Security and Networking Blog

How SASE is Transforming the Manufacturing Industry

The manufacturing industry is constantly evolving. The revolution known as Industry 4.0 is introducing new technologies and innovations that are accelerating digitization and improving efficiency...

Demetris Booth

February 2, 2023

4m read

How SASE is Transforming the Manufacturing Industry The manufacturing industry is constantly evolving. The revolution known as Industry 4.0 is introducing new technologies and innovations that are accelerating digitization and improving efficiency and productivity. One of these new innovations technologies is SASE (Secure Access Service Edge). What is SASE? SASE is an enterprise networking and security category that converges network and security technologies into a single, cloud-native service. Converged functionalities include SD-WAN, Zero Trust Network Access (ZTNA), firewall-as-a-service (FWaaS), cloud-access security broker (CASB), DLP and secure web gateway (SWG). SASE reduces the risk of cybersecurity breaches and enables global access to applications and systems. It also provides enterprises and plants with the ability to remove the cost and overhead incurred when maintaining complex and fragmented infrastructure made of point solutions. As a result, SASE is gaining momentum across multiple industries, including manufacturing.  [boxlink link="https://catonetworks.easywebinar.live/registration-sase-value-and-promise-in-manufacturing"] SASE’s Value in Manufacturing | Go to Webinar [/boxlink] How Manufacturers Benefit from SASE Manufacturers can replace their legacy networking solutions, like MPLS, with SASE, to benefit from the capabilities SASE provides. Main benefits include: Global connectivity: SASE provides the ability to securely connect tens of thousands of employees across dozens of plants around the globe to SaaS and on-premises applications. SASE can connect any network: the internet, MPLS, cellular networks and more. Remote access: SASE supports the shift of workers to home offices by enabling a hybrid work environment. Cloud connectivity: SASE enables users to access any production applications that migrated from on-prem to the cloud, while still supporting on-premises infrastructure. Flexibility: SASE provides the infrastructure that enables producing innovative new products and reinventing outdated manufacturing processes. Speed and performance: SASE enables manufacturers to increase bandwidth. Some manufacturers have been able to achieve 3x their previous WAN bandwidth. Cost reduction: Some manufacturers have saved up to 30% annually by transitioning to SASE. In addition, SASE frees up employees to focus more on strategic projects that can benefit the business. Smooth transition: SASE can be deployed quickly which makes the process nearly hassle-free. Improved user experience and collaboration: SASE improves employee satisfaction and productivity by enhancing connectivity speed and performance. Enhanced security: SASE enables faster detection, identification, response and remediation of cybersecurity incidents. Spotlight: O-I Glass O-I Glass, an Ohio-based glass bottles manufacturer, deployed Cato’s SASE Cloud solution as a replacement to their previous MPLS solution. By transitioning to SASE, O-I Glass was able to provide faster, more secure and higher performing access to their 25,000 employees spread across 70 plants in 19 countries. SASE also supports their employees’ secure connectivity when they work from home. The transition itself took six months and the estimated cost savings are 20% to 30% compared to their previous solutions. By implementing SASE, O-I Glass was also able to deploy innovative methods for improving the manufacturing process. They introduced HoloLens, the Microsoft augmented reality/mixed reality system. These headsets are helping their engineers collaborate. When wearing them, engineers located in different continents can see what the other is seeing, without requiring trans-atlantic flights. Before SASE, their infrastructure could not support such use. In addition, SASE supports their future plans for a modular glass production line as well as plans for plant maintenance and training. To learn more about SASE and manufacturing, listen to the podcast episode “How to implement SASE in manufacturing: A discussion with PlayPower”.

The SSE RFP/RFI Template (or how to evaluate SSE Vendors)

Your SSE project is coming up. As an IT professional, you will soon need to organize the requirements for your enterprise’s security transformation journey. To...

Demetris Booth

January 31, 2023

3m read

The SSE RFP/RFI Template (or how to evaluate SSE Vendors) Your SSE project is coming up. As an IT professional, you will soon need to organize the requirements for your enterprise's security transformation journey. To assist with this task, we’ve created a complimentary RFP template for your use. This template will help you ensure your current and future security threats are addressed and that your key business objectives are met. The RFP template comprises four sections: Business and IT overview: Your business, project objectives, geographies, network resources, security stack, and more. Solution architecture: The architectural elements of the solution, how they operate, where they are situated, scaling abilities, failure resolution capabilities, and more. Solution capabilities: The functionalities provided by the solution. Support and services: The vendor’s support structure and available managed services. You can find the complete template, with more details and guidance, here. Please note, the template covers core SSE requirements alongside extended capabilities like FWaaS, NGAM, IPS and global private backbone. These additions will give you flexibility to expand into these projects in the future. So, let’s examine each one of these sections briefly. [boxlink link="https://www.catonetworks.com/resources/ensuring-success-with-sse-rfp-rfi-template/"] SEE RFI/RFP Made Easy | Get the Template [/boxlink] Business and IT Overview In this section, you will describe your company, including elements like your business and technical goals, other strategic IT projects you are managing, the project scope, your current security architecture and technologies, datacenters geographies, your cloud providers, and more. This section is intended to provide the vendor context about your business. Therefore, it is recommended to elaborate as much as you can. Solution Architecture This section allows the vendor to describe the solution’s architecture and how its services are delivered. In addition, you will get answers to questions about the solution’s architecture strategy. For example, what is their approach to consolidating security capabilities? How is high availability and resiliency provided? How easy is it to scale? These are a few of the many questions this section will help answer. Solution Capabilities This section requires the vendor to describe their SSE security capabilities. These include SWG, ZTNA CASB and DLP, and security management analytics and reporting. Additional requested information can include advanced threat prevention, threat detection and response, east-west security, policy management and enforcement, and non-web port traffic protection. Support and Services This section will enable you to understand the vendor’s support and managed services. You will get answers to support availability, SLAs, professional services and managed services options. In addition to these four sections, the template also provides a fifth section about future expansion options. This forward-looking section helps you understand how easy it will be to transition to SASE, if required. From our experience, for many organizations this is the next step after basic SSE. This section will provide you with information about the migration process, configuration complexity, which technologies are required, and more. How to Use the RFP Template The RFP template can help choose the right SSE vendor for your current and future network security needs. To review and start using the entire template, click here.

Gartner’s Market Guide to Single-Vendor SASE Offerings: The Closest Thing You’ll Get to a SASE Magic Quadrant

Ever since Secure Access Service Edge (SASE) was adopted by every significant networking provider and network security vendor, IT leaders have been waiting for a...

Dave Greenfield

January 24, 2023

5m read

Gartner’s Market Guide to Single-Vendor SASE Offerings: The Closest Thing You’ll Get to a SASE Magic Quadrant Ever since Secure Access Service Edge (SASE) was adopted by every significant networking provider and network security vendor, IT leaders have been waiting for a Gartner SASE Magic Quadrant. And for good reason. The industry has seen widely different approaches to what’s being marketed as SASE. Some companies partnered with each other to offer a joint solution with slightly integrated products. For example, Zscaler and any number of SD-WAN partners. Others simply rebranded their existing solutions as SASE. Think VMware SD-WAN (previously VeloCloud) turning into VMware SASE. Market consolidation has brought together still other companies with disparate services requiring years’ worth of integration. As an example, consider HPE, Aruba and Silver Peak and the integration work ahead of them to make a cohesive SASE product. Meanwhile, we at Cato Networks chose a different path: to build a fully converged, global networking and security solution from the ground up. Gartner calls this “single-vendor SASE.” A SASE Magic Quadrant would clear up the confusion in the industry and separate the leaders from losers. But while Gartner may not yet be ready to issue a SASE Magic Quadrant, the firm has issued the next best thing -- Market Guide for Single-Vendor SASE. The report takes a close look at the SASE market and specifically at single-vendor SASE. The Single-Vendor SASE Market is Projected to Grow Substantially Gartner defines a single-vendor SASE offering as one that delivers converged network and security as-a-service capabilities using a cloud-centric architecture. Cato is the prototypical single-vendor SASE leader. Example services that are part of a single-vendor SASE offering are SD-WAN, SWG, FWaaS, ZTNA, and CASB. All of those service, and this is key, are fully converged together in the underlying architecture, service delivery, and management interface. They truly are one cloud service, which is what separate single-vendor SASE from other approaches.  These converged services might also be the full roster of capabilities for the newest single-vendor SASE entries but they are only the starting point for Cato. In addition to those services, Cato also offers a global private backbone, data loss prevention (DLP), rapid CVE mitigation, managed threat detection and response, SaaS optimization, UC and UCaaS optimization, and a range of other capabilities.  According to Gartner, there should be rapid growth in single-vendor SASE implementation in the next few years. While only 10% of deployments were single-vendor SASE solution last year, Gartner expects a third of all new SASE deployments by 2025 to be single-vendor. By the same timeframe, half the new SD-WAN purchases will be part of a single-vendor SASE offering. The market’s growth is largely being driven by the desire for simplicity by reducing the number of deployed solutions and vendors. Of course, reducing complexity while still offering enterprise-class capabilities is something Cato has been delivering for years.  [boxlink link="https://www.catonetworks.com/resources/gartner-market-guide-for-single-vendor-sase/?utm_medium=blog_top_cta&utm_campaign=gartner_single_vendor_sase"] Gartner® Market Guide for Single-Vendor SASE | Report [/boxlink] Cato Was Ahead of Its Time in This “Adolescent” Market  “A single-vendor SASE must own or directly control (OEM, not service chain with a partner) each of the capabilities in the core category,” according to the report authors. A “well-architected” solution must have all services fully integrated, a single unified management plane and a single security policy, a unified and scalable software-based architecture, and flexibility and ease of use. The report lists core functional requirements in each of the areas of secure web gateway, cloud access security broker, zero trust network access, and software-defined WAN. Gartner points out that there are several vendors in the “adolescent” industry that meet the analyst firm’s minimum requirements. There are more, still, that come close but aren’t quite there with their offerings. Because single-vendor SASE brings together networking and security into one solution with many functions, Gartner recommends that a joint team of network professionals and security experts be appointed to evaluate the solutions based on the organization’s foremost needs. Single-Vendor SASE Has Lots of Benefits The benefits of single-vendor SASE are many. Gartner cites the following as reasons to go this route for a SASE solution:  An improved security posture for the organization – This is based on reduced complexity of the various security functions, a single policy enforced everywhere, and a smaller attack surface. Better use of network and security staff – Deployment times are reduced, fewer skills and resources are needed to manage a unified platform, a single policy is applied throughout the various security functions, and redundant activities go away. Improved experiences for users and system administrators – Performance issues such as latency and jitter are easier to tame or eliminate, it’s easier to diagnose issues end-to-end, and there is a single repository for logs and other event data. Of course, implementing such a solution can have its challenges as well—like how to deal with organizational siloes, and what to do about existing IT investments. Global coverage can be an issue for the early-stage vendors. Fortunately, Cato has extensive coverage with 75+ PoPs around the world today. Gartner says solution maturity can be an issue, but that’s mainly a problem for the neophyte vendors. With more than 8 years in the single-vendor SASE business behind us, Cato is one of – if not the – most mature vendor in the market. Gartner Offers Recommendations As with all Gartner guides, the research firm has recommendations pertaining to strategy and planning, evaluation, and deployment: Establish a cross-functional team including people from both networking and security to increase the potential for a successful implementation. Evaluate single-vendor SASE against the backdrop of multi-vendor and managed offerings to determine which method would provide the most flexibility. “Choose single-vendor SASE offerings that provide single-pass scanning, single unified console and data lake covering all functions to improve user experience and staff efficacy.” (Spoiler alert: Cato provides all of these things.) Do a Proof of Concept project with real locations and real users to see how well an offering can meet your needs. (Cato is happy to set you up with a PoC today.) If you are looking for the most mature and feature-rich single-vendor SASE offering with the largest number of worldwide PoPs, look no further than Cato Networks. Request a demo at https://www.catonetworks.com/contact-us/.  

Remote Access VPNs are a Short-Term Solution

The face of the modern corporate network is changing rapidly. Digital transformation initiatives, cloud adoption, remote work, and other factors all have a significant impact...

A new vulnerability underscores the need for virtual patching. The vulnerability, found in FortiOS, would allow a Remote Code Execution (RCE) attack on multiple firewall...

Etay Maor

December 20, 2022

3m read

New Critical Vulnerability Underscores the Need for Virtual Patching A new vulnerability underscores the need for virtual patching. The vulnerability, found in FortiOS, would allow a Remote Code Execution (RCE) attack on multiple firewall products as well as FortiGate SSL VPN. The vulnerability has reportedly already been exploited by threat actors. Fortinet has issued a patch for this vulnerability. The vulnerability, which was initially reported on December 9th, received a score of 9.3 (Critical) and Fortinet has confirmed at least one instance of it being exploited. Any vulnerability in a system is a potential entry point for a threat actor and must be immediately patched, especially critical vulnerabilities like this one. Threat actors have been known to quickly utilize such vulnerabilities and exploit unpatched systems, while in many cases systems remain unpatched for a very long time giving even the slower-paced adversaries opportunities to exploit them. Vulnerabilities such as Log4j, which coincidently is “celebrating” its one-year birthday, are still being used by different adversaries to target unpatched systems to gain access into networks. Why? Because patching is so hard. [boxlink link="https://www.catonetworks.com/rapid-cve-mitigation/?utm_medium=blog_top_cta&utm_campaign=rapid_cve_mitigation"] Rapid CVE Mitigation | Cato Security Research [/boxlink] The Need for Virtual Patching Having to identify, connect (or physically go to), patch, and test multiple boxes in multiple locations every time a new vulnerability is discovered is no small feat. Organizations need to perform this process very quickly whenever a new vulnerability is discovered as threat actors move quickly on such opportunities. In addition, adversaries do not shy away from utilizing old vulnerabilities that still work. Log4j is one example but not the only. CISA addressed this in their “Top Routinely Exploited Vulnerabilities” alert, writing, “CISA, ACSC, the NCSC, and FBI assess that public and private organizations worldwide remain vulnerable to compromise from the exploitation of these CVEs. Malicious cyber actors will most likely continue to use older known vulnerabilities, such as CVE-2017-11882 affecting Microsoft Office, as long as they remain effective and systems remain unpatched. Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known.“ The solution to this problem is a cloud-based security architecture that allows for virtual patching. Virtual patching is defined by OWASP as “A security policy enforcement layer which prevents the exploitation of a known vulnerability. The virtual patch works since the security enforcement layer analyzes transactions and intercepts attacks in transit, so malicious traffic never reaches the web application. The resulting impact of a virtual patch is that, while the actual source code of the application itself has not been modified, the exploitation attempt does not succeed.” Only a cloud-based security solution eliminates the need to patch box-by-box and effectively enables a “mitigate-once-protect-everywhere" patching strategy.

An Inside Look at Life Before and After Deploying SASE

SASE (Secure Access Service Edge) is an enterprise networking and security service that converges SD-WAN with multiple security functions – including FWaaS, CASB, DLP, SWG,...

Eyal Webber Zvik

December 15, 2022

4m read

An Inside Look at Life Before and After Deploying SASE SASE (Secure Access Service Edge) is an enterprise networking and security service that converges SD-WAN with multiple security functions - including FWaaS, CASB, DLP, SWG, and ZTNA - into a converged, cloud-native service that is manageable, optimized, secure and easy to use.But what does life after SASE really look like when implemented in an enterprise? To find out, we interviewed Ben De Laat, Head of IT Security at BrandLoyalty, who implemented Cato’s SASE Cloud, together with trusted Cato Partner and IPknowledge’s Managing Director, Steven de Graaf, who assisted with the implementation. This blog post is an abridged version of their insights. For a more detailed account of their experiences, you can read the full eBook, here: “Life after deploying SASE”. SASE Migration Use Cases First, let’s start our SASE journey by understanding when is the best time to transition to SASE? It’s strongly recommended to consider a migration to SASE when: MPLS contracts are up for renewal and can be replaced with a more secure and higher performing alternative at a lower cost. Employees are working at multiple global locations and require a secure and frictionless solution. IT is managing complex networking environments and need a simple-to-use, high-performing and secure substitute. The workforce is employed remotely or in a hybrid manner and needs a scalable and secure solution to connect all employees, but without backhauling and based on least-privileged access. Your SASE Migration Plan The operational migration to SASE is quick and efficient, sometimes requiring only weeks from start to finish! To accommodate and complement this quick shift, it is recommended to prepare a well thought out plan that can help evangelize the transition internally, monitor it and track success. We recommend such a migration plan include: The strategic business value - How SASE will enable employees to focus on their core responsibilities, instead of them having to spend time and become frustrated when dealing with the effects of misconfigured firewalls or URL filters that are blocking valid websites. The technological value - How SASE’s converged architecture and single software stack will eliminate IT and IS overhead and hassle, ensure optimized connectivity and provide an optimal security posture. The financial value - How SASE will reduce the annual costs of networking and security, coupled with the value to the business. [boxlink link="https://www.catonetworks.com/resources/inside-look-life-before-and-after-deploying-sase/?utm_medium=blog_top_cta&utm_campaign=before_and_after_sase"] An Inside Look: Life Before and After Deploying a SASE Service | Whitepaper [/boxlink] Life After SASE: What’s New? What can IT leaders, security professionals and business leaders expect once they’ve migrated to a SASE service? Here are six new SASE-driven organizational achievements that will make you throw your hands in the air and wonder why you didn’t migrate to SASE sooner. Newfound Network VisibilitySASE’s convergence of end-to-end networking and security provides newfound visibility into the network. Rather than having network and security information split between discrete tools and services, IT has a single pane of glass with visibility into the entire network. All security and networking events are stored in a common database, mapped onto a single timeline. With one timeline for networking and security, IT can troubleshoot problems faster, spot anomalies quicker, and enable better operational monitoring. An Optimal Security PostureSASE provides insights into which systems and services are being used by employees and third parties and their vulnerabilities. If necessary, this information can also help IT identify system replacements and eliminate shadow IT. Better IT Services for the Business and for UsersSASE’s seamless, unified service displaces point solutions in a robust and reliable manner. This new architecture enables IT to monitor operational activity so they can optimize line provisioning. In addition, with SASE replacing the grunt work, IT teams have more time to work on strategic business initiatives. Seamless Remote Work UnlockedSASE replaces high latency VPNs. Instead, traffic is routed over a global private backbone and monitored for threats. The result is high-performance and secure connectivity for all users, everywhere. Optimized Connectivity and PerformanceSASE optimizes performance and the user experience by throughput maximization, providing increased and cost-effective bandwidth by routing traffic on a cloud-native, global, private backbone with multiple internet access links and active-active configurations. Peace of MindWith SASE, both end-user and IT and IS can focus their efforts on fulflling business-critical initiatives. No more operational overhead, fretting over updates and lack of visibility into metrics and performance.Are you ready to get started with SASE? Read more about what the transition to SASE looks like in our new eBook “Life after deploying SASE”.

The 5-Step Action Plan to Becoming CISO

If you're a Security professional looking to become a CISO, then you've come to the right place. This five-step guide is your plan of action...

Vanessa Perplies

December 13, 2022

8m read

The 5-Step Action Plan to Becoming CISO The Path to Becoming CISO Isn't Always Linear There isn’t one definitive path to becoming a CISO. Don’t be discouraged if your career path isn’t listed above or isn’t “typical.” If your end goal is to become a CISO, then you’ve come to the right place. Keep reading for a comprehensive action plan which will guide you from your current role in IT, IS or Cybersecurity and on the path to becoming a world-class CISO. Step 1: Becoming a CISO is About Changing Your Focus The Difference Between IS, IT or Cybersecurity Roles and a CISO Role: Tactical vs. Strategic Making The Shift from Security Engineer to Future CISO The most common mistake that security engineers make when looking to become CISO is focus. To be successful as a security engineer the focus is on problem hunting. As a top-tier security professional, you must be the best at identifying and fixing vulnerabilities others can’t see. How to Think and Act Like a Future CISO While security engineers identify problems, CISOs translate the problems that security engineers find into solutions for C-suite, the CEO and the board. To be successful in the CISO role, you must be able to transition from problem-solver to a solution-oriented mindset. A common mistake when transitioning to CISO is by leading with what’s most familiar – and selling your technical competency. While understanding the tech is crucial when interfacing with the security team, it’s not the skillset you must leverage when speaking with C-suite and boards. C-suite and boards care about solutions – not problems. They must feel confident that you understand the business with complete clarity, can identify cyber solutions, and translate them in terms of business risks, profit and loss. To be successful in securing your new role, focus on leveraging cyber as a business enabler to help the business reach its targeted growth projections. The Skillset Necessary to Become a CISO Translate technical requirements into business requirements Brief executives, VPS, C-level, investors and the board Understand the business you’re in on a granular level(The company, its goals, competitors, yearly revenue generated, revenue projections, threats competitors are facing, etc.) Excellent communication: Send effective emails and give impactful presentations Balance the risk between functionality and security by running risk assessments Focus on increasing revenue and profitability in the organization Focus on a solution-oriented mindset, not an identification mindset [boxlink link="https://www.catonetworks.com/resources/cato-sse-360-finally-sse-with-total-visibility-and-control/?utm_source=blog&utm_medium=top_cta&utm_campaign_sse360"] Cato SSE 360: Finally, SSE with Total Visibility and Control | Whitepaper [/boxlink] Step 2: Getting Clear on the CISO Role: So, What Does a CISO Actually Do? Learn The CISO’s Role and Responsibilities (R&R) The CISO is essentially a translator between the security engineering team and C-suite. Step 3: Set Yourself Up for Success in the Role: Measure What Matters What you measure in your role will ultimately determine your career success. Too often CISOs set themselves up for failure by playing a zero-sum security game. This means any security incident = CISO gets fired = No one wins But successful CISOs know that cybersecurity is a delicate balancing act between ensuring security and functionality. 100% security means 0 functionality, and vice versa Strategic CISOs understand this and set themselves up for success by working with the CEO and board to minimize exposure and establish realistic KPIs of success. Establishing Your Metrics of Success in the CISO Role What makes CIOs so successful in their role? A single metric of success: 5 9s. This allows CIOs to focus on the R&R necessary to achieve this goal. Suggested CISO KPI & KPI Setting Process Run an analysis to see how many attempted attacks take place weekly at the organization, to establish a benchmark. Provide an executive report with weekly attack attempt metrics (i.e., 300.) Create a proposed benchmark of success: i.e., preventing 98% of attacks. Get management signoff on your proposed KPIs. Provide weekly reports to executives with defined attack metrics: attempted weekly attacks + prevented.(Ensuring security incidents are promptly reported to C-suite and board.) Adjust KPIs as necessary and receive management signoff. Step 4 Mind the Gap: Bridge Your Current Technical and Business Gaps Recommended Technical Education GIAC / GSEC Security Essentials CISSP (Certified Information Systems Security Professionals) OR CISM (Certified Information Security Manager) CertificationOR CISA (Certified Information System Auditor) Certification SASE (Secure Access Service Edge) Certification SSE (Security Service Edge) Certification Recommended Technical Experience At least 3-5 years in IS, Cybersecurity, Networking or IT with a strong security focus Recommended Business Education An MBA or equivalent business degree, or relevant business experience CPA or accounting courses Recommended Business Experience Approximately 3-5 years of business experience Business Operations, Business Management, SOC Manager, or roles that demonstrate your business, management and leadership acumen Recommended Understanding Of: Industry security standards including NIST, ISO, SANS, COBIT, CERT, HIPAA. Current data privacy regulations, e.g., GDPR, CCPA and any regional standards. Step 5: How to Get a CISO Job with Limited or No Previous Experience It’s the age-old dilemma – how do I get a job without relevant experience? And how to I get relevant experience without a job? Take On a Virtual CISO Role at a Friend or Family Member’s Small Business Offer 3 hours of virtual CISO service a week. In exchange, ask for 3 recommendations a month and to service as a positive reference. Can you receive mentorship from an existing CISO? Do friends, family or former colleagues know any CISOs you can connect with? Start there. Reach out on LinkedIn to CISOs and invite them to coffee or dinner.Ask them if you can meet up and receive mentorship over dinner once a month (they pick the location, and you pay.) Remember: It’s a numbers game. Don’t get discouraged after a few “no's” or a lack of responses. Getting Your First CISO Job: Your Action Plan for Career Success Applying For Jobs Your resume has one and only one goal – to get you the interview.Week 1: Send out 20 resumes for CISO jobs with your existing resume How many respond and request interviews (within 2 weeks)? If you get under a 50-70% success rate, you need to revise your resume. Your goal is to repeat this process until you get a minimum of 10 positive responses for every batch of 20 resumes you send out (giving recruiters 1.5 - 2 weeks to respond.) Be ready to adapt and adjust your resume as many times as necessary (using the defined process above,) until you hit your benchmarks of success. Revising your Resume for Success If you’re not hitting a 50-70% interview rate on your resume, it’s time to revise your resume.But what do you change? The Most Common Mistakes Found on CISO Resumes (Don’t Fall into a Trap)Your resume should not only highlight your technical abilities but your business acumen.Review the strategic skills highlighted earlier and emphasize those (in addition to any other relevant educational, professional, or career achievements.) Have you briefed executives and boards? Have you given effective presentations? Have you created risk management programs and aligned the entire organization? Do you lead an online forum on Cybersecurity best practices? Think of ways to highlight your business and leadership savvy, not just your de facto technical abilities. The Interview Rounds The CISO interview process is generally between 5-7 interview rounds. Remember:The goal of your first interview is only to receive a second interview. The goal of your second interview is to receive a third interview, and so on. Be prepared for interviews with legal, finance, the CEO, CIO, HR, and more. You’ve Got This: The Road to Landing Your First CISO Role Abraham Lincoln once said, “the best way to predict the future is to create it.” And we hope this guide gives you a running start towards your new and exciting future as a CISO. We believe in you and your future success. Good luck! And feel free to forward this guide to a friend or colleague who’s hunting for a new CISO role, if you feel it’s been helpful. Life After Landing the Coveted CISO Role Congrats! You’ve Been Hired as a CISO You did it. You’ve landed your first CISO role. We couldn’t be prouder of the hard work and dedication that it took to get you to this point. Before you begin in your new role, here are a few best practices to guide you on your way to career success. Ensuring Your Success in the CISO Role: Things to Keep in Mind After speaking with 1000s of CISOs since 2016, it’s important to keep the following in mind: Your Network Security Architecture Will Determine Your Focus and Impact No matter the organization or the scope, your CISO role is dependent on meeting if not exceeding your promised KPIs. So, you’ll need to decide, do you want a reactive or a proactive security team? Do you want your team to spend their time hunting and patching security vulnerabilities and mitigating disparate security policies? Or devoted to achieving your larger, revenue-generating missions through cybersecurity? Accordingly, you’ll need to ensure that your network security architecture minimizes your enterprise’s attack surface, so you and your team can devote your attention accordingly. To achieve this, your team must have full visibility and control of all WAN, cloud, and internet traffic so they can work on fulfilling your business objectives through cybersecurity. Otherwise, your function will revert to tactical, instead of focusing on serving as a business enabler through cybersecurity. Cato SSE 360 = SSE + Total Visibility and Control Disjointed security point solutions overload resource constrained security teams, impacting security posture, and increasing overall risk due to configuration errors. Traditional SSE (Security Service Edge) convergence mitigates these challenges but offers limited visibility and control that only extends to the Internet, public cloud applications, and select internal applications. Thus, leaving WAN traffic uninspected and unoptimized. And an SSE platform that isn’t part of single-vendor SASE can’t extend convergence to SD-WAN to complete the SASE transformation journey. Cato Networks’ SSE 360 service will allow you to solve this. SSE 360 optimizes and secures all traffic, to all WAN, cloud, and internet application resources, and across all ports and protocols. For more information about Cato’s entire suite of converged, network security, please be sure to read our SSE 360 Whitepaper. Complete with configurable security policies that meet the needs of any enterprise IS team, see why Cato SSE 360 is different from traditional SSE vendors.

Gartner Names Top I&O Trends for 2023

Gartner has just issued a press release announcing its Top Trends Impacting Infrastructure and Operations for 2023. Among the six trends that will have significant...

Amit Spitzer, Cato Networks’ CISO, shares his tried and true methods for succeeding as a CISO, while simultaneously balancing both security needs and business requirements....

