee downloaded paint formulas that he planned to take to China. That theft was valued at $20 million, one-eighth of Valspar’s annual profit.
Firewalls are designed to keep this sort of thing from happening. They prevent malware from getting into a network, and they prevent sensitive data from getting out. The problem is that traditional firewall software, like the kind sold by Check Point, Juniper and Cisco, relies on something called stateful inspection. Stateful inspection specifies the kinds of data packets it will accept or drop. Everything is either “good” or “bad.”
This presents a tough choice to the many firms that have become dependent on Web apps. Stateful inspection offers only two options: Block the apps to mitigate risk exposure, or let them in and hope for the best.
Palo Alto’s next-generation firewall cuts through the impasse. It can parse all the components of a Web application like Facebook to selectively allow, for instance, the reading of News Feeds while blocking Chat and Games features . Employees can read Twitter feeds but not tweet; they can share Dropbox documents without worrying about attached malware. Conversations between IT security and other departments no longer have to begin and end with “No.” “Our competitors agree on the problem,” Zuk says. “They agree that Dropbox is dangerous. Their solution to Dropbox being dangerous is to block Dropbox. Our solution is to make Dropbox safe.”
Palo Alto, founded in 2005, now has 11,000 customers, including 500 among the Global 2000. More than 60% of its customers use Palo Alto as its primary firewall, a portion that climbs to 75% if you count only customers signed up since August. Independent analysts confirm Zuk’s claim of being out in front. “All their competitors are stuck in a rut, and they tend to drop their pants,” Forrester Research analyst John Kindervag says. “They are several years away from catching up. Some are bringing next-generation firewalls to market. Some are good. Some are more marketing than reality. They discount significantly.”
How’s all this sitting with Check Point, the Israeli firm whose billionaire cofounders, Gil Shwed and Marius Nacht, invented the original commercial firewall? Check Point declined to comment for this story, but when FORBES talked with Shwed in November, he avoided mentioning both Zuk and Palo Alto by name: “I think it’s sad that good people try and do things like that. This person was a disgruntled employee from Check Point–a very smart guy, I’m not trying to take that away,” he continued. “They’ve got good things, too. I like to think that we have much, much better things, much better technology.”
There was a time when Zuk and Shwed were brothers-in-arms. Three years Zuk’s elder, Shwed began his required service in the Israeli Defense Forces in 1986. He entered into Unit 8200, an elite electronic intelligence arm, at age 18. It was there that he built the world’s first packet-filtering device that screened traffic based on Internet Protocol address.
Zuk was a natural for Unit 8200. He learned to read and write before entering school. He got his first pair of glasses in the third grade after years of fooling school nurses by memorizing the vision chart. In the sixth grade he became chess champion of Israel’s eighth-grade-and-under division. Zuk begged his parents to get him a Dragon 64 computer for his bar mitzvah. He went on to create some of the world’s first computer viruses. “Just for fun,” he insists.
He joined Shwed’s unit in 1990. They worked together closely for a year, until Shwed’s time was up. Shwed went off and founded Check Point in 1993 with fellow military men Shlomo Kramer and Marius Nacht. Zuk served in the IDF through 1994, spending an extra year in officer training, and started overseeing a small group of engineers. He realized he didn’t like managing people. He was recruited by Check Point and helped build its flagship product, Firewall-1.
Possessing the best English skills on the engineering team, Zuk moved to California in 1997 to run Check Point’s new-product staff. He bought a house with his wife in Redwood City and enjoyed the autonomy of his new role. He was especially excited about new software his team created that would eliminate network congestion. But when the project was done he learned that the Israeli engineers were disgruntled because the American team was producing new products while they maintained old ones. His new product was killed off. Nacht told Zuk to return to Israel. “I had just bought a house,” he says. ” ‘Are you crazy?’ I was like, ‘I get it. Adios.’ ” He left Check Point in March 1999.
Zuk went on to start OneSecure, the first intrusion-detection and prevention outfit. After two quarters’ sales the tech bubble burst, and the company was sold over Zuk’s objections to Netscreen for $40 million in 2002. “ They didn’t have the stones to keep supporting the company,” he says.
When Juniper Networks bought Netscreen in 2004 for $4 billion, Zuk was eager to lead the effort to completely revise its firewall . But he says his requests were ignored. “They were focused on cutting costs and moving engineering to China and India,” he says. He left the company and gave up 300,000 unvested shares worth about $6 million, in early 2005.
Zuk’s life took a turn south after Juniper. His ten-year marriage dissolved along with the small fortune he had cobbled together from stints at four different companies. He moved into a small apartment in Mountain View, on the periphery of Palo Alto. He faced the unenviable task of starting his life over at the age of 35.
Rescue came in the form of a phone call from Chandna, who had left Check Point two years earlier to become a partner at Greylock. Chandna had been following Zuk’s career all the way to its sad slump. “Check Point had an exceptional engineering team,” Chandna says. “But Nir was by far the brightest. He’s arguably the most accomplished individual in network security on the planet.”
Chandna and Zuk started hashing out a security idea that would be “dominant, lasting, with multibillion-dollar revenues,” Chandna says. Greylock and Sequoia Capital gave Zuk $250,000 to come up with the product. Working out of offices at Greylock and Sequoia, he came back with the next-generation firewall.
The next year the two VC firms put up $9 million more. Another $400,000 came from Zuk, Check Point cofounder Kramer and others. “If I screw up on Palo Alto there is no family, no money, no nothing,” he remembers. “I will stay in that crappy apartment in Mountain View for the rest of my life.”
Palo Alto got its firewall to market quickly by drawing on kibbutz-style redistributionism. Zuk significantly diluted his equity to 5% so early hires could have a healthy stake in the company. “There’s no justification for a founder getting to an IPO with 25% of the company,” Zuk says. “The Greylock and Sequoia partners said it would come out of my share. I said that is fine.” That decision cost him. His 4.7% ownership is worth roughly $180 million today. He’d be a billionaire if he had kept a more standard 25%.
In August 2011 the board brought in Mark McLaughlin, an executive at security firm Verisign, to be its Wall Street-friendly CEO. Zuk, now chief technology officer, doesn’t manage anyone and acts as the firewall against bureaucracy. Even though the firm is adding 100 employees per quarter, Zuk refuses to hire project managers. “They don’t produce anything,” he says. “All they do is coordinate. The people who do the work should coordinate.” It’s nice to know that success hasn’t changed Zuk one bit.
[This story appears in the April 15, 2013 issue of Forbes]