Amit Spitzer

November 21, 2022

6m read

How to Become a Successful CISO: Advice from Amit Spitzer, Cato Networks’ CISO Amit Spitzer, Cato Networks’ CISO, shares his tried and true methods for succeeding as a CISO, while simultaneously balancing both security needs and business requirements. After more than 15 years in security and IT, I can honestly recommend the CISO position to security or IT professionals who are looking for a demanding, yet satisfying, position. Whether you’re implementing a new technology that will help mitigate zero-day attacks or consulting the board about the security impact of an M&A, there’s rarely a dull moment in the life of a CISO. In this post, I have put together my top tips for being a successful and effective CISO, based on my own experience. I hope you find it helpful on your own career path. For a tactical and hands-on guide to becoming CISO, take a look at our blog post, “The 5-Step Action Plan to Becoming CISO”. Before You Begin: Why Do You Want to Become a CISO? The first step to becoming a CISO is getting clear on why you want to become one. Whether you’re planning to be a CISO at a disruptive technological company or a paper manufacturing facility, the underlying role and responsibilities of the CISO are ultimately the same: protecting the organization from bad actors who are trying to get their hands on sensitive data. If reading this description got your heart beating faster, then security is the right domain for you. Within security, the difference between a C-level security professional (a CISO) and other security professionals is the vision. A CISO envisions how she or he will impact the company’s goals and milestones, contribute to the company’s interests and protect its assets. While this keeps many a CISO up at night, it is also exciting and exhilarating, since you are involved in major company milestones, like IPOs. Are you ready to actively participate in these types of business activities? If the answer is ‘yes’, you’re in the right CISO mindset. [boxlink link="https://catonetworks.easywebinar.live/registration-94?utm_medium=blog_top_cta&utm_campaign=ciso_perspective_masterclass"] A CISO’s Perspective on Security | Cybersecurity Master Class: Episode 5 [/boxlink] Starting Your CISO Journey: Taking a Hands-On Approach In the past, CISOs from legacy enterprises focused on building the organization. This first generation of CISOs was not involved in technologies. Instead, they set the stage for today’s CISOs, who are in the trenches and taking a hands-on technical approach, while also contributing to business-related goals, like their predecessors. Such deep technological experience is gained by building yourself from the bottom-up. While a CISO is a C-level position, a good CISO will still be passionate about learning and understanding technologies. This means learning all the specifics of threats and risks and how to mitigate them. You know you’ve succeeded when you’re able to swap out all members of your team. At the same time, a good CISO also needs to be involved in business aspects like growth, revenue, quarterly sales, etc. Maintaining the Balancing Act Between Security and Functionality The built-in challenge between Security and Business departments revolves around how to ensure an apt layer of security while maintaining business operational agility. Let’s face it, there is no ideal solution or global truth for answering this challenge. If the pendulum swings too far in one direction, either business or security, the risks will be too high or the business won’t be able to function, and the board might as well close the company. In the past, the “block everything” approach was commonly implemented by companies. First generation CISOs piled up security solutions that blocked any technology or traffic that could potentially be a risk. But in a fast-growing startup that needs to be agile, this approach could quickly become the kiss of death to the business. Instead, it is best to understand that there is no security without sales and there are no sales without security. A CISO and the security teams are here to serve the business and be growth enablers. This means understanding that every security decision made can impact the company and its development processes and therefore needs to be taken carefully. When making decisions, I recommend building a decision tree that displays various routes of decision-making and their business outcome. Let’s think of an extreme example. If a CISO needs to determine whether or not to approve Zoom, some of the negative business outcomes of prohibiting Zoom could be: Impacting internal communicationHindering communication with external entities: customers, vendors, partners, etc.Spending more IT resources on finding and procuring a different communication solutionTaking up employee resources for implementing and training on the new communication solution On the other hand, the responsibility for understanding the risks of new technologies and tools is the CISO’s domain. When implementing a solution, don’t settle on visibility through advanced monitoring capabilities. You and your team need to be able to track incidents and mitigate them before they become breaches with a significant blast radius. Goal-setting, Roadmap Creation and KPI Planning A CISO’s goals and KPIs are derived from their main mission: protecting the organization from threat actors who are attempting to access the company’s assets. This means different things in different organizations, which makes it hard to create a global benchmark for CISOs. For example, a KPI in one company could be to reduce the percentage of clicks on phishing emails from 5% to 3%. But in another, phishing emails are not a prominent attack vector, so such a KPI would not be considered a high priority. I recommend you build and approve your CISO goals, roadmap and KPIs with your leadership team and board. This serves two purposes. First, ensuring that these metrics are aligned with business needs. Second, evangelizing the CISO’s role and responsibilities, and therefore creating a higher chance for you to succeed. Tips for Getting Hired as a First-time CISO Finding a first-time CISO role can take some time. Here’s how to make yourself stand out with recruiters and CEOs who are reviewing your CV, comparing you to other applicants or considering you for a first-time role: Become an expert - Specialize in a security or organizational aspect and make yourself the go-to person for that field. This could be a certain application or how a practice is implemented in an organization. This becomes a strong driver for organizations to hire you and want to include you in their organization.Build confidence in your abilities - Create a sense of trust in your abilities to handle various situations, in your technological capabilities and of your business acumen. By doing so, you will be the person who is handed opportunities when they arise.Combine technology and business capabilities - Build up your business experience by taking a business-oriented approach. Don’t be afraid to hop on customer calls, answer customer questions and participate in cross-departmental brainstorming sessions where commercial questions are discussed. You can also become involved with marketing and sales processes to help them streamline their processes. Take projects from idea to execution - Find an idea that can help the business and bring it to execution. This includes research, building rapport with colleagues, resource allocation and project management. Comprehensive project management will not only show off your leadership skills, it will also help you hone your combination of technological and business capabilities, to help you build yourself up for the role. Next Steps for Future CISOs of Tomorrow Your CISO journey might not be the same as your colleagues’, or it might be a textbook career path from security professional to CISO. Either way, your unique characteristics as a CISO are what will make you stand out, not how you got there. By being enthusiastic about what you do, finding creative ways to solve problems and constantly maintaining an understanding of tech and business growth, you will be able to lead security and make the best decisions for your company, which is the real indicator of success.

The 3 Worst Breaches of 2022 That You Should Know About (That Didn’t Get Much Press or Attention)

As security professionals, we are inundated with news stories and articles about cyber attacks and breached companies. Sometimes, attacks become newsworthy because of the attacked...

Eyal Webber Zvik

November 17, 2022

3m read

The 3 Worst Breaches of 2022 That You Should Know About (That Didn’t Get Much Press or Attention) As security professionals, we are inundated with news stories and articles about cyber attacks and breached companies. Sometimes, attacks become newsworthy because of the attacked company, for example when it's a notable enterprise. Other times, the attack technique was so unique, that it deserves a headline of its own. In this blog post, we take a different approach. Instead of naming and shaming, we will review three of the worst breaches and attacker tactics and techniques of 2022 that might have gone by unnoticed, and use them as a way to learn how to better protect ourselves. This blog post is based on episode #9 of the Cato Networks cybersecurity Master Class (“The 3 Worst Breaches of 2022 That You Probably Haven’t Heard Of”). The Master Class is taught by Etay Maor, Sr. Director of Security Strategy at Cato Networks and an industry recognized cyber security researcher and keynote speaker. You can watch all the episodes of the Master Class, here. Attack #1: Ransomware: The Sequel Ransomware as a service is a type of attack in which the ransomware software and infrastructure are leased out to the attackers. In this first case, the threat actors used ransomware as a service to breach the victim’s network. They were able to exploit third-party credentials to gain initial access, progress laterally and ransom the company, all within mere minutes. The swiftness of this attack is unusual. In many cases, attackers stay in the networks for weeks and months before demanding the ransom. So, how did attackers manage to ransom a company in minutes, with no need for discovery and weeks of lateral movement? Watch the Master Class to learn more about the history of ransomware, ransomware negotiation and various types of ransomware attacks. [boxlink link="https://catonetworks.easywebinar.live/registration-the-3-worst-breaches-of-2022?utm_medium=blog_top_cta&utm_campaign=3_worst_breaches_webinar"] The 3 Worst Breaches of 2022 (That You Probably Haven’t Heard Of) | Webinar [/boxlink] Attack #2: Critical Infrastructure: Sabotaging Radiation Alert Networks Attacks on critical infrastructure are becoming more common and more dangerous. Breaches of water supply plants, sewage systems and other such infrastructures could put millions of residents at risk of a human crisis. These infrastructures are also becoming more vulnerable, with tools like Shodan and Censys that enable finding vulnerabilities fairly easily.Let Etay Maor take you on a deep dive into ICS (Industrial Control Systems). Why are attacks moving from IT to OT (Operational Technology)? And, in the Master Class, we discuss security solutions for protecting critical infrastructure, like zero trust and SASE. Attack #3: Ransomware (That Could Have Been Prevented) The third attack is also a ransomware attack. This time, it consisted of a three steps approach of infiltration, lateral progression over the network, and exfiltration. You’ll learn the ins and outs of this attack, including who the victim is and why their point security solutions were not able to block this attack.Etay Maor conducts a full breach analysis, taking us from a “single-point-of-failure” mindset to a holistic and contextual approach that requires securing multiple choke points.To learn more about each of these three attacks, what to expect in 2022-2023 and how a converged security solution can assist in preventing similar attacks in the future, watch the Master Class.

Effective Zero-Day Threat Management Requires Cloud-Based Security

Zero-day attacks are a growing threat to corporate cybersecurity. Instead of reusing existing malware and attack campaigns that are easily detected by legacy security solutions,...

Eyal Webber Zvik

November 14, 2022

5m read

Effective Zero-Day Threat Management Requires Cloud-Based Security Zero-day attacks are a growing threat to corporate cybersecurity. Instead of reusing existing malware and attack campaigns that are easily detected by legacy security solutions, cyber threat actors tune their malware to each campaign or even each target within an organization.  These zero-day attacks are more difficult and expensive to detect, creating strain on corporate security architectures. This is especially true as the growth of corporate IT infrastructures generates increasing volumes of network traffic that must be inspected and secured. Managing cyber risk to corporate IT systems requires security solutions that can scale to meet growing demand.  Zero-Day Threats Are Harder to Detect  Historically, antivirus and other threat detection technologies used signature-based detection to identify malware and other malicious content. After a new threat was identified, a signature was built based on its unique features and added to the signature library. All future content would be compared to this signature, and, if it matched, would be identified as a threat and remediated.  This approach to threat detection requires limited resources and can be highly effective at identifying known threats. However, a signature must first exist for threats to be identified. The growth of zero-day attacks leaves signature-based detection blind to many threats and creates a delay between the emergence of a new threat and solutions’ ability to identify it.  Other approaches to threat detection can identify novel and zero-day threats. For example, anomaly detection identifies deviations from normal behavior that could point to either benign errors or attempted attacks. Behavioral analysis monitors the actions of user accounts, applications, and devices for risky or malicious behaviors that pose a threat to a system.  These forms of threat detection have the ability to provide much more robust protection to an organization’s systems against novel and evolving threats. However, this improved detection comes at a price. In general, anomaly and behavioral detection consume more processing power and require access to larger datasets than traditional, signature-based detection systems. Also, non-signature detection systems have the potential for false positive detections, creating additional alerts for security personnel to sort through. [boxlink link="https://catonetworks.easywebinar.live/registration-enhancing-your-enterprise-network-security-strategy?utm_medium=blog_top_cta&utm_campaign=enhancing_network_security_webinar"] Enhancing Your Enterprise Network Security Strategy | Webinar [/boxlink] Legacy Firewall Security Solutions Can’t Keep Up  Zero-day threat detection is essential for protecting against modern cyber threats, but it is also resource-intensive. As traffic volumes increase, the additional work required to identify novel threats can put strain on an organization’s network security architecture. This is especially true for organizations that rely on legacy next-generation firewalls (NGFWs). Firewall security solutions deployed within an organization’s on-prem data center have limited scalability. If traffic volumes exceed the compute capabilities of an appliance-based solution or software running on a server, then the organization needs to acquire and deploy additional hardware to secure the traffic without compromising network performance. This is especially true if TLS decryption is required for inspection of encrypted traffic as this can exhaust an appliance’s compute capacity. As the cyber threat landscape evolves, organizations will need to identify and respond to more numerous and sophisticated cyber threats, which increases the resource requirements of cyber threat detection. With legacy, appliance-based solutions deployed on-prem, companies are already forced to choose between properly protecting their environments against cyber threats and the performance of their corporate networks. Cloud-based Security is Essential for Modern Threat Management  One of the main limitations of security solutions is that effectively inspecting and securing network traffic is computationally expensive. With limited resources, TLS decryption and in-depth inspection of network traffic can cause performance issues, especially as corporate networks and their traffic bandwidth increase.  The best way for companies to keep pace with the growing resource requirements of security is to take advantage of cloud scalability and adaptability. Cloud-native security solutions can expand the resources that they consume as needed to cope with growing network traffic volumes and the associated cost of security inspection and threat detection and response.  Secure Access Service Edge (SASE) solutions take full advantage of the benefits of the cloud to optimize corporate network security. SASE solutions converge many network and security functions into a single solution, eliminating the redundancy and waste of standalone solutions. Additionally, as cloud-native solutions, SASE solutions elastically scale to meet growing network traffic volumes or the resource requirements of expensive security operations. In addition to solving the problem of the resource consumption of security functions, SASE solutions also provide numerous other benefits, including: Greater Visibility: SASE solutions integrate traffic inspection and threat detection across the entire corporate WAN and not only the internet. This provides improved security visibility and additional context regarding cyber threats. Improved Threat Detection: SASE solutions can also leverage this increased visibility — as well as threat intelligence data — to more accurately identify threats to the organization. Security integration also means that threat response activities can be coordinated across the corporate WAN, providing better protection against distributed attacks. Enhanced Network Performance: SASE solutions are globally distributed and integrate network optimization functions as well as security features. Traffic can be inspected and secured at the nearest SASE point of presence before being optimally routed to its destination.  Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, including ZTNA, SWG, CASB/DLP, and FWaaS into a global cloud service. With over 75 PoPs worldwide, Cato optimizes and secures application access for all users and locations, and is easily managed from a single pane of glass. Learn more about how Cato SASE Cloud’s threat detection capabilities can help protect your organization against zero-day threats with a free demo.

SASE Vendor Selection: Should You Focus on Outcomes or Tools?

Ever since the 1990s, IT has been dominated by appliance-centric architecture. But in 2015, Cato revolutionized this paradigm by envisioning networking and security delivered as...

Eyal Webber Zvik

November 10, 2022

4m read

SASE Vendor Selection: Should You Focus on Outcomes or Tools? Ever since the 1990s, IT has been dominated by appliance-centric architecture. But in 2015, Cato revolutionized this paradigm by envisioning networking and security delivered as a converged, cloud-native service. This evolution was not unlike the massive shift created by AWS’s global cloud service, which provided a new kind of infrastructure that supported scalability, resiliency, elasticity, security, connectivity and global distribution (and more). While AWS is not necessarily the cheapest option, businesses today still choose AWS (or Azure, Google Cloud and other public cloud providers) so they can focus their IT teams on business critical projects and strategic initiatives, instead of requiring them to maintain and manage infrastructure. In other words, AWS became an extension of the IT team, turning it into a business enabler. Cato is following a similar path. The Cato SASE Cloud provides high performance routing and security inspection of enterprise network traffic. To ensure high availability and maximal security posture, the Cato SASE cloud is optimized and maintained by our professionals from DevOps, networking and security. As a result, Cato too is an extension of the IT team, while owning the outcome: a secure and resilient infrastructure. This blog post compares Cato SASE to legacy applications while demonstrating the strategic business value of Cato. A more in-depth comparison can be found in the whitepaper which this blog post is based on. Click here to read it. Cato SASE Cloud vs. Legacy Appliances How is the value of Cato justified? While legacy appliances are tools, Cato SASE Cloud is built for outcomes: highly available, scalable and secure connectivity for everyone, everywhere. Cato ensures: Disruption-free capacity handlingNo infrastructure maintenance24x7 NOC24x7 SOC24x7 Support Tools on the other hand create: Complexity when deploying and planning capacity A capacity vs. usage tradeoffDifficulties maintaining the security postureAn extended attack surface of appliancesLimited support effectiveness and limited customer environment access [boxlink link="https://www.catonetworks.com/resources/outcomes-vs-tools-why-sase-is-the-right-strategic-choice-vs-legacy-appliances/?utm_medium=blog_top_cta&utm_campaign=features_vs_outcomes"] The Pitfalls of SASE Vendor Selection: Features vs. Strategic Outcomes | Whitepaper [/boxlink] Cloud-Delivered vs. Appliance-Delivered Features Features differ in their deployment, management, scalability, and effectiveness. Let’s look at some examples of these differences through the lens of managed vs. standalone features and adaptable vs. rigid features. Managed vs. Standalone Features Managed - Cato’s IPS is always in a fully optimized security posture. We evaluate threats and vulnerabilities, develop mitigations and deploy only after ensuring performance isn’t negatively impacted. Standalone - An IPS from an appliance vendor requires the IT team to deploy, assess the deployment impact on performance and ensure all appliances are kept up-to-date. Consequently, these teams are in “detect mode” instead of “prevent mode”. Adaptable vs. Rigid Features Adaptable - Cato’s cloud-native architectures make inspection capabilities available whenever there are new loads or new requirements, at any scale or location, and seamlessly. Standalone - When locations and capacity are constrained, it’s the customer’s responsibility to predict future inspection capabilities. As a result, new branches, users and applications turn into business disruptors, instead of driving growth. Conclusion “DIY” is a good solution in some cases, but not for enterprises looking to achieve agile and flexible networking and security infrastructure. The required infrastructure expertise coupled with the lack of IT resources make DIY unsustainable in the long haul. Instead, a new partnership model with technology-as-a-service providers is required. This partnership can help organizations achieve the outcomes they need to drive their business and achieve their strategic goals. Read more from the whitepaper “The Pitfalls of SASE Vendor Selection: Features vs. Strategic Outcomes”, for a closer look.

Driving Into Action: Our New Partnership with the TAG Heuer Porsche Formula E Team

In the new digital world, we’re no longer restricted by borders and can innovate with our colleagues and partners all over the world. ABB FIA...

Shlomo Kramer

November 7, 2022

3m read

Driving Into Action: Our New Partnership with the TAG Heuer Porsche Formula E Team In the new digital world, we’re no longer restricted by borders and can innovate with our colleagues and partners all over the world. ABB FIA Formula E World Championship has been growing year-on-year and has become the testing ground for the latest innovations not only for Motorsport, but the automotive industry as a whole. So, I am thrilled to announce that today we are launching a partnership with the TAG Heuer Porsche Formula E Team as its official SASE partner. Porsche has a rich racing history dating back to the 1950s. In Formula E’s sixth season, Porsche made its long-awaited return to top-flight single-seater racing and has continued to make positive strides over the past three years. Last season saw the team secure their first race win in Formula E with an impressive 1-2 finish in Mexico City. At Cato, we pride ourselves on helping our customers collaborate securely from anywhere on the globe by eliminating the complexities of point solutions and delivering secure network architecture through the power of a single-vendor SASE cloud platform. Global motorsport competitions are often labeled as traveling circuses, as they assemble, race, pack up, and move on to the next country on a weekly and monthly basis. The nature of the Formula E racing season, along with the team’s extensive use of technologies and data, has meant that cloud-native networking and security infrastructure have become a cornerstone of the team’s strategy. Click here to enlarge the image The decisions that the TAG Heuer Porsche team makes are comparable to those of any business organization. When you need to analyze every data point from tire temperatures to battery depletion in real-time and the team’s HQ is located on the other side of the world, it’s vital the team can make split second decisions to make a difference on track. These decisions are informed by vast datasets that the team has collected throughout each Formula E event and the car’s extensive development. These data-informed insights are critical for the team’s on-track performance and must be taken in a way that minimizes security and operational risks as well as optimal application and data access. Cato will play an important role helping the TAG Heuer Porsche Formula E team to optimize operations and provide secure access to the network and SaaS applications all season long. We are excited and optimistic about the season and working together to… WIN! “Join us by supporting the TAG Heuer Porsche Formula E Team when Formula E Season 9 kicks off in Mexico City on January 14th and stay tuned for more details on the partnership in the coming weeks.” Find out more about the TAG Heuer Porsche Formula E team here: https://motorsports.porsche.com/international/en/category/formulae

The OpenSSL Vulnerability: A Cato Networks Labs Update

The new high severity vulnerabilities in OpenSSL — CVE-2022-3602 (Remote Code Execution) and CVE-2022-3786 (Denial of Service) – were disclosed this week. What is OpenSSL?...

Dave Greenfield

November 3, 2022

3m read

The OpenSSL Vulnerability: A Cato Networks Labs Update The new high severity vulnerabilities in OpenSSL -- CVE-2022-3602 (Remote Code Execution) and CVE-2022-3786 (Denial of Service) – were disclosed this week. What is OpenSSL? OpenSSL is a popular open-source cryptography library that enables secured communications over the Internet in part through the generation of public/private keys and use of SSL and TLS protocols. What Are the Vulnerabilities? The vulnerabilities were found in OpenSSL versions 3.0.0. to 3.0.6. They occur after certificate verification and then only after unlikely conditions are met either signing of a malicious certificate by a certificate authority (CA) or after an application continues verifying a certificate despite failing to identify a trusted issuer. [boxlink link="https://www.catonetworks.com/sase-quarterly-threat-research-reports/?utm_source=blog&utm_medium=top_cta&utm_campaign=q_reports"] SASE Quarterly Threat Research Reports | Go to Reports [/boxlink] With CVE-2022-3602, a buffer overrun can be triggered in X.509 certificate verification, enabling an attacker to craft a malicious email address to overflow four attacker-controlled bytes on the stack, which could result in a crash, causing a Denial of Service (DoS), or remote code execution (RCE). With CVE-2022-3786, a buffer overrun can also be triggered in X.509 certificate verification, but specifically in name constraint checking. Again, the attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the “.” Character (decimal 46) on the stack, resulting in a crash causing a DoS. (Read the OpenSSL Security Advisory here for detailed information about the attacks.) What’s the Impact on Cato SASE Cloud? None. While Cato does use OpenSSL neither vulnerability impacts our infrastructure. Neither our cloud assets, the Cato Socket or the Cato Client use a vulnerable version of OpenSSL. What Actions is Cato Taking? Cato Networks Research Labs is investigating the unlikely case of exploitation attempts and considering adding new IPS signatures to block them. Currently, we have not seen incidents or published reports of exploitation attempts in the wild. What Actions Should I Expect from Other Tech Vendors? The attack is severe enough that all vendors should upgrade affected appliances and software. You can see a list of affected software here. While patching and protecting users at Cato can happen instantly, such as with Log4j, that’s not the case with all solutions. Expect exploits of the OpenSSL vulnerabilities to linger as we saw with Log4j. Cato Networks Research Labs will continue to monitor the situation and update accordingly.

How To Identify a Trusted Cloud Provider: The Essential Security Certifications and Practices You Should Look For

Although managing on-premises servers may be costly and time-consuming, businesses at least have some control when it comes to patching say, a newly discovered exploit...

Our list of experts encompasses professionals and leaders who, together, deliver an overarching understanding of the Cybersecurity industry and the evolving nature of security threats....

Eyal Webber Zvik

September 1, 2022

7m read

15 Cybersecurity Experts To Follow on LinkedIn Our list of experts encompasses professionals and leaders who, together, deliver an overarching understanding of the Cybersecurity industry and the evolving nature of security threats. By following them, you can gain deep insights into cybersecurity’s latest developments and trends, deepen your understanding of the hacker mindset and get a glimpse into future predictions. As global cybersecurity leaders who’ve seen the dark side, they have an interesting and unique perspectives that can provide value to anyone working or interested in cybersecurity. Read on to see who the top 15 cybersecurity experts are that we recommend following on Linkedin. 1. Brian Krebs https://www.linkedin.com/in/bkrebs/ @briankrebs Brian is an investigative reporter and journalist who focuses his work on cybercrime and cybersecurity. He is the author of a daily blog that is hosted on his website KrebsOnSecurity.com. For 14 years, (2005 to 2019), Brian reported for The Washington Post. He also authored more than 1000 blog posts for the Security Fix blog. The KrebsOnSecurity blog covers a wide variety of topics, from data breaches to security updates to human stories of cyber scams. They are all reported in an informative, yet personalized, manner; almost as if you were listening to a friend tell you a story. The busy comment section adds an inviting and interactive feeling. 2. Andy Greenberg https://www.linkedin.com/in/andygreenbergjournalist/ @a_greenberg Andy Greenberg is a cybersecurity writer for the online media outlet, WIRED, and an author. Andy’s stories cover cybersecurity, privacy, hackers and information freedom. Some of his recent articles cover the war in Ukraine, how data and organizations are hacked to seize political control and recent cyber attacks. Andy has written two books. The first, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers, was published in 2019. The second, Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency, will be released in November 2022. 3. Mikko Hypponen https://www.linkedin.com/in/hypponen/ @mikko The known security term "if it’s smart, it’s vulnerable” was coined by this security expert and influencer - Mikko Hypponen. Mikko is the Chief Research Officer at WithSecure and the Principal Research Advisor at F-Secure, as well as a researcher, keynote speaker, columnist and author. Mikko’s work covers global security trends and vulnerabilities, privacy and data breaches. Follow him to uncover data-driven analyses of what’s going on in privacy and security, accompanied by his take into what the future of cybersecurity holds. 4. Graham Cluley https://www.linkedin.com/in/grahamcluley @gcluley Graham is a researcher, blogger, public speaker and podcaster. He talks about computer security threats and works with law enforcement agencies on hacker and cyber gang investigations. Graham’s daily blog, grahamcluley.com, focuses mainly on cyber attacks and scams. Reports are bite-sized and include concise explanations coupled with tips for readers. Graham also hosts the Smashing Security podcast, together with Carole Theriault. [boxlink link="https://www.catonetworks.com/cybersecurity-masterclass/?utm_medium=top_cta&utm_campaign=masterclass_lobbypage"] Cybersecurity Master Class | Check it out [/boxlink] 5. Daniel Miessler https://www.linkedin.com/in/danielmiessler/ @DanielMiessler Head of Vulnerability Management and AppSec at Robinhood by day, security writer by night, Daniel creates and delivers security-related content on a regular basis via his website, danielmiessler.com. There, you can find blogs, tutorials and podcasts on information security, often combined with his philosophical and political views. The result is a wealth of candid information, depicting a refreshing and humanistic view of information security. 6. Ido Cohen (Darkfeed) @ido_cohen2 If you’re looking to stay up-to-date on all things ransomware, Ido’s Twitter page is one to follow. Through quick and concise updates, Ido provides all the necessary information about recent attacks, ransomware gangs, ransomware strains and threats. While you might not get in-depth analyses or intense research reports from Ido, you will stay in the know about news, so you can pick and choose what to dig deeper into on your own time. 7. Etay Maor https://www.linkedin.com/in/etaymaor/ An industry-recognized cybersecurity speaker and a Business Insider “IBM Rockstar Employee”, we’re proud to call Etay one of our own, as Senior Director of Security Strategy at Cato Networks. Etay is an adjunct professor at Boston College, and is part of the Call for Paper (CFP) committees for the RSA Conference and QuBits Conference. In addition to following him on LinkedIn, Etay has a dedicated Cybersecurity Masterclass series, designed to teach professionals of all levels the best practices they need to protect their enterprise. Watch his Masterclass series on everything from identifying and mitigating deepfake threats, setting up threat hunting and threat intelligence programs, and more. 8. Kevin Mitnick https://www.linkedin.com/in/kevinmitnick/ @kevinmitnick Convicted-hacker turned security consultant, Kevin is a valuable source of cybersecurity information, especially when it comes to social engineering and system penetration. Kevin now runs a security firm, speaks in the media at cybersecurity events and has authored a number of popular books. Follow him and his blog to (start to) understand the mindset of hackers. 9. Chuck Brooks https://www.linkedin.com/in/chuckbrooks/ @ChuckDBrooks Chuck is a thought leader, speaker and writer for cybersecurity who boasts multiple accolades, like “Top Person To Follow on Tech by Linkedin” and “received Presidential Appointments for Executive Service by two US Presidents”. By following him on Linkedin you will be exposed to his articles and speaking occasions, as well as his commentary on current affairs. 10. Dan Lohrmann https://www.linkedin.com/in/danlohrmann/ @govcso Dan is a renowned cybersecurity speaker, author and blogger, as well as an advisor for government organizations. His blog covers technological trends and global changes from a bird's eye view, while his social channel provides a newsfeed which outlines recent attacks and events from a governmental and geo-political security perspective. Together, they provide a broad overview of cybersecurity needs for the public sector. 11. Magda Chelly https://www.linkedin.com/in/m49d4ch3lly/ @m49D4ch3lly Dr. Magda Lilia Chelly is a cybersecurity leader, influencer and author who appears regularly in the media. She has authored three books and regularly leverages her public stance to promote social issues, like gender equality in the workplace or WLB. By following her, you’ll devour a broad range of cybersecurity topics, from remote work requirements to risk management to cybersecurity trends. Most of her thoughts and content are strategic, and can help any leader looking to design or improve their organizational security. 12. Rinki Sethi https://www.linkedin.com/in/rinkisethi/ @rinkisethi Rinki is the CISO at bills.com and was formerly the CISO at Twitter and the Information Security VP at IBM and Palo Alto Networks. As a security leader, she not only builds and manages cybersecurity strategies, but she also shares her thoughts and knowledge. By following her social channels, you will get access to her curated list of cybersecurity resources as well as a peek into the professional and personal life of a CISO. 13. Tyler Cohen Wood https://www.linkedin.com/in/tylercohen78/ @TylerCohenWood A recognized top cybersecurity influencer, Tyler is a co-founder of a cybersecurity product and a Talk Show host at My Connected Life, which discusses digital health. She is also an author, a writer and a public speaker. Tyler’s work focuses mainly on how to mitigate cyber threats in a digital world, from a unique perspective that combines both personal opinion and  business requirements. 14. Bill Brenner https://www.linkedin.com/in/billbrenner/ @BillBrenner70 Bill is an infosec expert who researches, writes and builds communities. He’s also a VP at CyberRisk Alliance. On his social channels he shares the latest updates about vulnerabilities and security controls. What’s unique about him is that he has a down-to-earth approach to cybersecurity, by understanding that security’s job is not to scare, but to provide practical and feasible assistance to CISOs. 15. Richard Bejtlich https://www.linkedin.com/in/richardbejtlich/ @taosecurity As a security strategist, former computer incident response team lead and martial arts student, Richard definitely knows about defense. In the past, he published a number of books as well as a blog. Today, we recommend following him on Twitter, where he shares his personal (and sometimes tongue-in-cheek commentary) on security-related current affairs. Who Else Should We Follow? Working in cybersecurity often feels like playing a never ending game of Whack-A-Mole. Cybersecurity experts, like those listed above, can help security experts shorten the path to determining what they should focus on strategically, which issues they should pay attention to and how to allocate their resources.Are there any other experts who help you prioritize what to work on? Share with us on Linkedin.

IT Supply Chain Problems? Here’s How the Cloud Helps Get Around Them

During an investor call in February 2022, Arista Network’s president and CEO Jayshree Ullal said that some of the lead times on its sales are...

Hilik Besser

August 30, 2022

4m read

IT Supply Chain Problems? Here’s How the Cloud Helps Get Around Them During an investor call in February 2022, Arista Network’s president and CEO Jayshree Ullal said that some of the lead times on its sales are 50-70 weeks out. Likewise, Cisco is facing extreme product delays. According to Cisco CFO Scott Heron, “The ongoing supply constraints not only impacted our ability to ship hardware, but also impacts our delivery of software such as subscriptions that customers order with the hardware. That undelivered software is also included in backlog until the hardware ships, which is when we begin to recognize the revenue.”  Arista and Cisco are not unique in their sales malaise. Gartner Principal Research Analyst Kanishka Chauhan reported the semiconductor shortage will severely disrupt the supply chain and will constrain the production of many electronic equipment types, including the networking industry.   All of which begs the question, why hasn’t Cato been impacted?  Being a cloud service obviously minimizes the effects of the log-jammed supply chain. Software keeps flowing as long as the developers keep coding. But Cato does have some hardware dependencies, most notably the Cato Socket, Cato’s edge SD-WAN device. And while the Socket is very “thin”, pushing most processing into Cato SASE PoPs, it’s still reliant on the components being impacted by today’s supply chain issues. [boxlink link="https://www.catonetworks.com/resources/socket-short-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=cato_socket_demo"] From Legacy to SASE in under 2 minutes with Cato sockets | Watch Cato demo [/boxlink] Immediate Action: Executive Buy-in is Critical to Addressing Supply Chain Problems To address the problem, we protected ourselves by expanding our supply chain in a series of moves that required buy-in at the highest levels of Cato.  The first order of business was to understand what components in a Socket’s bill of materials (BOM) were at the highest risk of unavailability. The BOM is the list of materials and components required to construct a product, the Cato Socket in this case, and the specific directions needed for procuring and using the materials. In reviewing the BOM, we first identified any chipsets that had an expected delay of one year, which is highly problematic for any supplier.   Our solution was to help our Socket manufacturers source components from alternative component suppliers. Being a cloud service, Cato could be very flexible in the terms and conditions we gave to our manufacturers, enabling them to source components from suppliers with whom normally they might not have been able to negotiate profitable terms. (All suppliers are trusted and certified to ensure quality standards are met.)   The second action we took was in logistics. We changed how we transported goods from the manufacturer in Taiwan to strategic distribution centers around the world. Like most vendors, we normally ship components by sea, which is the most economical approach, but also takes the most time. Instead, we began shipping products by air, eliminating the lengthy sea travel time and long delays at backed-up seaports.  Long Term Action: Increasing Component Supplies Prevents Impact of Forecasted Shortages Recognizing that there’s no quick fix to the component shortage, we took steps to manage the situation over the long term. We decided to increase our production orders with our manufacturer to cover forecasts at least through the next two years. By making this early commitment, the manufacturer could plan for the necessary components and begin stocking them now. We also communicate regularly with the manufacturer to monitor problem areas in acquiring components.  Next, Cato is considering having our Socket manufacturer build “problematic kits” of the major at-risk components. A kit consists of the Socket components with the longest lead times. Cato is willing to commit to purchasing thousands of kits to have on hand. A kit is a fraction of the cost of a complete Socket since it’s just a bunch of parts. It’s worth acquiring these components and stockpiling them as they become available to reduce the lead time of buying them when they are needed. Once again, this increases our agility and reduces our long-term risk. To better prepare for the future, Cato is testing alternative components to the parts of the current Socket that are problematic to source. A replacement part may have the same delivery issues but it’s still worth having options to give us flexibility. If we choose alternative components, they will be certified by both the manufacturer and Cato to ensure they meet our performance standards.  In addition, Cato continually evaluates new manufacturers for multisourcing Socket production. By not relying on any one platform or company, Cato ensures a continuous flow of products.    The Cloud: Cato’s Key Advantage in Weathering the Supply Chain Dilemmas Being a cloud-first company affords Cato great flexibility in weathering supply chain shortages and disruptions. Through some planning and a bit of ingenuity, we’ve been able to ensure continued component and product availability for the foreseeable future.

The Sound of the Trombone

I love Trombones… in marching bands. Some trombones, however, generate a totally different sound: sighs of angst across networking teams around the world. Why “The...

Yishay Yovel

August 25, 2022

3m read

The Sound of the Trombone I love Trombones… in marching bands. Some trombones, however, generate a totally different sound: sighs of angst across networking teams around the world. Why “The Trombone Effect” Is So Detrimental to IT Teams and End Users The “Trombone Effect” occurs in a network architecture that forces a distributed organization to use a single secure exit point to the Internet. Simply put, network traffic from remote locations and mobile users is being backhauled to the corporate datacenter where it exits to the Internet through the corporate’s security appliances stack. Network responses then flow back through the same stack and travel from the data center to the remote user. This twisted path, resembling the bent pipes of a trombone, has a negative impact on latency and therefore on the user experience. Why does this compromise exist? If you are in a remote office, your organization may not be able to afford a stack of security appliances (firewall, secure web gateway or SWG, etc.) in your office. Affordability is not just a matter of money. Distributed appliances have policies that need to be managed and if the appliance fails or requires maintenance – someone has to take care of it at that remote location. Mobile users are left unprotected because they are not “behind” the corporate network security stack. [boxlink link="https://www.catonetworks.com/resources/cato-sse-360-finally-sse-with-total-visibility-and-control/?utm_source=blog&amp;utm_medium=top_cta&amp;utm_campaign=cato_sse_360"] Cato SSE 360: Finally, SSE with Total Visibility and Control | Whitepaper [/boxlink] Do Regional Hubs Mitigate the Impact of “Trombone Effect?” The most recent answer to the Trombone Effect is the use of “regional hubs”. These “mini” data centers host the security stack and shorten the distance between remote locations and security exit points to the internet. This approach reduces the end user performance impact, by backhauling to the nearest hub. However, the fundamental issue of managing multiple instances of the security stack remains as well as the need to set up distributed datacenters and address performance and availability requirements. Solving the “Trombone Effect” with Cato SSE 360 Cato Networks solves the “Trombone Effect” with Cato’s Security Service Edge 360 (SSE 360), which ensures that security is available everywhere that users, applications, and data reside. Rather than making security available in just a few places, Threat prevention and data protection are uniformly enforced via our private backbone spanning over 75+ PoPs supporting customers in 150+ countries. Because the PoPs reside within 25 ms of all users and locations, companies don’t need to set up regional hubs to secure the traffic, alleviating the cost, complexity and responsibility for capacity planning and management, while ensuring optimal security posture without compromising the user experience. Next Steps: Get Clear on Cato SSE 360 If you are a victim of the “Trombone Effect,” then Cato Networks can easily solve this with SSE 360. Visit our Cato SSE 360 product page, to learn about our architecture, capabilities, benefits, and use cases, and receive a thorough overview of our service offering.

Inside SASE: GigaOm Review of 20 Vendors Finds Platforms Are Far and Few

Since the inception of SASE, there’s been a remarkable amount of breast-beating over the number of features offered by SASE solutions. That is a mistake....

Dave Greenfield

August 23, 2022

4m read

Inside SASE: GigaOm Review of 20 Vendors Finds Platforms Are Far and Few Since the inception of SASE, there’s been a remarkable amount of breast-beating over the number of features offered by SASE solutions.   That is a mistake. SASE innovation has always been about the convergence of security and networking capabilities into a cloud service. The core capabilities of SASE are not new. Their convergence in appliances isn’t new either; that’s what we call UTMs. It’s the delivery as a secure networking global cloud service that is so revolutionary. Only with one cloud service connecting and securing the entire enterprise – remote users sites, and cloud resources – worldwide can enterprises realize the cost savings, increased agility, operational simplicity, deeper security insight and more promised by SASE.   Too often, though, media and analyst communities miss the essential importance of a converged cloud platform. You’ll read about vendor market share without consideration if the vendor is delivering a converged solution or if it’s just their old appliances marketed under the SASE brand. You’ll see extensive features tables but very little about whether those capabilities exist in one software stack, managed through one interface – the hallmarks of a platform.   GigaOm’s Radar Report Accurately Captures State of SASE Platform Convergence  Which is why I found GigaOm’s recent Radar Report on the Secure Service Access (SSA) market so significant. It is one of the few reports to accurately measure the “platform-ness” of SASE/SSA/SSE solutions. SSA is GigaOm’s terms for the security models being promoted as SSE, SASE, ZTNA, and XDR along with networking capabilities, such as optimized routing and SD-WAN. The report assesses more than 20 vendor solutions, providing detailed writeups and recommendations for each. (Click here to download and read the report.)   [boxlink link="https://www.catonetworks.com/resources/gigaoms-evaluation-guide-for-technology-decision-makers/?utm_source=blog&utm_medium=top_cta&utm_campaign=gigaom_report"] GigaOm’s Evaluation Guide for Technology Decision Makers | Report [/boxlink] Those hundreds of data points are then collapsed into the GigaOm Radar that provides a forward-looking perspective of the vendor offerings. GigaOm plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. Vendors are characterized based on their degree of convergence into a platform (feature vs. platform play) and their robustness (maturity vs. innovation). The length of the arrow indicates the predicted evolution over the coming 12-18 month:  The GigaOm Radar for SSA found Cato and Zscaler to be the only Leaders who were outperforming the market.  The Findings: Platform Convergence is Not a Given in the SASE Market The report found Cato SASE Cloud to be one of the few SSA platforms capable of addressing the networking and security needs for large enterprises, MSPs, and SMEs.    The Cato SASE Cloud provides outstanding enterprise-grade network performance and predictability worldwide by connecting sites, remote users, and cloud resources across the optimized Cato Global Private Backbone. Once connected, the Cato SSE 360 pillar of Cato SASE Cloud enforces granular corporate access policies on all applications -- on-premises and in the cloud – and across all ports and protocols, protecting users against threats, and preventing sensitive data loss.    Of GigaOm’s key SSA Criteria, the Cato SASE Cloud was the only Leader to be ranked “Exceptional” in seven of eight categories:   Defense in Depth Identity-Based Access Dynamic Segmentation Unified Threat Management ML-Powered SecurityAutonomous Network Security Integrated Solution  And the company found a similarly near-perfect score when it came to the core networking and network-based security capabilities comprising SSA solutions: SD-WAN, FWaaS, SWG, CASB, ZTNA, and NDR.   “Founded in 2015, Cato Networks was one of the first vendors to launch a global cloud-native service converging SD-WAN and security as a service,” says the report. “Developed in-house from the ground up, Cato SASE Cloud connects all enterprise network resources—including branch locations, cloud and physical data centers, and the hybrid workforce—within a secure, cloud-native service. Delivering low latency and predictable performance via a global private backbone”   To learn more, download the report.

Cato SASE Cloud: Enjoy Simplified Configuration and Centralized, Global Policy Delivery

In this article, we will discuss some of the various policy objects that exist within the Cato Management Application and how they are used. You...

The Information Revolution and The Growing Importance of Data We have all heard about the information revolution, but what does it actually mean and how...

Boaz Avigad

July 20, 2022

6m read

Are You Protecting Your Most Valuable Asset with a Data Loss Prevention (DLP)? The Information Revolution and The Growing Importance of Data We have all heard about the information revolution, but what does it actually mean and how profound is it? An interesting way to understand this is by looking at how it has impacted modern enterprises. A company's assets can be divided into two types: tangible vs intangible. Simply put, tangible assets are those with a physical form factor (or which represents something physical). Intangible assets are those which do not really exist in the conventional sense, such as a company's Intellectual property. Research by Ocean Tomo1 covering the leading 500 companies in the US (S&P 500) shows that in 1975, intangible assets accounted for 13% of their total value. By 2015 it grew to 84% and by 2020 it reached 90%. Figure 1: The value of intangible assets  Simply put, 90% of the value of a modern-era company comes from what it knows, only 10% from what it has. When looking at how these numbers shifted over the last 45 years, we can see how information has become the single most valuable asset for the modern enterprise. Most enterprises, however, do not have the necessary means to effectively protect their data. Let's take a look at why this is, what protecting enterprise data means, and how to choose the right solution for your enterprise. Protecting Your Company's Data With DLP Information has critical value to an enterprise. It is, however, quite difficult to protect, especially considering a great part of it typically resides in the cloud. There are numerous tools aimed at restricting access to enterprise assets, but the most efficient solution to protect the movement of information to and from enterprise assets is Data Loss Prevention (DLP). While DLP solutions have been around for 15 years, their adoption has been limited and mostly by high-end enterprises. The complexity, prohibitive costs and expertise required to obtain and effectively manage DLP solutions has left them beyond the reach of most enterprises. The increasing value of information, the growing adoption of cloud computing, and continued rise in cybercrime, are driving enterprises to the realization that they need to do a better job protecting their data. The need for DLP is clear and imminent, and market interest is rising. Gartner saw a 32% rise in DLP inquiries in 2020 vs the previous year2. But how can enterprises overcome the current adoption barriers and enable DPL protection for their assets? Let us start by looking at the types of DLP solutions and their respective advantages and shortcomings. [boxlink link="https://www.catonetworks.com/resources/protect-your-sensitive-data-and-ensure-regulatory-compliance-with-catos-dlp/?utm_medium=blog_top_cta&utm_campaign=cato_dlp"] Protect Your Sensitive Data and Ensure Regulatory Compliance with Cato's DLP | Whitepaper [/boxlink] DLP isn't one thing Gartner recognizes three types of DLP solutions2: Enterprise DLP (EDLP)Integral DLP (IDLP)Cloud Service Provider Native DLP (CSP-Native DLP) The above solutions all have their pros and cons, and the acquiring decision-makers need to decide which solution attributes are more important for their use-cases, and which can be compromised. Let us take a deeper look into each one. Enterprise DLP (EDLP) - An enterprise level solution which covers all relevant traffic flows, and which is implemented as a stand-alone solution. EDLPs require adding (yet) another solution to an organization’s security toolbox. This typically requires an expansive project plan and additional expertise, adding complexity and cost to the project. While an EDLP offers a single console and policy management interface for the entire network, it is typically a separate console from the other network security tools (FW, IPS, AM, SWG, etc.). EDLPs will typically add another hop in the security service chain, and thus add latency and impact performance. Figure 2: Enterprise DLP  Integrated DLP (IDLP) - DLP functionality that is added on top of a pre-existing security product such as a Secure Web Gateway (SWG). IDLPs simplify the deployment process and are regarded as a quick win to get DLP up and running quickly and at a reduced cost. IDLPs, however, are limited to the traffic and use cases the base product is intended for. Piggybacking on a SWG, for example, will cover only Internet-bound traffic and may not inspect IaaS traffic. Gaining wider coverage will require adding DLP to additional security products, which will lead to fragmented consoles and policy management. Figure 3: Integrated DLP  CSP-Native DLP - A cloud-based DLP which is deployed in, or provided by, a cloud service provider (CSP). This type of solution is also simple to adopt as it is delivered as a Software as a Service (SaaS) and doesn't require deployment. It is, however, limited to the traffic sent to or from the specific CSP proving it. As most enterprises using cloud platforms are adopting a multi-cloud strategy, getting complete coverage will require using DLP services from several CSPs. Also, this type of solution will typically not cover all SaaS applications and is typically limited to sanctioned applications only. Figure 4: CNP-Native DLP Choosing The Right DLP For Your Enterprise EDLPs typically offer better coverage and enhanced protection, however, the complexity and cost concerns drive security leaders to shy away and look for simpler and cheaper options. An IDLP offers this, but the limited coverage and disjointed consoles and policy management impact their effectiveness and level of protection. CSP-Native DLPs are also simpler to onboard but are cumbersome for multi-cloud deployments and do not cover the critical use-case of unsanctioned applications (AKA Shadow IT). All the above DLP types come with compromises. Ideally, we would want a solution that is easy to deploy and manage, has complete coverage and optimal protection, does not impact performance, and covers unsanctioned applications. The rise of SASE DLP A true Secure Access Service Edge (SASE), or its Secure Service Edge (SSE) subset, offers the best of all worlds. Cato's SASE Cloud, for example, covers all fundamental SASE requirements: All edges - Cato SASE Cloud covers all enterprise users, on-prem or remote, and all applications and services, on-prem, IaaS and SaaS. This means that Cato's SASE-based DLP will have complete coverage of all traffic and all use-cases. Single pass processing - Cato SASE Cloud utilizes Cato's proprietary Singe-Pass Cloud Engine (SPACE), which is based on a modular software platform stack that executes the networking and network security services in parallel. This enables a shared context, enhancing overall protection, and minimizes latency. Adding DLP to a Cato deployment is done by a flip of a switch and requires no additional deployment. Cloud-native - Cato DLP is delivered fully from the cloud and offers all the benefits of a cloud-native solution, including unlimited scalability and inherent high-availability. Since it is part of the Cato SASE Cloud, it is completely CSP-agnostic and supports all leading cloud service providers, making it a true multi-cloud solution. Converged - Cato SASE runs and manages all services as a single solution, enabling configuration, management, and visibility from a single-pane-of-glass management console. Figure 5: SASE/SSE DLP The pros and cons of the different DLP solution types: Figure 6: DLP types, pros and cons The DLP that's in your reach A true SASE solution enables enterprises to adopt a DLP solution that benefits from all the advantages mentioned above, and more. The reduced complexity and costs, lower the traditional barrier of adoption, enabling enterprises of all sizes and levels of expertise to better protect their data. It also eliminates the dilemma of what to compromise on when looking to adopt DLP within your environment. A SASE DLP requires no compromises. Protecting your enterprise's most valuable asset is just a flip of a switch away. To learn more about Cato DLP, read our DLP whitepaper. 1 Harvard Business Review2 DLP market guide 2021 - Gartner

A CISO’s Guide: Avoiding the Common Pitfalls of Zero Trust Deployments

The Role of the CISO Post-Pandemic The world has evolved… Prior to recent global events, many organizations viewed digital transformation as a slow-moving journey that...

Demetris Booth

July 12, 2022

12m read

A CISO’s Guide: Avoiding the Common Pitfalls of Zero Trust Deployments The Role of the CISO Post-Pandemic  The world has evolved... Prior to recent global events, many organizations viewed digital transformation as a slow-moving journey that would be achieved gradually over time. However, Covid turned this completely on its ear, forcing most organizations to accelerate that journey from 2-3 years down to 2-3 months, and doing so without a well-thought-out strategy. Couple this with the rapid rise of Work-From-Anywhere (WFA) and CISOs have realized their traditional security architectures, specifically VPNs, are no longer adequate to ensure only authorized users have access to critical resources. Collectively, this has made the role of CISO ever more important because, as a result of this accelerated journey, we now have applications everywhere, people everywhere, leading to increased cyber threats everywhere.  The role of CISO has one core imperative: mapping out the company’s security priorities and strategy, then executing this flawlessly to ensure the strongest possible security posture to protect access to critical data.   Zero Trust Is Just a Starting Point This is why Zero Trust has now become top-of-mind for all CISOs. The concept of Zero Trust has been around for more than a decade since first being introduced. Zero Trust mandates that all edges, internal or external, cloud, branch or data center, to be authenticated, authorized and validated before granting or maintaining access to critical data. In short, Zero Trust is a framework for building holistic security for the modern digital infrastructure and associated data. Considering cyber threats continue to rapidly expand, and chasing down data breeches have become a daily activity, Zero Trust is uniquely equipped to address the modern digital business architecture: WFA workers, supply chains, hybrid cloud, and evolving threats. It must be noted that Zero Trust is not a single product solution, and CISOs would be well advised to consult the three main standards (Forrester ZTX, Gartner Carta, NIST SP-800-207) as guidance for developing their Zero Trust strategy. Of the three, to date, NIST SP-800-207 as pictured below, is the most widely adopted framework. Figure 1. In general, the NIST model is a discussion of 2 key functions:  Data plane – this is the collector of data from numerous sources.  These sources can be application data, user device information, user identity information, etc. Control plane – this is the brains of the model as this is responsible for making decisions upon what is considered good, bad, or requiring further clarification.  Together, the control plane and data plane collaborate to determine whether a user should be granted access permissions at any point in time to the resource for which they are requesting. Critical for this to be viable, effective, and scalable, is the context that informs decisions to be made around access and security. As each business varies in its data flows and security concerns, this context consists of data feeds, as depicted in figure 1, that includes compliance data, log data, threat intelligence feeds and user and application data, as well as other data sources captured across the network. The more context you have, the better decisions your Zero Trust deployment will make. The 5 Most Common Pitfalls in Zero Trust Projects The concept of Zero Trust is often misunderstood, potentially resulting in misaligned strategies that don’t meet the organization’s needs. Gartner defines Zero Trust as a ‘mindset that defines key security objectives’ while removing implicit trust in IT architectures. This implies that today’s CISOs would be well-advised to pursue their Zero Trust strategy thoughtfully, to ensure they avoid common pitfalls that impede most security initiatives. Pitfall 1: Failing to Apply the Key Tenants of Zero Trust Zero Trust came to life as a resolution for overly permissive access rights that created broad security risks throughout networks. The concept of implicit deny is perceived as the catch all terminology for a better security architecture, assuming it to be the fix-all for all things security. Considering this, it may be easy for CISOs to inadvertently disregard the core purpose of Zero Trust and overlook some key architectural tenants that influence Zero Trust architectures. While each of the Zero Trust frameworks call out a number of architectural attributes of Zero Trust, for the purpose of this section, we will highlight a few that we feel should not be overlooked. Dynamic policy determines access to resources – dynamic polices focus on the behavioral characteristics of both the user and devices when determining whether access will be granted or denied.  A subset of these characteristics can include location, device posture, data analytics and usage patterns.  For example, is the user in a restricted location, or are user and device credentials being used correctly? Any of these should determine whether access should be granted and at what level.  Continuous monitoring and evaluation – no user or device should blindly be trusted for access to network or application resources. Zero Trust dictates that the state of both the resource and the entity requesting access to be continually monitored and evaluated. Those deemed to be risky should be treated accordingly, whether it is limited access or no access.  Segmentation & Least Privileges – Zero Trust should eliminate blind trust and by extension, blanket access to targeted resources from all employees, contractors, supply chain partners, etc.  and from all locations.  And when access is granted, only the minimal amount of access required to ensure productivity should be granted. This ensures the damage is limited should there be a breach of some kind.  Context Automation – For Zero Trust to deliver the desired impact, organizations need to collect lot of data and contextualize this.  This context is the key as without context, well-informed decisions for user or device access cannot be made.  The more context, the better the decisions being made.  Cato SASE Cloud Approach: The Cato SASE Cloud takes a risk-based approach to Zero Trust, combining Client Connectivity & Device Posture capabilities with more holistic threat preventions techniques. Because we have full visibility of all data flows across the network, we utilize this, as well as threat intelligence feeds and user and device behavioral attributes to pre-assess all users and devices prior granting access onto the network. This in-depth level of context allows us to determine their client connectivity criteria and device suitability for network access, as well as continually monitor and assess both the user and device throughout their life on the network. Additionally, we use AI & Machine Learning algorithms to continually mine the network for indications of malware or other advanced threats and will proactively block these threats to minimize the potential damage inflicted upon the network. [boxlink link="https://www.catonetworks.com/resources/the-hybrid-workforce-planning-for-the-new-working-reality/?utm_source=blog&utm_medium=top_cta&utm_campaign=hybrid_workforce"] The Hybrid Workforce: Planning for the New Working Reality | EBOOK [/boxlink] Pitfall 2: Treating Zero Trust a Like a Traditional VPN When deploying Zero Trust, many organizations tend to rely on legacy security processes that are no longer applicable or select the shiny new toy that equates to a less viable solution. In 2021, Gartner noted that some organizations reported initially configuring their Zero Trust deployments to grant full access to all applications, which ironically, mirrored their VPN configuration. One of the intrinsic shortcomings of traditional VPNs, beyond the connectivity issue, is the challenge of least privilege user access to critical applications once a user has been authenticated to the network. Traditional VPNs cannot provide partial or specific access to selected applications or resources.  So, deploying Zero Trust like their old VPN leaves us to wonder what problems they are truly solving, if any.    CISOs must remember that existing security architectures are based on the concept of implicit trust, which leads to unknown, yet ever-increasing risk to modern enterprise environments. The ultimate goal of Zero Trust is to ensure that users and their devices prove they can be trusted with access to critical resources. Hence, the ultimate goal for any CISO in creating a Zero Trust strategy is to reduce the risk posed by users and devices, and in the event of a successful breach, limit the spread and impact of the attack.   Cato SASE Cloud Approach: Cato Networks realizes that existing VPN architectures are too inadequate to provide the depth of access protections for critical enterprise resources.  The Cato approach to Zero Trust invokes consistent policy enforcement everywhere to ensures least privilege access to all enterprise & cloud resources, while also taking a holistic approach to preventing cyber threats. We consume terabytes of data across our entire SASE Cloud backbone, and this informs how we apply additional protections once users and devices are on the network.  Pitfall 3: Not understanding the true impact on the user, IT and Security Unfortunately for many CISOs, IT and Security departments do not always operate with aligned priorities and desired outcomes. IT departments may have critical projects they deem to have a higher priority than Security. Security teams, being tasked with strengthening the organization’s security posture may view Zero Trust as the only priority. In such cases of mis-aligned priorities, Zero Trust efforts may result in incomplete or mis-configured deployments, expanding security gaps and increasing blind spots. And let’s not forget the end user. When IT organizations finally makes significant changes to networks, security, or other systems, if priorities aren’t aligned, the end results will produce adverse user outcomes.    When it comes to Zero Trust, CISOs must ensure they are mapping out the journey. In doing so, IT and Security teams should establish a “Hippocratic Oath” of “first, do no harm”, similar to that of the medical community. This could make it easier to map the journey to Zero Trust where the solution is simple to deploy, easy to manage, easily scales at the speed of the business, and provides positive outcomes for all parties impacted.  Critical to this is the user – Zero Trust must not impede their ability to get things done.   Cato SASE Cloud Approach: At Cato Networks, our entire approach to Zero Trust is to ensure the most holistic user experience with zero impact on productivity. Often when deploying or upgrading to new security technologies, security teams will inadvertently have policy mis-matches that result in inconsistent policy enforcement in certain segments of the network. Zero Trust, if not implemented correctly, increases the risk level for negative user experiences, which will reflect poorly upon the CISO and their teams. With the Cato SASE Cloud, Zero Trust & Client Access policies are applied once and enforced everywhere. This ensures specific and consistent policy treatment for all users and devices based upon identity and user and devices access criteria. "The hallmark of Zero Trust is Simplicity"John Kindervag Pitfall 4: Inadequately Scoping Common Use Cases CISOs are so inundated with everyday security concerns that identifying all possible use cases for their Zero Trust initiative, while seemingly straight-forward, could be easily overlooked. It is easy to drill down into the core requirements of Zero Trust, approaching from a broad enterprise perspective, yet neglect smaller details that might derail their project.  While there are numerous use cases and each would depend on the individual organization, this document calls out (3) use cases that, if not properly planned for, will impact all non-HQ based or non-company users.  Multi-branch facilities – It is common that today’s enterprises will comprise of a single headquarter with multiple global locations. More commonly, these global locations exist in a shared space arrangement whereby the physical network and connectivity is independent of the company. In such cases, these employees still require access to enterprise applications or other resources at the HQ or company data center.  In other cases, a user may be a road warrior, using unmanaged personal devices, or be located in restricted locations. Given this, great care and consideration must be given in determining if, when and how to grant access to necessary resources while denying access or restricting actions to more sensitive resources.  Multi-cloud environments – More enterprises are utilizing multi-cloud providers to host their applications and data. There are occasions whereby the application and data source exist in different clouds. Ideally, these cloud environments should connect directly to each other to ensure the best performance.  Contractors and 3rd party partners – Contractors and 3rd party supply chain partners requiring access to your network and enterprise resources is very common these days.  Often these entities will use unmanaged devices and/or connect from untrusted locations. Access can be granted on a limited basis, allowing these users and devices only to non-critical services.  CISOs must factor in these and other company specific use cases to ensure their Zero Trust project does not inadvertently alienate important non-company individuals.  Cato SASE Cloud Approach: At Cato Networks, we acknowledge that use cases are customer, industry, and sometimes, location dependent. And when Zero Trust is introduced, the risk of inadvertently neglecting one or more critical use cases is magnified. For this reason, we built our architecture to accommodate, not only the most common use cases, but also obscure and evolving use cases as well. The combination of our converged architecture, global private backbone, single policy management, and virtual cloud sockets ensure we provide customers with the most accommodating, yet most robust and complete Zero Trust platform possible. Pitfall 5: Not having realistic ROI expectations ROI, for many IT-related initiatives is rather difficult to measure, and many CISOs often find themselves twisted on how to demonstrate this to ensure company-wide acceptance. Three questions around ROI that are traditionally difficult to answer are:  What should we expect?  When should we expect it?  How would we know?   Like many things technology-related, CISOs are hesitant to link security investments to financial metrics. However, delaying a Zero Trust deployment can yield increased costs, or negative ROI over time that can be measured in increased data breaches, persistent security blind spots, inappropriate access to critical resources, and misuse of user and resource privileges, just to name a few.   CISOs can address these ROI concerns through a number of strategies that extend beyond simple acquisition costs and into the broader operational costs. With the right strategy and solution approach, a CISO can uncover the broader strategic benefits of Zero Trust on financial performance to realize it as an ROI-enabler.  Cato SASE Cloud Approach: It is easy to appreciate the challenge of achieving ROI from Security projects. As mentioned, CISOs like CIOs are hesitant to link security investments to financial metrics. However, with an appropriate Zero Trust strategy, organizations will assure themselves enormous savings in IT effort and vendor support. Organizations deploying a Zero Trust solution based off a converged, cloud-native, global backboned SASE Cloud like Cato can expect more efficient cost structures while achieving greater performance. By converging critical security functions, including Zero Trust, into a single software stack within the Cato SASE Cloud, organizations are able to immediately retire expensive, non-scalable, maintenance-intensive VPN equipment. This approach delivers ease of deployment and simplistic management, while drastically reducing maintenance overhead and IT support costs. Achieving Your Organization’s Zero Trust Goals with Cato SASE Cloud Justifying a security transformation from implicit trust to Zero Trust is becoming easier and easier. However, determining the right approach to achieving an organization’s Zero Trust goals can be daunting. It is challenging when factoring in the broad paradigm shift in how we view user and device access, as well as numerous use case considerations with unique characteristics. Zero Trust Network Access is an identity-driven default-deny approach to security that greatly improves your security posture. Even if a malicious user compromises a network asset, ZTNA can limit the potential damage. Furthermore, the Cato SASE Cloud’s security services can establish an immediate baseline of normal network behavior, which enables a more proactive approach to network security in general and threat detection in particular. With a solid baseline, malicious behavior is easier to detect, contain, and prevent. "The Zero Trust is a security model based on the principle of maintaining strict access controls and not trusting anyone by default; a holistic approach to network security, that incorporates a number of different principles and technologies.” Ludmila Morozova-Buss The Cato SASE Cloud was designed for the modern digital enterprise. Our cloud-native architecture converges security features such as Zero Trust Network Access (ZTNA), SWG, NGFW, IPS, CASB, and DLP, as well as networking services such as SD-WAN and WAN Optimization across a global private backbone with a 99.999% uptime SLA. As a result, Cato is the only vendor currently capable of delivering seamless ZTNA on a true SASE platform for optimized performance, security, and scalability. Zero Trust is a small part of SASE. The Cato SASE Cloud restricts access of all edges – site, mobile users and devices, and cloud resources – in accordance with Zero Trust principles. Click here to understand more about Cato Networks’ approach to Zero Trust.

Not All Backbones are Created Equal

It’s no secret that many enterprises are reevaluating their WAN. In some cases, it might be an MPLS network, which is no longer suitable (or...

Dave Greenfield

July 7, 2022

7m read

Not All Backbones are Created Equal It’s no secret that many enterprises are reevaluating their WAN. In some cases, it might be an MPLS network, which is no longer suitable (or affordable) for the modern digital business. In other cases, it might be a global SD-WAN deployment, which relied too much on the unpredictable Internet.   Regardless of why the company needs to transform its enterprise network, the challenge remains the same: How do you get secure connections with the same service level of predictability and consistency as MPLS at an Internet-like price point? This calls for a SASE service built on a global private backbone.   Why a Global SASE Service?   Even enterprises who previously thought of themselves as regional operations find they need global reach today. Why? Because users and data are everywhere. They can (and probably do) sit in homes (or cafés) far from any place an office might be situated, accessing cloud apps across the globe. Pulling traffic back to some site for security inspection and enforcement adds latency, killing the application experience. Far better is to put security inspection wherever users and data sit. This way they receive the best possible experience no matter where that executive might be sitting in the world.   Why Private?  Once inspected, moving traffic to a private datacenter or other sites across the global Internet is asking for trouble. The Internet might be fine as an access layer, but it’s just too unpredictable as a backbone. One moment a path might be direct and simple; the next your traffic could be sent for a 40-stop visit the wrong way around the globe. With a private backbone, optimized routing and engineering for zero packet loss makes latency far lower and more predictable than across the global Internet.  Why Not Private Networks from Hyperscalers?   All major public cloud providers – AWS, Azure, and GCP -- realize the benefits of global private networks and offer backbone services today. So why not rely on them?  Because while a hyperscaler backbone might be able to connect SD-WAN devices, it lacks the coverage to bring security inspection close to the users across the globe. Only a fraction of the many hyperscaler PoPs can run the necessary security inspections and only a smaller fraction can act as SD-WAN on-ramps. At last check, for example, only 39 of Azure's 65 PoPs supported Azure Virtual WAN. And then there's the question of availability. The uptime SLAs offered by cloud providers are too limited, only running 99.95% uptime, while traditional telco service availability typically runs at four nines, 99.99% uptime. [boxlink link="https://www.catonetworks.com/resources/global-backbone-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=global_backbone_demo"] Global Backbone | Watch Cato Demo [/boxlink] Why Cato’s Global Private Backbone? For those reasons and more, enterprises are replacing their legacy network with Cato’s global private backbone. Today, it’s the largest private SASE network spanning 70+ PoPs worldwide.   Built as a cloud-native network with a global private backbone, Cato SASE Cloud has revolutionized global connectivity. Using software, commodity hardware, and excess capacity within global carrier backbones, we provide affordable SLA-backed connectivity at global scale.   And every one of our PoPs runs the Cato Single Pass Cloud Engine (SPACE), the converged software stack that optimizes and secures all traffic according to customer policy.  Our simple edge devices combine last mile transports, such as fiber, cable, xDSL, and 4G/5G/LTE. Encrypted tunnels across these last-mile transport carry traffic to nearest PoP. The same goes for our mobile clients (and clientless access). From the PoP, traffic is routed globally to the PoP closest to the destination using tier-1 and SLA-backed global carriers.   This model extends to cloud services as well. Traffic to cloud applications or cloud data centers exit at the PoP closest to these services, and in many cases within the same data center hosting both PoP and cloud service instance.   Key Benefit #1 – Optimized Performance  With built-in WAN optimization, Cato increases data throughput by as much as 40x. Advanced TCP congestion control enables Cato edges to send and receive more data, as well as better utilize available bandwidth. Other specific optimization improvements include:   Real-time network condition tracking to optimize packet routing between PoPs. We don’t rely on inaccurate metrics like BGP hops, but rather on network latency, packet loss, and jitter in the specific route.  Controlling the routing and achieving MPLS-like consistency and predictability anywhere in the world. For example, the path from Singapore to New York may work better through Frankfurt than going direct, and Cato SASE Cloud adapts to the best route in real time.  Applying dynamic path selection both at the edge and at the core – creating end-to-end optimization.  Accelerating bandwidth intensive operations like file upload and download through TCP window manipulation.  Key Benefit #2 – Self-Healing and Resiliency To ensure maximum availability, Cato SASE Cloud delivers a fully self-healing architecture. Each PoP has multiple compute nodes each with multiple processing cores. Each core runs a copy of Cato SPACE, which manages all aspects of failure detection. Failover and fail back are automated, eliminating the need for dedicated planning or pre-orchestration. More specifically, resiliency capabilities include:    Automatically working around backbone providers in case of outage or degradation to ensure service availability. Ensuring that if a compute node fails, tunnels seamlessly move to another compute node in the same PoP or to another nearby PoP. And in the unlikely event that a tier-1 provider fails or degrades, PoPs automatically switch to one of the alternate tier-1 providers. Specialized support for challenging locations like China. Cato PoPs are connected by private and encrypted links through a government-approved provider to Cato's Hong Kong PoP.  A great example of Cato resiliency at work was the recent Interxion datacenter outage in London housing Cato’s London PoP. The outage disrupted trading on the London Metal Exchange for nearly five hours. And for Cato? A few seconds. Read this first-hand account from Cato’s vice president of operations, Aviram Katzenstein.  Key Benefit #3 – Secure and Protected Cato’s global private backbone has all security services deployed in each of the Cato PoPs. This means that wherever you connect from, your traffic is protected by a full security stack at the PoP nearest to you. From there, Cato’s backbone carries your traffic directly to its destination, wherever it may be. This enables full security for all endpoints without any backhauling or additional stops along the way.   Extensive measures are taken to ensure the security of Cato SASE Cloud. All communications – between PoPs, with Cato Sockets, or Cato Clients – are secured by AES-256 encrypted tunnels. To minimize the attack surface, only authorized sites and remote users can connect and send traffic to the backbone. The external IP addresses of the PoPs are protected with specific anti-DDoS measures. Our service is ISO 27001 certified.  Key Benefit #4 – Internet-like Costs  We reduce the cost of enterprise-grade global connectivity by leveraging the massive build-out in IP capacity. All Cato PoPs are connected by SLA-backed transit capacity across multiple tier-1 networks. The Cato software monitors the underlying, capacity selecting the optimum path for every packet. The result: a network with far better performance than the public Internet at a far lower cost than global MPLS.  A Proven Solution for Global Connectivity  Cato’s backbone delivers better performance, availability, and coverage than any single carrier. A single tier-1 carrier can’t reach all parts of the globe, and a single tier-1 carrier can’t provide the predictability of MPLS. Just as enterprises use SD-WAN to aggregate Internet services and overcome the limitations of any one service, SASE leverages SD-WAN to aggregate tier-1 carriers to overcome the limitations of any one network. “Opening new stores now goes smoothly, pricing is affordable, the cloud firewall and private backbone provide a great experience, and services are easy to set up.”  Steve Waibel, Director of IT, Brake Masters “We no longer had to have a separate IDS/IPS, on-premises firewalls, or five different tools to report on each of those services. We could bring our cloud-based services directly into Cato’s backbone with our existing sites and treat them all the same.” Joel Jacobson, Global WAN Manager, Vitesco Technologies  “The fast backbone connection most of the way to its ACD cloud service was a big plus. QOS was always a struggle before Cato. It’s pretty awesome to hit that Cato network and see that traffic prioritized all the way through to the cloud, rather than just close to our site.” Bill Wiser, Vice President of IT, Focus Services  Thanks to the low cost of the Cato solution, Boyd CAT more than doubled branch bandwidth, by moving from 10 to 25 Mbits/s - to dramatically improve application performance together with Cato's optimization and global private backbone. “The branches were just loving it. They started fighting over who would transition to Cato next. We were able to discontinue all our MPLS connections.”Matt Bays, Communications Analyst, Boyd CAT  With Cato SASE, office and remote and home workers connect to the same high-speed backbone. Mobile and home users benefit from the same network optimizations and security inspections as office workers. “This year, the entire WAN and Internet connectivity will be running on Cato.”  Eiichi Kobasako, Chief of Integrated Systems, Lion Corporation 

Evaluating SASE Vendors? Here’s Why You Should Compare Apples and Oranges

There is a common cliché that is often thrown around during SASE vendor discussions “you are comparing apples to oranges.” This phrase is typically used...

ZTNA is a Good Start for Security Zero trust has become the new buzzword in cybersecurity, and for good reason. Traditional, perimeter-focused security models leave...

Boaz Avigad

June 2, 2022

5m read

ZTNA Alone is Not Enough to Secure the Enterprise Network ZTNA is a Good Start for Security Zero trust has become the new buzzword in cybersecurity, and for good reason. Traditional, perimeter-focused security models leave the organization vulnerable to attack and are ill-suited to the modern distributed enterprise. Zero trust, which retracts the “perimeter” to a single asset, provides better security and access management for corporate IT resources regardless of their deployment location. In many cases, zero trust network access (ZTNA) is an organization’s first step on its zero trust journey. ZTNA replaces virtual private networks (VPNs), which provide a legitimate user with unrestricted access to the enterprise network. In contrast, ZTNA makes case-by-case access determinations based on access controls. If a user has legitimate access to a particular resource, then they are given access to that resource for the duration of the current session. However, accessing any other resources or accessing the same resource as part of a new session requires re-verification of the user’s access. The shift from unrestricted access to case-by-case access on a limited basis provides an important first step towards implementing an effective zero trust security strategy. Adopting ZTNA Alone Is Not Enough The purpose of ZTNA is to prevent illegitimate access to an organization’s IT resources. If a legitimate user account attempts to access a resource for which they lack the proper permissions, then that access request is denied. This assumes that all threats originate from outside the organization or from users attempting to access resources for which they are not authorized. However, several scenarios exist in which limiting access to authorized accounts does not prevent attacks. [boxlink link="https://www.catonetworks.com/resources/ztna-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=ztna_demo"] Secure zero trust access to any user in minutes | ZTNA Demo [/boxlink] Compromised or Malicious Accounts ZTNA limits access to corporate resources to accounts that have a legitimate need for that access. However, an account with legitimate access can be abused to perform an attack. One of the most common cyberattacks is credential stuffing attacks in which an attacker tries to use a certain individual’s compromised credentials for one account to log into another account. If successful, the attacker has access to an account with legitimate access whose requests may be accepted by a ZTNA solution. If this is the case, then an attacker can use this compromised account to steal sensitive data, plant malware, or perform other malicious actions. Additionally, not all threats originate from outside of the organization. An employee could cause a data breach either via negligence or intentionally. For example, 29% of employees admit to taking company data with them when leaving a job. Legitimate users could also accidentally deploy malware on the corporate network. In 2021, 80% of ransomware was self-installed, meaning that the user opened or executed a malicious file that installed the malware. If this occurred on the corporate network, it would be within the context of a legitimate user account. Infected Devices Users access corporate resources via computers or mobile devices. While a ZTNA solution may be configured to look for a combination of a user account and a known device, this device may not be trustworthy. Devices infected with malware may attempt to take advantage of a user’s account and assigned permissions to gain access to the corporate network or other resources. If malware is installed on a user’s device, it may spread to the corporate network via legitimate accounts. ZTNA’s access control policies alone are not enough to protect against infected devices. Solutions also need to include device posture monitoring to provide more information about the risk posed by a particular device. Common device posture monitoring features include identifying the security tools running on the device, the current patch level, and compliance with corporate security policies. Ideally, a ZTNA solution should provide the ability to tune device posture access requirements based on the requested resources and to incorporate other valuable information, such as the device OS and location. ZTNA Should Be Deployed as Part of SASE ZTNA is an invaluable tool for providing secure remote access to corporate resources. Its integrated access controls and case-by-case grants of access offer far greater security than a VPN. However, as mentioned above, ZTNA is not enough to implement zero trust security or to effectively secure an organization’s network and resources against attack. An attacker with access to a legitimate account - via compromised credentials or an infected device - may be granted access to corporate IT assets. Effective zero trust security requires partnering ZTNA’s access control with security solutions capable of identifying and preventing abuse of a legitimate user account. Next-generation firewalls (NGFWs), intrusion prevention systems (IPS), cloud access security brokers, and other solutions can help to address the threats that ZTNA misses. These capabilities can be deployed as standalone solutions, but this often results in a tradeoff between performance and security. Deploying perimeter-based defenses requires routing traffic through that perimeter, which adds unacceptable latency. On the other hand, most organizations lack the resources to deploy a full security stack at all of their on-prem and cloud-based service locations. Secure Access Service Edge (SASE) provides enterprise-grade security without sacrificing network performance. By integrating a full network security stack into a single solution, SASE enables optimized performance by ensuring that expensive operations - such as decrypting a traffic stream for analysis - are only performed once. Its integrated network optimization capabilities and cloud-based deployment ensure high network performance and reliability, especially when backed by Cato’s network of dedicated backbone links between PoPs. ZTNA as a standalone solution doesn’t meet corporate network security goals or business requirements. Deploying ZTNA as part of a SASE solution is the right choice for organizations looking to effectively implement zero trust.

Cato Protects Against Microsoft Office Follina Exploits

Cybersecurity researchers are lighting up Twitter with a zero-day flaw in Microsoft Office enabling attackers to execute arbitrary code on targeted Windows systems. Earlier today...

Dolev Moshe Attiya

May 31, 2022

3m read

Cato Protects Against Microsoft Office Follina Exploits Cybersecurity researchers are lighting up Twitter with a zero-day flaw in Microsoft Office enabling attackers to execute arbitrary code on targeted Windows systems. Earlier today Microsoft issued CVE-2022-30190 that describes the remote code execution (RCE) vulnerability within Office. It can be exploited when the Microsoft Support Diagnostic Tool (MSDT) is called using by a URL from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. The vulnerability was discovered by nao_sec, the independent cybersecurity research team, who found a Word document ("05-2022-0438.doc") uploaded to VirusTotal from an IP address in Belarus. The Microsoft post explained how to create the payload and various work arounds. Describing the vulnerability, nao_sec writes on Twitter, “It uses Word's external link to load the HTML and then uses the 'ms-msdt' scheme to execute PowerShell code." The Hackernews quotes security researcher Kevin Beaumont, saying that “the maldoc leverages Word's remote template feature to fetch an HTML file from a server, which then makes use of the "ms-msdt://" URI scheme to run the malicious payload.” Beaumont has dubbed the flaw "Follina," because the malicious sample references 0438, which is the area code of Follina, a municipality in the Italian city of Treviso. [boxlink link="https://www.catonetworks.com/cybersecurity-masterclass/?utm_source=blog&utm_medium=top_cta&utm_campaign=masterclass"] Join one of our Cyber Security Masterclasses | Go now [/boxlink] Cato Immediately Protects Users Worldwide Within hours of Microsoft’s reporting, Cato researchers were already working on implementing protections for Cato customers worldwide. Already, Cato’s multilayered security defense fully protected Cato-connected users. While no further action is needed, Cato customers are advised to patch any affected systems. There are currently three ways attackers can exploit this attack: Users can download a file or application containing the payload that will invoke the MSDT locally. Users can download a file or application containing the payload that will get the invocation from the Internet (from the attacker’s sites) User’s browser receives the payload in the response to direction from a malicious site, runs MSDT. All three approaches are already blocked using the Cato Advanced Threat Prevention (ATP) capabilities. Cato’s anti-malware inspects and will block downloading of files or applications with the necessary payload to execute Follina. Cato IPS will detect and prevent any invocation from across the network or the Internet. As we have witnessed with Log4j, vulnerabilities such as these can take organizations a very long time to patch. Log4j exploitations are still observed to this day, six months after its initial disclosure. With Cato, enterprises no longer see the delays from patching and are protected in record time. Demonstration of Attack Exploiting CVE-2022-30190

What Others Won’t Tell You About MPLS

MPLS (Multiprotocol Label Switching) has been an industry-standard in enterprise networking for decades. But with modern enterprises relying more and more on public cloud services...

Eyal Webber Zvik

May 26, 2022

3m read

What Others Won’t Tell You About MPLS MPLS (Multiprotocol Label Switching) has been an industry-standard in enterprise networking for decades. But with modern enterprises relying more and more on public cloud services like Office 365, Salesforce and SAP Cloud, is MPLS enough? Perhaps there’s another solution that can meet the capacity, security, and agility requirements of the next-generation enterprise network. 5 Considerations for Evaluating MPLS and Its Alternatives 1. Agility: Can Your Network Move at the Speed of Business? Modern enterprises need a solution that enables them to expand their business quickly and connect new sites to their existing networks. But traditional MPLS requires rolling out permanent infrastructure, which can take months and keeps businesses dependent on telco service and support. 2. Cost: Is Your Cost Per Megabit Too High? The modern enterprise network is internet-bound, which makes it bandwidth-intensive. Enterprises need a solution that is priced in an internet-friendly manner since counting every megabit is counter-productive. But MPLS costs are megabit-based, and each megabit is pricey. Redundant circuits, resilient routing and WAN optimization drive the bill even higher. 3. Flexibility: Can The Business Transition Between On and Off-site Work? New, post-pandemic workplaces have to be able to automatically transition between remote and on-site work. But in case of connectivity issues, transitioning to MPLS backups could cause significant delays that impede productivity. 4. Security: Can Enterprise Users Access Resources Anywhere? To support remote work and a distributed workforce, resources, users, data and applications need to be secured wherever they are. But MPLS VPNs are hard to manage and backhauling traffic to the data centers adds latency, making the network vulnerable. 5. Management: Do You Have Visibility and Control of Your Network? Modern businesses need co-managed networks so they can have visibility and control without having to take care of all the heavy lifting. But MPLS requires businesses to control the entire network or hand it all over to telcos. [boxlink link="https://www.catonetworks.com/resources/what-telcos-wont-tell-you-about-mpls/?utm_source=blog&utm_medium=top_cta&utm_campaign=other_mpls"] What Others Won’t Tell You About MPLS | Download eBook [/boxlink] Is SD-WAN the Solution for MPLS’s Shortcomings? SD-WAN can replace some types of MPLS traffic, saving businesses from many of MPLS’ costs. However, MPLS doesn’t answer all business needs, including: Cloud - SD-WAN focuses on physical WAN. Security - SD-WAN employs only basic security features. Remote and Hybrid Work - SD-WAN is a branch-oriented solution that cannot support remote work on its own. Visibility - SD-WAN requires adding more vendors, which creates fragmented visibility. How SASE Answers All Future WAN Needs The solution for all future enterprise network needs is a converged solution that includes SD-WAN, a global backbone, pervasive security, and remote access in a single cloud offering. A SASE platform offers just that: A single platform for all capabilities, which can be activated separately at the flip of a switch. A global WAN backbone over the cloud, ensuring traffic runs smoothly with minimal latency across global PoPs. A unified security-as-a-service engine by converging ZTNA with SD-WAN. A single pane of glass for all policies, configurations, monitoring, and analytics. Flexible management - self-service, co-managed, or fully managed. Read more about MPLS vs. SASE in the complete eBook, What Others Won’t Tell You About MPLS.

Azure SD-WAN: Cloud Datacenter Integration with Cato Networks

As critical applications migrate into Microsoft Azure, enterprises are challenged with building a WAN that can deliver the necessary cloud performance without dramatically increasing costs...

Dave Greenfield

May 24, 2022

6m read

Azure SD-WAN: Cloud Datacenter Integration with Cato Networks As critical applications migrate into Microsoft Azure, enterprises are challenged with building a WAN that can deliver the necessary cloud performance without dramatically increasing costs and complexity. There’s been no good approach to building an Azure SD-WAN — until now. Cato’s approach to Azure SD-WAN improves performance AND simplifies security, affordably. Let’s see how. Azure SD-WAN’s MPLS and SD-WAN Problem When organizations start relying on Azure, two problems become increasingly apparent. First, how do you secure your Azure instance? Running virtual firewalls in Azure adds complexity and considerable expense, necessitating purchase of additional cloud compute resources and third-party licenses. What’s more, virtual firewalls are limited in capacity, requiring upgrades as traffic grows. Cloud performance may suddenly decline because the firewall is choking the network. Adding other cloud instances requires additional tools, complicating operations. You can continue to rely on your centralized security gateway, backhauling traffic from branch office inspection by the gateway before sending the traffic across the Internet to Azure. You can even improve the connection between the gateway and Azure with a premium connectivity service, such as Azure ExpressRoute. But, and here’s the second issue, how do you deal with the connectivity problem? Branch offices that might otherwise be a short hop away from an Azure entrance point must now send traffic back to the centralized gateway for inspection before reaching Azure. The approach does nothing for mobile users who sit off the MPLS network regardless. And what happens as your cloud strategy evolves and you add other cloud datacenter services, such as Amazon AWS or Google Cloud? Now you need a whole new set of security and connectivity solutions adding even more cost and complexity. Nor does edge SD-WAN help. There’s no security built into edge SD-WAN, so you haven’t addressed that problem. There’s also no private global network so you’re still reliant on MPLS for predicable connectivity. Edge SD-WAN solutions also require the cost and complexity of deploying additional edge SD-WAN appliances to connect to the Azure cloud. And, again, none of this helps with mobile users, which are also out of scope for edge SD-WAN. [boxlink link="https://www.catonetworks.com/resources/migrating-your-datacenter-firewall-to-the-cloud/?utm_source=blog&utm_medium=top_cta&utm_campaign=cloud_datacenter"] Migrating your Datacenter Firewall to the Cloud | Download eBook [/boxlink] How Azure SD-WAN Works to Connect Cato and Azure Cato addresses all of the connectivity and security challenges of Azure SD-WAN. Cato’s global private backbone spans more than 75+ points of presence (PoPs) across the globe, providing affordable premium connectivity worldwide. Many of those Cato PoPs collocate within the same physical datacenters as entrance points to Azure. Connecting from Azure to Cato is only matter of crossing a fast, LAN connection, giving Cato customers ExpressRoute-like performance at no additional charge. To take advantage of Cato’s unique approach, Cato customers do two things. First, to connect Cato and Azure, enterprises take advantage of our agentless configuration, establishing IPsec tunnels between the two services, establishing the PoP as the egress point for Azure traffic. There’s no need to deploy additional agents or virtual appliances. Cato’s will then optimize and route Azure traffic from any Cato PoP along the shortest and fastest path across Cato Cloud to destination PoP. Second, sites and mobile users send their Azure traffic to Cato by establishing encrypted tunnels across any Internet connection to the nearest Cato PoP. Sites will run a Cato Socket, Cato’s SD-WAN appliance or establish IPsec tunnels from an existing third-party security device, and mobile users run the Cato mobile client on their devices. Alternatively, if you’d like to leverage all of Cato’s SD-WAN capabilities in Azure, you can easily deploy Cato’s virtual socket instead of IPsec tunnels, which includes automatic PoP selection, high availability, and automatic failover. The beauty of Cato’s virtual socket is that you can easily deploy it in minutes instead of hours. To get started with Cato virtual socket, search for Cato Networks in the Azure marketplace. Then, click Get It Now, and follow the outlined configuration guidelines. How Azure SD-WAN Secures Azure Resources In addition to connectivity, Cato’s Azure SD-WAN solution secures cloud resources against network-based threats. Every Cato PoP provides Cato’s complete suite of security services, eliminating the need for backhauling. Cato Security as a Service is a fully managed suite of enterprise-grade and agile network security capabilities, that currently includes application-aware next-generation firewall-as-a-Service (FWaaS), secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAM), IPS-as-a-Service (IPS), and Cloud Access Security Broker (CASB). Cato can further secure your network with a comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints. Azure instances and all resources connected to Cato, including site, mobile users and other cloud resources, are protected through a common set of security policies, avoiding the complexity that comes with purchasing security tools unique to Azure or other cloud environments. Azure SD-WAN Benefits The bottom line is that Azure SD-WAN delivers connectivity and security with minimal complexity and cost: Superior Microsoft Azure performance The combination of global Cato PoPs, a global private backbone and Microsoft Azure colocation accelerates Microsoft Azure application performance by up to 20X vs. a typical corporate Internet-based connection. Not only is latency minimized but Cato’s built-in network optimizations further improve data transfer throughput. And all of that is done for branch offices as well as mobile users. The result is a superior user experience without the need for premium cloud provider transport services. Security and deployment simplicity With Cato, organizations don’t have to size, procure and manage scores of branch security solutions normally needed for the direct Internet access critical to delivering low latency cloud connectivity. Security is built into Cato Cloud; cloud resources are protected by the same security policy set as any other resource or user on the enterprise backbone. Cato’s agentless configuration also means customers don’t have to install additional SD-WAN appliances in the Azure cloud. These benefits are particularly significant for multi-cloud enabled organizations which normally would require separate connectivity solutions for each private datacenter service. (However, if you’d like to leverage additional capabilities in Azure, you can deploy the integration in minutes with Cato’s virtual Socket.) Networking and security agility Cato’s SD-WAN’s simplicity, Azure integration, and built-in security stack enable branch offices and mobile users to get connected to Microsoft Azure in minutes or hours vs. weeks or months for branch office appliance-based SD-WAN. Affordable and fast ROI Enterprises get superior cloud performance without paying for the high-cost cost of branch office SD-WAN hardware, carrier SD-WAN services, or Microsoft Azure ExpressRoute transport. Nor do companies need to invest in additional security services to protect cloud resources with Cato. For more information on how Cato integrates with the cloud, contact Cato Networks or check out this eBook on Migrating your Datacenter Firewall to the Cloud.

The Only SASE RFP Template You’ll Ever Need

Why do you need a SASE RFP? Shopping for a SASE solution isn’t as easy as it sounds… SASE is an enterprise networking and security...

Vanessa Perplies

May 19, 2022

4m read

The Only SASE RFP Template You’ll Ever Need Why do you need a SASE RFP? Shopping for a SASE solution isn’t as easy as it sounds... SASE is an enterprise networking and security framework that is relatively new to the enterprise IT market (introduced by Gartner in 2019.) And less than 3 years young, SASE is often prone to misunderstanding and vendor “marketecture.” Meaning: If you don’t ask the right questions during your sales and vendor evaluation process, you may be locked into a solution that doesn’t align with your current and future business and technology needs. A Quick Note about Cato’s RFP Template Do a quick Google search and you’ll find millions of general RFP templates. That being said, Cato’s RFP template only covers the functional requirements of a future SASE deployment. There are no generic RFP requirements in our template, like getting the vendor details of your vendor companies. So, What Must a SASE RFP Template Include? Cato Networks has created a comprehensive, 13-page SASE RFP template, which contains all business and functional requirements for a full SASE deployment. Just download the template, fill in the relevant sections to your enterprise, and allow your short-listed vendors to fill in the remainder. While you may see some sections that are not relevant to your particular organization or use case, that's all right. It’s available for your reference, and to help you plan any future projects. A Sneak Peek at Cato’s RFP Template If you’d like a preview of Cato Networks’ SASE RFP template, we’re providing you with a high-level outline. Take a look at this "quick-guide", and then download the full SASE RFP template to put it into practice. [boxlink link="https://www.catonetworks.com/resources/sase-rfi-rfp-template/?utm_source=blog&utm_medium=top_cta&utm_campaign=sase_rfp_template"] SASE RFI/RFP Made Easy | Get the Template [/boxlink] 1. Business and IT overview You’ll describe your business and IT. Make sure to include enough details for vendors to understand your environment so they can tailor their answers to your specific needs and answer why their solution is valuable to your use case. 2. Solution Architecture Understand your proposed vendors architecture, what the architecture includes, what it does and where it is placed (branch, device, cloud.) Comprehending vendor architecture will allow you to better determine how a vendor scales, how they address failures, deliver resiliency, etc. 3. Solution Capabilities Deep dive into your proposed vendor functionalities. The idea is to select all selections relevant to your proposed SASE deployment, and have the vendor fill them out. SD-WAN Receive a thorough exploration of a proposed vendor’s SD-WAN offering, covering link management, traffic routing and QoS, voice and latency-sensitive traffic, throughput and edge devices, monitoring and reporting, site provisioning, gradual deployment / co-existence with legacy MPLS networks. Security Understand traffic encryption, threat prevention, threat detection, branch, cloud and mobile security, identity and user awareness, policy management and enforcement, as well as security management analytics and reporting. Cloud Determine vendor components needed to connect a cloud datacenter to the network, amongst other areas. Mobile (SDP / ZTNA) Understand how vendors connect a mobile user to the network, their available mobile solutions for connecting mobile users to WAN and cloud, and other key areas. Global Explore your vendor’s global traffic optimization, describe how they optime network support to mobile users, and more. 4. Support and Services Evaluate service offering and managed services. This is the perfect time to ask and understand whether your proposed vendor uses “follow-the-sun" support models and decide whether you want a self-managed, fully managed, or co-managed service. Support and Professional services Understand if vendors abide by “follow-the-sun,” support, their hours of support and more. Managed Services Get a sense of vendor managed services in several key areas. Next Steps: Get the Full SASE RFP / RFI Template Whether you’re new to SASE or a seasoned expert, successful SASE vendor selection starts with asking the right questions. When you know the correct questions to ask, it’s easy to understand if a SASE offering can meet the needs of your organization both now and in the future. Download Cato Network’s full SASE RFP / RFI Made Easy Template, to begin your SASE success story.

Don’t Ruin ZTNA by Planning for the Past

Zero trust network access (ZTNA) is an integral part of an enterprise security strategy, as companies move to adopt zero trust security principles and adapt...

Boaz Avigad

May 18, 2022

5m read

Don’t Ruin ZTNA by Planning for the Past Zero trust network access (ZTNA) is an integral part of an enterprise security strategy, as companies move to adopt zero trust security principles and adapt to more distributed IT environments. Legacy solutions such as virtual private networks (VPNs) are ill-suited to the distributed enterprise and do not provide the granular access controls necessary to protect an organization against modern cyber threats. However, not all ZTNA solutions are created equal. In some cases, ZTNA solutions are designed for legacy environments where employees and corporate resources are located on the corporate LAN. Deploying the wrong ZTNA solution can result in tradeoffs between network performance and security. Where ZTNA Can Go Wrong Three of the primary ways in which ZTNA goes wrong are self-hosted solutions, web-only solutions, and solutions only offering agent-based deployments. Self-Hosted Solutions Some ZTNA solutions are designed to be self-hosted or self-managed. An organization can deploy a virtual ZTNA solution on-prem or in the cloud and configure it to manage access to the corporate resources hosted at that location. These self-hosted ZTNA solutions are designed based on a perimeter-focused security model that no longer meets the needs of an organization’s IT assets. Self-hosted ZTNA is best suited to protecting locations where the virtual appliance can be deployed, such as in an on-prem data center or an Infrastructure as a Service (IaaS) cloud service. However, many organizations use a variety of cloud services, including Software as a Service (SaaS) offerings where a self-hosted ZTNA solution cannot be easily deployed. This and the fact that expanding self-hosted ZTNA to support new sites requires additional solutions or inefficient routing, means that these solutions are less usable and offer lower network performance than a cloud-native solution. Web-Only Solutions Often, security programs focus too much on the more visible aspects of an organization’s IT infrastructure. Web security focuses on websites and web apps instead of APIs, and ZTNA is targeted toward the protection of enterprise web apps. However, companies commonly use various non-web applications as well. For example, companies may want to provide access to corporate databases, remote access protocols such as SSH and RDP, virtual desktop infrastructure (VDI), and other applications that do not run over HTTP(S). A ZTNA solution needs to provide support for all apps used by an enterprise. This includes the ability to manage access to both web and non-web enterprise applications. [boxlink link="https://www.catonetworks.com/resources/ztna-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=ztna_demo"] Secure zero trust access to any user in minutes | ZTNA Demo [/boxlink] Only Agent-Based Deployment Some ZTNA solutions are implemented using agents that are deployed on each user’s endpoint. These agents interact with a self-hosted or cloud-based broker that allows or denies access to corporate resources based on role-based access controls. By using agents, a ZTNA solution can provide a more frictionless experience to users. While an agent-based deployment has its benefits, it may not be a fit for all devices. The shift to remote and hybrid work has driven the expanded adoption of bring your own device (BYOD) policies and the use of mobile devices for work. These devices may not be able to support ZTNA agents, making it more difficult to manage users’ access on these devices. Support for agent-based deployments can be a significant asset for a ZTNA solution. However, implementing ZTNA only via agents deployed on the endpoint can result in some devices being unable to access corporate resources or being forced to use workarounds that could degrade performance or security. Choose the Right ZTNA Solution ZTNA provides a superior alternative to VPNs for secure remote access. However, the success of an organization’s ZTNA deployment can depend on selecting and deploying the right ZTNA solution. Some key requirements to look for when evaluating ZTNA solutions include: Globally Distributed Service: ZTNA solutions that are self-managed and can only be deployed in certain locations create tradeoffs between the performance and security of corporate applications. A ZTNA solution should be responsive everywhere so that employees can easily access corporate resources hosted anywhere, which can only be achieved by a globally distributed, cloud hosted, ZTNA solution. Wide Protocol Support: Many of the most visible applications used by companies are web-based (webmail, cloud-based data storage, etc.). However, other critical applications may use different protocols yet have the same need for strong, integrated access management. A ZTNA solution should offer support for a wide range of network protocols, not just HTTP(S). Agentless Option: Agent-based ZTNA solutions can help to achieve better performing and more secure remote access management; however, they are not suitable for all devices and use cases. A ZTNA solution should offer both agent-based and agentless options for access management. Cato SASE Cloud offers ZTNA as part of an integrated Secure Access Service Edge (SASE) solution. By moving access control and other security and network optimization functions to cloud-based solutions, Cato SASE Cloud ensures that ZTNA services are accessible from anywhere and support a range of protocols. Also, with both agent-based and agentless options, Cato SASE Cloud ensures that all users have the ability to efficiently access corporate resources.

Talking SASE to Your Board: A CIO’s Guide to Getting to ‘Yes’

Introduction: Discussing Transformation with the Board Technology is a strategic requirement for every global organization and its board of directors, regardless of industry. No one...

Demetris Booth

May 16, 2022

7m read

Talking SASE to Your Board: A CIO’s Guide to Getting to ‘Yes’ Introduction: Discussing Transformation with the Board Technology is a strategic requirement for every global organization and its board of directors, regardless of industry. No one is immune from the machinations of technological evolution and the associated disruption that follows. As a result, we can no longer separate business strategy from technology strategy, forcing corporate boards to converge their decision-making processes around a strategic agenda of innovation and risk-mitigation. So, CIOs must take an innovative approach when discussing any transformational change with the board. How to Position Network Transformation to the Board Network transformation is a game-changing strategy that helps drive business growth and market acquisition. So, if not positioned effectively to address board-level concerns, it will impact the long-term ability to execute and advance business objectives. When addressing the board, CIOs must position such technology strategies with critical board-level concerns in mind and discuss them in the context of: Can this strategy help us improve IT responsiveness and ability to support business growth? What value will the business realize through this initiative? What is the security impact of this strategy on our critical applications? How would this strategy enable IT organizations to better mitigate increasing security risk? What would be the short- and long-term financial impact of this initiative? What is the impact of our current and next-gen IT talent? Core to discussing these strategies is articulating the necessity of simplification, optimization, and risk-mitigation in delivering business outcomes through network transformation. And this is where Secure Access Service Edge (SASE) becomes that strategic conversation for board-level engagement. [boxlink link="https://www.catonetworks.com/resources/your-first-100-days-as-cio-5-steps-to-success/?utm_source=blog&utm_medium=top_cta&utm_campaign=first_100_days_cio"] Your First 100 Days as CIO: 5 Steps to Success | EBOOK [/boxlink] SASE is the network transformation strategy that addresses board-level concerns around risk, growth, and financial flexibility. SASE converges networking and security capabilities into a single high-performing cloud-native architecture that allows organizations to scale core business operations through efficiency and performance, while extending consistency in policy and protections. So, presenting a SASE strategy to the board requires CIOs to be crisp and clear when highlighting key business benefits. [caption id="attachment_25242" align="alignnone" width="724"] Figure 1[/caption] A Conversational Guide to Engaging the Board on SASE In February 2019, Deloitte defined a 3-dimension conversation model for CIOs when engaging technology boards. This engagement model defines the thought processes of board members when evaluating technology initiatives for sustaining business growth and maximizing balance sheets. [caption id="attachment_25244" align="alignnone" width="724"] Figure 2[/caption] To influence the board’s decision-making process, CIOs can lean on this model to guide their discussion of SASE’s positive impact on business growth and sustainability. While SASE may not speak specifically to each sub-dimension of the Deloitte model, the core focus on Strategy, Risk and Financial Performance can be adapted as a conversation guide when discussing SASE and Network Transformation. Highlight the Strategic Value of SASE Disruptive technology drives business growth and market share acquisition. However, CIOs should emphasize SASE not as a disruptive technology, rather as a disruptive approach to existing technologies. When positioning SASE to boards, CIOs should emphasize the strategic potential of SASE’s disruptive approach to simplifying network operations, which by extension, accelerates business growth. CIOs must articulate the strategic business benefits of converging networking and security functions into a single cloud-native software stack with unlimited scalability to support business growth. An obvious benefit is how SASE accelerates and optimizes access to critical applications, enhancing the collection, analysis, and securing of data, while improving user experiences and efficiency. Another benefit is how SASE eliminates scaling challenges when more capacity is required to service business growth and expansion. An imperative for CIOs is to highlight use cases where SASE proves its strategic value across the entire enterprise. Successful SASE implementations makes it easier to pursue Cloud Migration, Work-From-Home (WFH), UCaaS, and Global Expansion projects, just to name a few. Through these, we observe how SASE not only eliminates networking and security headaches, but it also streamlines the efforts of IT teams, allowing them to place more focus on these strategic initiatives. SASE has now become that true platform for digital transformation and an enabler of business growth. In short, CIOs must emphasize how SASE enables the network to scale at the speed of business, instead of the business being limited by the rigid, inflexibility of the network. This approach allows CIOs to demonstrate SASE’s strategic value to the overall business by removing technical challenges that limit growth. Conversation Tips SASE as a disruptive approach to simplifying network operations SASE as a “Growth Enabler” – optimized access improves business operations Unlimited scalability at the speed of business [caption id="attachment_25250" align="alignnone" width="724"] Figure 3[/caption] Present the Risk-mitigation Value of SASE No one is immune to cyber risk, and boards will naturally question cyber readiness for critical projects that support business growth. Typically, discussions around risk are fragmented along network support for new initiatives, and security risk to data and privacy. This overlooks the obvious linkage between the two, but SASE allows CIOs to blend these conversations to address critical board-level concerns. Considering this, presenting the risk-mitigation value of SASE requires CIOs to address a key imperative of most boards – SASE must help overcome increased complexity and mitigate cyber risks today and well into the future. Years of acquiring point products to solve point problems have bloated technology environments, resulting in security blind spots, increased complexity, and unmanageable risk. SASE proves its risk mitigation value by simplifying protection schemes, increasing visibility, improving threat detection and response, unifying security policies, and facilitating easier auditing. CIOs must also emphasize SASE’s simplistic Zero-Trust access approach to critical applications, delivering consistent policy enforcement across the entire network. Finally, CIO’s must outline how SASE enable organizations to meet regulatory and compliance mandates and policies. This conversational approach re-enforces SASE’s risk-mitigation value and alleviates one of the biggest board-level concerns – the risk of ransomware and business disruption. Conversation Tips Highlight cyber risks without SASE –complexity, blind spots, and reputation loss Risk Mitigation value – holistic data protection schemes True SASE is a platform that enables compliance mandates [caption id="attachment_25252" align="alignnone" width="724"] Figure 4[/caption] Discuss SASE as a Financial Performance Enabler Boards are laser-focused on the long-term financial performance goals of the business. The board needs to understand how network transformation will improve their balance sheets and customer retention. While many CIOs hesitate to link technology investments to financial performance metrics, articulating the positive impact of SASE on financial performance can position it as an ROI-enabler. In our whitepaper, “ROI of Doing Nothing”, we highlight the long-term financial impact of delaying network transformation with SASE. Becoming a Stage 1 company – transition early to anticipate challenges vs. being a Stage 2 company – delay results in increased requirements and subsequent costs, comes down to the overall financial burden organizations are prepared to withstand. CIOs must promote the positive ROI of SASE in securing the long-term financial structure of the business. When evaluating the feasibility of network transformation with SASE, CIOs must speak to the business and talent efficiencies to be gained. Today, most enterprises exhaust considerable resources running and maintaining inefficient infrastructures. This often produces outages across the network, which impacts operations across the entire business. The financial impact of this is not only measured in maintenance contracts and renewal/upgrade fees, but also in application availability, performance, and scalability. SASE reduces costs by retiring expensive and inefficient systems, and this also directly impacts their IT talent performance. Similar to the strategic value, less time spent on mundane technical support activities enables IT teams to direct their support efforts towards strategic, revenue-generating initiatives. This increases revenue generated per-head, thus improving the operational cost model. Highlighting key performance metrics related to revenue and ROI will gain broad consensus for SASE projects. Mapping key performance requirements into business ROI gained via SASE, demonstrates how it not only transforms networking and security, but also overall IT and business operations that impact the bottom-line. Conversation Tips SASE as an ROI enabler – lower TCO Delaying SASE – impacts long-term cost structures IT support for revenue-generating initiatives [caption id="attachment_25254" align="alignnone" width="724"] Figure 5[/caption] A SASE Engagement Model Allows for CIO-Board Partnership Justifying network transformation can be challenging considering it requires a paradigm shift towards a new way of viewing IT operations and its impact on the broader business. By following a simple board-level engagement model focusing on Strategy, Risk and Performance, CIOs can build a more compelling discussion on the numerous advantages in SASE that extend far beyond simple network and security efficiencies. It is important to develop that CIO-Board partnership that explores these through a business outcome lens. SASE pursued with strategic business enablement in mind alleviates the key board-level concerns, while empowering CIOs to deliver the resilient, cost-effective converged platform that enables optimal IT operations, mitigates risk, and produces long-term ROI. Engaging the board on new technology approaches such as SASE does not have to be scary. SASE provides a new way to envision the Digital Infrastructure of the Future, and highlighting the main concerns of most board members, is the most direct approach to discuss this topic. This writing provides a simple guide for mapping board-level concerns to the intrinsic advantages of SASE, while providing a roadmap to realizing the key benefits. To learn more about how CIO’s succeed in this digital era, download our “First 100 Days as a CIO” guide.

Cato Expands to Marseilles and Improves Resiliency Within France

Cato just announced the opening of our new PoP in Marseilles, France. Marseilles is our second PoP in France (Paris being the first) and our...

Dave Greenfield

May 16, 2022

3m read

Cato Expands to Marseilles and Improves Resiliency Within France Cato just announced the opening of our new PoP in Marseilles, France. Marseilles is our second PoP in France (Paris being the first) and our 20th in EMEA. Overall, Cato SASE Cloud is comprised of 70+ PoPs worldwide, bringing Cato’s capabilities to more than 150 countries. As with all our PoPs, Marseilles isn’t just a “gateway” that secures traffic to and from the Internet. Cato PoPs are far more powerful. Like the rest of our PoPs, Marseilles will run Cato's Single Pass Cloud Engine (SPACE), Cato's converged cloud-native software. Cato SPACE provides enterprise-grade threat prevention, data protection, and global traffic optimization for East-West traffic to other Cato PoPs and North-South traffic to the Internet or the cloud. Cato SPACE sets speed records in the SASE world by processing up to 3 Gbps of traffic per site with full decryption and all security engines active at line rate. Cato SPACE is so effective and reliable, that enterprises can replace legacy MPLS networks and security appliances. The Marseilles PoP, like all of our PoPs, is equipped with multiple compute nodes running many SPACE engines. When a site’s traffic hits the Marseilles PoP, the traffic flow is immediately assigned to the most available SPACE engine. Should a SPACE engine fail within a PoP, flows are automatically processed by another SPACE instance. Should the datacenter hosting a Cato PoP fail, users and resources automatically reconnect to the next available PoP as all PoPs are equipped with enough surplus capacity to accommodate the additional load. [boxlink link="https://www.catonetworks.com/news/cato-networks-strengthens-sase-presence-in-france-with-new-point-of-presence-pop-in-marseilles/?utm_source=blog&utm_medium=top_cta&utm_campaign=marseilles_pop_pr"] Cato Networks Strengthens SASE Presence in France with New Point of Presence (PoP) in Marseilles | News Release [/boxlink] A case in point was the recent Interxion datacenter outage. The datacenter housed the London Metal Exchange and Cato's London PoP. The outage disrupted the Exchange for nearly five hours. Cato customers were also impacted – for 30 seconds – as London-connected sites, and users automatically and transparently moved over to Cato's Manchester and Dublin PoPs. In the case of Marseilles, Cato's self-healing architecture automatically and transparently moves sites and users to the next best PoP, likely the one in Paris. "Before Cato, there were outages, complaints, and negative feedback from several internal teams about the service from our major international MPLS provider," said Thomas Chejfec, Group CIO of Haulotte, a global manufacturer of materials and people lifting equipment. Haulotte moved to Cato after facing three years of delays and cost overruns, rolling out MPLS to its more than 30 offices across Western Europe, North America, South America, Africa, and Asia Pacific. "Since deploying Cato, the network is no longer a topic of discussion with users," says Chejfec. "We never hear about it anymore." Of course, delivering a great cloud platform means having great partners. Cato's complete range of networking and security capabilities are available today from numerous partners across France, including Ava6, ADVENS, Anetys, Hexanet, IMS Networks, OCD, NEOVAD, Nomios, Rampar, Sasety, and Selceon. Cato continues to work hard to deliver and grow our global network. Marseilles is our latest launch, but hardly our last. Expect us to continue adding PoPs and growing our global footprint so you can connect and secure your offices and users wherever they may be located.

Don’t Turn a Blind Eye to TLS Traffic

TLS or Transport Layer Security is the evolution of SSL, and the terms are often used interchangeably. TLS is designed to increase security by encrypting...

Evin Safdia

May 12, 2022

4m read

Don’t Turn a Blind Eye to TLS Traffic TLS or Transport Layer Security is the evolution of SSL, and the terms are often used interchangeably. TLS is designed to increase security by encrypting data end-to-end between two points, ideally preventing bad actors from having visibility into the traffic of your web session. However, threat actors have also come to see the value in utilizing TLS encryption for delivering malware and evading security controls. This can be indirect via the leveraging common sanctioned SaaS applications (Office365, Box, Dropbox, GDrive, etc.) as delivery vectors or direct by using free certificates from Let’s Encrypt. Let’s Encrypt is a free and open certificate authority created and run for the benefit of the public. Despite being designed for good, threat actors wasted no time in leveraging the advantages of free encryption in their activities. The point here is that most traffic, good and bad, is now TLS encrypted and can create challenges for IT and security teams. TLS Inspection to the Rescue TLS inspection is almost completely transparent to the end-user and sits between the user and their web applications. Like the malicious activity known as a man-in-the-middle attack, TLS inspection intercepts the traffic, enabling inspection by security engines. For this to work without disruption to the end-user, an appropriate certificate must be installed on the client device. TLS inspection has been available for some time now but isn’t widely used due to a variety of reasons, primarily cost and complexity. Historically NGFW or other appliances have been the source of TLS inspection capabilities for organizations. With any appliance, there is a fixed amount of capability, and the more features you enable, the lower the throughput. TLS inspection is no different and often requires double (or more) hardware investment to accomplish at scale. Additionally, TLS inspection brings up privacy concerns about financial and health information that are not always easily addressed by legacy products. [boxlink link="https://www.catonetworks.com/resources/tls-decryption-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=tls_demo"] Cato Demo | TLS Inspection in Minutes [/boxlink] SASE Makes it Possible SASE or Secure Access Service Edge removes most of the challenges around TLS decryption, allowing organizations to secure their users and locations more effectively. SASE offers TLS inspection capabilities as product functionality, with no need to size and deploy hardware. Simply create desired exceptions (or alternatively specify what traffic to inspect), deploy certificates to endpoints, and enable the feature. This easy alternative to NGFW TLS decryption makes it possible for organizations to gain visibility into the 95% of their traffic that is hiding in TLS. There are still some challenges, primarily certificate pinned websites and applications. Most SASE providers will manage a bypass list of these for you, but you can always improve your security posture by blocking un-inspectable traffic where it makes sense. Gain Visibility Today The question remains, if you are not inspecting TLS today, why aren’t you? You have most likely invested in security technologies such as IPS, CASB, SWG, Next-Generation Antimalware, DLP, etc., but without complete visibility, these tools cannot work effectively. Security engines are a bit like the x-ray machine at airport security, they reveal the contents of luggage (packets) to identify anything bad. Now imagine if you are in the security line and they are only inspecting 5 out of every 100 bags. How secure does this make you feel, would you still get on the plane? SASE has removed many of the obstacles to adopting TLS inspection and provides complete visibility to all security engines to maximize their value. If you have not considered SASE yet, now may be the time. If you already have SASE and do not know where to start with TLS inspection, start small. You should be able to selectively enable the capability for risky categories of URLs and applications and then increase the scope as your comfort level grows. See this quick video demo on how easy it is to enable TLS inspection with Cato Networks!

Planning for the Distributed Enterprise of the Future

In the past, most of an organization’s employee and IT resources were located on the enterprise LAN. As a result, enterprise security models were focused...

Boaz Avigad

May 10, 2022

5m read

Planning for the Distributed Enterprise of the Future In the past, most of an organization’s employee and IT resources were located on the enterprise LAN. As a result, enterprise security models were focused on defending the perimeter of the corporate network against external threats. However, the face of the modern enterprise is changing rapidly. Both users and IT resources are moving off of the corporate LAN, creating new employee and service network edges. Distributed Employee Edges The most visible sign of the evolution of the modern enterprise is the growing acceptance of remote work. Employees working remotely is nothing new, even for organizations without formal telework programs. Business travel, corporate smartphones, and other factors have led to corporate data and resources being accessed from outside the enterprise network, often without proper support or security. The pandemic normalized remote work as businesses found that their employees could effectively work from basically anywhere. In fact, many businesses found that remote work increased productivity and decreased overhead. As a result, many businesses plan to support at least hybrid work indefinitely, and telework has become a common incentive for hiring and retaining employees. Scattered Service Locations While the rapid growth and distribution of employee edges can be attributed to the pandemic, service edges have been expanding for years. The emergence of cloud-based data storage and application hosting has transformed how many organizations do business. The cloud provides numerous benefits, but one of its major selling points is the wide range of service options that organizations can take advantage of. Companies can move enterprise data to a cloud data center, outsource infrastructure management to a third-party provider for hosted applications, or take advantage of Software as a Service (SaaS) applications that are developed and hosted by their cloud service provider. Nearly all organizations use at least some cloud services, even if this is simply cloud-based email and data storage (G-Suite, Microsoft 365, etc.). However, many companies have not completely given up their on-prem infrastructure, hosting some data and applications locally to meet business needs or regulatory compliance requirements. This mix of on-prem and cloud-based infrastructure complicates the corporate WAN. Both on-site and remote workers need high-performance, reliable, and secure access to corporate data and applications, regardless of where the user and application are located. [boxlink link="https://www.catonetworks.com/resources/how-three-enterprises-delivered-remote-access-everywhere/?utm_source=blog&utm_medium=top_cta&utm_campaign=3_enterprises_delivered_remote_access"] How Three Enterprises Delivered Remote Access Everywhere | EBOOK [/boxlink] Legacy Infrastructure Doesn’t Meet Modern Needs Many organizations’ security models were designed for the era where employees and corporate IT assets were centralized on the corporate LAN. By deploying security solutions at the perimeter of the corporate network, organizations attempt to detect inbound threats and outbound data exfiltration before they pose a threat to the organization. The perimeter-focused security model has many shortcomings, but one of the most significant is that it is designed for an IT infrastructure that no longer exists. With the expansion of telework and cloud computing, a growing percentage of an organization’s IT assets are now located outside the protected perimeter of the corporate LAN. A major challenge that companies face when adapting to the growing distribution of their IT assets is that many of the tools that they are trying to use to do so are designed for the same outdated model. For example, virtual private networks (VPNs) were designed to provide point-to-point secure connectivity, such as between a remote worker and the enterprise network. This design doesn’t work when employees need secure access to resources hosted in various places (on-prem, cloud, etc.) Trying to support a distributed workforce with legacy solutions creates significant challenges for an organization. VPNs’ design and lack of built-in security and access control result in companies routing all traffic through the corporate network for inspection, resulting in increased latency and degraded performance. It also creates challenges for IT personnel, who need to deploy and maintain complex and inflexible VPN-based corporate WANs. ZTNA Enables Usable, Scalable Security As companies’ workforces and infrastructure become more distributed, attempting to make the corporate WAN work with legacy solutions is not a sustainable long-term plan. A switch away from perimeter-focused technologies like VPNs is essential to the performance, reliability, and security of the enterprise network. Zero trust network access (ZTNA) offers a superior alternative to VPNs that is better suited to the needs of the distributed enterprise of the future. Some advantages of a cloud-based ZTNA deployment include: Global Accessibility: ZTNA can be hosted in the cloud, making it globally accessible. Once access decisions are made, traffic can be routed directly to its destination without a detour through the corporate network. Granular Access Controls: VPNs are designed to provide legitimate users with unrestricted access to corporate resources. ZTNA provides access to a specific resource on a case-by-case basis, enabling more granular access management and better enforcement of least privilege. Centralized Management: A VPN-based WAN for an organization with multiple sites and cloud-based infrastructure requires many independent links between different sites. ZTNA does not require these independent tunnels and can be centrally monitored and managed, simplifying network and security configuration and management. Private Backbone: Cato’s ZTNA uses a private backbone to route traffic between sites. This improves the performance and reliability of network traffic beyond what is possible with the public Internet. Solutions like VPNs are designed for an IT architecture that no longer exists and never will again. As companies adopt cloud computing and remote work they need infrastructure and security solutions designed for a distributed IT architecture. By deploying ZTNA with Cato, companies can improve network performance and security while simplifying management.

Overcoming ZTNA Deployment Challenges with the Right Solution

Zero-trust network access (ZTNA) is a superior remote access solution compared to virtual private networks (VPNs) and other legacy tools. However, many organizations are still...

Boaz Avigad

May 3, 2022

5m read

Overcoming ZTNA Deployment Challenges with the Right Solution Zero-trust network access (ZTNA) is a superior remote access solution compared to virtual private networks (VPNs) and other legacy tools. However, many organizations are still relying on insecure and non-performant solutions rather than making the switch to ZTNA. Why You Might Not Be Using ZTNA (But Should Be) Often, companies have legitimate reasons for not adopting ZTNA - and below we take a closer look at some of the most common concerns: “A VPN is Good Enough” One of the simplest reasons why an organization may not want to upgrade their VPN to ZTNA is that they’ve always used a VPN and it has worked for them. If remote users can connect to the resources that they need, then it may be difficult to make a compelling case for a switch. However, even if an organization’s VPN infrastructure is performing well, there is still security to consider. A VPN is designed to provide a remote user with unrestricted, private access to the corporate network. This means that VPNs lack application-level access controls and integrated security. For this reason, cybercriminals commonly target VPNs because a single set of compromised credentials can provide all of the access needed for a data breach, ransomware infection, or other attacks. In contrast, ZTNA provides access on a case-by-case basis decided based on user and application-level access controls. If an attacker compromises a user’s account, then their access and the damage that they can do is limited by that user’s permissions. “ZTNA is Hard to Deploy” Deploying a new security solution can be a headache for an organization’s security team. They need to integrate it into an organization’s existing architecture, design a deployment process that limits business disruption, and perform ongoing configuration and testing to ensure that the solution works as designed. When an organization has a working VPN solution, then the overhead associated with switching to ZTNA may not seem worth the effort. While installing ZTNA as a standalone solution may be complex, deploying it as part of a Secure Access Service Edge (SASE) solution can streamline the process. With a managed SASE solution, deployment only requires pointing infrastructure to the nearest SASE point of presence (PoP) and implementing the required access controls. [boxlink link="https://www.catonetworks.com/resources/ztna-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=ztna_demo"] Secure zero trust access to any user in minutes | ZTNA Demo [/boxlink] “VPNs are Required for Compliance” Most companies are subject to various data protection and industry regulations. Often, these regulations mandate that an organization have certain security controls in place and may recommend particular solutions. For secure remote access, VPNs are commonly on the list of acceptable solutions due to their age and widespread adoption. However, regulations are changing rapidly, and the limitations of VPNs are well known. As regulators start looking for and mandating a zero-trust approach to security within organizations, solutions like VPNs, which are not designed for zero trust, will be phased out of regulatory guidance. While regulations still allow VPNs, many also either explicitly recommend ZTNA or allow alternative solutions that implement the required security controls. ZTNA provides all of the same functionality as VPNs but also offers integrated access control. When deployed as part of a SASE solution, ZTNA is an even better fit for regulatory requirements due to its integration with other required security controls and adoption of a least privileges methodology commonly required by regulatory frameworks such as UK NCSC Cyber Essentials and NIST. For organizations looking to achieve and maintain compliance with applicable regulations, making the move to ZTNA as soon as possible will decrease the cost and effort of doing so. “We’ve Already Invested in Our VPN Infrastructure” VPNs have been around for a while, so many organizations have existing VPN deployments. When the pandemic drove a move to remote work, the need to deploy remote work solutions as quickly as possible led many organizations to expand their existing VPN infrastructure rather than investigate alternatives. As a result, many organizations have invested in a solution that, to a certain degree, meets their remote work needs. These sunk costs can make ripping out and upgrading VPN infrastructure an unattractive proposition. However, the differential in functionality between a VPN and a ZTNA solution can far outweigh these costs. ZTNA provides integrated access management, which can reduce the cost of a data breach and simplify an organization’s regulatory compliance strategy. A ZTNA solution that successfully prevents a data breach by blocking unauthorized access to sensitive data may have just paid for itself. “Our Security Team is Already Overwhelmed with Our Existing Solutions” Many organizations’ security teams are struggling to keep up. The cybersecurity skills gap means that companies are having trouble finding and retaining the skilled personnel that they need, and a sprawling array of security solutions creates overwhelming volumes of alerts and the need to configure, monitor, and manage various standalone solutions. As a result, the thought of deploying, configuring, and learning to use yet another solution may seem less than appealing. Yet one of the main advantages of ZTNA is that it simplifies security monitoring and management, especially when deployed as part of a SASE solution. By integrating multiple security functions into a single network-level solution, SASE eliminates redundant solutions and enables security monitoring and management to be performed from a single console. By reducing the number of dashboards and alerts that analysts need to handle, SASE reduces the burden on security teams, enabling them to better keep up with an accelerating threat landscape and expanding corporate IT infrastructure. ZTNA is the Future of Remote Access Many organizations have solutions that - on paper - provide the features and functionality that they need to support a remote workforce and provide secure access to corporate applications. However, legacy solutions like VPNs lack critical access controls and security features that leave an organization vulnerable to attack. As the zero trust security model continues to gain momentum and is incorporated into regulations, organizations will need solutions that meet their security needs and regulatory requirements. ZTNA meets these needs, especially as part of a SASE solution.

How to Buy SASE: Cato Answers Network World’s 18 Essential Questions

Last December, Network World published a thoughtful guide outlining the questions IT organizations should be asking when evaluating SASE platforms. It was an essential list...

Dave Greenfield

April 28, 2022

10m read

How to Buy SASE: Cato Answers Network World’s 18 Essential Questions Last December, Network World published a thoughtful guide outlining the questions IT organizations should be asking when evaluating SASE platforms. It was an essential list that should be included in any SASE evaluation. Too often, SASE is a marketing term applied to legacy point solutions, which is why we suspect these questions are even needed. By contrast, The Cato SASE Cloud is the world's first cloud-native SASE platform, converging SD-WAN and network security in the cloud. Cato Cloud connects all enterprise network resources including branch locations, the mobile workforce, and physical and cloud data centers, into a global and secure, cloud-native network service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of security services to protect all traffic at all times.  In short, Cato provides all of the core SASE capabilities identified by NWW. We are pleased to respond point-by-point to every issue raised. You should also check out our SASE RFP template to help with the valuation. 1. Does the vendor offer all of the capabilities that are included in the definition of SASE? If not, where are the gaps? If the vendor does claim to offer all of the features, what are the strengths and weaknesses? How does the maturity of the vendor offerings mesh or clash with your own strengths, weaknesses, and priorities? In other words, if your biggest need is Zero Trust, and the vendor's strength is SD-WAN, then the fit might not be right. Yes, Cato provides all of the core capabilities NWW defines for SASE – and more. On the networking side, the Cato Global Private backbone connects 70+ PoPs worldwide. Locations automatically connect to the nearest PoP with our edge SD-WAN device, the Cato Socket. Cloud datacenters are connected via an agentless configuration, and cloud applications are connected through our cloud-optimized routing. Remote users connect in by using the Cato Mobile Client or clientless browser access.On the security side, Cato Security as a Service is a fully managed suite of enterprise-grade and agile network security capabilities, directly built into the Cato Global Private Backbone. Current security services include firewall-as-a-Service (FWaaS), secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAM), IPS-as-a-Service (IPS), and Cloud Access Security Broker (CASB), and a Managed Threat Detection and Response (MDR) service. 2. How well integrated are the multiple components that make up the SASE? Is the integration seamless? The Cato SASE Cloud is completely converged. The Cato SPACE architecture is a single software stack running in our PoPs. Enterprises manage and monitor networking, security, and access through a single application. All capabilities are available in context via a shared user interface. Objects created in one domain (such as security) are available in other domains (such as networking or remote access). (To see what we mean by seamless, check out this detailed walkthrough of the Cato Management Application.) [boxlink link="https://www.catonetworks.com/resources/5-questions-to-ask-your-sase-provider/?utm_source=blog&utm_medium=top_cta&utm_campaign=5_questions_for_sase_provider"] 5 Questions to Ask Your SASE Provider | eBook [/boxlink] 3. Assuming the vendor is still building out its SASE, what does the vendor roadmap look like? What is the vendor's approach in terms of building capabilities internally or through acquisition? What is the vendor's track record integrating past acquisitions? If building internally, what is the vendor's track record of hitting its product release deadlines? Cato has demonstrated its ability to develop and bring capabilities to market. Since its founding in 2015, Cato has successfully developed and delivered the global SASE cloud, which is used today by more than 1000 enterprises. We regularly add new services and capabilities to our platform, such as December's announcement of more than 103 frontend improvements and updates to our backend event architecture. (Other additions included a Cloud Application catalog, a Threats dashboard, an Application Analytics dashboard, CASB launch, and updates to our managed detection and response (MDR) service that automated security assessments.) 4. Whose cloud is it anyway? Does the vendor have its own global cloud, or are they partnering with someone? If so, how does that relationship work in terms of accountability, management, SLAs, troubleshooting? Cato owns and maintains the Cato SASE Cloud. The PoPs are on our hardware hosted in tier-3 datacenters, running Cato's cloud-native software stack. Every PoP is connected by at least two and many by four tier-1 carriers, who provide SLA-backed capacity. Cato's custom routing software constantly evaluates these paths identifying the shortest path for each packet. Question for MSPs Network World also included a series of questions specific to managed service providers (MSPs) that we'd like to address as well. Cato in addition to building a SASE platform is also a service provider so we took the liberty of responding to these questions as well. 1. How many PoPs do they have and where are they located? Does the vendor cloud footprint align with the location of your branch offices? The Cato Global Private backbone currently serves 140 countries worldwide from more than 70 PoPs that we continue to expand each quarter. 2. Does the vendor have the scale, bandwidth, and technical know-how to deliver line-rate traffic inspection? Thanks to our highly scalable cloud-native architectures, the Cato Cloud delivers line-rate performance regardless of whether traffic is encrypted or unencrypted or the number of security operations performed. PoPs have enough spare capacity to accommodate traffic surges. Case in point was how our Manchester PoP accommodated additional traffic during the Interxion outage. 3. For the cloud-native vendors: How can you demonstrate that your homegrown SASE tools stack up against, say, the firewall functionality from a name-brand firewall vendor? Cato can fully replace branch office firewalls and, usually, datacenter firewalls. Moreover, the convergence of capabilities allows us to deliver security capabilities and visibility impossible with legacy point solutions. For example, we can use data science and machine learning algorithms on networking data to spot security threats before they can exfiltrate data. The company was founded by security luminary Shlomo Kramer, co-founder of Checkpoint Software. It taps some of the brightest minds in cybersecurity that Israel has to offer. You're welcome to try out our platform and see for yourself. 4. Is there a risk that the vendor might be an acquisition target? As the market continues to heat up, further acquisitions seem likely, with the bigger players possibly gobbling up the cloud-native newcomers. Cato is a well-established company with well over 1,100 enterprise customers committed to serving the needs of those customers for the long term. We've raised over $500 million in venture capital resulting in a private $2.5 billion valuation. 5. For the traditional managed services powerhouses like AT&T and Verizon, do they have all the SASE capabilities, where did they get them, and how well are they integrated? What is the process for troubleshooting, SLAs, and support? Is there a single management dashboard? Cato just like any cloud service provider enables organizations to co-manage their own Cato implementation while Cato maintains the underlying infrastructure. IT teams can opt to manage infrastructure themselves, outsource a subset of responsibilities to a Cato partner, or have a Cato partner fully manage the infrastructure. There's always 24x7 support available. 6. Is there flexibility in terms of policy enforcement? In other words, can a consistent SASE security policy be applied across the entire global enterprise, and can that policy also be enforced locally depending on business policy and compliance requirements? Yes, customers apply a consistent security policy across the enterprise. In fact, enterprises have full control over their security policies. We instantiate the most commonly used security policies at startup, so most customers require little or no changes. The policy set is instantly applied across the global enterprise or to a specific site or user depending on requirements. Enterprises can, of course, add/change policies as necessary. 7. Even if enforcement nodes are localized, is there a SASE management control plane that enables centralized administration? This administrative interface should allow security and network policy to be managed from a single console and applied regardless of the location of the user, the application, or the data. Cato provides centralized administration via our management application. Both security and network policies are managed from the same interface for all Cato-connected users and resources, whether they exist in the office, on the road, at home, or in the cloud. 8. How is sensitive data handled? What are the capabilities in terms of visibility, control and extra protection? Cato encrypts and protects all data in transit and at rest within the Cato network. Designated applications or data flows that contain sensitive information can also remain encrypted if required in a way that bypasses Cato inspection engines. 9. Is policy enforced consistently across all types of remote access to enterprise resources, whether those resources live in the public internet, in a SaaS application, or in an enterprise app that lives on-premises or in an IaaS setting? Part of what makes Cato unique is that all inspection engines and network capabilities operate on both northbound traffic to the Internet or east-west traffic to other Cato-connected resources. Our CASB, for example, inspects all Internet and cloud-based traffic. Security capabilities continue to perform well on East-West traffic regardless of the user's location due to the Cato global private backbone and our distributed cloud architecture. 10. Is policy enforced consistently for all possible access scenarios--individual end users accessing resources from a home office or a remote location, groups of users at a branch office, as well as edge devices, both managed and unmanaged? Cato uses a single policy set for all access scenarios. 11. Is the network able to conduct single-pass inspection of encrypted traffic at line rate? Since the promise of SASE is that it combines multiple security and policy enforcement processes, including special treatment of sensitive data, all of that traffic inspection has to be conducted at line speed in a single pass in order to provide the user experience that customers demand. Cato uses a single-pass inspection engine that can operate at line rate even on encrypted traffic. Thousands of Cato SPACEs enable the Cato SASE Cloud to deliver the full set of networking and security capabilities to any user or application, anywhere in the world at cloud scale using a service that is both self-healing and self-maintaining. 12. Is the SASE service scalable, elastic, resilient, and available across multiple PoPs? Be sure to pin the service provider down on contractually enforced SLAs. The Cato SASE Cloud is a fully distributed, self-healing service, that includes many tiers of redundancies. If the core processing a flow fails, the flow will be handled by one of the other cores in the compute node. Should a compute node fail, other compute nodes in the Cato PoP assume the operation. Should the PoP become inaccessible, Cato has 70+ other PoPs available that enable users to automatically reconnect to the next best available PoP. Enterprises do not need to do any high availability (HA) planning that is typically required when relying on virtual appliances to deliver SASE services. We have 99.999% uptime SLAs with our carriers. Should one of the tier-1 carriers connecting our PoPs experience an outage or slowdown, Cato's routing software detects the change and automatically selects the next best path from one of two other carriers connecting our PoPs. Should the entire Cato backbone -- that's right all 70+ PoPs somehow disappear, one day -- Cato Sockets will automatically bring up a peer-to-peer network. 13. One of the key concepts of zero trust is that end-user behavior should be monitored throughout the session and actions taken to limit or deny access if the end user engages in behavior that violates policy. Can the SASE enforce those types of actions in real time? Cato inspects device posture first upon connecting to the network, ensuring the device meets predefined policy requirements and then continues to monitor the device once connected. Should a key variable change, such as an anti-malware engine expire, the device can be blocked from the network or provided limited access depending on corporate requirements. As users connect to cloud application resources, Cato inspects traffic flows. Dozens of actions within applications can be blocked, enabled, or otherwise monitored and reported, such as uploading files or giving write access to key applications. 14. Will the SASE deliver a transparent and simplified end user experience that is the same regardless of location, device, OS, browser, etc.? The Cato experience remains consistent regardless of operating system. Mobile users can be given clientless access or client-based access with the Cato Mobile Client. The Cato Mobile Client is available for all major enterprise platforms including Windows, macOS, Android (also supported for ChromeOS), iOS, and Linux. Users within the locations connected by Cato Sockets, Cato's edge SD-WAN device, log into their network as usual with no change. Once connected to the Cato SASE Cloud, all security inspection is done locally at the connected PoP, eliminating the traffic backhaul that so often degrades the performance of mobile users situated far from their offices. The Cato Global Private Backbone uses optimized routing to minimize latency and WAN optimization to maximize throughput. The result is a remote user experience that's as close as possible to being inside the office. Other Questions to Explore We applaud Network World for raising these issues. Some other questions we might encourage IT teams to ask MSPs include: High Availability (HA): Take a close look at how HA is delivered by the vendor. What's the additional cost involved with deploying the secondary appliance? How are the SD-WAN devices configured and deployed? With most enteprises, HA has become the defacto edge configuration to ensure the high uptime they're looking for particularly when replacing MPLS. What happens when there is a lockup rather than just an outage, will the system failover properly? What about the underlying memory, storage, and server system underpinning what are often virtual appliances? What happens if the PoP itself becomes inaccessible? The list goes on. The secure Cato SASE platform is based on a fully distributed self-healing network built for the cloud era that we manage 24/7 on behalf of our customers. Anything less than that from our perspective simply isn't SASE.

Why Moving to ZTNA Provides Benefits for Both MSPs and Their Customers

The pandemic underscored the importance of secure remote access for organizations. Even beyond the events of these past years, remote work has been normalized and...

Boaz Avigad

April 26, 2022

5m read

Why Moving to ZTNA Provides Benefits for Both MSPs and Their Customers The pandemic underscored the importance of secure remote access for organizations. Even beyond the events of these past years, remote work has been normalized and has become an incentive and negotiating point for many prospective hires. However, many organizations are still reliant on legacy remote access solutions, such as virtual private networks (VPNs), that are not designed for the modern, distributed enterprise. Upgrading to zero trust network access (ZTNA) provides numerous benefits to these organizations. Main Benefits of ZTNA for MSPs For Managed Service Providers (MSPs) offering remote access services, making the move to ZTNA can significantly help their customers. However, it is not just the customer who benefits. An MSP that makes ZTNA part of its service offering can reap significant benefits, especially if it is deployed as part of a Secure Access Service Edge (SASE) offering. Let’s take a closer look at some of the key benefits: Tighter Security Controls VPNs are designed solely to provide a secure network link between two points. VPNs have no built-in traffic inspection capabilities and provide users with unrestricted access to corporate resources. By using VPNs for secure remote access, organizations expose themselves to various cyber threats. Cyber threat actors commonly target VPNs with credential stuffing attacks, hoping to take advantage of compromised credentials to gain full access to the enterprise network. VPNs are also prone to vulnerabilities that attackers can exploit to bypass access controls or eavesdrop on network traffic. ZTNA provides the same remote access capabilities as VPNs but does so on a case-by-case basis that allows effective implementation of least privilege access controls. By deploying ZTNA to customer environments, MSPs can reduce the occurrence and impact of security incidents. This results in an improved customer experience and reduced costs of recovery. [boxlink link="https://www.catonetworks.com/resources/poor-vpn-scalability-hurts-productivity-and-security/?utm_source=blog&utm_medium=top_cta&utm_campaign=poor_vpn_scalability"] Poor VPN Scalability Hurts Productivity and Security | EBOOK [/boxlink] Improved Visibility and Control VPNs provide unrestricted access to the corporate network, providing a user experience similar to working from the office. Since VPNs don’t care about the eventual destination of network traffic, they don’t collect this information. This provides an organization or their MSP with limited visibility into how a VPN is being used. ZTNA provides access to corporate resources on a case-by-case basis. These access decisions are made based on the account requesting the access, the resource requested, and the level of access requested. Based on this data and an organization’s access controls, access is permitted or denied. ZTNA performs more in-depth traffic inspection and access management as part of its job, and these audit logs can provide invaluable visibility to an MSP. With the ability to see which accounts are remotely accessing various resources, an MSP can more easily investigate potential security incidents, identify configuration errors and other issues, and strategically allocate resources based on actual usage of IT infrastructure and assets. Improved Customer Satisfaction During the pandemic, the performance and scalability limitations were laid bare for all to see. Many organizations needed to rapidly shift from mostly on-site to remote work within a matter of weeks. To do so, they often deployed or expanded VPN infrastructure to support a workforce much larger than existing solutions were designed to handle. However, VPNs scale poorly and can create significant performance issues. Remote access deployments built on VPNs overwhelmed existing network infrastructure, created significant latency, and offered poor support for the mobile devices that remote workers are increasingly using to do their jobs. During the pandemic, employees experienced significant network latency as traffic to cloud-based applications and data storage was backhauled through on-prem data centers by VPN appliances. As a result, employees commonly sought workarounds - such as downloading sensitive data to devices for easier access or using unapproved services - in order to do their jobs. ZTNA solutions provide optimized performance and better security by moving away from the perimeter-focused security model of VPNs. As corporate infrastructure and resources move to the cloud, employees need high-performance access to SaaS solutions, and routing traffic to these solutions via the corporate network makes no sense. ZTNA makes it possible to perform access management in the cloud and improve the user experience. For MSPs, improving the end user experience also improves the experience of their customers, who need to listen to employees’ complaints about performance and latency issues. Additionally, ZTNA enables an MSP to eliminate inefficient routing, which creates unnecessary load on their infrastructure and can make it more difficult to meet customer expectations for network performance. Value-Added Functionality VPNs provide bare-bones network connectivity for remote users. If an organization wants additional access control or to secure the traffic flowing over the VPN connection, this requires additional standalone solutions. By making the move from VPNs to ZTNA for secure remote access, an MSP can expand the services offered to their customers with minimal additional overhead. ZTNA offers access management, and so can an MSP. The data generated by ZTNA can be processed and displayed on dashboards for customers looking for additional insight into their network usage or security. MSPs can provide ongoing support services for the management and maintenance of ZTNA solutions. SASE Supercharges ZTNA Making the move to ZTNA for their secure remote access offerings makes logical sense for MSPs. ZTNA provides more functionality, better performance and security, and simpler management and maintenance than VPN-based infrastructure. However, the benefits of ZTNA can be dramatically expanded by deploying it as part of a SASE solution. SASE is deployed as a network of cloud-based points of presence (PoPs) with dedicated, high-performance network links between them. Each SASE PoP integrates ZTNA with other security and network optimization features, providing high-performance and reliable connectivity and enterprise-grade security for the corporate WAN. Making the move to ZTNA streamlines and optimizes an MSP’s remote access services offering. Deploying it with SASE does the same for an MSP’s entire network and security services portfolio.

IT Managers: Read This Before Leaving Your MPLS Provider

Maybe you’re an IT manager or a network engineer. It’s about a year before your MPLS contract expires, and you’ve been told to cut costs...

Vanessa Perplies

April 21, 2022

5m read

IT Managers: Read This Before Leaving Your MPLS Provider Maybe you’re an IT manager or a network engineer. It’s about a year before your MPLS contract expires, and you’ve been told to cut costs by your CFO. “That MPLS – too expensive. Find an alternative.” This couldn’t have come at a better time... Employees have been blowing up the helpdesk, complaining about slow internet, laggy Zoom calls and demos that disconnect with prospects. Naturally, it’s your job to find a solution... There actually could be several reasons why it’s time to pull the plug on your MPLS, or at least, consider MPLS alternatives. 1. Get crystal clear on your WAN challenges: Do any of these challenges sound familiar? A. You’ve been told to cut costs It’s no secret that MPLS circuits cost a fortune – often 3-4x the price of MPLS alternatives (like SD-WAN,) for only a fraction of the bandwidth. But the bottom line isn’t the only factor to take into consideration. Lengthy lead-times for site installations (weeks to months,) upgrades, and never-ending rounds of support tickets must all factor into the TCO of your MPLS. In short, MPLS is no longer competitively priced for today’s enterprise that needs to move at the speed of business. B. Employees constantly complain about performance While traditional hub-and-spoke networking topology comes with its advantages, when users backhaul to the data center they clog the network with bandwidth-heavy applications like VOIP and file transfer. Multiplied by hundreds or thousands of simultaneous users and you choke your network, creating performance problems which IT is tasked to solve. Wouldn’t it be nice if IT was free to solve business-critical issues instead of recurring network performance issues? [boxlink link="https://www.catonetworks.com/resources/what-telcos-wont-tell-you-about-mpls/?utm_source=blog&utm_medium=top_cta&utm_campaign=wont_tell_you_about_mpls"] What Others Won’t Tell You About MPLS | EBOOK [/boxlink] C. You’re “going cloud” and migrating from on-prem to cloud DCs and apps Migrating from on-prem legacy applications to cloud isn’t generally an “if” but a “when” statement. And the traditional hub-and-spoke networking architecture creates too much latency on cloud applications when the goal is ultimately improved network performance. Additionally, optimizing and securing branch-to-cloud and user-to-cloud access can’t be done efficiently with physical infrastructure, instead of requiring advanced cloud-delivered cybersecurity solutions like SWG, FWaaS and CASB. D. IT now needs to support work from anywhere, with no downtime Prior to COVID, work from anywhere was more the exception, rather than a rule. In the “new normal,” enterprises need to the infrastructure to support work from the branch, home, and everywhere else. Traditional remote-access VPNs weren’t designed to support hundreds, or thousands of users simultaneously connecting to the network, while supporting an optimum security posture, like ZTNA can. So, should you stay with MPLS or should you go? Ultimately, it’s time to decide whether to stick with your incumbent MPLS provider or consider the alternatives to MPLS... Whether it’s cost, digitization, performance or secure remote access - is your MPLS “good enough” to support today’s hassles and headaches (not to mention tomorrows?) 2. You’ve decided to look for MPLS alternatives: Do all roads lead to SD-WAN? You’ve decided that your MPLS isn’t all it's cracked up to be. Now what? While an SD-WAN solution seems like the natural choice, SD-WAN only addresses some of the challenges that you’ll inevitably face at a growing enterprise. True, SD-WAN will lower the bill and optimize spend by leveraging internet circuits’ massive capacity and availability everywhere. However, SD-WAN was designed to optimize performance for site-to-site connectivity, with architecture that isn’t designed to support remote users and clouds. Additionally, SD-WAN's security is basic at best, lacking the advanced control and prevention capabilities that enterprises need to secure all clouds, datacenters, branches, users and, appliances. Not to mention, adding SD-WAN to existing appliance sprawl is only going to further complicate your network management, adding more products to administrate, and more hassle surrounding appliance sizing, scaling, distribution, patching and upkeep. And who needs that headache? So, how do you solve all the above four challenges, while upgrading your networks and achieving an optimal security posture that allows your enterprise to grow, scale, adjust and stay prepared for “whatever’s next”? 3. Ever Heard of SASE? No, SASE isn’t just a buzzword or industry hype. It’s the next era of networking and security architecture which doesn’t focus on adding more features to the complicated pile of point solutions, but targets “operational simplicity, automation, reliability and flexible business models,” (Gartner, Strategic roadmap for networking, 2019.) According to Gartner, for a solution to be SASE, it must “converge a number of disparate network and network security services including SD-WAN, secure web gateway, CASB, SDP, DNS protection and FWaaS,” (Gartner, Hype Cycle for Enterprise Networking 2019.) Gartner is extremely clear that these requirements aren’t just “nice-to-have,” but non-negotiables; the solution must be converged, cloud-native, global, support all edges, and offer unified management. SASE actually combines SD-WAN and security-as-a-service, managed via a single cloud service, which is globally distributed, automatically scaled, and always updated. So, instead of opting for more network complexity with SD-WAN, plus all the setup, management, sizing, and scaling challenges that come with it – why not consider SASE? It’s time to think strategically: Move beyond the limitations of SD-WAN No matter if you need to solve one, two, three or all four of the above WAN challenges, SD-WAN is a short-sighted point solution to any long-term organizational challenge. This means that only a SASE solution with an integrated SD-WAN which includes a global-private backbone (over costly long-haul MPLS,) ZTNA (to serve remote access users and replace legacy VPN) and secure cloud access (which allows you to migrate to the cloud,) allows you to successfully grow the business while maintaining your sanity. If you’re interested in replacing your MPLS beyond the limits of short-sighted solutions like SD-WAN, then you’ll love Cato SASE Cloud. Check out this Cato SASE E-book to understand: Why point products like SD-WAN won’t solve long-term architectural problems What you need to look for in a SASE solution Why Cato is the only true SASE solution in enterprise networking and security

How to Protect from Ransomware with SASE

With corporations paying ransoms of seven figures and upwards to restore business continuity, cyber attackers have turned to ransomware as a lucrative income. But in...

Eyal Webber Zvik

April 19, 2022

4m read

How to Protect from Ransomware with SASE With corporations paying ransoms of seven figures and upwards to restore business continuity, cyber attackers have turned to ransomware as a lucrative income. But in addition to the immediate cost, which could reach millions of dollars, ransomware will also leave organizations with significant long-term damage. This blog post will explain the four main areas of impact of ransomware on organizations, and how Cato SASE Cloud can help prevent ransomware and protect businesses. This blog post is based on the e-book “Ransomware is on the Rise - Cato’s Security-as-a-Service Can Help”. 4 Ways Ransomware Affects Organizations 1. Immediate Loss of Productivity Organizations depend almost entirely on data and applications for their daily operations, including making payments, creating products and delivering and shipping them. If this comes to a halt, the loss of productivity is enormous. For some global enterprises, this could even mean losing millions of dollars per hour. Recovering backups and attempting data recovery could take IT teams weeks of work. To restore productivity, some businesses prefer to pay the ransom and get operations back on track. 2. Data Encryption According to Cybercrime Magazine, the global cost of ransomware damages will exceed $20 billion in 2021 and $265 Billion by 2031. One of the ways attackers gain these amounts is encrypting organizational data, and requiring a payment for instructions on how to decrypt it. To motivate victims to pay, attackers might threaten to destroy the private key after a certain amount of time, or increase the price as time passes. To view the entire list and additional ways ransomware impacts organizations, check out the ebook. [boxlink link="https://www.catonetworks.com/resources/ransomware-is-on-the-rise-catos-security-as-a-service-can-help/?utm_source=blog&utm_medium=top_cta&utm_campaign=ransomware_ebook"] Ransomware is on the Rise – Cato’s Security as a Service can help | eBook [/boxlink] How Cato SASE Cloud Prevents Ransomware By converging network and security into a global, cloud-native service, Cato’s SASE platform provides visibility into traffic, edges and resources, which enables building a comprehensive and unique security solution that protects from malware while eliminating false positives. Here’s are six ways Cato SASE Cloud protected organizations from ransomware: 1. Reputation Data & Threat Intelligence Cato leverages threat intelligence feeds from open-source, shared communities and commercial providers. In addition, after finding that 30% of feeds contain false positives or miss IoCs, Cato built a complementing system that uses ML and AI to aggregate records and score them. 2. Blocking Command and Control Communication Cato IPS prevents delivery of ransomware to machines, which is the primary way perpetrators gain hold of systems prior to the attack. If an attacker is already inside the network, Cato prevents the communication that attackers use to encrypt files and data. 3. Blocking Suspicious SMB File Activity Cato IPS detects and blocks irregular network activity, which could be the result of attackers using SMB to rename or change extensions of encrypted files. 4. Zero Trust Network Access Cato SASE Cloud provides a zero-trust approach to ensure users and hosts can only access applications and resources they are authorized for. This reduces the attack surface, limiting ransomware's ability to spread, encrypt and exfiltrate data. 5. Stopping Known and Zero-Day Threats Leveraging machine learning, Cato’s advanced anti-malware solution defends against unknown threats and zero-day attacks, and is particularly useful against polymorphic malware designed to evade signature-based inspection engines. 6. An IPS that Sees the Full Picture, Not a Partial One Cato’s IPS has unique capabilities across multiple security layers, including: layer-7 application awareness, user identity awareness, user/agent client fingerprint, true file type, target domain/IP reputation, traffic attributes, behavioral signature and heuristic, and more. Scale Your Security Team with Cato MDR Cato can offload the resource-intensive process of detecting compromised endpoints from organizations’ already-busy IT and security teams. This eliminates the need for additional installations as Cato already serves as the customer’s SASE platform, supplying unparalleled visibility into all traffic from all devices. Capabilities provided: Automated Threat Hunting Human Verification Network-Level Threat Containment Guided Remediation Reporting & Tracking Assessment Check-Ups Cato MDR service can help you identify and contain ransomware and suspicious activities before they activate and impact your business. Through lateral movement detection and baselining host behavior, Cato MDR service gives your network an extra set of eyes to detect, isolate and remediate threats. Contact us to learn more. See the e-book “Ransomware is on the Rise - Cato’s Security-as-a-Service Can Help”.    

Lipstick on a Pig: When a Single-Pane-of-Glass Hides a Bad SASE Architecture

The Secure Access Service Edge (SASE) is a unique innovation. It doesn’t focus on new cutting-edge features such as addressing emerging threats or improving application...

Yishay Yovel

April 14, 2022

4m read

Lipstick on a Pig: When a Single-Pane-of-Glass Hides a Bad SASE Architecture The Secure Access Service Edge (SASE) is a unique innovation. It doesn’t focus on new cutting-edge features such as addressing emerging threats or improving application performance. Rather, it focuses on making networking and security infrastructure easier to deploy, maintain, manage, and adapt to changing business and technical requirements. This new paradigm is threatening legacy point solution incumbents. It portrays the world they created for their customers as costly and complex, pressuring customer budgets, skills, and people. Gartner tackled this market trend in their research note: “Predicts 2022: Consolidated Security Platforms are the Future.” Writes Gartner, “The requirement to address changing needs and new attacks prompts SRM (security and risk management) leaders to introduce new tools, leaving enterprises with a complex, fragmented environment with many stand-alone products and high operational costs.” In fact, customers want to break the trend of increasing operational complexity. Writes Gartner. “SRM leaders tell Gartner that they want to increase their efficiency by consolidating point products into broader, integrated security platforms that operate as a service”. This is the fundamental promise of SASE. However, SASE is extremely difficult for vendors that start from a pile of point solutions built for on-premises deployment. What such vendors need to do is re-architect these point solutions into a single, converged platform delivered as a cloud service. What they can afford to do is to hide the pile behind a single pane of glass. Writes Gartner: “Simply consolidating existing approaches cannot address the challenges at hand. Convergence of security systems must produce efficiencies that are greater than the sum of their individual components." [boxlink link="https://www.catonetworks.com/resources/5-questions-to-ask-your-sase-provider/?utm_source=blog&utm_medium=top_cta&utm_campaign=5_questions_for_sase_provider"] 5 Questions to Ask Your SASE Provider | eBook [/boxlink] How can you achieve efficiency that is greater than the sum of the SASE parts? The answer is: core capabilities should be built once and be leveraged to address multiple functional requirements. For example, traffic processing. Traffic processing engines are at the core of many networking and security products including routers, SD-WAN devices, next generation firewalls, secure web gateways, IPS, CASB/DLP, and ZTNA products. Each such engine uses a separate rule engine, policies, and context attributes to achieve its desired outcomes. Their deployment varies based on the subset of traffic they need to inspect and the source of that traffic including endpoints, locations, networks, and applications. A true SASE architecture is “single pass.” It means that the same traffic processing engine can address multiple technical and business requirements (threat prevention, data protection, network acceleration). To do that, it must be able to extract the relevant context needed to enforce the applicable policies across all these domains. It needs a rule engine that is expandable to create rich rulesets that use context attributes to express elaborate business policies. And it needs to feed a common repository of analytics and events that is accessible via a single management console. Simply put, the underlying architecture drives the benefits of SASE bottom-up -- not a pretty UI managing a convoluted architecture top-down. If you have an aggregation of separate point products everything becomes more complex -- deployment, maintenance, integration, resiliency, and scaling -- because each product brings its unique set of requirements, processes, and skills to an already very busy IT organization. This is why Cato is the world’s first and most mature SASE platform. It isn’t just because we cover the key functional requirements of SD-WAN, Secure Web Gateway (SWG), Firewall-as-a-Service (FWaaS), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA). Rather, it is because we built the only true SASE architecture to deliver these capabilities as a single global cloud service with simplicity, automation, scalability, and resiliency that truly enables IT to support the business with whatever comes next.    

The Value of Security Simplicity

A Complex Landscape As time passes, technology and human innovation have advanced rapidly. This is not only in terms of available connectivity, bandwidth, and processing...

Evin Safdia

April 12, 2022

6m read

The Value of Security Simplicity A Complex Landscape As time passes, technology and human innovation have advanced rapidly. This is not only in terms of available connectivity, bandwidth, and processing power but also in terms of the networking and security landscape as well. For every technological advancement in consumer and business productivity, IT systems, operations and security must also try and keep pace. We must consider not only the speed and capacity at which these tools must operate, but also the emergence of entirely new technical domains. The industry has moved away from castle and moat designs and replaced them with cloud platforms for a variety of services, effectively moving from endpoint security to network security and finally to cloud security and cloud-delivered network security. But with each new need and technical area, a multitude of vendors and products emerge only adding to the complexity.   [caption id="attachment_24677" align="alignnone" width="3000"] Momentum CyberScape Source[/caption]   IT and security leaders must consider multiple security product categories such as network & infrastructure, web, endpoint, application, data, mobile, risk & compliance, operations & incident response, threat intelligence, IoT, IAM, email/messaging, risk management, and more. Adding to the challenge, for each category there are multiple vendors with different product sets, architectures and capabilities. It can be time consuming and challenging to prioritize security investments while selecting the ideal vendor for your business. While each product that you purchase and implement is intended to strengthen your security posture and reduce risk, these products may also be increasing the complexity of your environment. [boxlink link="https://www.catonetworks.com/resources/ransomware-is-on-the-rise-catos-security-as-a-service-can-help?utm_source=blog&utm_medium=top_cta&utm_campaign=ransomware_ebook"] Ransomware is on the Rise – Cato’s Security as a Service can help | Get the eBook [/boxlink] Complexity Erodes Security Many have considered it a best practice to purchase products based on the perception in the market as “best of breed.” This approach seems logical but can be detrimental as getting these products to work together can be difficult or impossible. Even products from the same vendor can be lacking in integration, especially if the product was the result of an acquisition. Furthermore, even with out-of-the-box integrations, getting everything to work as desired can still be very time-consuming. You may have already learned through experience that integration is not convergence. If you are still questioning the difference between the two, here are two examples. A converged solution will have a single management application for all functions of the platform. Separate consoles or a pseudo-unified console that requires downloading, installing, and managing plugins are not converged. For cloud-delivered offerings, a converged solution will offer all capabilities at all PoPs. A vendor that uses some PoPs for capabilities like DLP and remote access and other PoPs for things like NGFW and SWG is not converged. Non-converged solutions can drastically increase management touch, increasing administrative overhead and cost while eroding security value. How does this happen? For every new product and management application, the opportunity for misconfiguration increases as does the number of policies. Misconfigurations can easily lead to high profile security incidents, while multiple sets of separate policies can lead to gaps that are difficult to identify. A converged security platform provides holistic visibility into your organization’s policies and even makes it easier when you need to conduct compliance audits. Of course, the market has responded to this, and you can spend more money on third-party integration and management tools, or developers that can build custom integrations for you. However, CISO’s live in the real world and do not have unlimited budget, nor do they typically want to own a software development life cycle for home-built integrations. Just remember, more vendors and more products can easily mean more problems. Is Your Security Stack Weighing You Down? In addition to hurting your organization’s budget and security posture, point-security products also reduce your ability to be agile and innovate. You may need to manage an update schedule for each of your devices and products. While most vendors have automatic update options, the best practice is to test updates before putting them into production and monitor impacts after production. For example, a content update on a Palo Alto Networks PA-220 Firewall is estimated to take up to 10 minutes.* If you have 1,000 PA-220s, that is more than 166 hours of update time, not including downloading, testing, and verifying. Updates to the device’s firmware or operating system will likely take longer and can lead to outages or device failures. All this time spent on maintaining what you already own can slow other projects in your organization. “[Content update] installation can take up to 10 minutes on a PA-220 firewall” * Source Beyond your organization’s ability to innovate, you should also consider the impacts on yourself or your team. Most security products require specialized technical expertise. This can make hiring challenging, especially if you need someone who can manage multiple aspects of your deployment. This means that hiring cycles will take longer, work/life balance may be compromised, and new hire ramping time is increased. Furthermore, complex deployments can make it difficult for skilled individuals to be promoted or take vacation time. Your security stack represents a significant investment, but is it serving all users, locations, and applications? The costs of deploying and managing your own security architecture will often lead to compromises. You may have a few datacenters and probably backhaul traffic to them to secure. But often enough due to performance and other requirements, you may also be excluding specific locations, users, or applications from some or all security functions. This creates inconsistency in your security posture and user experience and will hurt your organization. SASE Is the Way You probably have heard of the Secure Access Service Edge or SASE, a term that Gartner coined in 2019. SASE is the way forward for most modern organizations and represents the convergence of networking and security capabilities delivered from the cloud. This allows organizations to remain agile and flexible, reducing complexity, while securing and enabling their users. The SASE market is relatively new, but there are already multiple vendors who want your business. When looking at SASE, don’t forget about simplicity, many vendors don’t have converged solutions and the complexity of legacy technology still lurks in their products. Management time and policy sets should be reduced, while deployments and new feature adoption should be seamless. Updates are the vendor's responsibility, keeping you more secure and giving you time for other projects. You may have heard the acronym K.I.S.S. before, but I’ve changed it a bit for a SASE world: Keep It Simple & Secure. “When we learned about the Cato solution, we liked the idea of simple and centralized management. We wouldn’t have to worry about the time-consuming process of patch management of on-premise firewalls,” – Alf Dela Cruz, Head of IT Infrastructure and Cyber Security at Standard Insurance    

Inside Cato: How a Data Driven Approach Improves Client Identification in Enterprise Networks

Identification of OS-level client types over IP networks has become crucial for network security vendors. With this information, security administrators can gain greater visibility into...

Asaf Fried

April 7, 2022

4m read

Inside Cato: How a Data Driven Approach Improves Client Identification in Enterprise Networks Identification of OS-level client types over IP networks has become crucial for network security vendors. With this information, security administrators can gain greater visibility into their networks, differentiate between legitimate human activity and suspicious bot activity, and identify potentially unwanted software. The process of identifying clients by their network traces is, however, very challenging. Most of the common methods being applied today require a great deal of manual work, advanced domain expertise, and are prone to misclassification. Using a data-driven approach based on machine learning, Cato recently developed a new technology that addresses these problems, enabling accurate and scalable identification of network clients. Going “old school” with manual fingerprinting One of the most common methods to passively identify network clients, without requiring access to either endpoint, is fingerprinting. Imagine you are a police investigator arriving at a crime scene for forensics. Lucky for you, the suspect left an intact fingerprint. Since he is a well-known criminal with previous offenses, his fingerprints are already in the police database, and you can use the one you found to trace back to him. Like humans, network clients also leave unique traces that can be used to identify them. In your network, combinations of attributes such as HTTP headers order, user-agents, and TLS cipher suites, are unique to certain clients. [boxlink link="https://catonetworks.easywebinar.live/registration-ransomware-chokepoints"] Ransomware Chokepoints: Disrupt the Attack | Watch Webinar [/boxlink] In recent years, fingerprints relying solely on unsecured network traffic attributes (e.g., the HTTP user-agent value) have become obsolete, since they are easy to spoof, and are not applicable when using secured connections. TLS fingerprints, that rely on attributes from the Client Hello message of the TLS handshake, on the other hand, do not suffer from these drawbacks and are slowly gaining larger adaptation from security vendors. Below is an example of a TLS fingerprint that identifies a OneDrive client. Caption: TLS header fingerprint of a One Drive client (source) However, manually mapping network clients to unique identifiers is not a simple task; It requires in-depth domain knowledge and expertise. Without them, the method is prone to misclassifications. In a shared community effort to address this issue, some open-source projects (e.g. sslhaf and JA3) were created, but they provide low coverage and are not updated frequently. An even greater issue with manual fingerprinting is scalability. Accurately classifying client types requires manually analyzing traffic captures, a labor-intensive process that does not scale for enterprise networks. Taking such an approach at Cato wasn’t feasible. Each day the Cato SASE Cloud must inspect millions of unique TLS handshake values. The large number of values is due not only to the number of network clients connected to Cato SASE Cloud but also to the number of different versioning and updates that alter the TLS behavior of each client. Clearly, we needed a better solution. Clustering – An automated and robust approach With great amounts of data, comes great amounts of capabilities. With the use of machine learning clustering algorithms, we’ve managed to reduce millions of unique TLS handshake values to a subset of a few hundred clusters, representing unique network clients that share similar values. After creating the clusters, a single fingerprint can be generated for each one, using the longest common substring (LCS) from the Client Hello message of all the samples in the cluster. Finding the common denominator of several samples makes the approach more robust to small variations in the message values. Caption: Similar values from the TLS Client Hello message are clustered together and the LCS is used to generate a fingerprint. Each colored cluster represents a different client. The next step of the process is to identify and label the client of the fingerprint. To do so, we search for the fingerprint in our data lake, containing terabytes of daily network flows generated from different clients, and look for common attributes such as domains or applications contacted, and HTTP user-agent (visible from TLS traffic interception and inspection). For example, in the plot above, a group of TLS network flows, containing similar Client Hello messages, were clustered together by the algorithm (see the 3-point “Java/1.8.0_211” cluster colored in light blue). The resulting TLS fingerprint matched a group of inspected TLS flows in our data lake, with visible HTTP headers; all of which had a common user-agent that belongs to the Java Standard Library; a library used to perform HTTP requests. Wrapping up Accurately identifying client types has become crucial for network security vendors. With this new data-driven approach, we’ve managed to develop a fully automated and continuous pipeline that generates TLS fingerprints. The new method scales to large enterprise networks and is more robust to variation in the client's network activity.    

Can You Really Trust Zero Trust Network Access?

Why Yes The global economy’s shift to hybrid work models is challenging enterprises to securely connect their work-from-anywhere employees. Supporting these highly distributed, dynamic, and...

Boaz Avigad

April 5, 2022

3m read

Can You Really Trust Zero Trust Network Access? Why Yes The global economy's shift to hybrid work models is challenging enterprises to securely connect their work-from-anywhere employees. Supporting these highly distributed, dynamic, and diverse networks requires enterprises to be more flexible and accommodating, which results in remote access becoming an increasingly expanding attack surface. A crucial step in reducing this risk is transitioning from legacy VPNs, with their inherently risky castle-and-moat approach, to Zero Trust Network Access (ZTNA). The latter implements a much more restrictive access control mechanism, which allows users to connect to applications on a need-to-access only basis. Why Not ZTNA solutions, however, rely mostly on user authentication, and when this becomes compromised, a perpetrator still has the capability to wreak havoc in the enterprise network and its connected assets. User account takeovers are quite common and are achieved by way of social engineering (e.g. phishing) and other techniques. Security experts agree that enterprise security teams should work under the assumption that user accounts have been, or at some point will be, compromised. What’s Next Recognizing this risk, and as part of our continuous quest to provide our customers with better security, Cato has released the Client Connectivity Policy (CCP) feature. CCP acts as an additional layer of security when connecting remote employees to the enterprise network. It adds user or group-level validations based on the client platform (Operating system), location, and Device Posture information (fig. 1). Clients are granted access only after fully satisfying the defined connectivity policies. [caption id="attachment_24508" align="alignnone" width="1200"] Figure 1[/caption]   [boxlink link="https://www.catonetworks.com/resources/the-hybrid-workforce-planning-for-the-new-working-reality/?utm_source=blog&utm_medium=top_cta&utm_campaign=hybrid_workforce"] The Hybrid Workforce: Planning for the New Working Reality | Download eBook [/boxlink] It is no longer enough to pass ZTNA authentication in order to access the enterprise network. The additional security layer added by Cato's CCP significantly reduces ZTNA related attack vectors, even for compromised accounts, and strengthens the enterprise's overall security posture. While Device Posture itself is commonly used as part of ZTNA, Cato's CCP is unique in that Device Posture is just one source of information used to make access decisions (fig. 2). CCP also enables numerous different Device Posture checks that can be defined, and selectively implemented, for different users and groups. This provides security teams a high degree of flexibility when defining connectivity policies. For example, highly stringent requirements for users with access to highly sensitive enterprise assets e.g., "the crown jewels", and more relaxed requirements for users with limited access and lower risk potential. [caption id="attachment_24510" align="alignnone" width="1200"] Figure 2[/caption]   The Bottom Line In the evolving threat landscape of remote access, Zero Trust is just too trusting. Cato's Client Connectivity Policy takes ZTNA an extra step by adding a security layer capable of blocking access from unauthorized clients, even when the user account has been compromised. By using several independent evaluation criteria, and highly flexible Device Posture profiles, Cato's CCP keeps your enterprise's security posture one step ahead of your next attack.    

Cato Patches Vulnerabilities in Java Spring Framework in Record Time

Two Remote Code Execution (RCE) vulnerabilities have been discovered in the Java Spring framework used in AWS serverless and many other Java applications. At least...

The role of the CIO has changed dramatically in the past years. Until now, CIOs had been focusing on ongoing IT management. But today, technology...

Eyal Webber Zvik

March 3, 2022

5m read

5 Strategic Projects for Strategic CIOs The role of the CIO has changed dramatically in the past years. Until now, CIOs had been focusing on ongoing IT management. But today, technology creates new business models and helps achieve business goals. This makes technology the defining pillar of business transformation. CIOs who realize this and identify the right opportunities for strategically leveraging technology, can transform their organization. Let’s look at five strategic projects that can help CIOs drive innovation and generate new revenue streams. Project #1: Migrating MPLS or SD-WAN to SASE Many organizations have replaced their MPLS with SD-WAN, or are in the process of doing so. SD-WAN emerged a few decades ago as a cost-effective replacement to MPLS, because it answers MPLS constraints like capacity, cost and lack of flexibility. However, SD-WAN does not provide solutions for modern requirements like security threats, remote work, global performance and cloud-native scalability. SASE (Secure Access Service Edge) is the next step after SD-WAN. A Gartner-coined term, SASE is the convergence of SD-WAN, network security and additional IT capabilities into a global, cloud-native platform. Compared to SD-WAN and other point solutions, SASE ensures reliability, performance, security and connectivity. In fact, according to Gartner’s Hype Cycle of Network Security 2020 - by 2024, more than 60% of SD-WAN customers will have implemented a SASE architecture, compared to approximately 35% in 2020. How CIOs Create Business Value with SASE: By migrating to SASE, CIOs ensure all employees will always be able to connect via a secure, global and performance optimized network. With SASE, CIOs are also relieved from the complexity and risk of supporting the business with point solutions, which are often outdated. Project #2: Building Cloud Native Connectivity Cloud-native infrastructure, platforms and applications provide businesses with flexibility, scalability and customizability. They also increase the speed and efficiency of processes. Technological advancements have enabled this transition, but it is the growing need for remote accessibility and global connectivity that is accelerating it. On-premises solutions can no longer answer modern business needs for performing business activities. SASE is a cloud-native technology, providing businesses with all the benefits of the cloud and connecting all edges, branches, users and data centers. How CIOs Create Business Value with Cloud Native Connectivity By building cloud native connectivity across all edges, CIOs provide employees with optimized performance, security and accessibility to any required internal or external business application. Cloud readiness also enables agile delivery to customers. [boxlink link="https://www.catonetworks.com/resources/deploy-your-site-in-under-6-minutes/?utm_source=blog&utm_medium=top_cta&utm_campaign=6_minute_demo"] Deploy your site in under 6 minutes with Cato SASE Cloud! | Check it out [/boxlink] Project #3: Implementing a Full Security Stack in the Cloud Cyber attacks are becoming increasingly more sophisticated, widespread and with the potential to create more destruction. Coupled with the dissolvement of network borders, IT and security teams need to rethink their security strategy and solutions. Existing point security solutions simply cannot keep up with all these changes. In addition, the overhead tax IT and security teams pay for finding, purchasing, managing, integrating and updating various security solutions from numerous vendors is very high. A converged security solution implements innovative security models, like ZTNA (Zero Trust Network Access) alongside security measures like threat prevention and decryption. In addition, it is automatically updated, to ensure it can thwart CVEs and zero day threats. How CIOs Provide Business Value with Full Stack Cloud Security By implementing a complete security stack in the cloud, CIOs provide the company’s employees and customers with the confidence that their information is secure and accessible only to authorized users and services. In addition, IT and security teams regain peace of mind to operate with confidence and stress free. Project #4: Enable Access to All Edges Working remotely from home, the road or a different office is becoming increasingly popular, and is turning into a working model that is here to stay. In addition, the global distribution of networks has also introduced many new entry points to business systems. But, traditional access capabilities are not designed for these types of connectivity models. SASE provides dynamic and secure access through global PoPs (Points of Presence). Traffic from remote users, data centers, applications or other edges is automatically detected and sent to the nearest PoP. There, it is authorized and then given access. How CIOs Provide Business Value with Global Access to All Edges By providing users with secure access while ensuring first-class citizen performance, CIOs become enablers for business agility and speedy deliveries. The freedom and flexibility to work from anywhere and connect to anywhere power new opportunities for business initiatives. In addition, they provide employees with working conditions fit for modern life and ensure they will not look elsewhere for an employer that enables working remotely. 5. Optimize Routing with Global Connectivity Businesses today route high volumes of traffic, from globally dispersed employees and other edges. Performance optimization is essential for connectivity and communication so employees can get things done. However, the Internet is too erratic to be relied on, and SD-WAN providers are forced to integrate with third party backbone providers for such optimization. SASE solutions provide a global backbone and WAN optimization, serving IT and security capabilities to all users and accelerating east-west and northbound traffic to the cloud. How CIOs Provide Business Value with Optimized Global Connectivity By ensuring low latency and optimized routing, CIOs are fulfilling a key requirement for business agility. From video streaming to accessing information to transferring data, optimized routing facilitates and powers business activities. How to Get Started Looking at this list might be daunting at first. However, all these projects can be achieved through the implementation of SASE. SASE converges network and security point solutions into a single, global, cloud-native platform that enables access from all edges. Therefore, it provides a single and streamlined answer to all network and security needs, now and in the future. Cato is the world’s first SASE platform. Using the Cato SASE Cloud, customers easily migrate from MPLS to SD-WAN, improve connectivity to on-premises and cloud applications, enable secure branch Internet access everywhere, and seamlessly integrate cloud data centers and remote users into the network with a zero-trust architecture. With Cato, your network and business are ready for whatever’s next. Start now. You can read more from the following resources: Your First 100 Days as CIO: 5 Steps to Success 5 Things SASE Covers that SD-WAN Doesn’t What is SASE? The Hybrid Workforce: Planning for the New Working Reality    

The DGA Algorithm Used by Dealply and Bujo Campaigns

During a recent malware hunt[1], the Cato research team identified some unique attributes of DGA algorithms that can help security teams automatically spot malware on...

Elad Menahem

March 1, 2022

5m read

The DGA Algorithm Used by Dealply and Bujo Campaigns During a recent malware hunt[1], the Cato research team identified some unique attributes of DGA algorithms that can help security teams automatically spot malware on their network. The “Shimmy” DGA DGAs (Domain Generator Algorithms) are used by attackers to generate a large number of – you guessed it – domains often used for C&C servers. Spotting DGAs can be difficult without a clear, searchable pattern. Cato researchers began by collecting traffic metadata from malicious Chrome extensions to their C&C services. Cato maintains a data warehouse built from the metadata of all traffic flows crossing its global private backbone. We analyze those flows for suspicious traffic to hunt threats on a daily basis. The researchers were able to identify the same traffic patterns and network behavior in traffic originating from 80 different malicious Chrome extensions, which were identified as from the Bujo, Dealply and ManageX families of malicious extensions. By examining the C&C domains, researchers observed an algorithm used to create the malicious domains. In many cases, DGAs appear as random characters. In some cases, the domains contain numbers, and in other cases the domains are very long, making them look suspicious. Here are a few examples of the C&C domains (full domain list at the end of this post): qalus.com jurokotu.com bunafo.com naqodur.com womohu.com bosojojo.com mucac.com kuqotaj.com bunupoj.com pocakaqu.com wuqah.com dubocoso.com sanaju.com lufacam.com cajato.com qunadap.com dagaju.com fupoj.com The most obvious trait the domains have in common is that they are all part of “.com” TLD (Top-Level Domain). Also, all the prefixes are five to eight letters long. There are other factors shared by the domains. For one, they all start with consonants and then create a pattern that is built out of consonants and vowels; so that every domain is represented by consonant + vowel + consonant + vowel + consonant, etc. As an example, in jurokotu.com domain, removing the TLD will bring “jurokotu”, and coloring the word to consonants (red) and vowels (blue) will show the pattern: “jurokotu”. From the domains we collected, we could see that the adversaries used the vowels: o, u and a, and consonants: q, m, s, p, r, j, k, l, w, b, c, n, d, f, t, h, and g. Clearly, an algorithm has been used to create these domains and the intention was to make them look as close to real words as possible. [boxlink link="https://www.catonetworks.com/resources/8-ways-sase-answers-your-current-and-future-it-security-needs/?utm_source=blog&utm_medium=top_cta&utm_campaign=8_ways_sase_answers_needs_ebook"] 8 Ways SASE Answers Your Current and Future Security & IT Needs [eBook] [/boxlink] “Shimmy” DGA infrastructure A few additional notable findings are related to the same common infrastructure used by all the C&C domains. All domains are registered using the same registrar - Gal Communication (CommuniGal) Ltd. (GalComm), which was previously associated with registration of malicious domains [2]. The domains are also classified as ‘uncategorized’ by classification engines, another sign that these domains are being used by malware. Trying to access the domains via browser, will either get you a landing page or HTTP ERROR 403 (Forbidden). However, we believe that there are server controls that allow access to the malicious extensions based on specific http headers. All domains are translated to IP addresses belonging to Amazon AWS, part of AS16509. The domains do not share the same IP, and from time to time it seems that the IP for a particular domain is changed dynamically, as can be seen in this example: tawuhoju.com 13.224.161.119 14/04/2021 tawuhoju.com 13.224.161.119 15/04/2021 tawuhoju.com 13.224.161.22 23/04/2021 tawuhoju.com 13.224.161.22 24/04/2021 Wrapping Up Given all this evidence, it’s clear to us that the infrastructure used on these campaigns is leveraging AWS and that it is a very large campaign. We identified many connection points between 80 C&C domains, identifying their DGA and infrastructure. This could be used to identify the C&C communication and infected machines, by analyzing network traffic. Security teams can now use these insights to identify the traffic from malicious Chrome extensions. IOC bacugo[.]com bagoj[.]com baguhoh[.]com bosojojo[.]com bowocofa[.]com buduguh[.]com bujot[.]com bunafo[.]com bunupoj[.]com cagodobo[.]com cajato[.]com copamu[.]com cusupuh[.]com dafucah[.]com dagaju[.]com dapowar[.]com dubahu[.]com dubocoso[.]com dudujutu[.]com focuquc[.]com fogow[.]com fokosul[.]com fupoj[.]com fusog[.]com fuwof[.]com gapaqaw[.]com garuq[.]com gufado[.]com hamohuhu[.]com hodafoc[.]com hoqunuja[.]com huful[.]com jagufu[.]com jurokotu[.]com juwakaha[.]com kocunolu[.]com kogarowa[.]com kohaguk[.]com kuqotaj[.]com kuquc[.]com lohoqoco[.]com loruwo[.]com lufacam[.]com luhatufa[.]com mocujo[.]com moqolan[.]com muqudu[.]com naqodur[.]com nokutu[.]com nopobuq[.]com nopuwa[.]com norugu[.]com nosahof[.]com nuqudop[.]com nusojog[.]com pocakaqu[.]com ponojuju[.]com powuwuqa[.]com pudacasa[.]com pupahaqo[.]com qaloqum[.]com qotun[.]com qufobuh[.]com qunadap[.]com qurajoca[.]com qusonujo[.]com rokuq[.]com ruboja[.]com sanaju[.]com sarolosa[.]com supamajo[.]com tafasajo[.]com tawuhoju[.]com tocopada[.]com tudoq[.]com turasawa[.]com womohu[.]com wujop[.]com wunab[.]com wuqah[.]com References: [1] https://www.catonetworks.com/blog/threat-intelligence-feeds-and-endpoint-protection-systems-fail-to-detect-24-malicious-chrome-extensions/ [2]  https://awakesecurity.com/blog/the-internets-new-arms-dealers-malicious-domain-registrars/    

Cato Networks Response to UK’s NCSC Guidance On Tightening Cyber Control Due to the Situation in Ukraine

Last week the United Kingdom’s National Cyber Security Centre (NCSC) urged UK organizations “to strengthen their cyber resilience in response to the situation in Ukraine”...

Peter Lee

February 24, 2022

5m read

Cato Networks Response to UK’s NCSC Guidance On Tightening Cyber Control Due to the Situation in Ukraine Last week the United Kingdom’s National Cyber Security Centre (NCSC) urged UK organizations “to strengthen their cyber resilience in response to the situation in Ukraine” [1] and today they followed that warning up with a call for “organisations in the UK to bolster their online defences” [2] by adopting a set of “Actions to take when the cyber threat is heightened.”[3] Similar statements have been issued by other authorities such as Germany’s Federal Office for Information Security (BSI) and CISA in the US. As a global provider of the converged network and security solutions known as SASE (Secure Access Service Edge) [4], Cato Networks has a rapidly expanding portfolio of customers not just here in the UK but in many other regions around the world which are also exposed to the current situation. Here are some suggestions for Cato customers who wish to enhance their security posture in accordance with the NCSC’s advice. Step 1 - Lock administrative access down. Cato’s true single-pane-of-glass management console makes it easy for organisations to understand and control exactly who can make changes to their Cato SASE environment. Customers can use the built-in Events Discovery (effectively, your own SIEM running inside Cato) to easily filter for admin users which haven’t recently logged on, and then disable them. Admin user MFA should be enabled across the board and any administrators who don’t make changes (such as auditors) given viewer accounts only. This is also a good opportunity to review API keys and revoke any which are no longer required. Step 2 - Review SDP user account usage. Now is also the right time to review SDP users for stale user accounts which can be disabled or deleted, ensure that directory synchronisation and SCIM groups are appropriately configured and filter all manually created SDP users for unexpected third party users. Customers should also check that any user-specific configuration settings which override global policy are there for good reasons and do not expose the organisation to increased risk. [boxlink link="https://www.catonetworks.com/resources/inside-cato-networks-advanced-security-services/?utm_source=blog&utm_medium=top_cta&utm_campaign=inside_cato_advanced_security_services"] Inside Cato Networks Advanced Security Services | Find Out [/boxlink] Step 3 - Tighten access controls. Cato provides a wide range of access control features including Device Authentication, Device Posture (currently EA), MFA, SSO, operating system blocking and Always-On connectivity policy. Customers should ensure that they are taking advantage of the tight access control capable with Cato by implementing as many of these features as possible and minimising user-based exceptions to the global policy. Step 4 - Implement strong firewalling. As true Next-Generation Firewalls which are both identity-aware and application-aware, Cato’s WAN Firewall and Internet Firewall allow our customers to create fine-grained control over all network traffic across the WAN and to the Internet from all Cato sites and mobile users. The seamless integration of a Secure Web Gateway with the firewalls further increases the degree of control which can be applied to Internet traffic. Both firewalls should be enabled with a final “block all” rule. Customers should also inspect the remaining rules for suitability, and engage Cato Professional Services to assist with a comprehensive firewall review. Step 5 - Start logging everything. One of the main benefits of cloud-based security solutions is that unlike on-premise appliances which are constrained by hardware, the elasticity built into the cloud allows for seamless real-time scaling up of features such as logging. Cato customers can take advantage of our cloud-native elasticity to enable flow-level logging for all traffic across their environment, and then use the built-in SIEM and analytics dashboards to derive real intelligence and perform forensics on real-time and historic data. Step 6 - Enable TLS inspection. Another feature made possible by the cloud is ubiquitous inspection of TLS inspection regardless of source location or destination. Cato SASE automatically detects TLS traffic on non-standard ports and can be controlled by fine-grained policies to avoid disrupting traffic to known good destinations and to comply with local regulations regarding sensitive traffic decryption. Step 7 - Enable Enhanced Threat Protection (IPS, Anti Malware, NG Anti Malware). Even organisations who are not directly in the line of state-sponsored fire are exposed to the usual risk of compromise by ransomware gangs and other actors of economic motivation. Cato’s Enhanced Threat Protection services – IPS, Anti Malware and Next-Gen Anti Malware – are specifically designed to complement the base level firewalls and Secure Web Gateway by inspecting the traffic which is allowed through for suspicious and malicious content. Customers who don’t currently have these features should ask their account management team to enable an immediate trial. Customers with these features should ensure that TLS inspection is enabled and engage Cato Professional Services to ensure that the feature are properly configured and tuned for maximum efficacy. Step 8 – 24x7 Detection and Response. During a recent interview [5] regarding a high-profile hack which occurred on his watch, a CISO stated that “no time is a good time, but these things never come during the middle of the day, during the work week.” Customers without a 24x7 incident response capability should carefully consider their options for being able to detect and respond to threats outside of normal working hours. Cato’s Managed Detection and Response (MDR) service can help customers who are unable to stand up their own 24x7 MDR capability. The NCSC article referred to above includes many other suggestions which are automatically covered by Cato, such as device patching, log retention and configuration backup. The main concern for organisations who already have Cato is to make the best use of what they’ve already got. They no longer need to worry gaps in their security posture, because Cato has those covered out of the box. If you’re not a Cato customer and you’d like to find out more about our solution, or you’re an existing customer who wants to find out more about the additional products and services we provide, let's talk. References: [1] https://twitter.com/NCSC/status/1493256978277228550 [2] https://www.ncsc.gov.uk/news/organisations-urged-to-bolster-defences  [3] https://www.ncsc.gov.uk/guidance/actions-to-take-when-the-cyber-threat-is-heightened [4] https://www.catonetworks.com/sase/sase-according-to-gartner/ [5] https://risky.biz/HF15/  

Pros and Cons of MPLS: Is It Right for Your Network?

MPLS is a reliable routing technique that ensures efficiency and high performance. However, global changes like remote work, mobile connectivity and cloud-based infrastructure require businesses...

Eyal Webber Zvik

February 22, 2022

4m read

Pros and Cons of MPLS: Is It Right for Your Network? MPLS is a reliable routing technique that ensures efficiency and high performance. However, global changes like remote work, mobile connectivity and cloud-based infrastructure require businesses to reconsider their MPLS network strategy. This blog post explains what MPLS is, how it works, MPLS advantages and disadvantages and what to consider next. What is MPLS? MPLS (Multiprotocol Label Switching) is a network routing technique that is based on predetermined paths, instead of routers determining the next hop in real-time. This enables quicker and more efficient routing, as the router only needs to view a packet label, instead of looking up the address destination in complex routing tables. In addition, using MPLS requires setting up a dedicated connection. It is de facto a private network. How does MPLS Work? In MPLS, when a data packet enters the network, it is assigned a data label by the first router in the path. The label predetermines the path the packet needs to follow. It includes a value, as well as additional fields to determine the quality of service required, the position of the label in the stack and time-to-live. Based on this label, the packet is routed to the next router in its path. The second router that receives the packet then reads this label and uses it to determine the following hop in the network. It also removes the existing label from the packet and adds a new one. This process is repeated until the data packet reaches its destination. The last router in the path removes the label from the data packet. Since the path is predetermined, the routers only need to read the label and do not need to check the packet’s IP address. This enables faster and more efficient routing. MPLS routing terms: Label Edge Router (LER) - the first or last routers that either assign the first data label and determine the path or pop the label off the packet. The first router is also known as Ingress Label Switching Router (Ingress LSR) and the last as Egress LSR.Label Switching Router (LSR) - the routers along the path that read the labels, switch them and determine the next hop for the packets.Label Switching Path (LSP) - the path the packets are routed through in the network Now let’s look at the advantages and disadvantages of MPLS routing. [boxlink link="https://www.catonetworks.com/resources/what-telcos-wont-tell-you-about-mpls?utm_source=blog&utm_medium=top_cta&utm_campaign=wont_tell_you_about_mpls"] What Others Won’t Tell You About MPLS | Find Out [/boxlink] MPLS Advantages & Benefits MPLS provides multiple advantages to network administrators and businesses. These include: Reliability Routing based on labels over a private network ensures that packets will be reliably delivered to their destination. In addition, MPLS enables prioritizing traffic for different types of packets, for example routing real-time, video packets through a lower latency path. This reliability is guaranteed through service level agreements (SLAs), which also ensure the MPLS provider will resolve outages or pay a penalty. High Performance MPLS dedicated infrastructure assures high-quality, low latency and low jitter performance. This ensures efficiency and a good user experience. It is also essential for real-time communication, like voice, video and mission-critical information. MPLS Disadvantages However, there are also disadvantages to MPLS. Expensive MPLS services are expensive, due to their commitment to ensure high bandwidth, high performance and competitive SLAs. Deployments and upgrades of the required private connection can also turn into a resource-intensive process. Rigid MPLS is built for point-to-point connectivity, and not for the cloud. Therefore, the WAN does not have a centralized operations center for reconfiguring locations or deploying new ones and does not enable quick scalability. Does Not Support All Edges MPLS cannot be extended to the cloud since it requires its own dedicated infrastructure. Therefore, it is not a good fit for remote users or for connecting to SaaS applications. Conclusion MPLS is a trustworthy solution for legacy applications in enterprises. However, the transition to the cloud and remote work require businesses to reconsider their network strategy and implement more cost-effective and efficient solutions. Alternatives like SASE (Secure Access Service Edge) combine all the advantages of MPLS, SD-WAN and more. To learn more about SASE and to see how it improves your MPLS connectivity, contact us.  

Total Economic Impact™Study: Cato Delivers 246% ROI and $4.33 Million NPV

Cato Networks was founded with a vision to deliver the next generation of networking and network security through a cloud–native architecture that eliminates the complexity,...

Eyal Webber Zvik

February 15, 2022

5m read

Total Economic Impact™Study: Cato Delivers 246% ROI and $4.33 Million NPV Cato Networks was founded with a vision to deliver the next generation of networking and network security through a cloud–native architecture that eliminates the complexity, costs, and risks associated with legacy IT approaches. We aim to rapidly deploy new capabilities and maintain a security posture, without any effort from the IT teams. The question is - are we living up to our goals? To help us and our potential customers gauge the potential impact and ROI of Cato Networks, we commissioned Forrester Consulting to conduct a Total Economic Impact (TEI) study. To be completely honest, even we were blown away by the success these companies achieved through the Cato SASE Cloud. The study shows how Cato Networks is helping reduce costs, eliminate overhead, retire old systems, enhance security, improve performance and create higher employee morale. Some of the key findings Forrester found, were that by using Cato, a composite organization can enjoy: 246% ROI $4.33 million NPV Payback in less than 6 months $3.8 million saved on reduced operation and maintenance Almost $44,000 saved on reduced time to configure Cato on new sites $2.2 million saved by retiring systems that Cato replaces Reduced time and transit cost Security consistency And more This matters because today organizations are struggling with managing security and network services. They have dedicated teams for VPN, internet and WAN, and more, which need to individually manage updates at each network site. This is time-consuming and costly. In the long run, this prevents the business from transforming digitally, maintaining a competitive advantage and delivering the best services they can to their customers. Let’s dive into some more of these key findings. [boxlink link="https://www.catonetworks.com/resources/the-total-economic-impact-of-cato-networks?utm_source=blog&utm_medium=top_cta&utm_campaign=tei"] The Total Economic Impact™ of Cato Networks | Read The Full Report [/boxlink] Reduced Operation and Maintenance Costs The study revealed that Cato Networks enables saving $3.8 million in reduced operation and maintenance costs over three years. This objective is extremely important for multiple organization stakeholders, as network and security engineers spend a lot of time managing systems instead of optimizing them. “Honestly, I was shocked to see how easy it was to set up and maintain an SD-WAN solution based on the whole Cato dashboard. Now there’s a saying that with [the previous solution], you need 10 engineers to set it up and 20 engineers to keep it running. With Cato, this all went away. It’s in the dashboard. Within the hour, you understand the idea behind it and then you can just do it.” - IT manager, motor vehicle parts manufacturer Reduced Configuration Time With companies scaling and requiring flexibility to connect employees and customers from anywhere, setup and configuration time has become an important consideration when choosing a network and security solution. According to the study, Cato Network saves nearly $44,000 and a huge number of manual hours over three years. “The other thing that we were driving towards was, because we do mergers, because we do a lot of office moves, [because] we go into different geographies, I wanted an ‘office in a box,’ fire- and-forget sort of management plane separation approach where my team could do a lot with just shipping a box out [and] having a reasonably intelligent individual follow a diagram, plug it in, have it light up in a management portal, and we're in business.” - Director of technology, advisory, tax and assurance Savings From Retired Systems Expensive hardware is a huge pain for IT and security teams. It requires maintenance, upgrades, fixes and integrations with other platforms. By migrating to SASE and retiring old systems, organizations can save $2.2 million dollars with Cato, over three years. “We don’t need to go invest in those other solutions because the Cato transport with the intelligence and the security layer does everything we need it to do.” - Director of technology, advisory, tax and assurance Additional Benefits According to the report, Cato Networks also provides additional, unquantifiable benefits, like: Reduced time and transit costs -Saving time and money transporting the equipment to remote sites. Increased security posture - By ensuring the consistency of security rule sets across the organization. Better application performance - Enabling practitioners to get their work done faster. Higher employee morale - According to a director of technology, advisory, tax and assurance: “I know that if I tried to roll it back in my firm, [the employees] would revolt because of the speed it gets. My engineers love it because you ship it, we’ll configure it, it shows up, and we’re off to the races.” Flexibility - The ability to add new mobile users without the need to add infrastructure and to deploy sites quickly. Read the Complete Report You’re welcome to read the complete report to dive deeper into how businesses can digitally transform with Cato Networks. It has all the financial information, more quotes and use cases, and a breakdown of costs and savings to help you gain a more in-depth understanding of Cato Network’s business impact. Read the complete TEI report. To speak with an expert about how you can achieve such ROI in your company, contact us.

Why Cato Uses MITRE ATT&CK (And Why You Should Too)

As Indicators of Compromise (IoC) and reactive security continue to be the focus of many blue teams, the world is catching on to the fact...

Dolev Moshe Attiya

Maayan Pelleg

February 13, 2022

6m read

Why Cato Uses MITRE ATT&CK (And Why You Should Too) As Indicators of Compromise (IoC) and reactive security continue to be the focus of many blue teams, the world is catching on to the fact that adversaries are getting smarter by the minute and IoCs are getting harder to find and less effective to monitor, giving adversaries the upper hand and letting them be one step ahead. With the traditional IoC-based approach, the assumption is that whenever adversaries use some specific exploit it will generate some specific data. It could be an HTTP request, a domain name, a known malicious IP, and the like. By looking at information from sources such as application logs, network traffic, and HTTP requests enterprises can detect these IoCs and stop adversaries from compromising their networks. In 2020 there were about 18,000 new CVEs reported and in 2021 there were about 20,000, as this trend continues the number of IoCs that are discovered becomes unmanageable and many of them can be modified in small ways to avoid detection. What’s more, as we will show in this blogpost, IoCs are not even the full security picture, representing a small portion of the attacks confronting enterprises. All of which suggests that security professionals need to expand their methods of detecting and stopping attacks. [boxlink link="https://www.catonetworks.com/resources/ransomware-is-on-the-rise-catos-security-as-a-service-can-help?utm_source=blog&utm_medium=top_cta&utm_campaign=ransomware_ebook"] Ransomware is on the Rise – Cato’s Security as a Service can help [eBook] [/boxlink] TTPs: The New Approach to Detecting Attacks The security community has noticed this trend and has started shifting from IoC-based detection to understanding adversaries’ Tactics, Techniques, and Procedures (TTPs). Having identified TTPs, security vendors can then develop the necessary defenses to mitigate risk. Many tools have been developed to help understand and map these TTPs, one such tool is MITRE’s ATT&CK Framework. ATT&CK is a collaborative effort involving many security vendors and researchers. The project aims to map adversary TTPs to help create a common language for both red and blue teams. ATT&CK contains a few different matrices, each with its own sector. In the enterprise matrix, which is focus of our work, there are 14 “tactics.” A “tactic” is a general goal that the adversary is trying to accomplish, under each tactic there are several “techniques.” A “technique” is the means the adversary uses to accomplish his tactic, it is a more technical categorization of what the adversary may do to implement his tactic. Each technique can appear under multiple tactics and can be further divided into sub-techniques. Some tactics can be seen across the network with Reconnaissance, Initial Access, Execution, and Exfiltration associated with the network’s perimeter. To better understand the value of ATT&CK, look at “The Pyramid of Pain,” which shows the relationship between the types of indicators you might use to detect an adversary's activities and how hard it will be for them to change them once caught. TTPs being the hardest to change thus causing more pain to the adversary if detected. [caption id="attachment_22591" align="alignnone" width="2080"] This diagram shows us in a simple manner why aiming to identify TTPs can be more beneficial and improve defenses against adversaries rather than those focusing on IoCs.[/caption] As enterprises shift from reactive and IoC-based security, which heavily relies on processing IoCs from threat intelligence feeds, to TTP-based security, which requires a proactive approach based on research, enterprise security becomes more challenging. At the same time, TTP-based security brings numerous benefits. These include better visibility into one’s security posture, better understanding of security risks, and an improved understanding of how to expand security capabilities to better defend against real adversaries. Cato Implements MITRE ATT&CK Cato has implemented the MITRE ATT&CK methodology of identifying and protecting against TTPs on top of the traditional IoCs. We incorporated this ability into our product by implementing a tagging system that tags each security event with the relevant ATT&CK tactics, techniques, and sub-techniques. This allows customers to visualize and understand what threats they face and what attack flows they are vulnerable to, further enabling them to understand where to improve their insight, and what TTPs their adversaries are using. [caption id="attachment_22593" align="alignnone" width="1358"] A view of an event that is mapped to ATT&CK in the Cato Cloud[/caption] So, what did implementing a TTP-based approach reveal to us? As we dove into the details of our signatures, we saw that we could divide them into two main approaches: IoC-based - Covering a specific vulnerability using well-defined IoCs. TTP-based - Covering a behavior of an adversary. We started by looking at our products’ coverage over the entire ATT&CK matrix and trying to understand where we are most vigilant and where we are less so. Our scope was the most common threats we cover (in our customers’ networks), and new threats we covered from the last year. After going through this process and creating a visualization of our threat protection with the ATT&CK Navigator, we found that Cato Cloud provides protection across all stages of the attack flow with particular strengths in the Initial Access and Execution stages. [caption id="attachment_22595" align="alignnone" width="2708"] Cato’s protection capabilities mapped onto the ATT&CK matrix. The darker the color, the more vulnerabilities Cato protects against in that technique. (For simplicity, sub-techniques are not shown.)[/caption] We should not be satisfied with this data alone, while signature numbers and mappings are an insightful metric, the real insights should be derived from events in the field. So, we then examined Cato’s defenses based on the actual events of exploitation attempts in each ATT&CK technique. Our sampling looked at a two-week period spanning some 1,000 networks. [caption id="attachment_22597" align="alignnone" width="2928"] Cato’s security events mapped onto the ATT&CK Matrix. Again, the darker the color the more events found to be using that technique in the last two weeks. Sub-techniques are not shown to keep it simple.[/caption] From this mapping, we can see two things. Most events are from scanning techniques, this is expected as a single scan can hit many clients with many protocols and generate many events. We see events from many different techniques and tactics, which means that covering more than just the perimeter of the network does increase security as adversaries can appear in any stage of the attack flow and should never be assumed to exist only in the perimeter. Putting aside scans, we found that TTP-based signatures identified far more security events than the IoC-based signatures did. Below is a table mapping the percentage of events identified by TTP-based (ATT&CK) and IoC-based approaches over our sampling period. Looking at the table, three techniques represent 87% of all events in the last two weeks. Counting the signatures, we saw that on average 78% of all signatures were IoC-based and only 22% were TTP-based. [caption id="attachment_22635" align="alignnone" width="632"] Top 3 techniques based on number of events, excluding scans.[/caption] But when we looked at the number of total events, we noticed that on average 94% are TTP-based and only 6% are IoC-based, this affirms our TTP-based approach’s effectiveness in focusing on those areas of actual importance to organizations. TTP: Lets You Focus on Quality Not Chase Quantity Focusing on TTP-based signatures provides a wide angle of protection against unknown threats, and the potential to block 0-days out of the box. On top of 0-days, these signatures cover past threats just as well, giving us a much greater ratio of threats covered per signature. The IoC-based approach is less valuable, identifying fewer threats confronting today’s enterprises. TTP-based signatures prove to save production time by having a better protection for less effort and giving us more confidence in our coverage of the ATT&CK Matrix. What’s more, when covering IoC-based signatures, the focus is on the number of signatures, which does not necessarily result in better security and might even lead to a false sense of one. The bottom line is that one good TTP-based signature can replace 100 IoC-based ones, allowing enterprises to focus on quality of protection without having to chase quantity of threats.

If Only Kodak and Nokia Resellers Had Known

A short story that doesn’t have to be yours Prologue You’re the captain of a massive container ship filled with servers, hard drives, and mounting...

Niv Barzilay

February 7, 2022

5m read

If Only Kodak and Nokia Resellers Had Known A short story that doesn’t have to be yours Prologue You’re the captain of a massive container ship filled with servers, hard drives, and mounting racks, making its way through stormy waters. The heavy cargo makes it hard for the ship to float and for you to navigate it safely to its destination. Suddenly, you notice a huge boulder ahead. You try to steer away, but the heavy cargo makes it difficult, and it seems like impact is inevitable. As you sound the alarm, you jump into action without wasting a second and start packing your single lifeboat with all the appliances you can get your hands on. Your team looks at you scared and puzzled, but you’re positive you can save everything; yourself, your team, and all the appliances ignoring the fact that they were the ones that led to the collision in the first place. Dramatic? Yes. Ridiculous? Not really You’re likely facing this dilemma while reading this blog post. Will you act differently? A good 50-90% of your revenue comes from reselling appliance-based point solutions. You’re operating on slim margins, and it’s becoming more and more challenging to differentiate yourself and explain the value you bring to your customers. You find it hard to hire top engineers and sales professionals because they’re busy selling cloud solutions and future-proofing their careers. You see the storm waves rising. You feel the steering wheel getting heavier by the minute. [boxlink link="https://www.catonetworks.com/resources/what-telcos-wont-tell-you-about-mpls?utm_source=blog&utm_medium=top_cta&utm_campaign=what_others_wont_tell_you"] What Others Won’t Tell You About MPLS | Get The eBook [/boxlink] Let’s pause here and look at the facts On November 16th, 2021, Riverbed Technology announced filing for Chapter 11 Bankruptcy. Check Point Software Technologies was recently pushed out of the Nasdaq 100 Index. These events happen while the network security business is skyrocketing, and the competitors are reaching an all-time high in market valuation and revenue growth. What do these companies have in common? First, they never really embraced the convergence of networking and network security. Secondly, their solutions are not cloud-delivered as a service but are still heavily dependent on edge appliances, physical or virtual. While most other pure SD-WAN and network acceleration companies were acquired (VeloCloud by VMware, CloudGenix by PAN, Viptela by Cisco) as a part of a SASE play, Riverbed stood by itself as an appliance-based point solution company. While most leading security vendors made aggressive moves towards SASE convergence or integration onto the cloud (PAN, Fortinet, VMware, Cisco), Check Point stayed away from networking and was late to launch cloud-delivered solutions. These are all obvious indications, warning signs, if you will, of a fundamental shift in IT architectures. Ignoring these signs is equivalent to loading your lifeboat with appliances while riding 100 feet waves. You, as a reseller or a service provider, can’t save yesterday’s technology. Evolving is no longer the privilege of the brave and innovative but necessary for any business looking to remain relevant. You can choose how your business story unfolds. Consider the following one. A day in the life of a cloud-native SASE reseller Resellers and service providers of cloud-native SASE solutions help their customers transform their networks into agile, flexible, and maintenance-free environments. They bring to the table a highly differentiated offering that enterprise customers going through digital transformation deeply appreciate. These partners generate recurring revenues that future-proof their financials. They enjoy the rewards of buying a managed service just like you recommend to your customers. Their SASE Cloud provider takes care of the network, hires the right personnel, maintains, patches, and updates everything according to the industry’s best practices. The provider releases new features and capabilities that are available to their customers at the flip of a switch and is accountable for all the network and security components of its service. These SASE partners have ‘one throat to choke’ and benefit from unmatched SLA. On their SASE deals, SASE partners make high margins and add their professional and managed services on top for even more attractive blended margins. Their employees master modern technologies, taking pride in driving this revolution rather than trying to convince everyone, themselves included, that nothing is changing. And their customers? They will never go back to appliance-based solutions. Thanks to their trusted partners, they now enjoy a scalable and resilient cloud-native network and a full security stack delivered as a cloud service. They are becoming SASE experts and thought leaders, and some of them even started their own blogs. But most importantly, they weathered the storm. Their ships are safe, and so is everyone on them. The Way Forward: How to Win in a Changing Business Environment Cloud-delivered solutions are winning. Cloud datacenters replace the world’s on-premises data centers. Cloud application replaced most of our on-prem applications. The 2019 COVID outbreak accelerated cloud and SASE adoption, as enterprises moved to work-from-anywhere. The SASE revolution is here, as defined by the world’s leading analysts, changing networking and network security for good. 2022-2025 is the transition period to mainstream adoption of SASE among enterprise customers 1 Our music is in the cloud. No more CDs. MP3 players are no longer needed. We have smartphones. Cloud and convergence are revolutionizing the way we use technology. Why would network and network security be any different? They are not. These shifts in the market don’t happen overnight. Business managers that recognize them, must adapt to ensure the relevancy and profitability of their companies. Not all appliances will disappear. Some customers, in some cases, will still choose them. But, they represent the past. In the same way that CDs, Kodak films, and Nokia (not so smart) phones are still available, edge appliances will stick around. But do you want your business to be recognized by these legacy solutions? Do you want their success or failure to determine yours? Be brave enough to write your own story.       1 Gartner, “Hype Cycle for Enterprise Networking ” Andrew Lerner. October 11, 2021 GARTNER is registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.    

How Schema-First approach creates better API, reduces boilerplate and eliminates human error

In the server team at Cato Networks, we are responsible for building the web console for network and security configuration. Cato Networks is currently experiencing...

Nikita Bahliuk

February 3, 2022

4m read

How Schema-First approach creates better API, reduces boilerplate and eliminates human error In the server team at Cato Networks, we are responsible for building the web console for network and security configuration. Cato Networks is currently experiencing rapid growth in which bigger customers require control over the Cato API and the old solutions, that were built quickly can no longer stand the scale. Obviously, in tandem the development teams are also growing rapidly. All this led us to decide to move from a large and complex json over http API, which was only used by our UI, to a public graphQL API that is exposed to customer use, while still serving our web application. We needed to choose the development approach for the API. Use code as a single source of truth and have schema as an artifact generated from the code (aka. Code-First approach), or create a schema and implement code to match its definitions (aka. Schema-First approach). We decided to go Schema-First, and in this post I’d like to explain why. FOCUS When API development starts from writing the code, it is hard to stay focused on its structure, consistency, and usability. On the other hand, when development starts from describing the API in the schema, while abstracting from the actual implementation, it creates clear focus. You also have the entire schema in front of your eyes, and not scattered through the codebase,  which helps to keep it consistent and well organized. [boxlink link="https://www.catonetworks.com/resources/management-application-walkthrough/?utm_source=blog&utm_medium=top_cta&utm_campaign=management_demo"] Cato Management Application | 30 min Walkthrough [/boxlink] INTERFACE We treat our schema as an interface between front and back, which is visible and clear to both sides. After agreeing on a schema, code on both ends can be written in parallel, without worrying about misaligned bridge situations:   DECOUPLING When working with a Code-First approach there is a backend-frontend dependency. Code is required to be written at the backend first, so the schema can be generated from it, slowing down the frontend development, and leading to slower schema evolution. In contrast, there is no dependency on the backend team when working Schema-First. No need to wait for any code to be written (and schema to be generated from it). Schema modifications are fast and the development cycle is shortened. CODE-GEN After designing the schema, it is easy to start implementing it, building from a generated code both on frontend and backend. We hooked code-gen in our build process, and were getting server stubs that are perfectly aligned with schema in terms of arguments, return types, and routing rules.  The only thing that is left to be done is writing actual business logic. There is no need to worry that your server-side code diverges from schema, because upon any change to schema, code is re-generated and you can spot the problem early, at compile time. Things are even better at the client side. There are tools that allow you to generate a fully functional client library from the schema. We use Apollo's official codegen tool for this purpose. Getting data from the server became a no-brainer, just calling a method on a generated client library that we spend zero effort creating. BEING DECLARATIVE GraphQL allows you to create custom directives and handlers for them. We utilized this to cut the security and validation concerns from the query resolvers code and centralized them, declaratively, inside the schema. For example, we have @requireAuth directive that can be set on a type, field or argument to define that this is a restricted part of the API. Here are some self-explanatory examples of our custom-built validation directives: @stringValue(regex:String, maxLength:Int, minLength:Int, oneOf: [String!]) @numberValue(max:Int, min:Int, oneOf: [Int!]) @email @date(format:String,future:Boolean) This not only reduces the code on the server side, but also gives some hints to the frontend, in terms of validations that need to be implemented to eliminate unnecessary roundtrips of not valid inputs. SUMMARY Almost all of the points described here apply not only for graphQL API, but to any schema-based API, like OpenAPI (aka. Swagger)  for json over HTTP or  gRPC. In any case Schema-First or Code-First is a decision that must be made on a per project basis, taking into consideration its specifics and needs. I do hope I've managed to encourage you to at least give a Schema-First approach a chance.    

Cato Resiliency: An Insider’s Look at Overcoming the Interxion Datacenter Outage

The strength of any network is its resiliency—its ability to withstand disruptions that might otherwise cause a failure somewhere in the connectivity. The Cato Cloud...

Aviram Katzenstein

February 2, 2022

5m read

Cato Resiliency: An Insider’s Look at Overcoming the Interxion Datacenter Outage The strength of any network is its resiliency—its ability to withstand disruptions that might otherwise cause a failure somewhere in the connectivity. The Cato Cloud service proved its resiliency during the massive hours-long service outage of the LON1 Interxion data center at its central London campus on January 10. Interxion suffered a catastrophic loss of power beginning just before 18:00 UTC on a Monday evening. The failure cut out multiple power feeds going into the building, and equipment designed to switch to backup generator power also failed. The result was complete loss of power leading to service outages for numerous customers dependent on this particular data center. Hundreds of companies were impacted with the London Metal Exchange, for example becoming unavailable for nearly five hours. Cato customers were also impacted by this outage – for a few seconds. For the benefit of proximity to the financial and technology hubs near Shoreditch, Cato has a PoP in this Interxion datacenter. That means that Cato’s customers, too, were affected by the sudden unavailability of our PoP. However, most customers suffered few repercussions as their traffic was automatically moved over to another nearby Cato PoP for continued operation. The transfer took place within seconds of the LON1 power failure, and I’d venture a guess that few Cato customers even noticed the switch-over. To a network operator, this is a true test of both resiliency and scale. [boxlink link="https://www.catonetworks.com/resources/tls-decryption-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=tls_demo"] Cato Demo | TLS Inspection in Minutes [/boxlink] Cato’s Response to the Outage Was Both Immediate and Automatic On January 10 at 17:58 UTC, we started to receive Severity-1 alerts about our London PoP. The alerts indicated that all our machines in London were down. We were unable to access our hardware with any of our carriers. Calling Interxion proved impossible. Only later did we learn that the power outage that took down the datacenter also disrupted their communications. The same was true for opening a support ticket; it too elicited no response. Checking Twitter showed different complaints about the same thing. Despite having no word directly from Interxion, we understood there was a catastrophic power failure. We incident to our customer about 10 minutes after it started on our status page -- official reports would only be received several hours later. As for the impact on SASE availability, every Cato customer sending traffic through this London PoP using a Cato Socket (Cato’s Edge SD-WAN device) had already been switched over within seconds of the power outage to a different PoP location. They were humming away as if nothing had happened. Most customers had their traffic routed to Manchester instead of London. Our PoPs have been designed with surplus capacity precisely for these reasons. You can see from the chart below that our Manchester PoP saw a sudden increase in tunnels coming in, and we were able to accommodate the higher traffic load without a problem. This demonstrates both the resiliency and the scale of Cato’s backbone network. [caption id="attachment_22306" align="alignnone" width="2746"] This graph shows how the number of tunnels at Cato’s Manchester PoP suddenly quadrupled at 18:00 UTC on January 10, 2022, as users automatically switched over from our London PoP due to the Interxion outage. [/caption] There were a few exceptions to the quick transition from the London PoP to another. Some Cato customers, for whatever reason, choose to use a firewall to route traffic rather than a Cato Socket. In this case, they create a tunnel using IPsec to a specific PoP location. Cato recommends – and certainly best practices dictate – that the customer create two IPsec links, each one going to a different location. In this case, one link operates as a failover alternative to the other. We had a handful of customers using firewall configurations with two tunnels going only to the London site. When London went down, so did their network connections—both of them. We could see on our dashboard exactly which customers were affected in this way and reached out to them to configure another tunnel to a location such as Manchester or Amsterdam. Here’s a comment from one such customer: “When dealing with the worst possible situation and outage, you have provided excellent support and communications, and I am grateful.” Lessons We Took Away from This Incident At Cato, we view every incident as an opportunity to strengthen our service for the next inevitable event. We think about rare case scenarios that can happen and run retrospective meetings from which we identify the next actions that need to be taken to ensure the resiliency of our solution. When we built a service with an SLA of five 9’s this is the commitment we made to our customers. When we carry their traffic, we know that every second counts. This requires ongoing investments and thinking about how things could go wrong and what we have to do to ensure that our service will be up. Part of that is what drives our continued investment in opening new PoPs across the globe and often within the existing countries. The density of coverage, not just the number of countries, is important when considering the resiliency of a SASE service. Who would ever have thought that a major datacenter in the heart of London would lose access to every power source it has? Well, Cato considered such a scenario and prepared for it, and I’m pleased to say that this unexpected test showed our service has the resiliency and scale to continue as our customers expect it to.

SASE Expert advanced Certification

Cato SSE 360

Cato Solution Brief

How to Migrate from MPLS to SD-WAN

Highlander Computing Solutions

C3 Technology Advisors

Cato Managed Threat Detection and Response (MDR)

Cato Networks Quick Overview

The Network for the Digital Business Starts with the Secure Access Service Edge

Filter by topic