The Imperative of Data Loss Prevention in the AI-Driven Enterprise
As organizations increasingly integrate artificial intelligence (AI) into their operations, the nature of data security is undergoing significant transformation. With AI's ability to process vast amounts of data quickly, the risk of data breaches and leaks has grown exponentially. In this context, Data Loss Prevention (DLP) has (re)emerged as a critical component for IT professionals seeking to safeguard sensitive information. DLP is no longer a "nice-to-have" feature; it's an essential part of any comprehensive security strategy, especially in an AI-driven world.
DLP is Essential in the Age of AI
AI systems thrive on data—structured and unstructured, internal and external—making them invaluable assets but also prime targets for data breaches. Traditional security measures often fall short in this landscape, as they are not designed to handle the dynamic, large-scale data flows that AI systems generate and rely upon. This is where DLP comes into play. DLP solutions help identify, monitor, and protect sensitive data from unauthorized access or leaks, whether at rest, in motion, or in use.
But why is DLP so critical now? The answer lies in the very nature of AI systems. AI requires continuous access to high-quality data to function optimally. This data often includes proprietary information, personal data, and other sensitive materials that, if exposed, could lead to severe financial and reputational damage. For IT professionals, the challenge is not just to protect this data but to do so in a way that doesn't hamper the operational efficiency of AI systems.
The primary value of DLP in the AI era is its ability to provide comprehensive data protection without compromising the performance of AI-driven processes. Modern DLP solutions are designed to integrate seamlessly with AI systems, offering real-time monitoring and protection. For example, a DLP solution can automatically classify data based on sensitivity tags and apply relevant security measures as needed, all while allowing AI systems to access the data they require to function.
This level of integration is crucial for organizations that rely heavily on AI for decision-making, customer service, or product development. With a robust DLP solution, IT professionals can ensure that their AI systems are both secure and effective, maintaining the integrity of sensitive data without slowing down business processes.
How DLP Works with AI
From a technical standpoint, implementing DLP in an AI-driven environment involves several key components:
1. Data Classification and Discovery: DLP solutions use AI and machine learning to automatically discover and classify sensitive data across an organization’s network. This capability ensures that even newly generated data, such as that produced by AI systems, is promptly identified and protected.
2. Policy Enforcement: DLP allows IT teams to enforce data security policies consistently across the organization. This includes specifying what types of data can be accessed by AI systems, under what conditions, and by whom. These policies can be fine-tuned to balance security needs with operational requirements.
3. Monitoring and Alerts: DLP systems provide continuous monitoring of data usage, with alerts for any suspicious activity. This proactive approach is essential in AI environments where data flows are complex and can easily be exploited if not properly monitored.
4. Integration with Existing Security Frameworks: DLP solutions are most effective when integrated, or better, converged, with other security tools such as firewalls, intrusion detection systems, and CASB. This ensures a unified approach to data security, where DLP serves as a critical layer in a broader, multi-faceted defence strategy.
A Non-Negotiable Defence Strategy
In the era of AI, DLP is not just a tool but a critical defence strategy that IT professionals must adopt to safeguard their organizations. The integration of DLP with AI systems offers a powerful combination that protects sensitive data while enabling the full potential of AI. As AI continues to evolve and become more deeply embedded in business processes, the importance of DLP will only grow, making it a non-negotiable element of any modern security strategy.
For IT leaders, the time to act is now. By implementing a robust DLP strategy, you can protect your organization’s most valuable asset—its data—while still leveraging the transformative power of AI.
If your enterprise has deployed a single-vendor SASE platform, or is about to, enabling DLP is just a few clicks away. Given the complexities of the digital age, adopting a true SASE platform is a strategic move that can provide a competitive edge, enabling enterprises to innovate faster, secure their networks, and ultimately deliver better experiences to their customers.
The Retail Industry's Need for a True SASE Platform
In today's rapidly evolving retail landscape, where digital transformation is no longer a choice but a necessity, the importance of a robust and agile network and security infrastructure cannot be overstated. Retailers face a multitude of challenges, from managing vast networks across geographically dispersed locations to safeguarding sensitive customer data in an increasingly complex threat environment. The traditional approach to network and security management, with its disparate solutions and siloed operations, is proving inadequate. Enter SASE (Secure Access Service Edge), a revolutionary architecture that converges networking and security into a single, cloud-native platform. For retailers looking to stay ahead of the curve, adopting a true SASE platform is not just advantageous—it's essential.
The Value of True SASE for Retail IT Professionals
For IT professionals in the retail sector, the value of a true SASE platform lies in its ability to simplify network management, enhance security, and ensure seamless connectivity across all retail locations, from flagship stores to pop-up shops. Unlike traditional models, a true SASE solution provides a unified platform that integrates security and networking into a single-pass architecture. This integration is critical for retailers, who must manage both the flow of sensitive customer data and the operational needs of their distributed networks.
One of the primary benefits of SASE is the elimination of the complex, costly, and rigid hardware-based solutions that have traditionally been used in retail networks. Instead of relying on multiple appliances and fragmented services, SASE offers a cloud-native approach, enabling IT teams to manage their entire network through a single pane of glass. This not only reduces operational overhead but also significantly improves agility, allowing retailers to scale their networks up or down in response to seasonal demands or changing market conditions.
From a security standpoint, true SASE platforms provide end-to-end security, threat detection, and prevention across all network traffic, regardless of the store’s location. For retailers, this means a consistent security posture across all stores, warehouses, and online operations, safeguarding both customer information and corporate data from sophisticated cyber threats. Additionally, with built-in threat intelligence and real-time monitoring, SASE helps IT teams identify and respond to threats faster, reducing the risk of data breaches and ensuring compliance with industry regulations.
More specifically, a true SASE platform enables seamless operation of existing retail applications and systems. Whether it's connecting point-of-sale systems, inventory management tools, or customer relationship management software, SASE ensures that all data flows securely and reliably across the network. This is particularly beneficial in the retail sector, where downtime or network latency can directly impact sales and customer satisfaction.
Want an Example? Sure
To illustrate the practical benefits of SASE for retailers, consider a scenario where a retailer needs to rapidly deploy new stores or pop-up locations. With a traditional network setup, this would involve significant time and investment in configuring hardware, establishing VPN connections, and ensuring security measures are in place. However, with a true SASE platform, new locations can be brought online quickly and securely, using a lightweight SD-WAN edge device and a centralized cloud management that automates most of the process.
Another example is the challenge of managing security across a distributed retail network. In a traditional setup, each location might have its own firewalls and security stack, leading to inconsistencies and potential vulnerabilities. A SASE platform, on the other hand, delivers a consistent security framework across all locations, with centralized control and automated updates that ensure the entire network is always protected against the latest threats.
Finally, SASE's ability to provide a seamless and secure connection for remote workers is invaluable in the retail sector, where employees increasingly need to access the network from various locations, whether for managing inventory, customer data, or conducting virtual meetings. SASE ensures that these connections are not only secure but also optimized for performance, enhancing productivity and reducing the risk of cyberattacks.
Retail and SASE Are a Power Couple
The future of retail lies in embracing technologies that not only enhance operational efficiency but also provide robust security in an increasingly digital world. True SASE platforms offer retailers a powerful solution to these challenges, combining the flexibility and scalability of the cloud with integrated security that is critical for protecting sensitive data. As retailers continue to navigate the complexities of the digital age, adopting a true SASE platform is a strategic move that can provide a competitive edge, enabling them to innovate faster, secure their networks, and ultimately, deliver better experiences to their customers.
How to Build a RACI Matrix for Single-Vendor SASE Success
Selecting the right SASE (Secure Access Service Edge) vendor requires a solid project management tool that fosters collaboration between network and IT security teams. This collaboration, or team unity, will ensure alignment with an organization's strategic goals while leveraging the respective expertise of stakeholders. Consequently, the selected SASE solution will meet network design, configuration, and security needs, which is essential for project success.
In this blog post we introduce the use of a RACI matrix for single-vendor SASE selection. It’s a simple but straightforward project management tool you can use during your vendor evaluation and selection process.
You’ll find more details and examples in the eBook “RACI for SASE Success: Optimizing Single-Vendor SASE Selection,” that this blog post is based on.
The Value of Unifying Network and Security Teams
According to a recent Cato Networks SASE Adoption survey, an increasing number of organizations are understanding the value of unifying network and IT security teams. Shared insights and knowledge lead to more robust and secure IT infrastructures, and better business outcomes.
Effective network and IT security team collaboration during SASE vendor selection is valuable as well. It ensures the right SASE solution is chosen, and will be the foundation for SASE implementation and Day-2 operations.
Which Type of SASE to Choose?
There are three main recognized SASE architectures: Single-Vendor, Multi-Vendor, and Managed. Each offers distinct features and benefits, and fit different needs and priorities.
Single-Vendor SASE – One vendor delivers both networking and security in a single, converged, cloud-native service.
Multi-Vendor SASE – Two vendors (usually) provide all SASE functionalities, one vendor for network, and one for security.
Managed SASE – Multiple SD-WAN and security vendors are connected via API with an overlaying monitoring console.
According to Gartner, by 2025, single-vendor SASE will contribute to one third of all new SASE deployments. By 2026, 60% of new SD-WAN purchases will be part of a single-vendor SASE offering, up from 15% in 2023.
The Case for Single-Vendor SASE
SASE enables 360-degree digital transformation. But not all SASE is the same. Single-vendor SASE is a strategic commitment that views network security as part of the organization’s growth and success. The unified architecture also aligns with the unification of network and IT security teams, supporting both functions’ goals, and simplifying the vendor selection process. This simplicity makes it an attractive option for organizations looking to future-proof their network security.
Multi-vendor SASE, on the other hand, is a tactical solution that may meet immediate needs, but with two or more vendors in the mix, could add across-the-board complexity to the vendor selection process.
What is a RACI Matrix?
Collaboration and unity across network and IT security teams, together with other business stakeholders, are key in the decision-making process and success of SASE. This is where the RACI matrix can help. A RACI matrix is usually presented as a chart or table, and defines roles and responsibilities for project execution, encouraging awareness and alignment from the get-go.
Each stakeholder is assigned one of four roles (Responsible, Accountable, Consulted or Informed), and progress is tracked in the matrix. See examples of RACI matrices in the eBook.
The Benefits of RACI for Evaluating SASE
Choosing RACI as your project management framework has multiple advantages:
Planning - You can be sure resources are allocated and stakeholders are engaged
Transparency - Clearly defining roles and responsibilities will prevent confusion and friction
Communication - Everyone is on the same page and knows what and how to communicate with who
Gap identification - RACI ensures all tasks are covered and nothing remains overlooked
Scalability - You can adjust and adapt the matrix as priorities and needs change
Productivity - RACI focuses stakeholders on their responsibilities
What Now?
If you’re ready to move from theory to practice in building a RACI for your SASE vendor selection project, this eBook offers an easy-to-follow guide with ready-built project templates. It’s designed to support unification of network and IT security teams, along with other key stakeholders. Feel free to copy and use the provided examples in your organization, or contact Cato for project assistance.
Riding the Wave: Why Channel Partners Can't Afford to Ignore the SASE Surge
In the ever-evolving landscape of IT services, channel partners like solution integrators, service providers, managed service providers (MSPs), and telecommunications companies have long played a crucial role in delivering enterprise networking and security solutions. However, a subtle yet powerful shift is emerging that threatens to disrupt this status quo. Single-vendor SASE (Secure Access Service Edge) solutions are rapidly gaining traction and quietly reshaping the competitive landscape.
While some channel partners might dismiss this as just another industry trend, history has shown us that undercurrents like these can quickly evolve into formidable forces that demand attention. It seems the question is no longer if channel partners will need to adapt, but when.
The Rise of Single-Vendor SASE: A Challenge to Traditional Channel Models
SASE, a term coined by Gartner in 2019, represents the convergence of networking and security functions into a unified, cloud-native service. By integrating SD-WAN, security, and remote access into a single solution, SASE simplifies the IT stack, reduces costs, and improves security postures for enterprises. Single-vendor SASE providers like Cato Networks are leading this charge, offering a fully integrated platform that is managed from the cloud and delivered as a service.
For channel partners, this presents both a challenge and an opportunity. Traditionally, these partners have operated by stitching together multiple point solutions from different vendors to create comprehensive offerings for their customers. This approach has often been complex, resource-intensive, and prone to integration issues. In contrast, single-vendor SASE solutions offer a more streamlined, efficient, and scalable alternative.
Cato Networks, for instance, provides a complete SASE platform that converges all critical networking and security functions into a single, easy-to-manage service. This model not only reduces operational overhead for enterprises but also offers partners a simpler, more predictable solution to sell. As more enterprises recognize the value of SASE and begin to demand these solutions, partners who continue to rely on traditional, multi-vendor approaches may find themselves at a competitive disadvantage.
The Undercurrent Becomes a Wave
The rapid adoption of single-vendor SASE solutions is not merely an undercurrent; it is fast becoming a wave that will redefine the channel landscape. Cato’s recent achievement of a $200 million ARR milestone is a clear indicator that the market is embracing this model at scale. The appeal of a Single-vendor SASE approach lies in its ability to deliver consistent performance, enhanced security, and simplified management—all critical factors in today’s digital-first world.
However, for channel partners entrenched in traditional models, this shift can seem daunting. The transition from a multi-vendor to a single-vendor strategy requires not just a change in mindset but also a re-evaluation of existing business models, vendor relationships, and customer engagement strategies. Yet, those who are willing to make this shift stand to benefit significantly. Partners who align themselves with leading single-vendor SASE providers can leverage their comprehensive solutions to offer more value to their customers while also streamlining their own operations.
Adapt or Be Left Behind
Ignoring this shift could prove costly. As the market continues to evolve, enterprises will increasingly gravitate towards solutions that offer greater simplicity, security, and efficiency. Channel partners that fail to embrace the Single-vendor SASE model risk losing relevance as their customers seek out more innovative and agile providers.
The good news is that the path forward is clear. By partnering with recognized Single-vendor SASE market leaders, channel partners can not only stay competitive but also position themselves as leaders in the next generation of IT service delivery. The success of Cato Networks serves as a compelling case study in how rapidly this change is occurring and underscores the importance of not underestimating the potential of this market shift.
Conclusion: Seizing the SASE Opportunity
In the world of cyber security and IT services, ignoring an emerging trend can be perilous, especially when that trend begins to gain undeniable momentum. The rise of Single-vendor SASE solutions is not just a fleeting trend; it is a fundamental shift in how networking and security are delivered to enterprises. Those who recognize the significance of this shift and adapt accordingly will be well-positioned to thrive in the new landscape. The time to act is now—before the undercurrent becomes an unstoppable wave.
Cato CTRL Threat Actor Profile: Yashechka
Executive Summary
To further raise awareness on threat actor activity in the dark web and hacking communities, today we are introducing the Cato CTRL Threat Actor Profile. This will be a blog series that profiles various threat actors and documents notable activity that we are observing. Our inaugural Cato CTRL Threat Actor Profile is on Yashechka.
Yashechka is a Russian threat actor, who is a highly active participant across various underground hacking forums focused on data breaches, malware development and the exploitation of software vulnerabilities.
Yashechka’s activities range from sharing malware source code to in-depth discussions and contributions on methods to bypass or exploit Endpoint Detection and Response (EDR) solutions. Yashechka has substantial technical expertise and access to a variety of cybercriminal tools and techniques, as evidenced by his detailed forum discussions.
Below is an overview of Yashechka’s activities:
Malware Development and Sharing: Yashechka specializes in the development and dissemination of ransomware and information stealers, focusing on financial gain and data exfiltration of targeted systems.
Yashechka provides detailed guidance, including source code for building and customizing malicious software, and demonstrates a high level of proficiency in programming and malware creation.
Exploitation of System Vulnerabilities: Yashechka regularly shares techniques for exploiting CVEs (Common Vulnerabilities and Exposures), particularly within Windows environments.
Yashechka has shown a vested interest in bypassing EDR solutions.
Community Engagement and Influence:
Yashechka regularly engages with other cybercriminals through tutorials, advice and collaborative projects, extending his impact to influence entire communities of entrepreneurial threat actors.
Use of Anonymization Techniques:
Yashechka demonstrates his expertise in operational security by using anonymization techniques and encouraging other threat actors to leverage tools and methods to evade detection.
Yashechka represents a high level of threat due to his technical skills, active involvement in the cybercriminal community and focus on disseminating harmful information and tools. His activities are likely to support and enhance cybercriminal operations (both individually and at a community level), which poses a direct threat to organizations.
Technical Overview
Figure 1. XSS forum post of Yashechka interview
Yashechka is active on XSS, a Russian dark web forum. This interview with Yashechka provides insights into his background, personal experiences and perspective on InfoSec. Here’s an analysis of key parts of the interview:
Background and Personal History
Childhood and Accidents: Yashechka shared anecdotes from his childhood growing up in the 90s, including a near-death experience which appears to have shaped his outlook and perhaps his future interest in InfoSec.
Initial Interest in InfoSec: His interest in InfoSec began in January 2003, notably after another life-threatening incident as an adult, which further intensified his focus on the field.
Technical Involvement and Expertise
First Computer and Access to Internet: Yashechka discusses his first experiences with computers and internet access, dating back to 2000. This marks the beginning of his deeper involvement with technology.
Content Creation: Yashechka is known for his educational YouTube videos (especially tutorials and translations), indicating a strong commitment to sharing knowledge and assisting others in the InfoSec community.
Dark Web Forum Participation: Yashechka mentions his active participation in dark web forums such as Antichat, Exploit.in and XSS, where he engages deeply with the community.
Perspective on InfoSec
Ethical Stance: Yashechka reflects on the ethical dimensions of hacking, suggesting a preference for educational and protective measures in cybersecurity rather than engaging in malicious activities.
Professional Experience: Yashechka’s professional background includes various roles which, while not exclusively focused on cybersecurity, involve significant technical expertise.
Health Issues and Personal Struggles
Health and Wellness: Yashechka openly discusses his health challenges, which affect his day-to-day life and professional activities. His condition influences his work style and his contributions to the field.
Threat Analysis and Capabilities
Skill Set: Yashechka is highly knowledgeable in InfoSec. The interview revealed that his key focus is on educating others.
Below are several examples of posts from Yashechka in XSS that would be deemed malicious.
Figure 2. Yashechka post: How to write an encryptor?
Explanation of malicious intent:
Promotion of Malware Development: Yashechka provides links to repositories that contain source code for ransomware. This encourages and facilitates the creation and distribution of malware. Sharing malware source code can help others learn how to build and possibly deploy ransomware, which is highly illegal and potentially catastrophic for organizations.
Encouragement of Illegal Activities: By directing the original poster and others to sources where they can find detailed malware code, Yashechka is promoting illegal activities. Developing, distributing or using ransomware to attack systems and encrypt data for ransom is a criminal act in many jurisdictions.
Potential Damage: The spread of ransomware has significant repercussions. It can lead to financial losses, operational downtime, reputational damage and the loss of sensitive data. Encouraging the creation of such tools contributes to cybercrime.
Ethical Concerns: From an ethical standpoint, providing resources and knowledge on how to engage in cyberattacks lowers the ethical standards within the cybersecurity tech community.
It's evident based on Yashechka's response that he poses a significant threat to organizations and systems. His proficiency in malware types makes him a legitimate threat to organizations that could potentially become targets of an attack.
Figure 3. Yashechka post: Why doesn’t the simple stealer report data?
Explanation of malicious intent:
Distribution of Malware Source Code: Yashechka includes a link to download a "simple stealer" from a known repository of malware source code. Information stealers are a type of malware designed to harvest sensitive data such as passwords, credit card details and other personal information from infected systems.
Technical Support for Malware Deployment: Yashechka is seeking assistance to make the malware operational, specifically wanting to understand why the data harvested by the malware isn’t appearing in the control panel. This suggests an attempt to activate and possibly deploy the information stealer malware.
Promotion of Malicious Activities: By asking for assistance in troubleshooting malware, Yashechka is encouraging others to engage in malicious activities.
Ethical and Legal Implications: Discussing and sharing methods for the effective deployment of malware violates ethical standards, in addition to legal regulations against the creation and distribution of malicious software.
The nature of this post highlights clear intention towards developing and utilizing tools that are inherently designed to perform unauthorized extraction of data, thus posing a significant threat to digital safety and privacy.
Figure 4. Yashechka post: The use of a Windows CVE checker
The post mentions a "Windows CVE checker," which is a tool designed to identify vulnerabilities in Windows systems cataloged under the Common Vulnerabilities and Exposures (CVE) system. CVE is a list of publicly disclosed security flaws. When someone refers to a CVE checker, they're generally referring to software that scans for known vulnerabilities to help admins secure their systems against known exploits.
Explanation of malicious intent:
Legitimate Use: In a benign scenario, a CVE checker like this could be used by system admins or security professionals to detect and patch vulnerabilities in their systems.
Malicious Use: Alternatively, such a tool could be used by attackers or malicious users to identify vulnerabilities in a target's system, which can then be further exploited. The context of the post raises concerns and red flags that it might be intended for, or promoted within, a community interested in exploiting these vulnerabilities rather than mitigating them.
The specific mention of a GitHub repository suggests that the tool (or at least the code) is publicly accessible, which could potentially allow both security professionals and cybercriminals to access and utilize the tool. The reference to "GitHub - BC-SECURITY/Moriarty" suggests that the tool might be part of a larger suite of security tools, or a project dedicated to vulnerability scanning.
Additionally, the post mentions an initiative to translate official documentation for "CS 4.3," which might refer to a software or tool version, indicating that the community is involved in deeper technical engagements possibly around security tools or software development.
Given this information, the threat level of such a post would largely depend on the audience and the purpose of the tool’s application. If the audience includes cybercriminals, the existence of such a tool in the public domain further heightens the risk of exploitation of unprotected systems that are vulnerable to known CVEs.
Figures 5-9. Yashechka posts: Attacks on EDR solutions
Explanation of malicious intent:
EDR Solutions: These are security tools designed to detect, investigate and respond to threats on host computers and networks. They are critical for modern cybersecurity defenses. Research into bypassing or exploiting EDR solutions can be used maliciously to undermine these defenses.
Vulnerability Exploitation: Yashechka’s posts outline practical research into exploiting vulnerabilities in EDR solutions. This includes bypass techniques that cybercriminals could potentially use to evade detection while carrying out malicious activities.
Black Box Analysis: The approach described involves black box analysis—testing the systems without access to the source code or architecture. This is a common practice in both legitimate security research and malicious hacking attempts. This type of analysis can uncover vulnerabilities that might be exploited by attackers to disable or bypass EDR solutions.
Collaboration with Vendor: While the vendor collaboration for a controlled testing environment is a positive aspect, it also indicates that certain vulnerabilities might have been found and potentially exploited during the research. If such vulnerabilities were disclosed improperly or not efficiently mitigated, they could pose serious risks to all users of the affected EDR solution.
Ethical and Legal Risks: Yashechka treads a fine line between ethical security research and activities that might be construed as unauthorized or illegal hacking, depending on the methods used.
In summary, the overall threat lies in the potential misuse of discovered vulnerabilities by attackers before vendors can quickly identify and address them.
Additionally, the detailed publication of exploited techniques without proper context or security measures can be leveraged by threat actors with malicious intent.
Conclusion
If Yashechka continues his active involvement across a wide variety of hacking forums and communities, organizations will have to ramp up their security measures beyond traditional EDRs. While Yashechka has been profiled within this blog, there are many others potentially carrying out attacks that might leverage Yashechka's vast expertise to bypass or exploit EDR solutions and other point products for malicious intent or financial gain.
Cato CTRL Threat Brief: CVE-2024-38077 – Windows Remote Desktop Licensing Service RCE Vulnerability ("MadLicense")
Executive Summary
Recently, security researchers published a proof of concept (PoC) for a critical remote code execution (RCE) vulnerability in Windows Server (CVSS score 9.8), ranging all the way from Windows Server 2000 up to 2025. The vulnerable component is the Remote Desktop Licensing service, often deployed and enabled on Windows Servers using Remote Desktop Services.
The exploit is 0-click and pre-auth, meaning no user interaction or authentication is required. This is an extremely high-risk exploit, especially for internet-connected servers running the affected Licensing Service component, of which the researchers have identified at least 170,000 instances.
The Remote Desktop Licensing (RDL) Service is a crucial component of Windows Server that manages the licensing for Remote Desktop Services (RDS), which allows users to remotely access desktops and applications hosted on a server. The RDL Service ensures that each user or device that connects to a remote desktop session has a valid Remote Desktop Client Access License (RDS CAL).
Cato-deployed intrusion prevention system (IPS) signatures in the Cato SASE Cloud Platform block this attack, protecting all Cato-connected edges – sites, remote users, and cloud resources.
Technical Overview
This attack injects a malicious DLL into a victim's machine by leaking several critical memory addresses and manipulating Remote Procedure Call (RPC) functions. The key addresses the attacker needs are:
Heap Address Base: The base of the heap that holds the service's dynamic memory allocations, which the attack shapes and manipulates.
NT DLL Base: The base address of ntdll.dll, a core system library containing essential runtime functions and the user-mode entry points to kernel routines.
PEB Base (Process Environment Block): The structure that describes the process's memory layout and loaded modules.
PE Base (Portable Executable image): The base address of the process's executable image in memory, used for locating and interacting with the executable's code.
Rpcrt4 Base: The base address of rpcrt4.dll, the runtime library that implements RPC communication.
Kernel Base: The base address of the Windows kernel, used for performing low-level system operations and accessing system functions.
Figure 1: Example of an attacker leaking each structure's address base, with every new address building upon the previous one using the same spraying techniques
Exploiting Memory: Manipulating Base Values Through Intensive Memory Spraying
In this phase, the attacker binds to the Remote Desktop Licensing RPC interface (RDS-RDL, UUID: 83d267954-eeb7-11d1-b94e-00c04fa300d) on the victim's machine and floods the service's memory with allocations. The goal is to manipulate these critical address bases:
Heap Fragmentation: The attacker starts by spraying the low-fragmentation heap (LFH) with 1,000 to 2,000 TLSRpcRegisterLicenseKeyPack requests (opnum 38). The LFH is a normal allocator optimization; here it is abused to shape the heap layout.
Creating RPC Connections: Around 3,000 TlsRpcConnection requests (opnum 1) are made to establish RPC connections in memory. Some of these are then released with multiple TLSRpcDisconnect requests (opnum 2), deliberately creating memory gaps for the exploit to use.
Triggering the Exploit: A single TLSRpcGetServerName request (opnum 4) may be made after the TLSRpcTelephoneRegisterLKP request (opnum 49) that triggers a buffer overflow. The overflow lets the attacker craft a fake object with specific parameters that fits the manipulated memory layout.
Memory Manipulation Loop: The attacker repeatedly sends TLSRpcTelephoneRegisterLKP (opnum 49) requests to manipulate the service's memory. During this loop, TLSRpcRequestTermServCert and TLSRpcRetrieveTermServCert requests (opnum 34 and 35) are used to manipulate certificate handling in memory.
Heap Leak Analysis: After each request, the attacker checks the certificate data returned by TLSRpcRetrieveTermServCert. If the expected data ("n\x00c\x00a\x00c\x00n\x00") is missing, the attacker uses the leaked heap contents to calculate the memory base addresses needed for the next stage.
DLL Injection via Remote SMB Share: Attack Chain Execution
In the final phase of the attack, the attacker injects a malicious Dynamic Link Library (DLL) file hosted on a remote Server Message Block (SMB) shared folder:
Constructing and Positioning Memory: The attack begins with assembling a fake object using TLSRpcRegisterLicenseKeyPack (opnum 38) to position critical memory locations, such as the heap base and DLL path.
Memory Spraying and Handle Management: Memory is sprayed with LFH chunks, and handles are strategically created and freed to manipulate the memory layout further.
DLL Path Specification: The attacker sends a TLSRpcTelephoneRegisterLKP request (opnum 49), providing the address of the fake object that specifies the path to the malicious DLL located on the SMB share.
Triggering the DLL Injection: The attack chain continues with repeated handle interactions through the TLSRpcKeyPackEnumNext request (opnum 13), which ultimately triggers the DLL injection into the target process.
Verification: The final step involves checking if the malicious DLL has been successfully injected and executed within the target process, confirming the success of the attack.
Figure 2: After gaining all the vital information, an attacker is ready to get and trigger the DLL file
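The request volumes described above (hundreds to thousands of calls to a handful of licensing-interface opnums from a single source within seconds) are themselves a detection signal, whatever the payload looks like. The block below is an added example and is not part of the Cato brief or of the researchers' PoC. It scans constructed RPC call records in an assumed layout (`<epoch> <source-ip> <interface-uuid> <opnum>`, as an RPC audit or network sensor might emit) and alerts when one source's opnum mix inside a sliding window matches the spray, connection-churn or RegisterLKP-loop pattern. The thresholds are assumptions set below the volumes in the brief; the interface UUID is used exactly as printed above, which does not match the usual 8-4-4-4-12 layout, so verify it against Microsoft's MS-TLSRPC specification before deploying.

```python
"""Detection heuristic for the RPC spray pattern described in the brief.
Constructed example: the log format, thresholds and sample records are
assumptions, not a Cato or Microsoft artifact."""
from collections import defaultdict, deque

# Opnum names as given in the brief (MS-TLSRPC interface of the RDL service)
OPNUM_NAMES = {
    1: "TlsRpcConnection",
    2: "TLSRpcDisconnect",
    4: "TLSRpcGetServerName",
    13: "TLSRpcKeyPackEnumNext",
    34: "TLSRpcRequestTermServCert",
    35: "TLSRpcRetrieveTermServCert",
    38: "TLSRpcRegisterLicenseKeyPack",
    49: "TLSRpcTelephoneRegisterLKP",
}

# Interface UUID exactly as printed in the brief; verify it against the
# MS-TLSRPC specification before use (assumption, see lead-in).
TLSRPC_UUID = "83d267954-eeb7-11d1-b94e-00c04fa300d"

# Assumed per-source thresholds over a sliding window. They sit well below
# the volumes in the brief (1,000-2,000 opnum 38 calls, ~3,000 opnum 1 calls)
# and well above what a legitimate licensing client generates.
RULES = [
    ("lfh_spray", lambda c: c[38] >= 500),
    ("connection_churn", lambda c: c[1] >= 1000 and c[2] >= 100),
    ("register_lkp_loop", lambda c: c[49] >= 50 and (c[34] + c[35]) >= 50),
]


def parse_line(line, interface_uuid):
    """Parse '<epoch> <src_ip> <interface_uuid> <opnum>'. Returns None for
    malformed lines or calls to any other RPC interface."""
    parts = line.split()
    if len(parts) != 4 or parts[2].lower() != interface_uuid.lower():
        return None
    try:
        return float(parts[0]), parts[1], int(parts[3])
    except ValueError:
        return None


def detect(lines, interface_uuid, window_seconds=60.0):
    """Return [(src_ip, rule_name)] for every source whose call mix inside
    some window_seconds-long window matches a rule. Lines are assumed to be
    in time order; each (source, rule) pair fires at most once."""
    events = defaultdict(deque)                      # src -> (ts, opnum)
    counts = defaultdict(lambda: defaultdict(int))   # src -> opnum -> n
    fired, alerts = set(), []
    for line in lines:
        rec = parse_line(line, interface_uuid)
        if rec is None:
            continue
        ts, src, opnum = rec
        q, c = events[src], counts[src]
        q.append((ts, opnum))
        c[opnum] += 1
        while q and ts - q[0][0] > window_seconds:  # evict stale events
            _, old_op = q.popleft()
            c[old_op] -= 1
        for name, pred in RULES:
            if (src, name) not in fired and pred(c):
                fired.add((src, name))
                alerts.append((src, name))
    return alerts


def sample_log():
    """Constructed records: one benign licensing client, then one source
    that reproduces the spray volumes from the brief within ~11 seconds."""
    lines, t = [], 1723291200.0                      # arbitrary epoch
    for op in (1, 4, 2):                             # benign: connect, query, disconnect
        lines.append(f"{t:.3f} 198.51.100.20 {TLSRPC_UUID} {op}")
        t += 0.5
    src = "203.0.113.7"
    for _ in range(1500):                            # LFH spray (opnum 38)
        lines.append(f"{t:.3f} {src} {TLSRPC_UUID} 38")
        t += 0.002
    for i in range(3000):                            # connections with partial release
        lines.append(f"{t:.3f} {src} {TLSRPC_UUID} 1")
        t += 0.002
        if i % 4 == 0:
            lines.append(f"{t:.3f} {src} {TLSRPC_UUID} 2")
            t += 0.002
    for _ in range(60):                              # RegisterLKP loop with cert calls
        for op in (49, 34, 35):
            lines.append(f"{t:.3f} {src} {TLSRPC_UUID} {op}")
            t += 0.002
    return lines


if __name__ == "__main__":
    for src, rule in detect(sample_log(), TLSRPC_UUID):
        print(f"ALERT {src}: {rule}")
```

The benign client never trips a rule, while the spraying source fires all three in the order the brief's phases occur. Tune the thresholds against your own baseline of licensing traffic, and treat a hit on any rule from an internet-facing address as a reason to check that the server is patched and that the licensing service is not exposed more widely than needed.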
Conclusion
From our data, Cato CTRL has not observed any exploitation attempts against Cato customers. But given the very broad range of impacted Windows Server versions and the relative ease of turning the PoC code into a working exploit, we expect such attempts to increase over time. As always, we recommend that all Windows Servers be patched with the latest security updates to stay protected.
Protections
Cato-deployed IPS signatures in the Cato SASE Cloud Platform block the attack, protecting all Cato-connected edges – sites, remote users, and cloud resources.
Highlights from Q2 2024 Cato CTRL SASE Threat Report
Introduction
At RSA Conference 2024, Cato Networks introduced Cato CTRL (Cyber Threats Research Lab), which is our cyber threat intelligence (CTI) team. Cato CTRL protects organizations by collecting, analyzing and reporting on external and internal threats, utilizing the data lake underlying the Cato SASE Cloud Platform.
For 2024, Cato CTRL is publishing quarterly threat reports that provide an overview of the threat landscape. Today, we published the Q2 2024 Cato CTRL SASE Threat Report, which summarizes findings from Cato CTRL’s analysis of 1.38 trillion network flows across more than 2,500 customers globally between April and June 2024.
Key Findings
IntelBroker is a highly active threat actor selling data and source code
In its investigation of hacking communities and the dark web, Cato CTRL came across a threat actor named IntelBroker, who is a prominent figure and moderator in the BreachForums hacking community.
IntelBroker’s illicit activities encompass a wide range of cybercriminal tactics. In recent months, IntelBroker has offered to sell data and source code from AMD, Apple, Facebook, KrypC, Microsoft, Space-Eyes, T-Mobile and U.S. Army Aviation and Missile Command.
Amazon is the top spoofed brand—thanks to cybersquatting
Cybersquatting involves using a domain name with the intent to profit off another brand's registered trademark. Threat actors leverage cybersquatting to harvest user credentials through various techniques, including malware distribution or phishing attacks.
In Q2 2024, Cato CTRL observed that Amazon was the top spoofed brand by a significant margin (66% of domains), with Google ranked second at 7%. Given the popularity of Amazon, users should be wary of threat actors creating counterfeit websites that ask them to submit sensitive information. Users could be putting themselves or their organizations at risk.
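Cybersquatting of the kind described here is detectable from the domain name alone, before any page is fetched. The block below is an added example, not Cato code or data: it classifies a domain as a homoglyph, typo, combo or subdomain squat on a brand, using a brand list built from the two brands named in this report, a small assumed homoglyph table and a naive second-level-label rule (a real deployment would use the Public Suffix List). The domains it is run on are constructed for illustration.

```python
"""Lookalike-domain detector for the cybersquatting discussed above.
Constructed example: the brand list, allowlist, homoglyph table and test
domains are assumptions chosen to illustrate the technique, not Cato data."""
import unicodedata

BRANDS = ("amazon", "google")                     # brands named in the report
KNOWN_GOOD = {"amazon.com", "google.com", "amazonaws.com"}   # allowlist
# Character substitutions commonly seen in lookalike domains (assumed table)
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def decode_label(label: str) -> str:
    """Turn a punycode (xn--) label back into its Unicode form."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def normalize(label: str) -> str:
    """Strip accents and undo the usual digit/letter-pair substitutions so
    'amaz0n', 'arnazon' and 'amazón' all collapse to 'amazon'."""
    s = unicodedata.normalize("NFKD", decode_label(label.lower()))
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    for bad, good in HOMOGLYPHS.items():
        s = s.replace(bad, good)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 from a brand is the classic typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str):
    """Return (brand, reason) when the domain looks like a squat on a brand,
    else None. Reasons: homoglyph, typo, combosquat, subdomain."""
    domain = domain.lower().rstrip(".")
    if domain in KNOWN_GOOD:
        return None
    labels = domain.split(".")
    # Naive registrable-label pick: second-level label. A production tool
    # should consult the Public Suffix List so that e.g. .co.uk works.
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    norm = normalize(registrable)
    for brand in BRANDS:
        if registrable == brand:
            return None                        # the genuine registration
        if norm == brand:
            return (brand, "homoglyph")        # amaz0n, arnazon, amazón
        if levenshtein(norm, brand) <= 1:
            return (brand, "typo")             # amazn, goggle
        if brand in norm:
            return (brand, "combosquat")       # amazon-login
    # Brand used as a subdomain of an unrelated domain (amazon.evil.com)
    for label in labels[:-2]:
        if normalize(label) in BRANDS:
            return (normalize(label), "subdomain")
    return None


if __name__ == "__main__":
    for d in ("amazon.com", "amaz0n.com", "arnazon.com", "amazón.com",
              "amazn.com", "amazon-login.com", "amazon.evil.com", "goggle.com"):
        print(f"{d:20} -> {classify(d)}")
```

Run it over newly registered domains or over the DNS and TLS SNI names seen in your own traffic; a hit is a candidate for blocking or for a closer look, not proof of abuse, since legitimate third parties do register brand-containing names.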
Log4j remains a popular vulnerability that threat actors attempt to exploit
Three years after its discovery in 2021, Log4j remains one of the most used vulnerabilities leveraged by threat actors. From Q1 2024 to Q2 2024, Cato CTRL observed a 61% increase in the attempted use of Log4j in inbound traffic and a 79% increase in the attempted use of Log4j in WANbound traffic.
The Oracle WebLogic vulnerability, which originated in 2020, is another popular exploit leveraged by threat actors. From Q1 2024 to Q2 2024, Cato CTRL observed a 114% increase in the attempted use of the Oracle WebLogic vulnerability in WANbound traffic.
Inbound traffic is traffic that doesn't originate from within the network, while WANbound traffic resides within a WAN environment. For threat actors, these are different potential entry points to infiltrate organizations and conduct attacks.
Security Best Practices
Based on our key findings, Cato CTRL recommends that organizations take the following actions:
Implement Continuous Threat Intelligence Monitoring
Set up a system to monitor dark web forums and marketplaces for any mention of your company's data or credentials being sold.
Educate Yourself on the Perils of Cybersquatting
Incorporate cybersquatting tools and techniques for detecting phishing and other attacks that use this method for nefarious purposes.
Prioritize Patching of Highly Exploited Vulnerabilities
Implement a proactive patching schedule for critical vulnerabilities, especially those actively exploited (e.g., Log4j).
Use vulnerability prioritization tools to focus on the most critical and actively exploited vulnerabilities first.
Resources
Download the Q1 2024 Cato CTRL SASE Threat Report.
Download the Q2 2024 Cato CTRL SASE Threat Report.
Read the press release.
Visit the Cato CTRL page to learn more about Cato’s threat intelligence team.
A CISO's Guide: Avoiding the Common Pitfalls of Zero Trust Deployments
The Role of the CISO Post-Pandemic
The world has evolved and the ongoing momentum of Cloud and Work-From-Anywhere (WFA) has become unstoppable. CISOs have realized their traditional security architectures, specifically VPNs, are no longer adequate to ensure only authorized users have access to critical resources.
This has made the role of CISO ever more important because we now have applications everywhere and people everywhere, leading to increased cyber threats everywhere. CISOs have an unenviable mandate: master the IT Security game to effectively map out the company’s security priorities and strategy. They must flawlessly execute on this to ensure the strongest possible security posture to protect access to critical data.
Zero Trust Is Just a Starting Point
Zero Trust has been around for more than a decade and is now top-of-mind for all CISOs. Zero Trust mandates that access to all critical corporate data be authenticated, authorized and validated before access is granted or maintained. In short, Zero Trust is a framework for building holistic security for the modern digital business. Considering the attack surface continues to expand, Zero Trust is uniquely equipped to address the modern digital business architecture: WFA workers, supply chains, hybrid cloud, and evolving threats.
It must be noted that Zero Trust is not a single product solution, and CISOs would be well advised to consult the three main standards (Forrester ZTX, Gartner CARTA, NIST SP-800-207) as guidance for developing their Zero Trust strategy. Of the three, NIST SP-800-207, as pictured below, is the most widely adopted framework.
Figure 1.
The NIST model is built around two key functions:
Data plane – this is the collector of data from numerous sources. These sources can be application data, user device information, user identity information, etc.
Control plane – this is the brains of the model as this is responsible for making decisions upon what is considered good, bad, or requiring further clarification.
Together, they collaborate to determine whether to grant or deny access to critical business resources. For this to be viable, effective, and scalable, context must inform decisions to be made around access and security. As each business varies in its data flows and security concerns, this context consists of numerous data feeds, as depicted in figure 1. This includes compliance data, log data, threat intelligence feeds and user and application data captured across the network. The more context you have, the better decisions your Zero Trust deployment will make.
The 5 Most Common Pitfalls in Zero Trust Projects
Zero Trust is often misunderstood, potentially resulting in misaligned strategies that don’t meet the organization’s needs. Gartner defines Zero Trust as a ‘mindset that defines key security objectives’ while removing implicit trust in IT architectures. This implies that today’s CISOs would be well-advised to pursue their Zero Trust strategy thoughtfully, to ensure they avoid common pitfalls that impede most security initiatives.
Pitfall 1: Failing to Apply the Key Tenets of Zero Trust
Zero Trust came to life as a resolution for overly permissive access rights that created broad security risks throughout networks. The concept of implicit deny is perceived as the catch-all terminology for a better security architecture, assuming it to be the fix-all for all things security. Considering this, it may be easy for CISOs to inadvertently disregard the core purpose of Zero Trust and overlook some key architectural tenets that shape Zero Trust architectures.
While each Zero Trust framework highlights several architectural attributes, for the purpose of this section we will highlight a few that we feel should not be overlooked.
Dynamic policy determines access to resources – dynamic policies focus on the behavioral characteristics of both the user and the device when determining whether access will be granted or denied. A subset of these characteristics can include location, device posture, data analytics and usage patterns. For example, is the user in a restricted location, or are user and device credentials being used correctly? Any of these should determine whether access should be granted and at what level.
Continuous monitoring and evaluation – no user or device should blindly be trusted for access to network or application resources. Zero Trust dictates that the state of both the resource and the entity requesting access to be continually monitored and evaluated. Those deemed to be risky should be treated accordingly, whether it is limited access or no access.
Segmentation & Least Privileges – Zero Trust should eliminate blind trust and by extension, blanket access to targeted resources from all employees, contractors, supply chain partners, etc. and from all locations. And when access is granted, only the minimal amount of access required to ensure productivity should be granted. This ensures the damage is limited should there be a breach of some kind.
Context Automation – For Zero Trust to deliver the desired impact, organizations need to collect a lot of data and contextualize it. This context is the key, as without it well-informed decisions about user or device access cannot be made. The more context, the better the decisions being made.
Cato SASE Cloud Approach: The Cato SASE Cloud takes a risk-based approach to Zero Trust, combining Client Connectivity & Device Posture capabilities with more holistic threat prevention techniques. Because we have full visibility of all data flows across the network, we utilize this, as well as threat intelligence feeds and user and device behavioral attributes, to pre-assess all users and devices prior to granting access onto the network. This in-depth level of context allows us to determine their client connectivity criteria and device suitability for network access, as well as continually monitor and assess both the user and device throughout their life on the network. Additionally, we use AI & Machine Learning algorithms to continually scan the network for indications of malware or other advanced threats and will proactively block these threats to minimize the potential damage inflicted upon the network.
Pitfall 2: Treating Zero Trust Like a Traditional VPN
When deploying Zero Trust, many organizations tend to rely on legacy security processes that are no longer applicable or select the shiny new toy that equates to a less viable solution. In 2021, Gartner noted that some organizations reported initially configuring their Zero Trust deployments to grant full access to all applications, which ironically, mirrored their VPN configuration. One of the intrinsic shortcomings of traditional VPNs, beyond the connectivity issue, is the challenge of least privilege user access to critical applications once a user has been authenticated to the network. Traditional VPNs cannot provide partial or specific access to selected applications or resources. So, deploying Zero Trust like their old VPN leaves us to wonder what problems they are truly solving, if any.
CISOs must remember that existing security architectures are based on the concept of implicit trust, which leads to unknown, yet ever-increasing risk to modern enterprise environments. The goal of Zero Trust is to ensure that users and their devices prove they can be trusted with access to critical resources. Hence, the goal for any CISO in creating a Zero Trust strategy is to reduce the risk posed by users and devices, and in the event of a successful breach, limit the spread and impact of the attack.
Cato SASE Cloud Approach: Cato Networks realizes that existing VPN architectures are inadequate to provide the depth of access protection required for critical enterprise resources. The Cato approach to Zero Trust applies consistent policy enforcement everywhere to ensure least privilege access to all enterprise & cloud resources, while also taking a holistic approach to preventing cyber threats. We consume terabytes of data across our entire SASE Cloud backbone, and this informs how we apply additional protections once users and devices are on the network.
Pitfall 3: Not understanding the true impact on the user, IT and Security
Unfortunately for many CISOs, IT and Security departments do not always operate with aligned priorities and desired outcomes. IT departments may have critical projects they deem to have a higher priority than Security. Security teams, being tasked with strengthening the organization's security posture, may view Zero Trust as the only priority. In such cases of misaligned priorities, Zero Trust efforts may result in incomplete or misconfigured deployments, expanding security gaps and increasing blind spots. And let's not forget the end user. When IT organizations finally make significant changes to networks, security, or other systems, if priorities aren't aligned, the end results will produce adverse user outcomes.
When it comes to Zero Trust, CISOs must ensure they are mapping out the journey. In doing so, IT and Security teams should establish a “Hippocratic Oath” of “first, do no harm”. This could make it easier to map the journey to Zero Trust where the solution is simple to deploy, easy to manage, easily scales at the speed of the business, and provides positive outcomes for all parties impacted. Critical to this is the user – Zero Trust must not impede their ability to get things done.
Cato SASE Cloud Approach: At Cato Networks, our entire approach to Zero Trust is to ensure the most holistic user experience with zero impact on productivity. Often when deploying or upgrading to new security technologies, security teams will inadvertently have policy mismatches that result in inconsistent policy enforcement in certain segments of the network. Zero Trust, if not implemented correctly, increases the risk level for negative user experiences, which will reflect poorly upon the CISO and their teams. With the Cato SASE Cloud, Zero Trust & Client Access policies are applied once and enforced everywhere. This ensures specific and consistent policy treatment for all users and devices based upon identity and user and devices access criteria.
"The hallmark of Zero Trust is Simplicity"
John Kindervag
Pitfall 4: Inadequately Scoping Common Use Cases
CISOs are so inundated with everyday security concerns that identifying all possible use cases for their Zero Trust initiative, while seemingly straightforward, could easily be overlooked. It is easy to drill down into the core requirements of Zero Trust, approaching from a broad enterprise perspective, yet neglect smaller details that might derail the project. While there are numerous use cases and each depends on the individual organization, this document calls out three use cases that, if not properly planned for, will impact all non-HQ based or non-company users.
Multi-branch facilities – Today's enterprises commonly comprise a single headquarters with multiple global locations. Increasingly, these global locations exist in a shared-space arrangement whereby the physical network and connectivity are independent of the company. In such cases, these employees still require access to enterprise applications or other resources at the HQ or company data center. In other cases, a user may be a road warrior using unmanaged personal devices, or may be located in a restricted location. Given this, great care and consideration must be given in determining if, when and how to grant access to necessary resources while denying access or restricting actions to more sensitive resources.
Multi-cloud environments – More enterprises are utilizing multi-cloud providers to host their applications and data. There are occasions whereby the application and data source exist in different clouds. Ideally, these cloud environments should connect directly to each other to ensure the best performance.
Contractors and 3rd party partners – Contractors and 3rd party supply chain partners requiring access to your network and enterprise resources is very common these days. Often these entities will use unmanaged devices and/or connect from untrusted locations. Access can be granted on a limited basis, allowing these users and devices only to non-critical services.
CISOs must factor in these and other company specific use cases to ensure their Zero Trust project does not inadvertently alienate important non-company individuals.
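The tenets listed under Pitfall 1 (dynamic policy, continuous evaluation, segmentation with least privilege, context) and the three use cases above (shared-space branches, road warriors on unmanaged devices, contractors) come together in the control plane's policy decision point. The block below is an added illustration, not NIST SP 800-207 reference code or Cato's implementation: it models the signals the data plane would collect as a context record, derives an access level from them starting at implicit deny, and re-evaluates a live session whenever a signal changes. The signal names, thresholds, resources and principals are all assumptions.

```python
"""Policy decision point (PDP) sketch for the Zero Trust tenets above.
Constructed illustration: the signal names, thresholds and resource labels
are assumptions, not a NIST SP 800-207 or Cato artifact."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AccessContext:
    """Signals the data plane collects about the requesting entity."""
    user: str
    groups: frozenset            # entitlements from the identity provider
    device_managed: bool         # enrolled in the organisation's MDM/EDR
    device_compliant: bool       # posture check passed (patched, encrypted)
    location_restricted: bool    # request originates from a restricted geo
    risk_score: float            # 0.0-1.0 from analytics and threat intel


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str             # "low" or "high"
    allowed_groups: frozenset    # segmentation: who may reach it at all


DENY, LIMITED, ALLOW = "deny", "limited", "allow"


def decide(ctx: AccessContext, res: Resource) -> str:
    """Dynamic policy: every request starts from implicit deny and earns
    only the minimum access level its context justifies (least privilege)."""
    if not (ctx.groups & res.allowed_groups):
        return DENY                          # not entitled to this segment
    if ctx.location_restricted or ctx.risk_score >= 0.8:
        return DENY                          # hard stops regardless of posture
    if res.sensitivity == "high":
        if not (ctx.device_managed and ctx.device_compliant):
            return DENY                      # unmanaged or drifted device
        return LIMITED if ctx.risk_score >= 0.5 else ALLOW
    # Low-sensitivity resources: unmanaged or non-compliant devices get a
    # reduced level (e.g. read-only, no download) rather than nothing.
    if not (ctx.device_managed and ctx.device_compliant):
        return LIMITED
    return ALLOW


class Session:
    """Continuous evaluation: the decision is recomputed whenever the data
    plane reports a change in context, not only at login."""

    def __init__(self, ctx: AccessContext, res: Resource):
        self.ctx, self.res = ctx, res
        self.history = [decide(ctx, res)]

    @property
    def decision(self) -> str:
        return self.history[-1]

    def update(self, **changed_signals) -> str:
        self.ctx = replace(self.ctx, **changed_signals)
        self.history.append(decide(self.ctx, self.res))
        return self.decision


# Constructed resources and principals matching the use cases in the text
CRM = Resource("crm", "high", frozenset({"employees"}))
WIKI = Resource("wiki", "low", frozenset({"employees", "contractors"}))
EMPLOYEE = AccessContext("alice", frozenset({"employees"}), True, True, False, 0.1)
CONTRACTOR = AccessContext("bob", frozenset({"contractors"}), False, False, False, 0.2)
ROAD_WARRIOR = AccessContext("carol", frozenset({"employees"}), False, True, False, 0.3)


def demo() -> dict:
    """Walk through the scenarios; returns the decisions for inspection."""
    results = {
        "employee_crm": decide(EMPLOYEE, CRM),
        "contractor_wiki": decide(CONTRACTOR, WIKI),
        "contractor_crm": decide(CONTRACTOR, CRM),
        "roadwarrior_crm": decide(ROAD_WARRIOR, CRM),
    }
    s = Session(EMPLOYEE, CRM)               # established, fully allowed session
    s.update(device_compliant=False)         # posture drifts mid-session
    results["employee_crm_after_drift"] = s.decision
    s.update(device_compliant=True, risk_score=0.6)   # posture restored, risk up
    results["employee_crm_elevated_risk"] = s.decision
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:28} {outcome}")
```

The point of the `Session` class is the second tenet: an allow decision at login is not a standing grant, and the policy engine must be able to downgrade to limited or deny when a posture or risk signal changes. The `groups & allowed_groups` check is the segmentation tenet in its simplest form; in practice the entitlement model is richer, but a request with no entitlement should still never reach the posture checks.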
Cato SASE Cloud Approach: At Cato Networks, we acknowledge that use cases are customer, industry, and sometimes, location dependent. And when Zero Trust is introduced, the risk of inadvertently neglecting one or more critical use cases is magnified. For this reason, we built our architecture to accommodate, not only the most common use cases, but also obscure and evolving use cases as well. The combination of our converged architecture, global private backbone, single policy management, and virtual cloud sockets ensure we provide customers with the most accommodating, yet most robust and complete Zero Trust platform possible.
Pitfall 5: Not having realistic ROI expectations
ROI for many IT-related initiatives is difficult to measure, and many CISOs struggle with how to demonstrate it to ensure company-wide acceptance. Three questions around ROI that are traditionally difficult to answer are:
What should we expect?
When should we expect it?
How would we know?
Like many things technology-related, CISOs are hesitant to link security investments to financial metrics. However, delaying a Zero Trust deployment can yield increased costs, or negative ROI over time that can be measured in increased data breaches, persistent security blind spots, inappropriate access to critical resources, and misuse of user and resource privileges, just to name a few.
CISOs can address these ROI concerns through several strategies that extend beyond simple acquisition costs and into the broader operational costs. With the right strategy and solution approach, a CISO can uncover the broader strategic benefits of Zero Trust on financial performance to realize it as an ROI-enabler.
Cato SASE Cloud Approach: It is easy to appreciate the challenge of achieving ROI from Security projects. As mentioned, CISOs like CIOs are hesitant to link security investments to financial metrics. However, with an appropriate Zero Trust strategy, organizations will assure themselves enormous savings in IT effort and vendor support. Organizations deploying a Zero Trust solution based off a converged, cloud-native, global backboned SASE Cloud like Cato can expect more efficient cost structures while achieving greater performance. By converging critical security functions, including Zero Trust, into a single software stack within the Cato SASE Cloud, organizations can immediately retire expensive, non-scalable, maintenance-intensive VPN equipment. This approach delivers ease of deployment and simplistic management, while drastically reducing maintenance overhead and IT support costs.
Achieving Your Organization’s Zero Trust Goals with Cato SASE Cloud
Justifying a security transformation from implicit trust to Zero Trust is becoming easier and easier. However, determining the right approach to achieving an organization’s Zero Trust goals can be daunting. It is challenging when factoring in the broad paradigm shift in how we view user and device access, as well as numerous use case considerations with unique characteristics. Zero Trust Network Access is an identity-driven default-deny approach to security that greatly improves your security posture. Even if a malicious user compromises a network asset, ZTNA can limit the potential damage. Furthermore, the Cato SASE Cloud’s security services can establish an immediate baseline of normal network behavior, which enables a more proactive approach to network security in general and threat detection in particular. With a solid baseline, malicious behavior is easier to detect, contain, and prevent.
"The Zero Trust is a security model based on the principle of maintaining strict access controls and not trusting anyone by default; a holistic approach to network security, that incorporates a number of different principles and technologies.”
Ludmila Morozova-Buss
The Cato SASE Cloud was designed for the modern digital enterprise. Our cloud-native architecture converges security features such as Zero Trust Network Access (ZTNA), SWG, NGFW, IPS, CASB, and DLP, as well as networking services such as SD-WAN and WAN Optimization across a global private backbone with a 99.999% uptime SLA. As a result, Cato is the only vendor currently capable of delivering seamless ZTNA on a true SASE platform for optimized performance, security, and scalability.
Zero Trust is a small part of SASE. The Cato SASE Cloud controls access to critical business data in accordance with Zero Trust principles. Click here to understand more about Cato Networks’ approach to Zero Trust.
Cato Networks Surpasses $200M ARR and 2,500 Customers: Here's Why
When Cato Networks was launched and we onboarded our first customers, we were exhilarated to share the disruptive innovation that has turned into an incredible opportunity. Enterprises had become too complex, with many point solutions requiring assessment, integration, deployment, and maintenance. Cato was the remedy to that complexity.
Nine years later, we’ve seen the Cato approach of converging security and networking into a single, cloud-native platform become the industry standard—now called SASE. It’s an approach that transforms how IT manages and delivers security to support the business. And today, I’m excited to share that we surpassed $200 million in annual recurring revenue (ARR)—doubling our total ARR in under two years—and we now have more than 2,500 enterprise customers embracing the Cato SASE Cloud Platform.
“The shift to SASE has empowered us, no question,” said Rodney Masney, chief information officer at O-I Glass. “Our factories run more efficiently, our users complain less, and all of that makes my life as the CIO – and the lives of my team – easier. My team’s work-life balance is incredibly important to me, and with Cato, we’ve been able to strike that balance here at O-I.”
O-I Glass is a $7 billion leading glass bottle manufacturer, designing innovative glass packaging for the world’s leading brands. O-I is using the Cato SASE Cloud Platform to digitally transform how glass bottles are designed and manufactured. With Cato, O-I was able to connect and secure 23,000 employees in approximately 150 factories and office locations across 20 countries worldwide.
And O-I is not alone in transforming their business with Cato. Sixt, the world-renowned car rental company, connects and protects its locations and rental branches worldwide, as well as mobile users, with the Cato SASE Cloud Platform.
Finally, we have Vitesco Technologies, the $10 billion German automotive supplier and manufacturer. It has been a Cato customer since 2020 and has 35,500 employees worldwide. The company recently expanded the Cato SASE Cloud Platform by nearly 25% to over 90 connected locations and services and 24,000 remote users.
As we enter the third generation of IT security, Cato is being embraced faster than the appliances and proxies that defined the previous generation. Our growth attests to the demand for a true, autonomous cloud-native platform—one that maintains an optimal security posture and a superb application experience worldwide, freeing IT teams to better support the business.
It's a message that legacy vendors like to imitate, even going so far as to adopt terms like “platformization” to give them the appearance of delivering a single platform when they’re only offering a portfolio of point solutions. But as our co-founder and CEO Shlomo Kramer noted in today’s announcement, “Converting a portfolio company into a platform company is about as easy as unscrambling an omelet. Security is a data problem. A platform makes high-quality, contextualized data available in real-time for protection and stores that data in a single data lake for detection. You cannot get that kind of high-quality data from a portfolio company, no matter how pretty the management interface.”
With the Cato SASE Cloud Platform, though, you can. You can get the right data when you need it, wherever you need it, to make the right decisions about security and your network. That’s the power of a true IT security platform, and that’s the power of Cato.
Unlocking Simplicity in Network Security: The Cato Networks Story
A vision born from complexity
Most security companies grow reactively, a continuous, complex cycle of funding and building point solutions to address emerging point problems. Cato Networks chose to revisit and address two decades of accumulated complexities in networking and security infrastructures, looking to finally solve and break the point problem, point solution cycle. Cato envisioned a better way. It began not just with a forward-looking question, but with a reflective look into the past: What if network security could be as straightforward as clicking a button?
“What can we do to actually solve that problem that no point solution can solve, that only adds to the complexity?” shared Yishay Yovel, Chief Strategy Officer at Cato, during a candid discussion with Vikram (Vik) Sood, Managing Director Tech Investment Banking at Jefferies, during Tech Trek 2023. Inspired by the transformative simplicity that AWS brought to cloud computing, Cato set out to do the same in network security - to allow enterprises of all sizes, with all levels of expertise, to access the same security capabilities once reserved for industry giants.
Crafting the unique: a platform approach
It’s clear that Cato is not just a participant, but a pioneer in a sector burdened by complexity. Recognized by leading industry analysts like Gartner and Forrester, Cato’s single-vendor SASE platform architecture, Cato SASE Cloud, is the answer for enterprises overwhelmed with managing multiple security products.
“We are the first vendor to build a platform from the ground up so we consistently deliver what customers need today, and what they will need in the future, in the exact same way,” Yovel states. This strategic choice not only simplifies and optimizes network and security infrastructure out of the box but aligns with the demand for vendor consolidation.
Organizations no longer tolerate lengthy deployments, planning, rising costs, and unproductive finger-pointing. They need agility, and they need it now.
The ‘Rip and Replace’
Cato’s strategy is bold. It involves removing outdated, cumbersome, and costly traditional architectures, replacing them with an infrastructure that is scalable, resilient, global, secure, and optimized. This transformation is not just about updating technology; it’s about revolutionizing how enterprises operate and grow. The Cato SASE Cloud platform is a turnkey service that delivers security and optimization to anyone, anywhere, at any time – from the largest data center down to a single user. “You take stuff out that costs you, is painful to own and operate on your own, and then you move to something that is an outcome-driven platform,” Yovel states.
Innovative sales strategy
Cato’s sales strategy is designed to integrate into the financial frameworks of enterprises, which means easier adoption without imposing extra costs. Highlighting the hard and soft benefits, Yovel talks about this unique approach: “Cato projects are funded by existing budgets. If you can come to a customer and demonstrate both the hard savings that will come from consolidating multiple budgets - for firewalls, for remote access, for networking infrastructure - you save money on that side.”
This sales motion not only removes direct acquisition costs, it significantly lowers Total Cost of Ownership (TCO). By streamlining how network security is delivered, and by eliminating the need for disparate security solutions, Cato helps businesses achieve long-term savings.
Cato’s SASE platform also enhances operational agility. Its soft benefits change and simplify the management of network security, enabling IT teams to respond more swiftly to business demands and focus on growth initiatives. Enterprises can finally optimize both their IT infrastructure and their fiscal resources with ease.
Facing the future with confidence
Cato’s growth strategy is articulated across two dimensions. The first focuses on their move up-market from an established mid-market base. Yovel explains: “Because our technology is so transformative and disruptive, and requires ‘rip and replace’ of infrastructure, we started in the mid-market.” Recent customer acquisitions, such as Carlsberg, demonstrate Cato’s ability to scale and cater to the complex demands of renowned global brands, showcasing the robustness and suitability of its SASE platform for the largest enterprises.
The second dimension involves Cato extending its technological reach beyond the core into adjacent markets, actively expanding its capabilities in XDR, endpoint, and IOT. This not only broadens Cato’s market presence, but also enhances its value proposition across a more diverse customer base.
A story still unfolding
Cato is on a clear path to IPO with its ambitions shaped by the leadership of its founder, Shlomo Kramer. Anecdotally, Yovel offers “When Cato goes public, Shlomo Kramer will be the only founder to take three companies in cybersecurity from seed to multi-billion-dollar IPOs, in history.”
Cato’s journey is heavily influenced by its roots in Israel, a nation renowned for cybersecurity innovation. With its unparalleled SASE platform, next-gen technology, strategic market expansion, strong leadership, and the trust of investors, the transition to a public company edges closer.
Cato isn’t another success story; it’s an ongoing revolution in network security. A narrative that invites every enterprise to turn the page to a simpler, more secure future.
Explore the full story
Gain further insights into how Cato is redefining an industry, and the future of network security. Watch the full interview here.
Credit: Vikram (Vik) Sood
How SASE Ensures Healthcare & Pharmaceutical Companies Thrive
Healthcare and pharma companies are at the forefront of our most important need as humans: saving lives. To succeed, they require highly skilled staff members, medical equipment, drugs and resources. On top of these, there is another equally crucial component that will determine their ability to perform their jobs: their network. A secure, reliable and high performing network will ensure patient safety, data integrity and operational efficiency.
Such a network will enable healthcare organizations to protect sensitive customer data, connect medical professionals to patients through video, support the monitoring of patient data from IoT devices, set up effective communication between clinics, hospitals and other medical facilities, facilitate research and development processes, ensure proper distribution of drugs and medical equipment, and much more.
In this blog post, we introduce SASE (Secure Access Service Edge) and show how this innovative and easy-to-use technology can answer healthcare and pharma connectivity and security needs.
What Health and Pharmaceutical Companies Need From their Networks to Succeed
The healthcare industry is diverse, dispersed, susceptible to cyber attacks, and highly reliant on data and real-time communication. As a result, health and pharma organizations require the following from their networks:
Advanced security measures that protect from breaches and can safeguard sensitive data, like ePHI. Healthcare networks are sought-after targets for threat actors because they store and transit high volumes of valuable data, and the distributed nature of healthcare means the attack surface is broad.
Global connectivity across clinics, health centers, hospitals, pharmacies, remote medical personnel, telehealth centers and more.
Low latency and network stability to support real-time and reliable communication. Legacy network solutions like MPLS result in instability, fluctuating availability, and little redundancy, and relying on multiple carriers results in inconsistent SLAs.
Scalability to accommodate growth, including for new facilities, telehealth services and expanding digital health platforms.
Support for compliance requirements, like HIPAA and others. For example, when there is no standardization across legacy tools, it is difficult for IT to meet compliance requirements like enforcing consistent policies to ensure patient data is secure, or even just tracking who has access to that data.
Flexibility to support varying infrastructure and end-devices needs like IT and IoT.
A positive user experience for both healthcare providers and patients, who are not always tech-savvy but are always busy.
The ability to balance effectiveness with cost, since these organizations are often publicly funded and/or need to invest resources in patient care.
The ability to support acquisitions of other healthcare companies and clinics.
Ease of use for IT, since tasks are plentiful and time is short. In addition, the global skills gap is also prevalent in healthcare.
How SASE Can Answer Healthcare and Pharma Needs
SASE (Secure Access Service Edge) is an innovative networking and security solution that converges SD-WAN and security functions into a single, global, cloud-native solution. SASE was designed to reduce the effort and costs associated with setting up, maintaining and monitoring complex networks, while offering high-performing and secure connectivity. This makes it an ideal solution for healthcare companies.
For healthcare and pharma, SASE enables:
Enhanced Security and Compliance Posture
SASE integrates advanced security measures like FWaaS, CASB, DLP, SWG and ZTNA directly into the network. These measures allow granular control of data, ensuring it is securely accessed and shared. This reduces the risk of breaches and ensures compliance with regulations such as HIPAA, ISO 27001, or SOC2.
Optimal Performance
SASE optimizes network performance through SD-WAN, a global private backbone, and networking optimization capabilities. This ensures that healthcare professionals and researchers can quickly and reliably access the resources they need, regardless of their location, with minimal latency.
Scalability and Flexibility
SASE's cloud-native design allows organizations to scale their network and security needs dynamically as they expand or adapt services. This includes opening new clinics or locations, adding new remote users or even onboarding newly acquired companies or facilities.
Simplified Management
By consolidating various networking and security functions into a single, cloud-delivered platform, SASE reduces the complexity of managing multiple security products and vendors. IT teams can easily enforce consistent security policies across all locations and users, including remote and on-site employees, through single pane of glass management.
In addition, IT teams gain full network visibility, which allows optimizing traffic and prioritizing applications.
Improved User Experience
SASE users enjoy fast download times and reliable connectivity to their applications, from video conferences with patients to sharing data during critical care situations. This is due to SASE’s private global backbone, which doesn’t rely on the internet, as well as advanced routing methods.
Operational Efficiency
SASE is a single solution for networking and security needs. Eliminating network redundancies, dropping expensive network lines, and increasing operational efficiency deliver a high ROI for SASE, which helps prioritize patient care above all.
Global Connectivity
A cloud-based network and global network of PoPs allows connecting locations around the world while maintaining governance and visibility. High quality healthcare services can be provided without boundaries.
Conclusion
SASE delivers global connectivity, low latency, scalability, advanced security, compliance, flexibility, and a positive user experience. This enables healthcare and pharma organizations to overcome operational challenges, whether it's connecting clinics across the country, protecting from ransomware, or transferring life-saving data in real-time. By choosing SASE, IT professionals in the healthcare industry are better supporting medical teams, which ultimately improves patient outcomes and their quality of life.
To learn more about how healthcare providers leverage SASE, click here.
The Whole is Bigger Than the Sum of its Parts. The Channel Experience
Build Partner Trust. Avoid Partner Fatigue
“Trust takes years to build, seconds to break, and forever to repair.” The road to becoming a trusted partner to your customers has no shortcuts. As you review your portfolio, filled with various network and IT security solutions you’ve accumulated over the years, you believe each fulfills the needs of your customers. Each solution represents significant investments in resources and efforts to stay competitive and succeed. You’ve worked hard to grow and earn the trust of your customers, even when there seemed to be no other choice. But, given the opportunity, wouldn’t you prefer to provide your customers with a superior experience? One that you would enjoy as well?
Recently, we’ve heard many vendors talk about platform consolidation and customer fatigue. The correlation is clear. But what about the fatigue experienced by Channel Partners? Consolidating acquired products under the same umbrella can present its own set of challenges. Achieving optimal efficiency nirvana starts with selecting a vendor that simplifies integration and support.
Close your eyes. How do you imagine nirvana?
Single vendor SASE is channel-first in its DNA. Every channel aims to become a trusted partner by offering the most advanced, authentic, one-stop-shop solution for its customers. The challenge some partners face is building a future-proof business that allows them to shine and differentiate themselves. To succeed, partners should base their strategy on a recurring revenue business model that enables them to build and deliver managed or value-added services with a customer success approach, while choosing a vendor with a platform that eliminates the grunt work. That is the way to capitalize on a market in which, according to the Gartner® Market Guide for Single-Vendor SASE, “by 2025, 80% of enterprises will have adopted a strategy to unify web, cloud services, and private application access using a SASE/SSE architecture, up from 20% in 2021”.
Imagine sitting in front of your customers, asking them what network and IT security nirvana means to them. You will probably hear:
“We need all network and IT security capabilities delivered anywhere”
“I need to be able to scale fast”
“My IT team is exhausted handling patches and updates and ensuring they are implemented across the company”
“I need to be able to manage it all seamlessly by a single console”
“All decisions made should be based on a single data lake”
“Simple, secure, resilient”
“It must be cloud-native; I don’t want to manage appliances anymore”
As a trusted partner, you have four options:
You might come back and say “No one can do all that”. No one wants that.
Go to the nearest DIY shop, buy duct tape, think of a narrative that will fit your offering of multi-SASE vendor solutions, and come back to your next meeting with what would be yet another ‘doing the same thing expecting a different result’ kind of solution.
Choose a wannabe single-vendor SASE. (See number 2 above). Now imagine that they are all owned by a single company. Well, at least someone else bought the duct tape and did all the taping for you. It still doesn’t change the customer experience.
Achieve nirvana with a single-vendor SASE platform.
Is this really your comfort zone?
A SASE offer constructed from multiple vendors or patched-together solutions is anything but comfortable. It requires building and maintaining expertise across various vendors, managing complex sales cycles, staying updated on new features, endless patching, and managing the shipping and storage of point products that aren’t cloud-native. As your business expands, so does the burden of managing multiple vendor solutions, necessitating the support of numerous teams across sales, engineering, support, and operations. It’s more of a burden than a comfort.
Grow with your customers, but not by adding more vendors or solutions
Most of the partner programs out there today have all the standard industry ingredients: free self-paced enablement, $0 demo equipment, straightforward deal protection, good margins, access to marketing content, and a frictionless MDF program.
But these offerings won't move the needle for you to drive significant impact. The needle will move if the value proposition of a platform allows partners to focus on what really matters.
Introducing the concept of a single-vendor SASE platform has inherent advantages for the channel:
Growth by mastering the customer experience. One business unit: sell cycle, knowledge, retention, support, and services.
Simplicity at its best. Demoing and POCing a cloud-native solution to upmarket customers with the most complex customer environments doesn’t take months to design, plan, and execute. Efficient architecture for low-maintenance operation.
Differentiate yourself. Invest in your high-margin professional and managed services; spread them across your customer base.
Customer First. Unrivaled customer satisfaction and low churn.
Agility. Fast response to customers’ needs. New sites are deployed in minutes, and M&As are executed in days or weeks. Upsell and cross-sell features are available at the flip of a switch.
Efficiency. Unified management gives you full visibility and control over the entire solution from a single interface, significantly reducing human errors and oversights.
Recurring revenue model. Minimized operational costs = high-profit margins.
Eliminate grunt work. Maintenance, patches, updates - everything is taken care of seamlessly and automatically.
Then you can Veni, Vidi, Vici the $25B (so far) SASE market.
With a platform architected from the ground up, Cato SASE Cloud is channel-first in its DNA. Whether you are an MSP, SP, VAR, or GSI, you can offer your customers nirvana while experiencing it yourself.
For the whole to be bigger than the sum of its parts, look at the parts carefully; they need to be assembled perfectly without cutting any corners. Look at the roadmap; any enhancements and added products should fit as if they were designed to grow the whole.
Dare to be different and move away from your comfort zone.
The Divine SASE Touch
The Paris Olympics are coming up, arousing excitement and anticipation around the globe. As the world’s greatest athletes prepare to compete on this renowned stage, let’s shift our focus to a few of the earliest Olympics competitors - the Greek Gods. These deities, myth says, competed in the ancient Olympics, and later on, the Games were held in their honor. To this day, the Olympics are a global festival of what the Gods symbolized - strength, resilience and elegance.
Modern Olympus: Digital Deities
Today, much of our capabilities and influence come from technology. Just as the Greek Gods wielded immense control over their realm, IT teams hold the keys to the digital kingdom - our modern utopia. They keep businesses moving forward, supporting strategic initiatives like hybrid work, cloud migration, expansion, and M&A, while protecting against attackers.
Similar to the Greek Gods’ distinct abilities, IT teams possess specialized skills that are critical for overseeing and managing the technological infrastructure that powers modern businesses. Their leadership, governance, specialization, and ability to rise to challenges, strategically influence the business and can determine its fate. However, unlike the Gods, IT teams have access to powerful technology tools and solutions that amplify their efforts.
SASE: The New Divine Tool for IT Titans
Among these powerful tools is SASE (Secure Access Service Edge) - converging SD-WAN, a cloud network, and robust security functions into a unified, cloud-native solution. SASE provides a potent, innovative, and holistic solution to overcome the point complexities posed by the old legacy IT giants, making modern life better and more secure.
But, not all SASE is created equal.
While some SASE offerings are constructed from disparate technologies, Cato Networks stands apart with a true cloud-native SASE platform. Architected from the ground up, Cato SASE Cloud provides unmatched security, scalability, agility, and efficiency both now and in the future. For IT, this marks a new era of capability and insightfulness, akin to the powers of the Greek Gods themselves:
Five Gods and Goddesses stand out as embodiments of the powers that IT teams can now harness with SASE: Zeus, Hercules, Aphrodite, Athena and Artemis.
Zeus
Zeus is the supreme deity among the Olympian Gods, representing power and control. He governs the heavens and earth, overseeing natural phenomena such as thunder, lightning and storms.
Similarly, IT teams can provide leadership and governance over the organization's technological landscape. They can set the direction for IT projects, infrastructure investments, and cybersecurity policies, ensuring alignment with business goals.
With Cato SASE Cloud, IT teams ensure comprehensive security across all aspects of the network, from endpoints to the cloud, ensuring governance and protection everywhere just like Zeus oversees all of Olympus. SASE impacts the lives of customers and organizations just like Zeus touched upon the lives of all mortals and immortals.
Cato converges a wide range of security capabilities into a global cloud-native service that scales while automating resilience, security posture, and performance optimization. Instead of patching vulnerabilities, replacing boxes, or spending a weekend testing high availability, Cato eliminates the ‘grunt work’ that has plagued IT teams, allowing them to focus on partnering with the business, providing exceptional service, enabling business growth, and spending time on personal pursuits.
Hercules
Hercules is renowned for his incredible strength, courage, and numerous heroic deeds through the Twelve Labors.
Similar to Hercules, IT teams need to have relentless problem-solving skills and resilience. They handle a broad spectrum of issues, from routine maintenance to critical system outages, to cyber attacks, requiring quick and effective solutions.
With Cato, IT teams can enjoy the resilience offered in the face of challenges, ensuring the network remains strong and secure. Cato SASE Cloud connects and protects every location, user, and application, in any geography, and at any scale. This allows efficient enforcement of corporate policies for threat prevention and sensitive data protection, so IT can deal with its own Twelve Labors - cyber attacks, employee requirements, and quickly supporting business needs.
Aphrodite
Aphrodite is the goddess of love, beauty, elegance and desire. With SASE, IT teams can enjoy seamless and effortless operations and provide users with a smooth and graceful user experience. This is akin to the traits of this goddess herself.
Cato changes how IT security infrastructure is built, replacing it with an elegant platform that takes away the pain of selecting, validating, integrating, and deploying incremental networking and security capabilities, as well as product footprints, contracts, and billing cycles. Instead, everything is seamlessly converged in one solution. This simplifies day-to-day management, creating harmony and organizational aesthetics and functionality.
Enterprises and their users love Cato SASE Cloud and the effortless experience it provides.
Athena
Athena, known as the goddess of wisdom, courage and strategic warfare in Greek mythology, is one of the most revered and majestic deities among the Olympian gods. Similarly, IT requires strategic and critical thinking, choosing innovative and intelligent solutions that safeguard and advance an organization's infrastructure with digital transformation.
Cato enables IT to partner with the business and drive strategic business outcomes. By eliminating complexity, and reducing risks and costs, Cato SASE Cloud platform enhances IT’s agility, responsiveness, and impact, so it can move like Athena, at the speed of the digital business.
Artemis
Artemis is known as the goddess of the hunt in Greek mythology. Just like Artemis, IT teams need to be agile, vigilant and have the ability to target and resolve specific issues swiftly and effectively.
Cato SASE Cloud provides secure access, allowing users to connect safely wherever they may be. Users can establish a secure and optimized connection from anywhere, to any application, on-premises or in the cloud. Access security is provided through risk-based application access policies, EDP/EDR, a next generation malware engine, and more. In addition, all WAN, Cloud and Internet traffic is fully protected against threats and sensitive data loss. This reflects Artemis's precision and care in tracking her prey.
Know Thyself: Become the Most Powerful You with Cato SASE Cloud Platform
Wisdom, elegance, control, agility, and strength are values that can be enhanced in IT teams with Cato SASE Cloud Platform - a single, converged, global, and cloud-native security and networking service elegantly architected to deliver on the promise of SASE: to secure and optimize the business everywhere, for everyone, and for every use case.
IT has always faced the necessity to own and run a complex and fragmented security infrastructure. The urgent need to “keep the lights on” reduced IT’s agility and responsiveness to the business. Now, Cato SASE Cloud Platform is giving IT the divine touch, transforming how it manages and delivers security to support the business.
Welcome to the digital Utopia. Welcome to Catopia.
A Brief History of Graduality
In the early hours of July 19th, 2024, CrowdStrike endpoints on Windows machines worldwide received a faulty content update, causing what is shaping up to be one of the largest global IT outages to date.
All over the world reports of Windows workstations and servers stuck in a boot loop with a BSOD were pouring in, impacting airlines, airports, banks, hospitals and many other critical infrastructures such as emergency services call centers, and the list goes on.
Many details including a detailed RCA from CrowdStrike will surely follow and shed more light on this, detailing why an update was pushed to the entire install base and how it passed testing, but until then nothing but our best wishes for our colleagues at CrowdStrike managing this incident.
Nonetheless, this is a good opportunity to discuss and highlight Cato’s Gradual Deployment Model, which is at the very core of how we manage our cloud service and the managed endpoints using the Cato Client.
Graduality, and more graduality
At Cato there isn’t a single stricter guideline throughout the entire Engineering and Operations organization than graduality. And it is without a doubt the most followed through guideline whether it’s in coding practices, performing production changes or publishing new software updates.
In simple terms, nothing is EVER executed on everything all at once. That ‘everything’ can be servers in our Cato SASE Cloud service (e.g. cloud PoPs, backend management services, Kubernetes clusters, etc.), managed Socket devices or Cato Clients running on the endpoints of our customers.
Over the years we’ve developed multiple dedicated infrastructures and feature suites serving this methodology, including automation for deployment with real-time checks for failures between phases of deployment, and features giving admins full control over how they manage updates of Cato Sockets and Cato Clients inside their organization. Graduality allows them to do it at a pace that’s acceptable and meets the parameters that each IT organization sets for itself, providing the necessary time between every phase and update group to make sure that if something goes wrong there is time to discover it and reduce the impact radius.
Cato Client Gradual Rollout - Client Upgrade Policy
For comparison, we will highlight the way Cato manages updates to its Cato Client, which is similar to how the CrowdStrike agent is installed on all workstations of the organization.
When a new client version is approved for release, following its extensive automation and regression testing, it goes into a release pipeline that is managed from start to finish. New client versions are distributed gradually between groups of customers and are never made available to all the groups at once.
A worthwhile mention is that Cato employs “dogfooding”, and the very first clients to be upgraded are all the Cato Clients managed by Cato’s own IT department, and using the same tools and methods as do our customers, as a final gate of quality control.
At the scope of a specific customer for which an update has been made available, their IT administrator is able to control how the client will be published to the users within the organization using the Client Upgrade Policy.
The Client Upgrade Policy is a native graduality mechanism that the admin uses to control the pace of Client upgrades, with the granularity to control different rollouts based on the endpoint platform. Initially a “Pilot Group” of users receives the update; typically these are IT members and other early adopters who can identify and report any issues first. After the Pilot Group, the client update continues to roll out gradually to the rest of the install base, with the administrator able to track the progress in the CMA and pause the update at any moment if required.
Figure 1 – Client Rollout screen showing multiple client versions and their rollout status
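To make the mechanics of the rollout described above concrete, here is an added example that is not Cato's own tooling or the CMA's logic: a small phased-rollout controller on a constructed fleet. It models a pilot group followed by progressively larger waves, an automatic failure-rate gate between phases (so a bad build stops before it reaches the next, larger group), an administrator pause flag checked before every phase, and optional per-platform scoping. The endpoint names, platform labels, the 5% failure threshold and the `healthy()` callback are all assumptions made for the example.

```python
"""Phased client rollout with a health gate between phases.

Added example, not Cato's own tooling: it models the graduality the post
describes (pilot group first, then progressively larger waves, with a
failure check between waves and an admin pause) on constructed data.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Endpoint:
    name: str
    platform: str            # e.g. "windows" or "macos" (constructed labels)
    version: str = "1.0"     # client version currently installed


@dataclass
class RolloutResult:
    status: str                      # "completed", "halted" or "paused"
    phases_done: int
    upgraded: List[str] = field(default_factory=list)
    failed: List[str] = field(default_factory=list)
    reason: str = ""


def plan_phases(endpoints: List[Endpoint], pilot: List[str],
                wave_pct: List[int]) -> List[List[Endpoint]]:
    """Pilot group first, then the rest in waves sized as a percentage of the
    non-pilot population; whatever is left over becomes the final wave."""
    pilot_set = set(pilot)
    pilot_group = [e for e in endpoints if e.name in pilot_set]
    rest = [e for e in endpoints if e.name not in pilot_set]
    phases = [pilot_group]
    start = 0
    for pct in wave_pct:
        size = max(1, round(len(rest) * pct / 100))
        phases.append(rest[start:start + size])
        start += size
    phases.append(rest[start:])
    return [p for p in phases if p]      # drop empty phases


def run_rollout(endpoints: List[Endpoint], new_version: str, pilot: List[str],
                wave_pct: List[int], healthy: Callable[[Endpoint], bool],
                max_failure_rate: float = 0.05,
                paused: Callable[[], bool] = lambda: False,
                platform: Optional[str] = None) -> RolloutResult:
    """Upgrade endpoints phase by phase. The admin pause flag is honoured before
    each phase; after each phase the phase's failure rate is compared with
    max_failure_rate and the rollout halts if it is exceeded."""
    targets = [e for e in endpoints if platform is None or e.platform == platform]
    result = RolloutResult(status="completed", phases_done=0)
    for phase in plan_phases(targets, pilot, wave_pct):
        if paused():
            result.status, result.reason = "paused", "paused by administrator"
            return result
        failures = 0
        for ep in phase:
            ep.version = new_version          # the update is applied...
            if healthy(ep):                   # ...then the endpoint reports back
                result.upgraded.append(ep.name)
            else:
                failures += 1
                result.failed.append(ep.name)
        result.phases_done += 1
        rate = failures / len(phase)
        if rate > max_failure_rate:
            result.status = "halted"
            result.reason = (f"phase {result.phases_done}: failure rate "
                             f"{rate:.0%} exceeds {max_failure_rate:.0%}")
            return result                     # later, larger waves never run
    return result


def sample_fleet() -> List[Endpoint]:
    """Constructed fleet of ten endpoints, not real inventory data."""
    return [Endpoint(f"ws-{i:02d}", "windows" if i % 3 else "macos")
            for i in range(10)]


if __name__ == "__main__":
    # Scenario 1: every endpoint comes back healthy, so all four phases run.
    ok = run_rollout(sample_fleet(), "2.0", pilot=["ws-00", "ws-01"],
                     wave_pct=[25, 50], healthy=lambda e: True)
    print(ok.status, ok.phases_done, len(ok.upgraded))
    # Scenario 2: one pilot machine fails its health check, so the rollout
    # halts after phase 1 and the eight non-pilot endpoints never get the build.
    bad = run_rollout(sample_fleet(), "2.0", pilot=["ws-00", "ws-01"],
                      wave_pct=[25, 50], healthy=lambda e: e.name != "ws-01")
    print(bad.status, bad.phases_done, bad.failed, bad.reason)
```

The point of the gate is that the blast radius of a bad build is bounded by the size of the phase in which it is first detected; in the second scenario that is the two-machine pilot group rather than the whole fleet. In a real deployment the `healthy()` callback would be replaced by telemetry from the upgraded endpoints (check-in after reboot, crash reports, and the like), and the threshold tuned to the organization's tolerance.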
Summary
This recent global outage highlights the critical need for robust deployment practices. At Cato Networks, our [quite overzealous] commitment to gradual deployment models ensures that any changes or updates to our cloud services and endpoints are meticulously controlled and monitored.
By deploying updates in phases and giving the tools and fine-tuned control of Client updates to the IT teams we minimize the risk of widespread disruptions and provide ample time to detect and address issues early. This approach not only enhances the reliability of our services but also gives our customers confidence in the stability of their IT operations.
I Need 90 PoPs of SASE…Stat!
Healthcare information security teams are tasked with a common responsibility: safeguarding devices, services, and patient data; however, they also deal with the unique regulatory and compliance requirements surrounding patient data. Compounding this challenge is the sheer number of branch offices, connectivity to internal- and cloud-based applications, and all of the disparate point products accumulated over time. Complexity abounds in healthcare, where there is no room for complexity in an industry that impacts human life. Simplicity is the want…security is the need.
Branches, and Branches, and more Branches
Healthcare organizations frequently comprise multiple hospitals and dozens of branch offices that house family doctors, radiologists, medical laboratories, and others. These branch locations are frequently in geographically dispersed areas.
Deploying security appliances in each of these locations is often impractical once performance, manageability, and cost are all considered. Because of this, all network traffic tends to be backhauled to a primary data center or hospital to enforce security against that traffic. While this does work, it adds unnecessary latency and network overhead to already limited security and networking capabilities.
Backhauling traffic seemingly offloads deploying physical appliances at each branch but also creates risky dependencies. If connectivity to the main hospital or data center is lost, access to the applications is also lost. This causes a massive disruption in the day-to-day operations of those remote branches and can cause organizations to lose customers.
Another critical area to consider is when healthcare organizations open or acquire existing branch locations; they often come with a different networking and security architecture. Integrating disparate solutions into existing environments can be complex, driving additional costs for new licensing and/or hardware.
All of these factors create complexity, and complexity is the enemy of security.
SASE is the Cure-All for Healthcare IT Woes
The cure for all of these challenges in healthcare organizations is what Gartner named Secure Access Service Edge, or SASE. SASE is the convergence of network and security controls into a single platform that is available as a global cloud-native service. The key components of SASE are Firewall as a Service (FWaaS), Secure Web Gateway (SWG), Intrusion Prevention as a Service (IPS), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), and optionally so much more.
The Cato SASE Cloud platform accelerates and simplifies networking and security with true zero-touch deployment and global full security offerings. In healthcare specifically, SASE helps from a compliance perspective with HIPAA, PCI, and other standard healthcare regulatory compliance requirements. Cato Networks was the first company to see the evolution of security and networking, and with that foresight, we created our SASE Cloud platform. With over 80 points of presence (PoPs) worldwide, customers can have the same security experience regardless of location.
Simplifying Connectivity
There is no need to deploy expensive security appliances at each branch and no need to impact performance by backhauling your network traffic; Cato Networks’ global private backbone provides powerful connectivity to all branch locations, accomplished by our extensive network of PoPs. The branch locations no longer have to connect directly to one another or a hub site; they can connect to the Cato SASE Cloud and then use our full-mesh redundant backbone network to communicate. Each site would require a small Cato Socket device to connect the branch locations to the nearest PoP. Regardless of where your branches or remote users are located, any edge can connect to the nearest Cato PoP and access the global private backbone. As we stated above, there are also lots of applications and data that employees and branch locations need to access daily. The Cato SASE platform is architected to provide both acceleration of application data and smart egress at the closest PoP to the application data center. This makes the application perform better and provides users with a better working experience, regardless of the location.
[boxlink link="https://www.catonetworks.com/customers/fullerton-health-builds-a-secure-sase-linking-550-locations-and-the-cloud-thanks-to-cato/"] Fullerton Health Builds a Secure SASE Linking 550 Locations and the Cloud, Thanks to Cato | Read more [/boxlink]
Simplifying Security
Security appliances in multiple branch offices make it challenging for security administrators to manage, update, and patch on regular schedules. If there are network connectivity issues, security personnel must physically visit the branch locations to manage the individual devices. This is not the best use of security personnel's time and effort. Cato Networks SASE is a cloud-native service that accelerates and simplifies networking and security with true zero-touch deployment and global full security offerings. In our PoPs, full-stack security policies are enforced in our single-pass architecture. Specifically in healthcare, Cato’s intrusion prevention (IPS) and data loss prevention (DLP) detect and block unauthorized personnel from accessing and exfiltrating any personal information from your organization. From a compliance perspective, SASE helps with HIPAA, PCI, and other standard healthcare regulatory compliance requirements.
Security at Scale
As organizations grow, pressure on the security and networking teams to accommodate those new users and locations increases. Oftentimes, in healthcare, this comes with mergers and acquisitions. Choosing a vendor that can grow with you, with minimal impact on your workload, is crucial. Since Cato’s SASE service is completely cloud-native, it can grow with your organization without requiring your organization to rearchitect the network or purchase more expensive hardware to secure the new locations.
Conclusion
In healthcare, where safeguarding sensitive patient data is crucial, security and IT teams face unprecedented pressure. CISOs may even bear personal responsibility for breaches. Therefore, adopting comprehensive security solutions rather than relying on point-solution approaches is critical.
Transitioning to a SASE solution provides a complete suite of modern security capabilities, including ZTNA, SWG, CASB, DLP, and more, and it also streamlines maintenance. This approach reduces the burden of managing multiple products and appliances, eliminating the need to apply patches and constantly cope with staff fatigue. By consuming networking and security infrastructure as a cloud-native service, healthcare security teams can prioritize their efforts quickly and effectively.
Come read how Cato Networks helped a healthcare organization connect and secure its 500+ locations, the public cloud, and SaaS applications.
Making Sense of NIS 2: Adopt a Cybersecurity Blueprint like NIST to Set Your House in Order
In 2023, the European cybersecurity landscape painted a concerning picture. According to a report[1] from ITGovernance.eu, sectors such as energy, utilities, manufacturing, and healthcare were the most breached, indicating a strategic targeting by cybercriminals. Meanwhile, IBM's alarming metrics[2] in detection, response, and mitigation further emphasized that enterprise cybersecurity implementations were falling short.
The European Community established the Network and Information Security Directive 2 (NIS 2) to bolster cybersecurity resilience across the EU, driven by several critical objectives:
Enhanced Cybersecurity Resilience: improve the overall resilience of critical infrastructure and services against cyber threats and attacks.
Uniform Security Standards: create a standardized framework for cybersecurity practices across the EU, ensuring a consistent level of security and risk management.
Improved Incident Reporting: establish more stringent reporting requirements for cybersecurity incidents, allowing for quicker and more coordinated responses to threats.
Broadened Scope: expand the scope of the original directive to include more sectors and services that are critical to the economy and society, reflecting the evolving nature of cyber threats.
Better Cooperation: enhance cooperation and information sharing between member states, promoting a more unified and effective approach to cybersecurity.
Supply Chain Security: address security concerns within supply chains, ensuring that third-party vendors and service providers meet the necessary cybersecurity standards.
In a nutshell, the NIS 2 directive obligates organizations to implement appropriate and proportional technical, operational, and organizational measures to manage risks posed to the security of network and information systems. The goal is to prevent or minimize the impact of incidents on service recipients and other interconnected services.
[boxlink link="https://catonetworks.easywebinar.live/registration-nis2-is-coming-are-you-ready"] NIS 2 is coming. Are You Ready? | Watch Now![/boxlink]
Key Areas of Focus in NIS 2
Four crucial topics emerge from the directive:
risk assessment and management
corporate accountability
reporting obligations
business continuity
By October 17, 2024, European member states must adopt into law and publish the measures to comply with NIS 2, and by April 17, 2025, they must establish a list of essential and important entities.
NIS 2 is a significant enhancement over its predecessor, NIS 1, addressing its shortcomings such as insufficient cyber resilience, disparate implementations across member states, and lack of a joint crisis response team. NIS 2 expands coverage to sectors like food and beverage, digital service providers, and postal services, acknowledging the digital systemic risks associated with cybersecurity. This directive is expected to impact over 160,000 companies.
Organizations Impacted and Obligations
Organizations fall into two categories under NIS 2: (1) essential and (2) important entities.
Essential entities, which include sectors like energy, transport, and water supply, must have at least 250 full-time employees and an annual turnover of €50 million or higher. They will undergo continuous auditing by the competent authority within the country they operate in.
Important entities, on the other hand, include sectors such as digital providers and postal services, with a minimum of 50 employees and an annual turnover of €10 million. They will be subjected to audits only after an incident has occurred.
Figure 1- Organization Sectors impacted by NIS 2 (courtesy of nis2directive.eu)
Out of the 144 preambles, 46 articles, 3 annexes and more than 270 pages, organizations should focus on these key obligations:
Full accountability for outsourced services (Preamble 83)
Defined competencies for supervisors (Preamble 125)
Personal accountability at the C-suite level for approving cybersecurity measures and ensuring continuous training (Article 20)
Adopting technical, operational, and organizational measures (Article 21).
Mapping NIS 2 with the NIST Cybersecurity Framework
While NIS 2 sets forth comprehensive obligations, it lacks a clear list of actionable items. This is where adopting a security blueprint like the NIST Cybersecurity Framework (CSF) can help organizations prepare effectively for NIS 2 compliance.
Figure 2 - NIST cybersecurity framework[3]
The framework’s core is organized around five key functions: Identify, Protect, Detect, Respond and Recover, along with CSF 2.0’s newly-added Govern function. When considered together, these functions provide a comprehensive view of the life cycle for managing cybersecurity risk.
Govern Function: this function provides outcomes to inform what an organization may do to achieve and prioritize the outcomes of the other five functions. It aligns with NIS 2 requirements for organizations to have appropriate management policies, in the context of its mission and stakeholder expectations.
Identify Function: This includes controls for asset management and risk assessment, aligning with NIS 2's requirements for organizations to identify assets and assess their associated risks.
Protect Function: This includes controls related to identity management, access control, data and network security, zero trust, and multi-factor authentication. These controls align with the NIS 2 measures that must be taken by Member states to protect their critical infrastructure against identified risks.
Detect Function: The CSF's detect function includes controls for incident and anomaly detection, network monitoring, and supply chain security, aligning with NIS 2's requirement for early warning systems to detect incidents.
Respond Function: This function includes controls for incident response planning, communication, and coordination, ensuring organizations have plans to respond to incidents affecting critical infrastructure.
Recover Function: The recover function includes controls for business continuity and disaster recovery planning, ensuring organizations can recover from incidents affecting their critical infrastructure.
Challenges and Solutions
Organizations face several challenges in achieving NIS 2 compliance. These include monitoring blind spots, managing fragmented security solutions, dealing with alert fatigue, overcoming patch management backlogs, and addressing shadow IT. Moreover, coordination between network and security teams often poses delays in incident detection and response.
To address these challenges, a comprehensive approach leveraging the NIST CSF can provide detailed security controls mapping into NIS 2 requirements. These controls include using a single-pass software stack for full visibility of digital assets, automated device inventory dashboards, comprehensive risk assessment tools, and a unified management application for security and network incident detection and correlation.
Investing in trusted partners with ISO 27001 certification can also help manage supply chain security and governance, ensuring a reliable approach to cybersecurity. Continuous training, adopting zero trust models, and integrating advanced threat detection and response mechanisms are critical to meeting NIS 2 obligations.
In conclusion, while NIS 2 presents a complex set of requirements, adopting a cybersecurity blueprint like the NIST CSF can streamline compliance efforts and enhance the overall security posture of organizations. By focusing on comprehensive risk management, continuous monitoring, and robust incident response, organizations can set their cybersecurity house in order and mitigate the impact of potential cyber threats.
The right network and security platform can help
Cato Networks offers a comprehensive solution and infrastructure that can greatly assist companies in achieving NIS 2 compliance. By leveraging Cato’s Secure Access Service Edge (SASE) platform, organizations can enhance the security and resilience of their network and information systems.
If you want to know more on how Cato Networks can help achieve NIS 2 compliance, please check our Webinar “NIS 2 is coming. Are you ready?”
[1] https://www.itgovernance.eu/blog/en/data-breaches-and-cyber-attacks-in-europe-in-december-2023-100884532-records-breached
[2] IBM report
[3] Copyright of NIST
CVE-2024-6387 OpenSSH RCE vulnerability (“regreSSHion”) – Cato Networks impact and analysis
TL;DR – Multiple versions of OpenSSH are vulnerable to remote code execution. There is no working public PoC, and researchers have only been able to exploit the vulnerability under unique lab conditions.
Cato’s cloud infrastructure is NOT impacted
Cato Sockets use one of the vulnerable OpenSSH versions. Patches containing an upgrade to the latest OpenSSH version are in the testing phase and will be released to the field for all supported Socket platforms (physical & virtual) for the following Socket versions:
Version 19 – last stable
Version 20 – latest
Cato Sockets by default do NOT have a publicly exposed SSH interface. It is always recommended to keep the Cato Socket's LAN interface exposed only internally and to use comprehensive network access controls to manage SSH access.
Vulnerability overview
Researchers from Qualys published their findings on July 1st and, as has become customary for CVEs making big news in the industry, gave it a name: “regreSSHion”, because it was caused by a previous fix in OpenSSH that introduced a regression in the code.
OpenSSH is one of the most widely used suites of tools on Unix-based systems, used all over the world for securing communications to servers over the internet, secure file transfers and more. It is considered one of the more secure applications in the Unix world; to quote the researchers from Qualys, “this vulnerability is one slip-up in an otherwise near-flawless implementation”, and CVEs such as this finding are very rare indeed.
Impacted OpenSSH versions are:
OpenSSH versions earlier than 4.4p1
OpenSSH versions between 8.5p1 and 9.7p1
* Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable because of a previously applied patch for a different vulnerability (CVE-2006-5051).
In the research published by Qualys, the attack was successful only under lab conditions and only against a 32-bit system, taking 6 to 8 hours on average; on 64-bit systems the time needed is likely to increase by several orders of magnitude, and exploitation there was not demonstrated.
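The version ranges above are easy to misread by hand (the pre-4.4p1 range, the gap where the CVE-2006-5051 fix protects you, and the regressed 8.5p1 to 9.7p1 range), so the following is an added example, not Cato's or Qualys's code, that classifies OpenSSH banner strings from an asset inventory against exactly those ranges. The inventory, host names and banners are constructed for the example. Distribution packages often carry a backported fix under an older upstream version number, so a "vulnerable" result from the banner alone is a prompt to check the package changelog, not a confirmed finding.

```python
"""Classify OpenSSH version strings against the CVE-2024-6387 ranges.

Added example (not from the original post). Ranges taken from the post:
  < 4.4p1                 vulnerable
  4.4p1 <= v < 8.5p1      not vulnerable (CVE-2006-5051 fix present)
  8.5p1 <= v <= 9.7p1     vulnerable (regression)
  > 9.7p1                 not vulnerable
"""
import re
from typing import Dict, List, Optional, Tuple

# Matches the version as printed by `ssh -V` or sent in the protocol banner,
# e.g. "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13". Non-portable builds have no
# "pN" suffix; they are treated as patch level 0 (conservative for 8.5-9.7).
VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

CVE_2006_5051_FIXED = (4, 4, 1)   # 4.4p1: first release with the original fix
REGRESSED_FROM = (8, 5, 1)        # 8.5p1: regression reintroduced
LAST_VULNERABLE = (9, 7, 1)       # 9.7p1: last vulnerable release per the post


def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None for non-OpenSSH banners."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def classify(banner: str) -> str:
    """Map a banner to 'vulnerable (...)', 'not vulnerable' or 'unknown'."""
    v = parse_version(banner)
    if v is None:
        return "unknown"                       # e.g. dropbear, not OpenSSH
    if v < CVE_2006_5051_FIXED:
        return "vulnerable (pre-4.4p1)"
    if v < REGRESSED_FROM:
        return "not vulnerable"                # protected by the 4.4p1 fix
    if v <= LAST_VULNERABLE:
        return "vulnerable (8.5p1-9.7p1)"
    return "not vulnerable"                    # newer than 9.7p1


# Constructed inventory: hostname -> banner observed during an internal scan.
CONSTRUCTED_INVENTORY: Dict[str, str] = {
    "bastion-01": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "legacy-db": "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "build-03": "SSH-2.0-OpenSSH_9.8p1",
    "ancient-lab": "SSH-2.0-OpenSSH_4.3p2",
    "iot-gw": "SSH-2.0-dropbear_2020.81",
}


def hosts_to_review(inventory: Dict[str, str]) -> List[str]:
    """Hosts whose banner falls in a vulnerable range, sorted by name."""
    return sorted(h for h, b in inventory.items()
                  if classify(b).startswith("vulnerable"))


if __name__ == "__main__":
    for host, banner in CONSTRUCTED_INVENTORY.items():
        print(f"{host:12s} {classify(banner)}")
    print("review:", hosts_to_review(CONSTRUCTED_INVENTORY))
```

Feed real banners from your own inventory or a banner grab of internal hosts into `hosts_to_review`; anything it returns should be cross-checked against the vendor advisory for that package before it is treated as unpatched.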
Analysis of the vulnerability
The vulnerability was introduced into newer OpenSSH versions in October 2020 and is tied to a code regression of CVE-2006-5051. That issue was originally fixed in version 4.4p1; later, an incorrect fix for another CVE brought it back (hence the regression), making versions from 8.5p1 onward vulnerable.
The exploit leverages a race condition in the signal handler of sshd, the server component of OpenSSH. If the client fails to complete the authentication process within LoginGraceTime (which by default is 120s or 600s depending on the version in use), a SIGALRM signal is raised and its handler runs asynchronously; that handler calls additional functions that are not safe to call from a signal handler, running with root privileges, which the researchers were able to exploit to run arbitrary code and gain a root shell.
The researchers have used a uniquely crafted lab environment to prove the RCE, trying to circumvent multiple protections all modern operating systems employ to protect against access to running memory, e.g. ASLR.
In the lab, using a 32-bit server and a low-latency network connection, it took an average of 6 to 8 hours to obtain a root shell after approximately 10,000 connection attempts. On top of the very long time to exploit, the massive number of connections needed is likely to be flagged by different network monitoring systems and is an easy vector to identify and block.
The attack is, for the time being, extremely complicated to perform in real-world conditions, and mitigations such as using fail2ban and limiting public access to OpenSSH (which is ALWAYS recommended) make it nearly impossible to exploit.
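The analysis above notes that the roughly 10,000 connection attempts needed, each of which has to run out LoginGraceTime, are an easy pattern to spot. As an added example that is not part of the original post, the following detection counts sshd "Timeout before authentication" log lines per source address over a sliding window and flags sources that exceed a threshold. The log lines, hostname, addresses, the window of 600 seconds and the threshold of 20 events are all constructed for the example; sshd does not log a year in syslog timestamps, so the parser takes one as a parameter.

```python
"""Flag source addresses producing bursts of sshd authentication timeouts.

Added example (not from the original post). Assumes syslog-style sshd lines
such as:
  Jul 01 10:00:00 bastion sshd[4000]: Timeout before authentication for 203.0.113.7 port 40000
Window and threshold are constructed values; tune them for your environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# "Timeout before authentication" is what sshd logs when LoginGraceTime expires
# without a completed login, i.e. exactly the condition the race depends on.
TIMEOUT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Timeout before authentication for (?P<ip>\S+) port \d+"
)


def parse_events(lines: List[str], year: int = 2024) -> Dict[str, List[datetime]]:
    """Group timeout timestamps by source IP. `year` is assumed (syslog omits it)."""
    events: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if not m:
            continue                     # accepted logins, other daemons, etc.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["ip"]].append(ts)
    return events


def flag_sources(events: Dict[str, List[datetime]],
                 window_s: int = 600, threshold: int = 20) -> Dict[str, int]:
    """Return {ip: peak count} for sources with >= threshold timeouts in any window."""
    flagged: Dict[str, int] = {}
    for ip, stamps in events.items():
        stamps = sorted(stamps)
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits within window_s.
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def constructed_log() -> List[str]:
    """Constructed sample: one noisy source, one benign source, one normal login."""
    lines = []
    base = datetime(2024, 7, 1, 10, 0, 0)
    for i in range(25):                  # 25 timeouts in under five minutes
        t = base + timedelta(seconds=12 * i)
        lines.append(f"{t:%b %d %H:%M:%S} bastion sshd[{4000 + i}]: "
                     f"Timeout before authentication for 203.0.113.7 port {40000 + i}")
    for i in range(3):                   # 3 timeouts spread over 40 minutes
        t = base + timedelta(minutes=20 * i)
        lines.append(f"{t:%b %d %H:%M:%S} bastion sshd[{5000 + i}]: "
                     f"Timeout before authentication for 198.51.100.9 port {41000 + i}")
    lines.append("Jul 01 10:00:05 bastion sshd[6000]: Accepted publickey for ops "
                 "from 10.0.0.5 port 50000 ssh2: ED25519 SHA256:constructed")
    return lines


if __name__ == "__main__":
    print(flag_sources(parse_events(constructed_log())))
```

In practice the same logic is what a fail2ban jail or a SIEM correlation rule expresses; keeping it as a small script is useful for sweeping archived logs for the pattern after the fact.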
Public exploitation & prevention
No indications of exploitation attempts targeting Cato customers were found. And while PoC code has surfaced with a claim to exploit the vulnerability, Cato’s security research team has determined that it is not in fact a viable exploit and would not result in an RCE, including tests performed on Cato Sockets internally. However, it does lay a good foundation for exploiting this vulnerability, and we expect more attempts to be released soon.
Cato’s security research team continues to analyze this threat to determine the possible exploitation avenues and how they meet existing prevention policies and introduce new logic to address the issue specifically.
Summary
A remote code execution in multiple versions of OpenSSH was discovered; there is no working public PoC available, and exploitation in real-world conditions is impractical to near impossible.
Nonetheless, due to the high profile of the CVE and the quickly evolving landscape, it is important that all systems are patched in case an exploit PoC surfaces in the future. Just as important are strict network access controls limiting public SSH access, including of course Cato Sockets, which should never be internet facing on the management side.
Cato Networks recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for Single-Vendor SASE Report
SASE is all about strategically solving business problems. The systematic removal of technology barriers standing in the way of business outcomes. It is a brand new “how” (platform) for a well-known “what” (features).
When we started Cato Networks in 2015, we were immersed in skepticism. Can you actually build a cloud network that will replace MPLS circuits with decades of proven reliability? (We did.) Can you really build a cloud-native next-gen firewall and powerful threat prevention that can displace the industry’s leading incumbents? (We did.) Can you innovate fast enough in AI and data protection to close feature gaps with veteran pure-play vendors, and even gain competitive advantage over them? (We did.)
Almost ten years in, one of the things that makes Cato Networks unique is being defiant. Defiant against decades of point products trying to solve point problems. Defiant against the assumption that complexity is inevitable. Defiant against the perception that “it was always done that way”.
With Gartner's most recent recognition of Cato Networks as a Leader in the 2024 Gartner® Magic Quadrant™ for Single-Vendor SASE Report, we believe that our vision aligned with what customers really needed. I am even more proud of our perseverance during this journey, staying focused on what drives value and outcomes, even when facing legacy vendors and legacy state-of-mind headwinds.
[boxlink link="https://www.catonetworks.com/resources/cato-named-leader-in-gartner-magic-quadrant-for-single-vendor-sase/"] Cato Networks named a Leader in the 2024 Gartner® Magic Quadrant™ for Single-Vendor SASE | Download Report[/boxlink]
Building it right from the start
As we built the Cato SASE Cloud Platform over the years, and onboarded thousands of enterprise customers and partners, we followed these core principles:
True Convergence. The technical capabilities the platform delivers (e.g. SD-WAN, FWaaS, SWG, CASB, DLP, ZTNA, XDR, etc.) are built as one, act as one, and are consumed as one. There is one policy engine that does everything customers expect from networking and network security solutions. There is one data lake storing all events with a single, shared context. There is one management interface and API for configuring, managing, and monitoring the enterprise infrastructure. It is not a “bolt on” integration of portfolio products and acquisitions, and it is not a ‘management of managements’.
Consistency. SASE is meant to serve all enterprise edges: sites, datacenters, clouds, and remote users – wherever they are. All of Cato’s 90+ PoPs are symmetrical and have the exact same capabilities. Cato Networks customers are confident knowing that wherever they are today, and wherever they may expand to in the future, they will not have to compromise on performance, security, or productivity.
Autonomous operation. SASE is expected to be trusted as the enterprise’s new critical infrastructure, promising to offload maintenance and operational grunt work from IT teams, freeing them to focus on enabling business growth and outcomes. We built the Cato SASE Cloud Platform to transparently scale as customers grow, seamlessly overcome component failures, and effortlessly sustain optimal security posture and peak performance - so our customers would have so much less to worry about.
Customers know when you get it
What used to be a disruptive vision is now the mainstream.
SASE is one of the fastest growing markets in IT, and leading players in networking, network security, cloud security, and data security are trying to find their way into it. Some take a path of partnerships, some acquire companies and integrate them, some develop new technologies in-house, and some still focus on positioning rather than building.
Customers want hard proofs. When you promise true convergence – they want to see it to believe it. When you speak about consistency – it needs to be demonstrated. When you tell them you can offload grunt work to help them become champions in their organization – they ask to speak with reference customers to verify it.
The Cato SASE Cloud Platform has repeatedly proven it does what it says on the tin, and our customers are voluntarily vocal about it. They speak publicly about the change Cato Networks is making and about the difference from legacy vendors and other SASE providers. You can read the reviews of our product on the Gartner Peer Insights page.
To date, Cato Networks has thousands of customers and partners that share our vision and support our journey to transform the IT industry.
From a revolution to an evolution
“Don’t you know, they're talking about a revolution. It sounds like a whisper” sings Tracy Chapman in one of her greatest songs. Sometimes, there is a delicate, almost unnoticed, tremble that makes you feel something is about to happen. Cato Networks was that tremble 10 years ago. Gartner’s 2024 Magic Quadrant for Single-vendor SASE, and Cato Networks' recognition as a Leader in it, according to us, is the living proof SASE is no longer a whisper, and that a new era is upon us.
Cato Networks. We Are SASE.
Cato Survey: Remote Access Issues and Need for Increased Visibility Continue to Drive SASE in 2024
2024 is expected to be another year of strong growth in the SASE market. Dell’Oro Group predicts the SASE market will surpass $10 billion by the end of the year “representing more than a doubling of the total market in three years,” according to Mauricio Sanchez, Senior Research Director of Dell’Oro Group. Gartner expects the market for SASE to reach $25 billion by 2027. What’s driving this trend? Sanchez attributes it to the ongoing “transformation of the Enterprise to align with the new normal of hybrid work and cloud-based applications.”
Sanchez isn’t alone in that assessment. Cato Networks’ latest survey of 1,069 IT leaders also found the new normal around hybrid work to still be challenging for legacy network and security infrastructure.
Four years after the pandemic forced companies to go remote, securing remote users in particular is still challenging. Respondents indicated that enabling remote access from anywhere and adopting zero-trust security posture for all access were two of the top three challenges of the current network and security architecture. A majority (58%) indicated the increased remote work and mobile workforce is a top factor that’s driving organizations’ need for zero-trust security.
According to a Deloitte survey, 80% of global organizations still allow employees some level of remote and hybrid work options. As the work environment remains highly distributed, it’s clear that organizations are still reckoning with developing and executing a secure remote access strategy that provides the same level of security protections that workers have in the office.
Some organizations have continued to rely upon legacy network solutions based on VPN. The trouble with VPNs is that users implicitly gain access to everything on the same subnet. As one respondent pointed out: “We were using a traditional security model that relied on a VPN to secure our network. However, this model did not provide the level of security we were looking for.”
ZTNA flips that paradigm. Users can only “see” the specific applications and resources explicitly permitted by their company’s security policy. So, it’s unsurprising that 43% of respondents identified remote access VPN refresh as the trigger for starting a SASE transformation project. One respondent elaborated: “Our organization decided to switch to a SASE model, which provided us with a more comprehensive security solution. With SASE, our organization was able to implement a zero-trust security model, which helped us to improve our security posture.” Transitioning from outdated solutions to SASE models facilitates zero trust maturity, while also protecting access at the edges, including sites, mobile users and devices, and enterprise and cloud resources. This transition enables enterprises to move from disjointed IT architectures to converged security platforms.
SASE increases visibility, reduces complexity and costs
Just as SASE models are empowering organizations by increasing network security, so too is this technology enabling comprehensive visibility and control in a complex landscape. More than half (55%) of respondents indicated that sensitive data visibility and control plus threat protection is a key challenge of organizations’ current network and security infrastructure. Why? Increased adoption of remote work, cloud computing, and disruptive technologies like generative artificial intelligence (AI) are all creating new data security risks—leaving organizations vulnerable to data breaches and regulatory noncompliance.
Further challenging organizations’ ability to maintain comprehensive data visibility and control are the stacks of disjointed point solutions and security appliances that they lean on. In fact, 42% of respondents identified consolidating vendors and reducing costs and complexity as a key challenge of current network and security architectures. Unlike point solutions, SASE platforms are fully converged, giving IT teams a single, shared context to better see and understand enterprise networks, prevent threats, and resolve problems. Indeed, one participant stated that SASE provides “more of a holistic viewpoint that gives us overall visibility not seen before.”
Not only is SASE adoption increasing visibility and control by providing a single pane of glass, but it’s also reducing costs. One survey participant reported that “the annual savings for us was over $250,000.” The savings was “substantial” for the respondent’s organization. As the World Economic Forum finds that more than half of chief economists anticipate the global economy to weaken in 2024, organizations face another year of economic uncertainty. It’s crucial that IT leaders can implement ways to reduce costs without compromising network security.
Shlomo Kramer, CEO and co-founder of Cato Networks, said it best: “SASE continues to be the antidote to security complexity." SASE’s ability to give IT teams a single, shared context worldwide to understand their networks, prevent threats, and resolve problems makes it no wonder why nearly 70% of respondents have already deployed or plan to deploy SASE in the coming years.
Unleashing SASE for All: Empowering the Channel Ecosystem Business
The concept of Secure Access Service Edge (SASE) promised a revolution in network security. Its core intent: to simplify the deployment and consumption of both networking and security functions. However, does the reality really live up to the initial hype?
The Intent Behind SASE
SASE is meant to streamline the delivery of network security functions, boosting efficiency and reducing complexity for organizations. Traditional approaches often involve a fragmented array of point products, each addressing a specific aspect of security or networking. This fragmentation not only complicates the management but also undermines the overall efficiency and security posture of organizations. SASE seeks to address these issues by converging various functions—such as SD-WAN, secure web gateways, cloud access security brokers (CASB), and zero-trust network access (ZTNA)—into a single, cohesive platform. The goal is to provide a more integrated, simpler, and scalable solution that meets the dynamic needs of today's businesses.
The Search for True SASE
Many vendors, in the race to capitalize on the SASE gold rush, have simply stitched together existing point products. This creates a situation where complexity lurks beneath the surface of a supposedly unified solution. Acquisitions haven't helped either, as vendors wrestle with integrating multiple management systems, further adding to the confusion.
What's missing is a true SASE platform, one designed from the ground up for the convergence of networking and security. This platform needs to be cloud-native to handle the ever-increasing demands of bandwidth and innovation. Cloud-native services are able to leverage automatic updates and security patches, ensuring enterprise networks are always up-to-date. This eliminates the need for manual, often procrastinated, updates on physical appliances, saving time and minimizing security risks. Legacy vendors simply can't compete with this vision.
Trying to Find SASE & Deliver It
Even if a "true" SASE platform emerges, the question of delivery remains. Large enterprises with vast resources might enjoy the luxury of direct vendor SASE services. However, the vast majority – including a significant portion of large enterprises themselves – rely on channel partners to access and implement these solutions. These partners, be they Service Providers (SPs), Global System Integrators (GSIs), Managed Service Providers (MSPs), or Value-Added Resellers (VARs), have faced their own challenges in delivering SASE efficiently and profitably to their diverse customer base. The challenges still come down to complexity in stitching together multiple point products, visibility into delivery of performance (and the opportunities of upsell), the ability to deliver value-added services, and, frankly, the “how” of everything SASE.
Cato SASE: A Platform Built for True SASE
Cato SASE Cloud Platform breaks free from the constraints of legacy solutions. Cato Networks has emerged as a game-changer in the SASE landscape by delivering a true SASE platform. Unlike fragmented or acquired solutions, Cato's platform is designed from the ground up to integrate networking and security into a single, cloud-native service. This holistic approach ensures that businesses can easily adopt and benefit from SASE without the operational headaches associated with traditional or pseudo-SASE solutions.
Cato's platform is built to scale, providing the performance and reliability needed to meet the demands of modern enterprises. It offers a unified, cloud-native platform designed specifically for the SASE model. This platform integrates critical networking and security functions – SWG, CASB, ZTNA, FWaaS, and more – into a single, cohesive offering.
With Cato SASE Cloud Platform, organizations gain:
Simplified Deployment and Management: Cato SASE converges networking and full-stack security into a single platform, freeing up valuable IT resources.
Unparalleled Scalability: The cloud-native architecture scales effortlessly to meet the bandwidth and security demands of any organization, regardless of size or location.
Global Reach: Cato's global private backbone ensures consistent, high-performance security and access, no matter where users and applications reside.
Cato MSASE: Empowering the Channel Ecosystem for SASE Delivery
Cato understands the critical role channel partners play in bringing SASE to the masses. That's why we created the Cato MSASE Partner Platform. MSASE provides partners with a complete SASE toolkit specifically designed for their unique business models.
Here's how Cato MSASE Partner Platform empowers the channel:
Channel partners can now differentiate their solution in the SASE market with Cato MSASE Partner Platform. This platform leverages Cato's converged, cloud-native, and global SASE platform, simplifying deployment and management. By consolidating networking and security into a single, multi-tenant platform, Cato MSASE empowers partners to streamline operations. Partners can further amplify their differentiation by adding their own unique services and leveraging co-branding capabilities.
Channel partners can accelerate their SASE go-to-market strategy with Cato's comprehensive launch toolkit. By leveraging Cato's decade of experience, partners gain access to pre-built resources including training programs, service description templates, and marketing materials. This allows them to launch their SASE offering quickly and confidently.
Channel partners can close more deals, faster, with Cato's proven tools. Leverage Test Drive templates and a 70%+ conversion Proof of Concept methodology to ignite customer interest. Partners can operate more independently with assets like quoting tools, free trial accounts, and a comprehensive knowledge base.
Partners can unlock profitability with Cato's capex-free SASE Cloud service. This eliminates upfront hardware and licensing costs, making SASE highly competitive against traditional solutions. Optional NOC and SOC services allow partners to execute now and invest later, while still offering customers security operations powered by AI and Cato's expert playbooks. Additional insights offer partners visibility into upsell opportunities.
With Cato MSASE, any channel partner, regardless of size or expertise, can become a SASE powerhouse.
The Equalizer: SASE for All
By delivering a true SASE platform through a robust channel ecosystem, Cato empowers organizations of all sizes to benefit from the security and agility of SASE. Large enterprises, small businesses, and everything in between now have access to a comprehensive SASE solution that is easy to deploy, manage, and scale. This levels the security playing field, allowing organizations of all sizes to focus on their core business while leaving their security worries behind.
Cato MSASE, delivered through the power of the channel ecosystem, is the key to unlocking equal opportunity in the ever-evolving world of cybersecurity.
Cato’s game-changing MSASE Partner Platform: Because service providers also needed a break
Managed service providers tell us they see great opportunity from so many businesses migrating to SASE. But many struggle to take advantage of it. Why is that?
In this post, we’ll examine why service providers can find it hard to build a Managed SASE (MSASE) service, and four things they need when launching one. We’ll explain how Cato is leveraging nearly 10 years of experience leading SASE, to disrupt the channel with a game-changing platform that helps service providers deliver managed SASE services. If you’re planning to launch MSASE, this post is for you!
What’s so hard about delivering a Managed SASE service?
SASE is the convergence of networking and security: from point products into a single service. SASE promised to make it easier for businesses to consume, and for service providers to deliver. But for many service providers, SASE has not proven simple to deliver at all. Why is that?
MSASE service providers build their services around a vendor’s SASE product. But many SASE vendors didn’t build a single converged SASE software stack from the ground up. Instead, they used point products, or legacy hardware solutions ported to virtual machines, or disparate software from the many companies they acquired.
These point products each require separate installation, configuration, maintenance, monitoring, and software upgrades. They might require identities and policies to be defined in multiple places, perhaps in multiple consoles. The effort and complexity leave little room to focus on delivering great customer service, making it hard to build a managed service and to integrate it with existing services.
A four-point plan for great Managed SASE service
After years of working with MSASE service providers, we identified four key requirements that every provider needs when they launch a Managed SASE service.
They want to offer a differentiated service.
This doesn’t just mean the very best underlying product. It also means the managed service they wrap around it. They want the vendor to do the daily maintenance work, allowing them to focus on excellent customer service. And they want tools to help them manage a large base of customers well.
They want to get to market fast.
It’s a tough gig launching a Managed SASE service. Providers who didn’t previously offer both network and security can lack skills, processes, knowledge, tools and content in key areas. These can be expensive and time-consuming to develop. Many want help to build those procedures, documents and collateral, and to train staff.
They want to sell, deliver and monetize deals fast.
Time is money. They want help to find leads, to convert them to opportunities, to close them, to deliver them and to bill for them … fast. They want to price fast, without waiting for their vendor. They want help to convince customers that their service is the best. They want to deploy, configure, test and bill services fast.
They want to maximize profitability.
They want a great cash flow, by avoiding up-front hardware costs. They want to run their services with as few staff as possible. If they’re adding network or security for the first time, they may want to delay hiring expensive new staff until they have customers on board. And they want tools to help them see which customers they should upsell, and which customers they need to retain.
A game-changer in networking and security: Cato’s MSASE Partner Platform
It’s challenging to launch an MSASE service and make it successful. There’s so much to do, and vendors with point products can make things more difficult. Service Providers need help!
So, let’s talk about how Cato can help. Our mission is to create world-class networking and security solutions for everyone. And our mission for partners is to enable world-class managed SASE services.
To achieve this mission, we recently launched the Cato MSASE Partner Platform: a commercial and technical framework to help partners deliver managed SASE services.
We don’t think we’re being immodest when we say this will be a game-changer for the channel. Nobody has gone this far to help partners create the best possible managed service and then to launch it fast, to sell and deploy fast, and to maximize profitability.
Cato’s MSASE partner platform is here to help partners with their four key requirements.
First, we help partners offer a truly differentiated service: by giving them our converged, cloud-native platform; by allowing them to focus on service while we handle maintenance and upgrades; and by allowing them to manage efficiently with a multi-tenant, partner-brandable platform.
We help them get to market fast: using our know-how, tools, collateral, training, sales support and marketing support.
We help them to win and deploy deals fast: with test drives, proven proof-of-concept templates (70% win rate!), with quoting independence, and with features to deploy and configure quickly.
And finally, we help them to be more profitable: with a capex-free service to ease cash flow, AI to make NOC and SOC teams more efficient, optional managed services to let them launch now and invest in hiring staff later, and tools to help manage upsells and re-signs.
If you’re an MSP, GSI or carrier, looking to launch or improve your Managed SASE service, talk to us!
When you build a Managed SASE service with Cato, our MSASE Partner Platform will help you to deliver the best possible experience, launch it quickly, win and deploy deals fast, minimize the effort to run the service and maximize profitability.
Find out more about the Cato MSASE Partner Platform.
Read the MSASE Partner Platform press release.
Ask for a conversation.
Addressing CxO Questions About SASE
A New Reality
The nature of the modern digital business is constantly and rapidly evolving, requiring network and security architectures to move at the same speed. Moving at the speed of business demands a new architecture that is agile, flexible, highly scalable, and very secure to keep pace with dynamic business changes. In short, this requires SASE. However, replacing a traditional architecture in favor of a SASE cloud architecture to meet these demands can introduce heart-stopping uncertainty in even the most forward-thinking CxOs.
Most CxOs understand what SASE delivers; some can even envision their SASE deployment. However, they require more clarity about SASE approaches, requirements, and expectations. The correct SASE decision delivers long-term success; conversely, the wrong decision adversely impacts the organization. Avoiding this predicament requires due diligence, asking tough questions, and validating their use cases and business objectives.
Understanding the right questions to ask requires understanding the critical gaps in the existing architecture to visualize the desired architecture. Asking the right questions requires clarity on the problems the business is trying to solve. Considerations like new security models, required skills, or potential trade-offs should be addressed before any project begins.
We’ll answer some of those questions and highlight how the right SASE cloud solution delivers benefits beyond architectural simplicity and efficiency.
Answering CxO Questions
Determining which questions are relevant enough to influence a buying decision and then acting on them can be exhausting. This blog addresses those concerns to clarify SASE’s ability to solve common use cases and advance business goals. While the following questions only represent a small set of the possible questions asked by CxOs, they help crystalize the potential of a SASE Cloud solution to address critical questions and use cases while assuaging any concerns.
Does this fit our use cases, and what do we need to validate?
A key decision point for many CxOs is whether or not the solution solves their most pressing use cases. So, understanding what’s not working, why it’s not working, and what success looks like when it is working gives them their north star, so to speak, as guidance. One would assume that answering this question is quite easy; however, on closer inspection we find the answers are rather subjective.
Through our engagements with customers, we’ve found that use cases tend to fall into one of three broad categories:
1. Network & security consolidation/simplification
Point solutions to address point problems yield appliance sprawl. This has created security gaps and sent management and support costs skyrocketing. This makes increasing IT spending harder to justify to the board, pushing more CxOs to explore alternatives amid shrinking budgets.
SASE is purpose-built to consolidate and simplify network and security architectures. The right SASE Cloud solution delivers a single, converged software stack that consolidates network, access, and security into one, thus eliminating solution sprawl and security gaps. Additionally, it eliminates day-to-day support tasks, thus delivering a high ROI.
2. Secure Access/Work-From-Anywhere
Covid-19 accelerated a new working model for modern digital enterprises. Hybrid work became the rule more than an exception, increasing secure remote access requirements.
SASE makes accommodating this and other working models easy while ensuring productivity and consistent security everywhere.
3. Cloud Optimization & Security
As hybrid and multi-cloud become a core business and technology strategy, performance and security demands have increased. Organizations require performance and security in the cloud comparable to what they received on-premises.
SASE improves cloud performance and provides consistent security enforcement for hybrid and multi-cloud environments.
The right SASE cloud approach addresses all common and complex use cases, thus becoming a clear benefit for modern enterprises.
How can we align architecturally with this new model? What will our IT operations look like? Can we inspire the team to develop new skills to fit this new IT model?
When moving to a 100% cloud-delivered SASE solution, it is logical to question the level of cloud expertise required. Can IT teams easily adapt to support a SASE cloud solution? How can we efficiently align to build a more agile and dynamic IT organization?
The average IT technologist joined the profession envisioning strategic, thought-provoking projects that challenged their creative and innovative prowess. SASE cloud solutions enable these technologists to realize this vision while allowing organizations to think differently about how IT teams support the overall business. Traditional activities like infrastructure and capacity planning, updating, patching, and fixing now fall to the SASE cloud provider, since it owns the network infrastructure. Additionally, SASE cloud strengthens NOC and SOC operations with 360-degree coverage for network and security issues. The right SASE cloud platform offloads these mundane operational tasks that typically frustrate IT personnel and lead to burnout.
IT teams can now focus on more strategic projects that drive business by offloading common day-to-day support tasks to their SASE Cloud provider.
How can all security services be effectively delivered without an on-premises appliance? What are the penalties/risks if done solely in the cloud?
Traditional appliances fit nicely into IT comfort zones. You can see them and touch them, so moving all security policies to the cloud can be scary. Some will question whether it makes sense to enforce all policies in the cloud and whether this will provide complete security coverage. These questions try to make sense of SASE, highlighted by a fear of the architectural unknown.
There is a reason most CxOs pursue SASE solutions. They’ve realized that current network architectures are unsustainable and require a bit of sanity. The right SASE Cloud platform provides this through the convergence of access, networking, and security into a single software stack. All technologies are built into a single code base and collaborate to deliver more holistic security. And, with a global private network of SASE PoPs, SASE Cloud delivers consistent policy enforcement everywhere the user resides. This simple method of delivering Security-as-a-Service makes sense to them.
What will this deployment journey be like, and how simple will it be?
Traditional network and security deployments are extremely complex. They require hardware everywhere, extended troubleshooting, and other unknown risks. These include integrating cloud environments; ensuring cloud and on-premise security policies are consistent; impact on normal operations; and licensing and support contracts, just to name a few.
Mitigating risks inherent with on-premises deployments is top-of-mind for most CxOs. SASE cloud solution deployments are straightforward and simple with most customers gaining a very clear idea of this during their POC. The POC provides customers with deep insight into common SASE cloud deployment practices and ease of configuration, and they gain clarity for their journey based on their use cases. Best of all, they see how the solution works in their environment and, more importantly, how the SASE cloud solution integrates into their existing production network. This helps alleviate any concerns for their new SASE journey.
What, if any, are the quantitative and qualitative compromises of SASE? How do we manage them?
CxOs face daunting, career-defining dilemmas when acquiring new technologies, and SASE is no different. They must determine how to prioritize and find necessary compromises when needed. Traditional solution deployments are sometimes accompanied by unexpected costs associated with ancillary technology or resource requirements. For example, how would they manage a preferred solution if they later find it unsuitable for certain use cases? Do they move forward with their purchase? Do they select another knowing it may fail to address a different set of use cases?
While priorities and compromises are subjective, it helps to identify potential trade-offs by defining the “must-have”, “should-have”, and “nice-to-have” requirements for a particular environment. Working closely with your SASE cloud vendor during the POC, you will test and validate your use cases against these requirements. In the end, customers usually find that the right SASE cloud solution will meet their common and complex access, network, and security use cases.
How do we get buy-in from the board?
SASE is just as much a strategic business conversation as an architectural one. How a CxO approaches this – what technical and business use cases they map to, their risk-mitigating strategy, and their path to ROI – will determine their overall level of success. So, gaining board-level buy-in is an important, and possibly the most critical, part of their process.
CxOs must articulate the strategic business benefits of converging access, networking, and security functions into a single cloud-native software stack with unlimited scalability to support business growth. An obvious benefit is how SASE accelerates and optimizes access to critical applications and enhances security coverage while improving user experiences and efficiency. CxOs can also consult our blog, Talk SASE To Your Board, for board conversation tips.
Cato SASE Cloud is the Answer
A key advantage of Cato SASE Cloud is that it solves the most common business and technical use cases. Mapping the SASE cloud solution into these use cases and testing them during a POC will uncover the must/should/nice-to-have requirements and help customers visualize solving them with a SASE cloud solution.
CxOs and other technology business leaders will naturally have questions about SASE and how to approach a potential migration. SASE changes the networking and security game, so embarking upon this new journey requires changing minds. Cato SASE Cloud represents the new secure digital platform of the future, best positioned to allow enterprises to experience business transformation without limits.
For more advice on deciding which solution is right for your organization, please read this article on evaluating SASE capabilities.
A CxO’s Guide: Tough Questions to Ask When Moving to SASE
Making the Paradigm Shift
A paradigm shift away from traditional network and security architectures towards a more flexible and highly scalable cloud-native SASE Cloud architecture can be stomach-churning for many CxOs today. However, taking a holistic view of the drivers of this shift will help put things into perspective. Realizing desired outcomes like the reallocation of resources to more strategic initiatives, agility, speed, and scalability can bring about child-like anticipation of how this new world of SASE will feel.
Before CxOs achieve technology nirvana, however, they must take a few logical steps, and asking tough questions to understand the problem statements and desired outcomes is an important part of this. To better frame this picture, we’ve discussed this with a few of our customers to understand their thought processes during their SASE journey.
Define The Problem Statement
Organizations arrive at SASE decisions from different vectors. For some, it’s as easy as upgrading their WAN connectivity and adding better security. For others, it is exploiting a refresh cycle to explore “what’s next”. Whatever the drivers, understanding the true problems is essential for proper outcomes.
A simple problem statement might be, “Our network is a mess, so we need a different approach to this refresh cycle. Do we have the talent to pull it off?” This identifies two problems to solve: network performance and reliability, and the skillset deficit. Another problem statement might be, “Our current tools are too expensive to maintain, and we need more value for the money we spend.” This implies that managing network and security tools equals more time spent on mundane support tasks than on strategic projects.
While these statements are rather generic, they are no less real-world for most CxOs. Identifying the true problem statement can be exhaustive; however, this is the first step toward understanding the right questions to ask.
“The steep learning curve on our firewalls meant we were not getting value on the high costs we were paying. We needed a simpler, well-designed solution that our teams could more easily learn and manage.”
~ Joel Lee, CIO @ an Asia-Based Construction Firm
Ask The Tough Questions
Determining which questions are relevant enough to influence a buying decision and asking them can also be exhausting. Not all tough questions are relevant questions, and vice versa. Additionally, all questions must derive from the problem statements specific to your business situation. The following are the top questions our CxOs tend to ask:
1. Does this fit our use cases, and what do we need to validate?
“What problems are we trying to solve, and how should we approach this?” By asking this question of their teams, CxOs are basically asking what is not working, why it’s not working, and what success looks like when it is working. On the surface, it seems easy to answer; however, when digging deeper, many organizations find this to be a daunting question because the answer is sometimes a moving target and is almost always subjective.
2. Do we have the right skills?
When moving to a 100% cloud-delivered SASE solution, it is logical to question the level of cloud expertise required. However, a major relief for CxOs is realizing that their teams could easily be trained for a SASE Cloud solution. Additionally, they realize their teams have more time to expand other technical skills that benefit the broader organization. This allowed them to re-frame the question to, “what additional skills can we learn to build a more agile and dynamic IT organization?”
3. SD-WAN makes sense, but SASE? How will all security services be delivered without an on-prem device? What are the penalties/risks if done solely in the cloud?
Traditional appliances fit nicely inside the IT happy place – an on-prem appliance with all configurations close by. So, can we really move all policy enforcement to the cloud? Can a single security policy really give us in-depth threat prevention? These questions try to make sense of SASE, highlighted by a fear of the architectural unknown. However, existing complexity is why these CxOs wanted to inject sanity and simplification into their operations. Security-as-a-Service delivered as part of a SASE Cloud made sense for them, knowing they get the right amount of security when needed.
4. What will the deployment journey be like, and how simple will it be?
Traditional infrastructure deployments require appliances everywhere, months and months of deployment and troubleshooting, multiple configurations, and various other risks that may not align with business objectives. This is a common mindset when pursuing SASE, and CxOs want to understand the overall logistics – “Will our network routing be the same? Will our current network settings be obsolete? Where will security sit? How will segmentation work? Is it compatible with my clouds, and how will they connect? Who supports this and how?” This is just a tiny subset of items to understand, intending to set proper expectations.
5. What are the quantitative and qualitative compromises?
CxOs need to understand how to prioritize and find compromises where needed. Traditional costs often go beyond the purely monetary and extend into architectural and resource costs. So, an effective approach proposed was using the 80/20 rule on compromises – what are my must-have, should-have, and could-have items or features? Answering this begins with knowing where the 80/20 split is. For example, if the solution solves 80% of your problems and leaves 20% unsolved, what is the must-have, should-have, and could-have of the remaining 20%?
How do you determine which is which?
How would you solve the must-haves differently inside the same architecture?
How will you adapt if an architectural could-have unexpectedly evolves into a must-have?
6. How do we get buy-in from the board?
SASE is just as much a strategic conversation as it is an architectural one. How a CxO approaches this – what technical and business use cases they map to, and their risk-mitigation strategy – will determine their overall level of success. So, gaining board-level buy-in was a critical part of their process. There were various resources that helped with these conversations, including ROI models. CxOs can also consult our blog, Talk SASE To Your Board, as another valuable resource that may assist in these conversations.
“What does this convergence look like, and how do we align architecturally to this new model?”
~ Head of IT Infrastructure @ a leading seaborne energy trader specializing in LNG
Mitigate Internal Resistance
Any new project that requires a major paradigm shift will generate resistance from business and IT teams. Surprisingly, our panel experienced very little resistance when presenting SASE to their teams. Each anticipated potential resistance to budgets, architecture change, resource allocations, etc. They determined what could and could not be done within those constraints and addressed them far in advance. This helped mitigate any potential resistance and allowed them to ease all concerns about their decision.
What Other CxOs Can Learn
Transitioning to SASE requires time and planning, like any other architecture project. Keys to making this successful include understanding your problem statement, identifying your outcomes, and learning from your peers. This last point is key because SASE projects, while relatively new, are becoming more mainstream, and the following advice should make any SASE journey much smoother.
Planning Your Project
Have a clear vision and seek upfront input from business and technical teams
Have a clear understanding of your “as-is” and “to-be” architecture
Don’t jump on the bandwagon – know your requirements and desired outcomes
Conduct Thorough Research
Do a detailed analysis of the problem, then do your market research
Understand Gartner’s hype cycle, roadmaps, predictions, etc.
Never stop researching solutions until your goals are finalized
You may discover something you needed that you did not realize you needed – extended value
Evaluate The Solution and Vendor
Develop a scoring mechanism to evaluate vendor technology and performance
Understand your compliance requirements (NIST, PCI-DSS, ISO, GDPR, etc.) and how the solution will enable this
Examine their approach to delivering your outcomes, and pay attention to onboarding, training, and ongoing support
Be Confident in Your Decision
Don’t focus solely on costs
Examine the true value of the solution
Understand the extended costs of each solution – SLAs, ongoing maintenance, patching, fixing, scalability, refresh cycles, etc.
Be honest with yourself and your vendor and remain focused on your outcomes
This approach benefitted our CxOs and guided them toward the Cato SASE Cloud solution.
“Know what you want to achieve upfront, then stay focused but flexible. Pay attention to skills and capacity requirements.”
~ Stuart Hebron, Group CIO, Tes
Make the SASE Decision
SASE is the ultimate business and technology transformation, and embarking upon this journey is an important step that every decision-maker will, understandably, have questions about. Are we compromising on anything? What risks might we face? Do we have the right skill set internally? Is it financially feasible? These are just a few of the key questions CxOs will pose when pursuing SASE. Asking them will provoke critical thinking and more holistic planning that includes all elements of IT and the broader organization. In the end, asking these questions will lead you to the obvious conclusion – a digital transformation platform like the Cato SASE Cloud solution is the best approach to prepare you for continuous business transformation without limitations.
For more advice on deciding which solution is right for your organization, please read this article on evaluating SASE capabilities.
7 Compelling Reasons Why Analysts Recommend SASE
Gartner introduced SASE as a new market category in 2019, defining it as the convergence of network and security into a seamless, unified, cloud-native solution. This includes SD-WAN, FWaaS, CASB, SWG, ZTNA, and more.
A few years have gone by since Gartner's recognition of SASE. Now that the market has had time to learn about and experience SASE, it's time to understand what leading industry analysts think of it. In this blog post, we bring seven observations from analysts who recommend SASE and analyze their underlying impact. You can read their complete insights and predictions in the report this blog post is based on.
1. Convergence Matters More Than Adding New Features
According to the Futuriom Cloud Secure Edge and SASE Trend Report, “The bottom line is that SASE underlines a larger trend towards consolidating technology tools and integrating them together with cloud architectures.”
Point solutions increase complexity for IT teams. They also expand the attack surface and decrease network performance. SASE converges networking and security capabilities into a holistic and cloud-native platform, solving this problem.
Convergence makes SASE more efficient and effective than point solutions. It improves performance through single-pass processing, improves the security posture thanks to holistic intelligence, and simplifies network planning and shortens time to resolve issues with increased visibility.
2. SASE is the Ultimate “Convergence of Convergence”
SASE is convergence. Gartner Predicts 2022 highlighted how converged security delivers more complete coverage than multiple integrated point solutions. Converged Security Platforms produce efficiencies greater than the sum of their individual parts.
This convergence can be achieved only when core capabilities leverage a single pass engine to address threat prevention, data protection, network acceleration, and more.
3. SASE Supports Gradual Migration: It’s an Evolution, Not a Revolution
According to David Holmes, Senior Forrester Analyst, “SASE should be designed to support a gradual migration. There is definitely a way not to buy everything at once but start small and grow gradually based on your need and your pace.”
SASE is an impactful market category. However, this doesn't mean enterprise IT teams should suddenly rearchitect their entire network and security infrastructure without adequate planning. SASE transformation can take a few months, or even a few years, depending on the organization's requirements.
4. SASE is about Unification and Simplification
According to John Burke, CTO and Principal Analyst of Nemertes, “With SASE, policy environments are unified. You’re not trying to define policies in eight different tools and implement consistent security across context.”
With SASE, networking and security are inseparable. All users benefit from the holistic security and network optimization in SASE.
5. SASE Allows Businesses to Operate with Speed and Agility
According to Andre Kindnes, Principal Analyst at Forrester Research “The network is ultimately tied to business, and becomes the business’ key differentiator.”
SASE supports business agility and adds value to the business, while optimizing cost structures. IT can easily perform all support operations through self-service and centralized management. In addition, new capabilities, updates, bug fixes and patches are delivered without extensive impact on IT teams.
6. SASE is Insurance for the Future
According to John Burke, CTO and Principal Analyst of Nemertes, “It’s pandemic insurance for the next pandemic.”
SASE future-proofs the business and network for ongoing growth and innovation. The trigger could be a drastic event like a pandemic, a significant change like digital transformation or M&A, or merely a shift in network traffic patterns. SASE lets organizations move with speed and agility.
7. SASE Changes the Nature of IT Work from Tactical to Strategic
According to Mary Barton, Consultant at Forrester, “IT staff is ultimately more satisfied, because they no longer deploy to remote sites to get systems up and running.”
She also says, “The effect is IT morale goes up because the problems solved on a day-to-day basis are of a completely different order. They think about complex traffic problems and application troubleshooting and performance.”
The health of your network has a direct impact on the health of the business. If there are network outages or performance is poor, the business’ bottom line and employee productivity are both affected. An optimized network frees IT to focus on business-critical tasks, rather than keeping the lights on.
Cato Networks is SASE
According to Scott Raynovich, Founder and Chief Analyst at Futuriom, “Cato pioneered SASE, creating the category before it existed.” He added, “They saw the need early on for enterprises to deliver global, cloud-delivered networking and security. It’s a vision that is now paying off with tremendous growth.”
Read the complete report here.
SASE Evaluation Tips: The Risk of Public Cloud's High Costs on SASE Delivery
David Heinemeier Hansson lays out the economic case for why application providers should leave the cloud in a recently published blog post. It's a powerful argument that needs to be heard by IT vendors and IT buyers, whether they are purchasing cloud applications or SASE services.
Hansson is the co-owner and CTO of 37Signals, which makes Basecamp, the project management software platform, and Hey, an email service. His "back of the napkin" analysis shows how 37Signals will save $1.5 million per year by moving from running its large-scale cloud software in the public cloud to running its cloud software on bare-metal hardware. If you haven't done so, I encourage you to read the analysis yourself.
Those numbers might seem incredible for those who've bought into the cloud hype. After all, the cloud was supposed to make things easier and save money. How's it possible that it would do just the opposite?
The cloud doesn't so much reduce vendor costs as let vendors get to market faster. They avoid the planning, deployment time, and investment associated with purchasing, shipping, and installing the hardware components, creating the redundancy plans, and the rest of what goes into building data centers worldwide. The cloud gives vendors the infrastructure from day one. Its elasticity relaxes rigorous compute planning, letting vendors overcome demand surges by spinning up more compute as necessary.
All of which, though, comes at a cost, a rather large one. Hansson realized that, with planning, an experienced team could meet the time-to-market and elasticity requirements without the expenditures the cloud demands:
"…The main difference here is the lag time between needing new servers and seeing them online. It truly is incredible that you can spin up 100 powerful machines in the cloud in just a few minutes, but you also pay dearly for the privilege. And we just don't have such an unpredictable business as to warrant this premium. Given how much money we're saving owning our own hardware, we can afford to dramatically over-provision our server needs, and then when we need more, it still only takes a couple of weeks to show up."
The result: enormous capital savings (and other benefits).
From Productivity Software to Productive SASE Services
What Hansson says about application software holds for SASE platforms. A SASE platform requires PoPs worldwide. Those PoPs need servers with enough compute to work 24x7 under ordinary occasions and additional compute needed to accommodate spikes, failover, and other conditions.
It's a massive undertaking that takes time and planning. In the rush to meet the demand for SASE, though, many SASE players haven't had that time. They had no choice but to build out their SASE PoPs on public cloud infrastructure precisely because they were responding to the SASE market. Palo Alto Networks, for example, publicly announced their partnership with Google Cloud in 2022 for their ZTNA offering. Cisco announced its partnership with Google for global SD-WAN service. And they're not alone. With the purchasing of cloud infrastructure, those companies incur all the costs Hansson details.
Which brings us to Cato. Our founders started Cato in 2015, four years before SASE was even defined. We didn't respond to the SASE market; we invented it.
At the time, the leadership team, which I was fortunate enough to be part of, evaluated and deliberately avoided public cloud infrastructure as the basis for the Cato SASE Cloud. We understood the long-term economic problem of building our PoP infrastructure in the cloud. The team also realized that owning our infrastructure would bring other benefits, such as delivering Cato SASE Cloud into regions unserved by the public cloud providers.
Instead, we invested in building our PoPs on Cato-owned and operated infrastructure in tier-4 data centers across 80+ countries. Today, we continue with that philosophy and rely on our experienced operations team to ensure server supply to overcome supply chain problems.
High Costs Mean a Choice of Three Rotten Outcomes for Customers
Now, customers don't usually care about their vendors' cost structures, at least not initially. But when a service isn't profitable because the COGS (cost of goods sold) is too high, there are only three outcomes, and none is particularly well-liked by customers: the company goes bankrupt, prices grow to compensate for the loss, or service quality drops.
Those outcomes are improbable if a vendor sells a service or product at a profit. The vendor may adjust prices to align with macroeconomics and inflation rates, or decrease prices over time, sharing the economic benefit of large-scale operations with its customers. Or the vendor may evolve service capabilities and quality to meet customer needs better. Regardless, the vendor will likely be the long-term solution enterprise IT requires for networking or security.
The Bottom Line Should Be Your Red Line
Using public clouds for large-scale cloud services allowed legacy vendors to jump into the then-new SASE market and seemingly offer what any enterprise IT buyer wants: the established reputation of a large company combined with the innovation that is SASE. It's a nice, comforting story. It's also not true.
Building a SASE or application service on a cloud platform brings an excessively high COGS, as Hansson has pointed out. Eventually, that sort of deficit comes back to bite the company. Sure, a company may be able to hide its losses for a while. And, yes, if the company is large enough, like a Palo Alto Networks or Cisco, it's not likely to go out of business any time soon.
But if the service is too expensive to deliver, any vendor will try to make the service profitable – whether by increasing prices or decreasing service quality – and always at the customer's expense. Ignoring such a glaring risk when buying infrastructure and purchasing from a large vendor isn't "playing it safe." It's more like sticking your head in the lion's mouth. And we know how well that goes.
Deploying Cato SASE, Step by Step
It's not uncommon for enterprises to find themselves in a situation where they've purchased new technology but are then faced with the hurdle of understanding what they've acquired and how to deploy it. This can often lead to confusion, deployment delays, and frustration with the new technology. Deploying the Cato SASE solution can be both simple and quick if you follow this checklist.
Planning
As with any new deployment, key stakeholder input and expertise will be required throughout the entire project. Those stakeholders can include members of management, security analysts, network engineers, application owners, and even your external partners (MSPs, VoIP, ISPs, etc.). The collaboration of this team will be crucial for the successful implementation of your Cato SASE platform.
The key deliverable from your planning meetings will be a formal SASE deployment plan, which becomes the roadmap for your project. It should include key dates, milestone events, and success criteria for each milestone, and it should remain somewhat flexible, since external circumstances sometimes require timelines or plans to change. In addition to the project timeline, the plan should specify the site deployment order, which SASE features will be adopted, and in what order they will be deployed.
Deployment
Once you have the completed and agreed-upon SASE deployment plan, you are ready to implement that plan. You should have received notification of access to the Cato Management Application (CMA), allowing you to start creating your sites and configuring your basic networking and security settings. It is a best practice to pre-configure your sites in the CMA before connecting the Cato Sockets or deploying IPSec tunnels to those locations. When the Cato Sockets arrive at your locations, you will be ready to connect them to the Internet and the Cato Cloud.
In addition to the locations around the world you are connecting via the Cato Cloud, you will also need to import your remote users to the CMA and deploy the Cato Software-Defined Perimeter (SDP) Client based on the deployment plan. Cato supports SCIM and LDAP sync for importing users and group membership data. Once the users are onboarded as Cato SDP users, like your sites, they will also use their closest point of presence (PoP) to connect to the Cato Backbone and have access to your corporate network worldwide.
Network Settings
After you have started deploying your sites, which often require minimal network configuration, several options are available that will help your organization adjust and scale your networking configuration in Cato. Some of these configuration options include:
DHCP
DNS
Bandwidth Management (QoS)
Link health
Configuring these settings in the CMA will push the configuration globally to all of the Cato PoPs to ensure that all your locations and users have the same global performance and experience.
Security Settings
Since Cato is a complete SASE solution, it includes features such as firewall-as-a-service, intrusion prevention, anti-malware, and application control, to name a few. Most of these features can be enabled with the flip of a switch in the CMA and will require some policy configuration, but otherwise provide basic protection right out of the box.
Cato's firewall-as-a-service offers both an Internet and a WAN firewall for external and internal traffic and operates in the Cato PoPs, removing most of the need for on-premises firewalls. The intrusion prevention system (IPS) uses a multi-layered approach, which includes reputation analysis, known-vulnerability detection, anti-bot detection and blocking, and validation of network protocols to ensure traffic legitimacy.
Cato implements the SentinelOne Next-Gen Anti-Malware engine as a second layer of threat protection. The engine applies a machine-learning model trained on features of both benign and malicious files to identify malicious content in common file types, including content that resembles known threats in its malware sample database.
Since a vast amount of network traffic is encrypted, Cato offers TLS inspection as an option to decrypt, inspect, and re-encrypt traffic to ensure security even with encrypted traffic. Cato recommends using TLS inspection as a best practice to get the most out of the IPS, CASB, and anti-malware security modules.
Visibility and Integrations
Once you have deployed a few sites onto the Cato platform, you can see events and analytics flow into the CMA. These events are further processed into Cato XDR stories and displayed on the Stories dashboard. This data, combined with application and user awareness information, will offer a detailed view of your environment. With a SIEM-like experience in viewing and searching for events, your organization can utilize this rich and actionable data almost immediately after deploying your first site and users.
In Summary
Deploying SASE for enterprise is a clear-cut process with Cato. Download our white paper “SASE Deployment Made Simple with Cato” for more insight.
Cato Continues Expansion with New Global Headquarters
Today is an exciting one for us here at Cato. We opened our new, state-of-the-art corporate headquarters in the scenic Sarona neighborhood of Tel Aviv, Israel. The new offices span 17,000 square meters, more than triple the size of our previous headquarters (also based in Sarona).
The increased office space reflects how far we’ve come since moving into the now-old offices five years ago. Back then, few had heard of SASE, our Points of Presence (PoP) count spanned just 27 locations, and company emails were still on only a first-name basis (first name at catonetworks.com). Today, SASE is, well, everywhere. The Cato SASE Cloud Platform spans 90+ PoP locations, and company emails have added last names. Today, our global team includes more than 1,000 employees, and we’ve grown our Israel headcount in the past year by 100+ positions to over 500 employees.
The new Cato Networks facilities will address that growth with ample workspace. More than 1,000 workstations will be available as private offices and open-area workspaces.
“Bright, inclusive, and collaborative – these are words often used to describe our people and culture. They also capture the essence of our new global headquarters,” said Shlomo Kramer, CEO and co-founder of Cato Networks.
Left to right: Daniel Bleichman, Dalia Aderet, Gal Blushtein, Shiri Amit, Zehorit Mulshanski
The diverse work and collaboration spaces will meet the wide-ranging needs of Cato teams. There will be a recording studio for broadcast interviews and video production. An auditorium will be available to hold large gatherings. Numerous conference rooms and meeting areas will be available, bearing names from Cato’s PoP locations.
The new headquarters will also let Cato address the broader needs of “Catonians.”
“At Cato, we are committed to the well-being and experience of our employees,” says Zehorit Mulshanski, vice president of human resources at Cato. “This commitment is reflected in everything we do, from the construction of our offices to the wellness service we provide to the ergonomic chairs and desks that can be adjusted for standing work. These were all designed to support maximum convenience, productivity, cooperation, and collaboration."
Cato employees will benefit from breakfast catered by R2M and served daily. Cafeterias and kitchenettes situated at various locations across the floors will be fully stocked 24/7 with treats and fresh ingredients. A shake bar, a fully equipped gymnasium, exercise and yoga rooms, and showers will also be provided on-site to encourage employee health and well-being.
A Headquarters Befitting a Global Category Creator
Cato has led the SASE revolution, transforming how IT leaders deliver and consume network and security services. The elegance of the Cato SASE experience has propelled the company’s success, leading to 59% revenue growth in 2023 with the addition of more than 700 new enterprise customers. Overall, Cato services more than 2,400 enterprise customers worldwide including Carlsberg Group, BoydCAT, AFI Properties, and the TAG Heuer Porsche Formula E Team.
Cato brings that same focus on usability to its work environment, creating a collaborative, modern-designed workspace. The new facility spans six floors of the prestigious Landmark Tel Aviv. The commercial and residential complex features an iconic atrium connecting two office wings on either side. The atrium features the largest cable wall in Israel, 160 meters high. Bridges cross the atrium, connecting the floors with a larger bridge every ten floors as a common area, providing an easily accessible open area for “Catonians” to collaborate and relax.
Natural lighting is promoted throughout the complex. In addition to the atrium, the two wings feature external glass walls, allowing for naturally lighted workspaces and providing views of Tel Aviv and the Mediterranean Sea.
Left to right: Misha Pak, Racheli Noyman, Brurya Kurman, Ishai Hunger
Sustainability is at the heart of the Cato SASE Cloud Platform and lies at the core of Landmark Tel Aviv. The building combines Double Skin Facade (DSF) facades with internal blinds, glazing with a low heat transfer coefficient, and high transparency (daylight input) to reduce the load on its energy-efficient air conditioning systems. A fresh air flow meter controls how much fresh air enters the building. A low-lighting-load design ensures energy savings while providing sufficient lighting. Parking for electric vehicles and 350 bicycles is planned.
“At Cato, we are building the next-generation IT security company,” says Kramer. “The new space was designed to equip our employees with everything they need so we can achieve that goal together.”
Cato Networks' Impact and Analysis of CVE-2024-3661 ("TunnelVision" VPN Vulnerability)
On May 6th, 2024, researchers from the Leviathan Security Group published an article detailing a technique to bypass most VPN applications, assigned CVE-2024-3661 with a High CVSS score of 7.6. The researchers labeled the technique "decloaking": while the VPN tunnel remains connected, it tricks many VPN clients into sending traffic via a side channel rather than through the encrypted tunnel. Traffic flows through the side channel unencapsulated and can be snooped by an attacker.
The attack requires introducing a rogue DHCP server to the local network. This is not easy on well-maintained networks that use trust zones and DHCP snooping to prevent this attack vector. Notably, the threat from an adjacent attacker on the local network is not limited to DHCP; untrusted networks expose hosts to various other threats, such as ARP poisoning, LLMNR poisoning, and so on. In the case presented in the article, the malicious DHCP server poisons the routing table of its neighbor on the local network. Because DHCP is broadcast-based and runs over UDP, with little verification of who is answering, fabricating responses is easy and can be done in several ways.
Specifically, the response sent by the malicious server to a lease request sent on the local network utilizes option 121 [RFC 3442] - allowing the DHCP server to push classless static routes into the neighboring client routing table.
Cato Client impact and recommended actions
The affected operating systems are:
Windows
Linux
MacOS
iOS
* Android is unaffected by the technique since it does not implement support for DHCP Option 121 altogether.
For recommendations for Windows Client users, see below. We are additionally working on updates to the other affected operating systems and updates will be issued as they become available.
Cato customers using the Windows Client may use a registry key to enable the "Delete Static Routes" feature on the Client, which configures the Client to delete all static routes not managed by Cato when it connects. The configuration takes effect the next time the Client connects to the Cato cloud; if Always-On is enabled, users may need to bypass Always-On first (see the Always-On bypass documentation). If there are legitimate reasons for static routes to be present, this setting will remove them as well and should be weighed against that.
Registry key details:
Location: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\CatoNetworksVPN
Name: DeleteStaticRoutes
Type: REG_DWORD
Value: 1
The one-liner below can be used on Windows as well, or distributed using known methods such as MDM tools or GPO policies:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\CatoNetworksVPN" /v DeleteStaticRoutes /t REG_DWORD /d 1 /f
To improve security in managed networks or in scenarios involving public or otherwise untrusted networks, these additional recommendations may be used to mitigate the vulnerability:
Mitigating DHCP attacks on local networks: Admins can enable configurations on network switches such as DHCP Snooping to protect the network from the introduction of a rogue DHCP server.
Use Cellular Hotspots: Using a cellular network instead of public Wi-Fi mitigates the risk, as the network is controlled by the mobile device.
Disable Option 121: Disable it on endpoints where possible, keeping in mind that this may disrupt some network connectivity.
Cato Networks is not aware of any malicious exploitation of its ZTNA using this technique.
Details of the attack
When a VPN client operates, it begins by creating an encrypted version of the original packet received from its virtual network interface. This encrypted packet is then encapsulated within the VPN protocol layer, allowing secure communication with the VPN server.
Upon establishing a connection with the VPN server, the VPN client modifies the host's network settings to route all traffic through this secure tunnel.
The Role of DHCP in Network Configuration
DHCP (Dynamic Host Configuration Protocol) plays a critical role in network management by automatically assigning IP addresses and configuring network settings for devices on a network, ensuring seamless connectivity and efficient use of IP address space.
One of the advanced features of DHCP is Option 121, introduced in RFC 3442. Option 121, also known as the “Classless Static Route Option”, allows network administrators to define classless static routes for clients, specifying routes with both the destination subnet and the gateway address. This capability enhances routing flexibility by enabling the precise direction of traffic to specific subnets, improving network efficiency and control. For example, administrators can use Option 121 to route traffic for a particular subnet through a different gateway than the default, optimizing network traffic flow and enhancing security measures by directing traffic through designated security appliances or monitoring systems.
Methods of exploitation
The prerequisite is for an attacker to run their own malicious DHCP server on the network and for targeted users to treat it as the legitimate DHCP server.
There are several methods by which an attacker on the same network as the targeted user can position themselves as the DHCP server:
DHCP Starvation Attack: By using a rogue DHCP server to perform a DHCP starvation attack against the legitimate DHCP server, the attacker can exhaust available IP addresses and respond to new clients.
Race Condition Exploitation: The rogue DHCP server can race to respond to DHCPDISCOVER broadcasts, taking advantage of the common client behavior of accepting the first lease offer received.
ARP Spoofing: The attacker can use ARP spoofing to intercept traffic between the legitimate DHCP server and clients, then wait for clients to renew their leases, redirecting them to the rogue DHCP server.
Attack Execution
Once a malicious DHCP server is deployed on the same network as the targeted VPN user, it is configured to advertise itself as the default gateway. When traffic reaches this gateway, forwarding rules relay it to the legitimate gateway, allowing the traffic to be monitored or inspected as it traverses the malicious server, effectively an Adversary-in-the-Middle (AitM) attack.
Utilizing DHCP Option 121
A crucial part of the attack is leveraging DHCP option 121 to inject custom routes into the VPN user's routing table. Arbitrary routes can be set, and multiple routes if needed. Because the operating system selects routes by longest prefix match, routes more specific than the 0.0.0.0/0 default used by most VPNs take priority over the route for the VPN's virtual interface. For instance, two /1 routes, 0.0.0.0/1 and 128.0.0.0/1, together cover the entire IPv4 address space and override the 0.0.0.0/0 all-traffic route set by most VPNs.
Injecting these routes causes network traffic to be directed through the same interface as the rogue DHCP server, bypassing the VPN’s virtual interface. As a result, the traffic routed this way is not encrypted by the VPN and is instead transmitted via the network interface interacting with the DHCP server.
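As an added example, not code from Cato or from the Leviathan write-up, the following Python covers both the Option 121 description above and the attack execution just described: it builds and parses an RFC 3442 Option 121 payload, flags the "routes that blanket all of IPv4 via the rogue server" pattern, and simulates longest-prefix-match route selection on a host with a VPN up, showing the tunnel endpoint staying reachable while other traffic is decloaked, and the effect of removing static routes the VPN client did not install (the "Delete Static Routes" mitigation, modelled here as a simplification). Addresses, interface names, metrics and the route table are constructed; the Cato Client's real route-handling logic is not on the page and is not reproduced.

```python
"""
Added example, not code from Cato or from the Leviathan write-up: encode and
decode DHCP Option 121 (RFC 3442 classless static routes), flag the
TunnelVision pattern, and simulate longest-prefix-match routing to show why two
/1 routes pushed by a rogue DHCP server win over a VPN's 0.0.0.0/0 and why
deleting static routes the VPN client does not manage restores the tunnel.
All addresses are constructed sample values (RFC 5737 documentation ranges).
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def encode_option_121(routes):
    """routes: [(dest_cidr, router_ip)] -> raw option 121 payload (RFC 3442 s.2)."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)
        nsig = (net.prefixlen + 7) // 8          # only the significant octets are sent
        out.append(net.prefixlen)
        out += net.network_address.packed[:nsig]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_option_121(payload):
    """Parse an option 121 payload into [(IPv4Network, IPv4Address)], rejecting
    malformed or truncated data instead of guessing."""
    routes, i = [], 0
    while i < len(payload):
        width = payload[i]
        if width > 32:
            raise ValueError("invalid prefix length %d" % width)
        nsig = (width + 7) // 8
        dest = payload[i + 1:i + 1 + nsig]
        router = payload[i + 1 + nsig:i + 5 + nsig]
        if len(dest) != nsig or len(router) != 4:
            raise ValueError("truncated option 121 payload")
        net = ipaddress.IPv4Network((dest + b"\x00" * (4 - nsig), width), strict=False)
        routes.append((net, ipaddress.IPv4Address(router)))
        i += 5 + nsig
    return routes


def covers_all_ipv4(routes):
    """TunnelVision indicator: the pushed routes together blanket the whole
    address space (e.g. 0.0.0.0/1 + 128.0.0.0/1), which a legitimate
    'reach this subnet via that gateway' deployment never needs."""
    return list(ipaddress.collapse_addresses(n for n, _ in routes)) == [ANY]


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    iface: str
    via: str
    metric: int
    source: str          # "connected", "dhcp", "vpn" or "static" (constructed model)


def lookup(table, dst):
    """What the OS does: longest prefix wins, then the lowest metric."""
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in table if dst in r.dest]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.dest.prefixlen, r.metric))


def install_option_121(table, routes, iface="eth0"):
    """Option 121 routes land on the physical interface as static routes the
    VPN client knows nothing about."""
    return table + [Route(n, iface, str(gw), 1, "static") for n, gw in routes]


def delete_unmanaged_static_routes(table):
    """Simplified model (an assumption of this example) of the post's
    'Delete Static Routes' behaviour: drop static routes the VPN client did not install."""
    return [r for r in table if r.source != "static"]


def baseline_table():
    """Constructed host with a VPN up: the tunnel carries the default route and a
    /32 to the VPN gateway keeps the tunnel reachable over the physical link."""
    return [
        Route(ipaddress.IPv4Network("192.0.2.0/24"), "eth0", "0.0.0.0", 1, "connected"),
        Route(ANY, "eth0", "192.0.2.1", 100, "dhcp"),                      # physical default
        Route(ipaddress.IPv4Network("203.0.113.10/32"), "eth0", "192.0.2.1", 1, "vpn"),
        Route(ANY, "tun0", "10.8.0.1", 1, "vpn"),                          # VPN default
    ]


# Constructed rogue lease: the attacker at 192.0.2.66 pushes two /1 routes via itself.
ROGUE_OPTION_121 = encode_option_121([("0.0.0.0/1", "192.0.2.66"),
                                      ("128.0.0.0/1", "192.0.2.66")])


def demo(target="198.51.100.5"):
    """Return which interface carries traffic to `target` before the rogue lease,
    after it, and after the static-route cleanup, plus the detection verdict."""
    pushed = decode_option_121(ROGUE_OPTION_121)
    before = baseline_table()
    after = install_option_121(before, pushed)
    fixed = delete_unmanaged_static_routes(after)
    return {
        "payload_hex": ROGUE_OPTION_121.hex(),
        "covers_all": covers_all_ipv4(pushed),
        "before": lookup(before, target).iface,
        "after": lookup(after, target).iface,
        "vpn_server_after": lookup(after, "203.0.113.10").via,  # tunnel itself stays up
        "fixed": lookup(fixed, target).iface,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the whole story in one table: traffic to 198.51.100.5 leaves via tun0 before the rogue lease, via eth0 (plaintext, through the attacker's gateway) once the /1 routes are installed, while the /32 to the VPN server still points at the legitimate gateway so the tunnel never drops; removing the unmanaged static routes sends the traffic back through tun0. The `covers_all_ipv4` check is the kind of test a DHCP-snooping or endpoint agent could apply to a lease before honouring its option 121 routes.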
Summary
The "decloaking" technique highlights a vulnerability in VPN applications, allowing attackers to reroute traffic outside the encrypted tunnel. By exploiting DHCP, and specifically Option 121, attackers can manipulate routing tables and compromise network security. The attack is not trivial to carry out, especially on well-maintained networks, and does not directly compromise the user; rather, it puts the attacker in a position to snoop on the traffic, which in most scenarios is already encrypted (e.g. HTTPS/TLS) before it enters the VPN. This discovery underscores the importance of securing DHCP configurations and being vigilant on public networks.
Cato's Addie Finch Named to CRN's Women of the Channel Power 100 List
Since our founding in 2015, Cato Networks has been committed to being a partner-first company, where our channel partners, solution providers and resellers are at the forefront of our business strategy and growth. Our progress would not be possible without our channel ecosystem and, by extension, the guidance of Cato's channel leaders.
We are excited by this week’s news that Cato’s own Addie Finch (Area Vice President, Americas - VAR & Strategic Partners) has been named to CRN’s 2024 Women of the Channel Power 100 list. The Power 100 recognizes some of the most influential women leaders from technology vendors and distributors who consistently contribute their advocacy and expertise to advancing the channel.
In addition, Addie and three other Catonians were named to CRN’s 2024 Women of the Channel list. The Women of the Channel is an annual recognition of women from vendor, distributor and solution provider organizations whose vision and leadership have a beneficial influence on the technology industry. Cato’s honorees include:
Dianne Bruno, Global Channel Marketing Director
Juliette McDonough, Channel Account Manager
Komal Shruti, Director, Channels - APAC
CRN is acknowledging what we at Cato already hold in high regard; the contributions of these women and the teams they lead are integral in not only delivering value for channel partners, but in their efforts driving a necessary industry-wide shift.
Amidst a chaotic era in IT security, organizations are struggling to manage complex security infrastructures due to a point solution culture that was set up to build individual products to stay ahead of the latest threats. SASE is the antidote to this chaos by consolidating networking and security into a unified cloud-native platform.
Cato has been the category creator and leader of the SASE market since 2015 — before the term to describe the convergence of networking and security even existed — and our journey would not be the same without our channel leaders.
They are instrumental in driving SASE’s growth in the channel and across the industry. They embody Cato’s partner-first ethos by equipping our channel partners with the technology they need to not only meet evolving market demands, but also stay ahead of the curve. They are, among the many, bringing order to the chaos of the IT security landscape.
Please join us in congratulating the achievements of Cato's channel leaders and everyone honored on CRN’s 2024 Women of the Channel list!
Unmasking the Challenges of Blocking Malicious IP Addresses: Overcoming the Unknown
In the ever-evolving threat landscape, identifying and blocking malicious IP addresses is an essential defense mechanism. However, this task presents unique challenges that demand careful consideration and innovative approaches.
Unlike domain names, the registration details for IP addresses are less transparent, making it more challenging to access ownership information, registration dates, and the responsible parties. Like domains, IP addresses are registered and can be queried through WHOIS services managed by registrars such as RIPE and ARIN. Nevertheless, the information available for IP addresses is often more obscure compared to the detailed records accessible for domain names.
This distinction significantly impacts the ability to assess and validate the entities behind IP addresses. Additionally, another obstacle arises with dynamic IPs, where the IP address of a device changes periodically, making it harder to track and block malicious activity effectively. It becomes even more challenging when an IP address serves as a shared hosting platform or a cloud provider, accommodating both legitimate and non-legitimate sources.
In this blog post we aim to shed light on the challenges of blocking malicious IPs and effective strategies to overcome them without blocking legitimate traffic.
The challenges
The absence of a comprehensive registration process for IP addresses hampers efforts to obtain ownership details, registration dates, and signers, creating difficulties in establishing accountability. Figure 1 presents the absence of readable information available from WHOIS service when researching IP addresses.
Figure 1: Limited Information on IP Addresses from WHOIS Service.
A couple of phenomena of IP usage across the internet add a layer of complexity to correct identification:
Dynamic IP addresses - often used by ISPs to move an IP between customers when it is no longer in use, making it harder to track and block malicious activity effectively. The constant fluctuation of IP addresses demands adaptable solutions capable of keeping pace with these changes.
Shared IP addresses - commonly used in shared hosting environments, where multiple websites and domains are hosted on the same IP address. This means that a single IP address can host both legitimate and non-legitimate sources simultaneously. Content Delivery Networks (CDNs), which use shared hosting to quickly and efficiently spread content across the internet, handle these shared resources with sophisticated mechanisms. These mechanisms ensure the swift delivery of content while attempting to mitigate security risks.
However, in the context of blocking systems, a false positive (blocking a legitimate site) is often considered more detrimental than a false negative (allowing a malicious site through). Hence, when faced with a situation where both legitimate and non-legitimate sites are hosted on the same IP, a cautious approach is necessary. Instead of solely relying on the IP address for blocking, it is imperative to employ different parameters and indicators to accurately identify and block the specific malicious target while ensuring uninterrupted operation for legitimate sites.
Figure 2 demonstrates that a significant portion of IP addresses, approximately a quarter, is associated with multiple domains. This shared hosting scenario can involve thousands of diverse domains, as shown in the accompanying map on the right.
Figure 2: Distribution of Server IPs by Number of Shared Domains
Refer to Figure 3 for an illustration of a shared hosting IP address hosting both a highly malicious phishing site - ultrasafe.co.in and a legitimate business and economy site - skygo.in.
This IP is managed by eWebGuru, a hosting service provider that allocates server resources to various clients. This example highlights the challenges in cybersecurity within shared hosting environments, where both benign and harmful sites can coexist on the same server.
Figure 3: Shared Hosting IP Address Hosting Multiple Domains.
Identification & Blocking Strategies
There are multiple strategies to consider when tackling the above challenges; let's explore them in detail:
From a network perspective
Analyzing the reverse DNS (PTR) name associated with an IP address can provide valuable insights into the nature of the IP. Empty records, or cases where the IP address string itself is returned instead of a regular host name, can serve as indicators of suspicious activity.
Examining the destination port used by the IP address can also yield valuable information. For example, the use of destination port 445 (SMB) over the internet is unlikely to be legitimate, and can raise suspicions about the IP's malicious intent.
From a Threat Intelligence perspective
Another strategy involves leveraging threat intelligence from multiple sources. Combining different threat intelligence feeds that all point to the same IP address as malicious can significantly increase confidence in its classification.
Collaborative Information and tracking approach
Malicious IP addresses often have low popularity, meaning they receive a minimal portion of traffic compared to more widely used addresses. In the context of IP addresses, popularity refers to how often a specific IP address is accessed by users. A low-popularity address means it is rarely visited, unlike well-known sites. This lower visibility is a characteristic that can help distinguish them from legitimate sources. However, an issue arises when, for example, a new Microsoft server or any other legitimate entity is assigned a new IP address. Initially, this IP address would fall into the category of addresses with low popularity, potentially leading to a false assumption of malicious intent. To address this concern, it becomes crucial to employ a powerful and final strategy.
To gain more confidence in the classification of an IP address, it is necessary to track its popularity over more than one day. By observing the IP address's behavior and monitoring its popularity over time, it becomes possible to assess whether its popularity remains consistently low, which would indicate a higher likelihood of it being associated with malicious activity. This multi-day tracking approach provides a more comprehensive understanding of the IP's patterns and helps mitigate the risk of false positives while strengthening the accuracy of IP blocking decisions.
By implementing these strategies, organizations can enhance their ability to identify and block malicious IP addresses effectively while minimizing the risk of blocking legitimate sources. These techniques provide a comprehensive understanding of IP behavior, improving the overall security posture and reducing the impact of potential false positives.
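As an added example (not code from the original post), the following Python combines the four strategies above into one scoring decision: the reverse DNS check, the destination-port check, agreement between threat intelligence feeds, and popularity tracked over several days, with the shared-hosting caveat applied at the end. The thresholds, feed names and observations are constructed; the addresses come from the documentation ranges.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class IpObservation:
    """What we know about one destination IP from our own logs and TI feeds."""
    ip: str
    ptr_name: str              # reverse DNS (PTR) answer, "" if none
    dst_ports: List[int]       # destination ports seen toward this IP
    feeds_flagging: List[str]  # TI feeds that list the IP as malicious
    daily_hits: List[int]      # distinct clients per day, oldest first
    domains_hosted: int        # distinct hostnames resolving to this IP


SUSPICIOUS_PORTS = {445}       # SMB over the internet is rarely legitimate
LOW_POPULARITY_HITS = 5        # constructed threshold: fewer clients/day is "low"
MIN_TRACKING_DAYS = 3          # popularity must be observed over more than one day


def ptr_is_suspicious(ip: str, ptr_name: str) -> bool:
    """Empty PTR, or a PTR that merely echoes the address (dotted or dashed form)."""
    if not ptr_name:
        return True
    dashed = ip.replace(".", "-")
    return ip in ptr_name or dashed in ptr_name


def popularity_verdict(daily_hits: List[int]) -> str:
    """'low' only after enough days of consistently low traffic; a freshly
    assigned address with little history is 'unknown', not 'low'."""
    if len(daily_hits) < MIN_TRACKING_DAYS:
        return "unknown"
    return "low" if max(daily_hits) < LOW_POPULARITY_HITS else "normal"


def score(obs: IpObservation) -> int:
    """Add one point per weak indicator, two when several TI feeds agree."""
    s = 0
    if ptr_is_suspicious(obs.ip, obs.ptr_name):
        s += 1
    if SUSPICIOUS_PORTS & set(obs.dst_ports):
        s += 1
    if len(obs.feeds_flagging) >= 2:
        s += 2
    elif len(obs.feeds_flagging) == 1:
        s += 1
    if popularity_verdict(obs.daily_hits) == "low":
        s += 1
    return s


def decide(obs: IpObservation) -> str:
    """Map the score to an action; on shared hosting block the hostname, not the IP."""
    s = score(obs)
    if s >= 3:
        return "block-domain" if obs.domains_hosted > 1 else "block-ip"
    if s >= 2:
        return "monitor"
    return "allow"


# Constructed observations illustrating the three situations discussed above.
SMB_SCANNER = IpObservation("203.0.113.45", "", [445], ["feedA", "feedB"], [1, 0, 2, 1], 0)
SHARED_HOST = IpObservation("198.51.100.7", "198-51-100-7.hosting.example", [443],
                            ["feedA", "feedB"], [40, 55, 60], 1200)
NEW_SERVER = IpObservation("192.0.2.10", "edge10.cloud.example", [443], [], [2], 1)

if __name__ == "__main__":
    for obs in (SMB_SCANNER, SHARED_HOST, NEW_SERVER):
        print(obs.ip, "score", score(obs), "popularity", popularity_verdict(obs.daily_hits),
              "->", decide(obs))
```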
Real World Application & Conclusion
At Cato, as part of our comprehensive SASE solution, we leverage the power of big data, taking advantage of our vast data lake, enabling a precise differentiation between legitimate and illegitimate addresses. This is further enhanced by the wisdom of crowdsourced insights from all over our network. Additionally, Cato leverages AI/ML models to consolidate data from both internal and external sources, streamlining the decision-making process for blocking malicious IPs. These innovative strategies, rooted in data intelligence and data-driven approach, are fundamental in crafting robust cybersecurity measures that not only address current threats but are also adaptable to the evolving digital landscape.
The mission of blocking malicious IP addresses is indeed of utmost importance in establishing a secure perimeter. But this task poses unique challenges as we have highlighted. By implementing the recommended strategies, including analyzing the nature of the traffic, considering the popularity of the targets, integrating tracking, and utilizing multiple threat intelligence sources, organizations can fortify their networks and systems against malicious activities. This proactive approach helps safeguard sensitive data and ensures uninterrupted operations, contributing to a robust and resilient cybersecurity posture.
SASE for Retail: Growing the Bottom Line
Retail and hospitality businesses prioritize delivering exceptional customer service and growing revenue. Just as their mission relies on a service-oriented staff and quality products, it also requires secure and reliable connectivity. A high performing and secure network enables retailers to offer consistent and positive consumer interactions across online and physical stores around the world. This includes offering services such as e-commerce platforms, secure online payment processing, and digital customer support, while ensuring the protection of customer data and compliance with global privacy standards.
Networking and Security Challenges Retailers are Facing
Until recently, MPLS and VPNs were popular solutions of choice for many retailers. However, modern needs and threats require a new approach. Some of the new challenges retailers are dealing with include:
Unstable Connectivity Across Locations - Retailers require fast, secure connections across various global locations. This includes stores, branches, data centers, headquarters, and more. A high-performing network enables them to communicate, check inventory status, and process credit card transactions, among other activities. However, traditional MPLS or VPNs are costly, with limitations in reliability and security, lacking the scalable model necessary for modern retailer growth.
Security Threats and Risks - Retailers are dealing with organized threat actors and insider threats. According to the Verizon DBIR 2023, retailers are susceptible to ransomware, use of stolen credentials and even attackers embedding malicious code in checkout pages. In 2021, the average cost of a retail data breach was $3.27 million, per the IBM Cost of a Data Breach report.
High Costs, Low Productivity - Retailers need to reduce expenses while improving efficiency. However, MPLS is pricey, VPNs are complex, and using the public Internet often leads to performance issues due to ISPs prioritizing cost over quality.
Complex Tech and Administrative Management - Retailers need high-performing and secure systems, to support business platforms and customer-facing needs like self-checkout. However, handling the tech stack—procurement, management, updates—is complicated, and transferring services to the cloud can be as well.
The Solution to Retail Challenges: SASE
SASE (Secure Access Service Edge) is a network architecture that converges security services and networking capabilities into a single cloud service. SASE represents a shift in the way enterprises handle networking and security, moving away from traditional, hardware-based models to a cloud-native, as-a-service model. This provides organizations with more high-performing, scalable and secure networking solutions, which are simpler to use and manage.
SASE answers retailers' challenges by providing:
Reliable Global Connectivity
Rather than using MPLS or other networking solutions, SASE provides built-in SD-WAN. SD-WAN ensures reliable connectivity via commodity broadband links and 4G/5G wireless connectivity. Globally, traffic is routed over a global private backbone with QoS bandwidth prioritization policies, TCP acceleration and packet-loss mitigation, to reduce latency, packet loss, and jitter.
Enhanced and Comprehensive Security
SASE provides holistic, full-stack security including FWaaS, CASB, DLP, SWG and ZTNA, within a unified, cloud-native service. This ensures access policies are applied, wi-fi is filtered, and retailers maintain data sovereignty and PCI compliance.
Cost-effective and Productivity Boosting
SASE offers an alternative to the costly, inflexible, and capacity-limited MPLS networks, as well as the unreliable Internet, reducing the cost per megabit. In addition, performance is enhanced, ensuring data flow to both on-site and cloud-based applications is optimized to its fullest potential. From a business standpoint, fast and effective communication allows operations to run more smoothly, enhancing sales.
Quick and Simple Deployment
SASE simplifies the process of linking multiple sites, regardless of their size, through a straightforward, single client or socket that's effortless to set up. This eliminates the necessity for numerous devices and, consequently, makes managing the network easier.
In addition, traffic flows directly to a network of cloud-native PoPs within the SASE framework, which can easily integrate with public cloud services in just a few steps. This network grants IT departments visibility into the flow of network traffic. Moreover, the whole setup is designed to scale effectively while remaining economically viable. For ongoing operations, an easy-to-understand UI and single management portal allow for easy and efficient management.
Conclusion
SASE provides retailers with connectivity and security that doesn’t add to complexity, administrative burdens, or expenses. On the contrary, SASE allows retailers to reduce disruptions and offer a positive customer experience that will boost sales. This is achieved through the cloud's agility and flexibility, advanced security features and management simplicity across sites and locations.
Learn more here.
Cato CTRL Issues New SASE Threat Report
Threat actors are always evolving. Whether it is nation-state actors, cybercrime groups, ransomware gangs, or niche teams targeting specific systems – new tools, techniques, and procedures are constantly introduced by attackers. Stopping those threats is challenging in large part because Cyber Threat Intelligence (CTI) remains fragmented. Telltale threat indicators are often available but spread across the threat information and network activity of inbound (and outbound) internet traffic, WAN traffic, cloud traffic, and remote user traffic.
Until the Cato SASE Cloud Platform, gaining 360-degree visibility was difficult, if not impossible, for most enterprises. This is why Cato has started Cato CTRL, Cato’s CTI group. By tapping the full power of Cato, Cato CTRL helps organizations with tactical data for the SOC, operational threat intelligence for managers, and strategic briefings for management and the board.
As part of that work, Cato CTRL routinely reports trends and significant events shaping the security industry. To those ends, Cato CTRL is excited to introduce the first of its revamped Cato CTRL SASE Threat Reports. The report summarizes the findings Cato CTRL gathered from Cato traffic flows across more than 2,200 customers, 1.26 trillion network flows, and 21.45 billion blocked attacks during the first quarter of 2024. (To put that in context, that’s nearly four times more flows than the 350 billion flows we analyzed for Q1 2022.)
What Makes Cato SASE Cloud Excellent for CTI?
Sharp-eyed readers will note that we said revamped report. Cato has long collected and reported on threat trends in the industry. However, we wanted to expand our scope of research and tap the full power of the Cato SASE Cloud.
As the global network to over 2200 enterprises, the Cato SASE Cloud Platform gathers insight into what’s happening on enterprise networks across multiple industries and countries. Cato stores the metadata of every traffic flow from every endpoint communicating across the Cato SASE Cloud platform in a massive data lake, which is further enriched with hundreds of security feeds and analyzed by proprietary ML/AI algorithms and human intelligence.
The result is a unique data repository providing Cato CTRL insights into security threats and their identifying network characteristics for all traffic, regardless of whether it emanates from or is destined for the Internet or the WAN, for all endpoints—sites, remote users, and cloud resources. Even where Cato’s multitiered defense strategy has blocked the attack, the threats are logged and identified, enabling this kind of analysis.
The new report contains trends and insights into how enterprises and associated industries are faring with mitigated CVEs, suspicious events to be aware of, and common enterprise security behaviors. We’ve also gathered insights from the dark web and hacking communities, particularly around the use of AI tools by threat actors. Finally, we provide practical advice on how to mitigate the threats and address the limitations discussed in the report.
The Key Findings
Some of the key findings from this 30+ page report include:
AI takes the enterprise by storm. The most common AI tools used among enterprises were Microsoft Copilot, OpenAI ChatGPT, of course, and one other that we think you likely want to know about.
Get a peek into the hacker underground. As part of its research, Cato CTRL monitors fascinating discussions from various hacker forums. The report found attackers are using LLMs to enhance existing tools like SQLMap to be more efficient in finding and exploiting vulnerabilities. We spotted advertisements for services for generating fake credentials and creating deep fakes. We also continued to monitor recruitment to create a malicious ChatGPT.
Beware of where you shop. Threat actors are setting up domains that mimic well-known brands. We identified the most spoofed brands so you can configure the right filters to protect your users.
Enterprises are too trusting within their networks. Many enterprises continue to run unsecured protocols across their WAN—62% of all web traffic is HTTP, 54% of all traffic is telnet, and 46% of all traffic is SMB v1 or v2. As such, once threat actors penetrate a network, they will have less of a problem snooping critical data in transit across the network. Lateral movement—where attackers will move across networks—was identified particularly in the agriculture, real estate, and travel and tourism industries.
Zero-day is the least of your problems. While we in the industry pay a lot of attention to zero-day threats, the reality is that threat actors are often trying to exploit unpatched systems, eschewing the latest vulnerabilities. Three years after its discovery, there’s one CVE that remains one of the most used exploits. Check out the report to see which one it is.
The “Un”adoption of DNSSEC. Our data indicates that only 1% of DNS traffic utilizes Secure DNS. We believe this is primarily due to DNS being a critical component of both the internet and organizational operations. Organizations fear that implementation complexities might result in misconfigurations, potentially disrupting their applications and services.
Grab the Report to Learn More
There’s a lot more to read and analyze. But don’t take our word for it, read the report yourself. You can grab your copy for free here. To learn more about Cato CTRL, visit us here: https://www.catonetworks.com/cato-ctrl/
Cato CTRL: A New Vision in Extended Threat Intelligence Reporting
Over the past twenty years, I have navigated a unique journey through the cybersecurity landscape. My path has taken me from the realms of hacking and academia into the heart of threat intelligence (TI), culminating in my current role. Since I joined Cato in 2021, I’ve been leading security strategy and am proud to share the culmination of Cato’s research efforts in Cyber Threat Research Lab (Cato CTRL), our cyber threat research team.
My career has been a natural progression from my curiosity as a child – fascinated by the inner workings of the technology that powered the world around me. That curiosity drew me into the world of hacking. The hacker mindset became not just a tool but a lens through which I viewed the digital world. This perspective was invaluable, teaching me to think like an adversary and anticipate their moves. My transition to academia allowed me to share this knowledge with the next generation of cybersecurity professionals, shaping their understanding of cyber threats and defenses.
However, it was my tenure as chief security officer of a TI company that truly deepened my understanding of the challenges within TI. While there, I was confronted with the myriad problems plaguing TI efforts. The fragmentation of intelligence sources, the overwhelming volume of data, and the daunting task of sifting through false positives to find actionable insights were constant challenges. The consequences of these issues were significant, leading to delayed responses, missed threats, and an overall inefficiency in cybersecurity defenses.
Joining Cato Networks marked a pivotal moment in my career. Cato is the first company that I know of to bring together networking and security in the cloud. With a massive data lake combining threat intelligence with the metadata of every flow traversing the Cato SASE Cloud Platform, Cato has unparalleled insight into the security and networking challenges facing enterprise networks.
Now with Cato CTRL, I can address these challenges head-on with the launch of Cato’s Extended Threat Intelligence services. With nearly 50 data scientists and threat researchers focusing on security alone and many more investigating network-related issues, we can couple the best of human intelligence with this incredible data resource that is Cato to provide unparalleled threat intelligence through deep network visibility and insight.
Our extended TI capabilities are a fusion of TI and granular network visibility analyzed by AI/ML algorithms and human intelligence. This innovative approach allows us to deliver comprehensive insights that were previously out of reach. Our first quarterly threat report, slated for release in May, is just the beginning. We aim to equip our customers and partners with the intelligence they need, and only our SASE platform can provide, to navigate the complex cyber threat landscape effectively.
Our commitment extends beyond just gathering intelligence. We have dedicated ourselves to simplifying the integration and management of threat intelligence for SOCs, streamlining the process, and enabling more effective defense mechanisms. Our reports are designed to meet the strategic, operational, and tactical needs of our customers and partners, offering insights into global threats, industry-specific trends, and direct threats to individual organizations.
Ready for Whatever’s Next
As we look to the future, the Cato CTRL team is poised to play a pivotal role in shaping cybersecurity strategies, policies, and education. Our approach is to provide a more comprehensive understanding of cyber threats, moving away from piecemeal solutions to a more integrated information cybersecurity posture.
This journey from hacker to professor to leading Cato Networks’ TI efforts has been challenging and rewarding. It is a path that has given me a deep appreciation for the complexities of cybersecurity and the ever-evolving nature of cyber threats. At Cato Networks, we are ready for whatever comes next, armed with knowledge, tools, and a team to make a significant impact in the fight against cyber threats.
# # #
About Cato CTRL
Cato CTRL (Cyber Threats Research Lab) is the world’s first CTI group to fuse threat intelligence with granular network insight made possible by Cato’s AI-enhanced, global SASE platform. By bringing together dozens of former military intelligence analysts, researchers, data scientists, academics, and industry-recognized security professionals, Cato CTRL combines the best in human intelligence with the best in network and security insight to shed light on the latest cyber threats and threat actors.
CVE-2024-3400: Critical Palo Alto PAN-OS Command Injection Vulnerability Exploited by Sysrv Botnet’s XMRig Malware
On Friday, April 12, 2024, Palo Alto Networks PAN-OS was found to have an OS command injection vulnerability (CVE-2024-3400). Due to its severity, CISA added it to its Known Exploited Vulnerabilities Catalog. Shortly after disclosure, a PoC was published.
We have identified several attempts to exploit this vulnerability with the intent to install XMRig malware for cryptocurrency mining. Cato’s sophisticated multi-layer detection and mitigation engines have successfully intercepted and blocked all such efforts. The recent vulnerability in PAN-OS underlines the inherent vulnerable architecture of on-premises firewalls. This situation highlights the critical need to transition from legacy appliances to a more integrated and holistic native Secure Access Service Edge (SASE) solution. Cato’s cloud-native SASE platform incorporates a comprehensive, complete security stack, seamlessly integrating various security functions. This dynamic and adaptive approach is designed to respond to evolving threats effectively, ensuring superior protection across the entire business infrastructure.
CVE-2024-3400 Palo Alto Networks GlobalProtect PAN-OS
On Friday, April 12, Palo Alto Networks published an advisory on a zero-day vulnerability CVE-2024-3400. The CVE carries a 10, the highest rating in CVSS. It is found in multiple versions of PAN-OS, the operating system that powers Palo Alto’s firewall appliances.
This vulnerability allows unauthenticated threat actors to execute arbitrary code with root privileges on the firewall.
The vulnerability lies in the handling of the “SESSID” cookie value, which is used to create a new file for every session as root. Building on this, it is possible to execute code using bash manipulations. For a detailed vulnerability analysis, visit the Attackerkb blog.
Exploitation attempt
By analyzing the exploit, we can better understand what the threat actors were trying to achieve.
Malware downloader analysis – ldr.sh
The threat actors exploited the vulnerability to download a bash script named "ldr.sh" to the firewall machine. If the exploitation was successful, the script's commands would then run with root privileges and aim to disable and remove any security services and competing malware present on the infected system.
The threat actor would then download and run the XMRig malware from hxxp[://]92[.]60[.]39[.]76:9991/cron
The downloader fetches the cron malware into Path and then executes it
After that, the threat actor tried to spread the malware to different hosts that the victim had access to, by searching for an SSH configuration. They would then connect to the machine and download the malware.
After the threat actor would infect the current machine and spread to other hosts, they would cover their tracks by deleting logs.
Payload analysis – XMRig malware
After obtaining the malware sample, we started a basic analysis. The malware is written in Golang and has different variations for Linux and Windows operating systems.
An investigation of the IP address reveals that it is associated with a known Sysrv Botnet.
Analyzing the malware using Ghidra, we found strings associated with XMRig.
We also ran the malware in a controlled environment and saw it periodically sends DNS requests to www[.]dblikes[.]top. If the malware cannot reach the website, it will not trigger the miner.
Running the malware has created requests to www[.]dblikes[.]top
The malware connection to www[.]dblikes[.]top and the Sysrv botnet via VirusTotal
Following our primary analysis, we concluded that it is the XMRig malware.
However, in addition to the payload for malware deployment, we also saw multiple attempts to probe for the vulnerability by triggering out-of-band HTTP and DNS requests.
True SASE to the rescue
Legacy security products relying on physical appliances are inherently vulnerable due to the limitations of their architecture. As cybersecurity threats evolve, these vulnerabilities can expose organizations to significant risks. A robust cloud-based Secure Access Service Edge (SASE) solution is crucial for the future of information security. A true SASE solution, updated continuously, is less susceptible to the vulnerabilities that plague traditional appliance-based products. Unlike these legacy systems, which can serve as initial access points for threat actors, a cloud-native SASE architecture is designed for resilience and is enhanced daily to combat new and emerging threats. This continuous improvement ensures a more secure and adaptive security environment.
Virtual patching vs. manual patching
Threat actors are quick to exploit vulnerabilities to disseminate malware. To address this, Palo Alto customers must apply the PAN-OS patch to every Palo Alto appliance, which is a significant drawback compared to virtual patching solutions. Products offering virtual patching, multi-layer detection, and mitigation, like SASE, offer rapid protection, representing a more agile and effective defense against emerging security threats. This advantage is crucial in environments where the speed of response impacts the ability to mitigate or prevent security breaches.
Cato Networks provides comprehensive protection for organizations, not only at the initial access point but throughout all stages of the kill chain. This includes defenses against lateral movement, malware deployments and DNS-based threats. By securing each kill chain phase, Cato ensures a robust defense mechanism that minimizes vulnerabilities and enhances overall security posture. This approach helps prevent attackers from advancing their objectives at any point, safeguarding critical assets and data against a wide spectrum of cyber threats.
We will provide further updates when we detect any new attempts to exploit.
IoC list
IPs
189[.]206[.]227[.]150
92[.]60[.]39[.]76:9991
92[.]60[.]39[.]76:9993
Domains
www[.]dblikes[.]top
Hashes (SHA-256)
· Cron (UPX) - 1BC022583336DABEB5878BFE97FD440DE6B8816B2158618B2D3D7586ADD12502
· Cron (Unpacked) - 36F2CB3833907B7C19C8B5284A5730BCD6A7917358C9A9DF633249C702CF9283
· ldr.sh - 5CA95BC554B83354D0581CDFA1D983C0EFFF33053DEFBC7E0359B68605FAB781
· wr.exe (UPX) - A742C71CE1AE3316E82D2B8C788B9C6FFD723D8D6DA4F94BA5639B84070BB639
· wr.exe (Unpacked) - 4D8C5FCCDABB9A175E58932562A60212D10F4D5A2BA22465C12EE5F59D1C4FE5
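To make the indicators above actionable, here is an added example (not part of the original analysis) that hunts for them in log lines. The indicators are copied from the list above, still defanged with [.] as published; the log lines and their formats are constructed for illustration, so the regexes need adapting to your own DNS, firewall and EDR exports.

```python
"""Hunt for the IoCs published above in log lines.

Added example, not part of the original analysis. The indicators are copied
from the list above (defanged with [.] as published); the log lines and their
formats are constructed for illustration, so adapt the regexes to your own
DNS, firewall and EDR exports.
"""
import re
from collections import namedtuple

IOC_IPS = ["189[.]206[.]227[.]150", "92[.]60[.]39[.]76:9991", "92[.]60[.]39[.]76:9993"]
IOC_DOMAINS = ["www[.]dblikes[.]top"]
IOC_SHA256 = {
    "1BC022583336DABEB5878BFE97FD440DE6B8816B2158618B2D3D7586ADD12502": "Cron (UPX)",
    "36F2CB3833907B7C19C8B5284A5730BCD6A7917358C9A9DF633249C702CF9283": "Cron (Unpacked)",
    "5CA95BC554B83354D0581CDFA1D983C0EFFF33053DEFBC7E0359B68605FAB781": "ldr.sh",
    "A742C71CE1AE3316E82D2B8C788B9C6FFD723D8D6DA4F94BA5639B84070BB639": "wr.exe (UPX)",
    "4D8C5FCCDABB9A175E58932562A60212D10F4D5A2BA22465C12EE5F59D1C4FE5": "wr.exe (Unpacked)",
}

Hit = namedtuple("Hit", "kind indicator line")

IP_PORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def refang(ioc):
    """Turn a defanged indicator back into its matchable form."""
    return ioc.replace("[.]", ".").lower()


def build_matchers():
    """Index the published IoCs: IP -> set of published ports (empty = any port)."""
    ips = {}
    for raw in IOC_IPS:
        ip, _, port = refang(raw).partition(":")
        ports = ips.setdefault(ip, set())
        if port:
            ports.add(port)
    domains = {refang(d) for d in IOC_DOMAINS}
    hashes = {h.lower(): name for h, name in IOC_SHA256.items()}
    return ips, domains, hashes


def scan_line(line, ips, domains, hashes):
    """Return every IoC hit found in one log line."""
    hits = []
    for ip, port in IP_PORT_RE.findall(line):
        if ip in ips:
            # A port published with the IP is a stronger match, but traffic to the
            # same IP on another port is still worth surfacing.
            kind = "ip" if (not ips[ip] or port in ips[ip]) else "ip-other-port"
            hits.append(Hit(kind, ip + (":" + port if port else ""), line))
    for domain in DOMAIN_RE.findall(line):
        d = domain.lower()
        if d in domains or any(d.endswith("." + known) for known in domains):
            hits.append(Hit("domain", d, line))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in hashes:
            hits.append(Hit("hash", hashes[digest.lower()], line))
    return hits


def scan_logs(lines):
    """Scan an iterable of log lines and return all hits in order."""
    ips, domains, hashes = build_matchers()
    return [hit for line in lines for hit in scan_line(line, ips, domains, hashes)]


# Constructed sample log lines (not real telemetry): DNS, firewall and EDR events.
SAMPLE_LOGS = [
    "2024-04-11T09:12:03Z dns query client=10.0.4.17 qname=www.dblikes.top qtype=A",
    "2024-04-11T09:12:05Z fw allow src=10.0.4.17 dst=92.60.39.76:9991 proto=tcp",
    "2024-04-11T09:12:07Z fw allow src=10.0.4.17 dst=92.60.39.76:443 proto=tcp",
    "2024-04-11T09:12:09Z edr file_write path=/tmp/cron "
    "sha256=1bc022583336dabeb5878bfe97fd440de6b8816b2158618b2d3d7586add12502",
    "2024-04-11T09:12:10Z dns query client=10.0.4.18 qname=www.example.com qtype=A",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"{hit.kind:14} {hit.indicator}  <- {hit.line}")
```

The DNS hit is the one to prioritise when triaging: the miner only starts once the domain resolves, so a resolver log entry for it usually predates any firewall or file event on the same host.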
MITRE techniques
· T1190 – Exploit Public-Facing Application
· T1059.003 – Windows Command Shell
· T1059.004 – Unix Shell
· T1562.001 – Disable or Modify Tools
· T1562.004 – Disable or Modify System Firewall
· T1070.002 – Clear Linux or Mac System Logs
· T1070.004 – File Deletion
· T1552.004 – Private Keys
· T1021.004 – SSH
· T1105 – Ingress Tool Transfer
· T1496 – Resource Hijacking
The tactics, techniques, and sub-techniques in the MITRE ATT&CK Navigator
Women in Tech: A Conversation with Cato's Shay Rubio
For International Women's Day (March 8, 2024), the German-language software news site entwickler.de interviewed Cato product manager Shay Rubio about her journey in high tech. Here's an English translation of that interview:
When did you become interested in technology and what first got you interested in tech?
I’m a curious person by nature and I was always intrigued by understanding how things work. I think my interest in technology was sparked during my military service in an intelligence unit, which revolved around understanding cyber threats and cyber security.
How did your career path lead you to your current position?
I am a product manager for Cato Networks, working on cybersecurity products like our Cato XDR, which we just announced in January. My interest in the cybersecurity space led me to search for a position in a top company in this field, but I still wanted a place that moves at the pace of a startup. Cato was the perfect blend of both.
Did you have people who supported you, or did you have to overcome obstacles? Do you have a role model?
I was attending professional meetups searching for a mentor for some guidance in my career path. I approached a senior product manager and we clicked, and he’s been my mentor ever since, helping to guide me through obstacles. At Cato, we have some women in top tech positions and I take inspiration from them – they show me what’s possible and serve as role models for me and many other women in the industry.
What is your current job (company, position, etc.)? What does your typical workday look like?
Like I said, I am a product manager at Cato Networks, working on cybersecurity products like Cato XDR. As a PM, every day looks a bit different – and that’s what I love about it. In a typical day, I could be defining new features, collaborating with the engineering and research teams, taking customer calls showing them our new features, and collecting their feedback.
Did you start a project of your own or develop something?
I haven't started something of my own – yet. I have been very involved in Cato's XDR. It almost feels like starting a project of my own.
Is there something you are proud of in your professional career?
I'm proud of driving collaboration within our team, encouraging everyone to speak their mind, and moving at the right pace. I think promoting diversity and inclusion within our team is key – each of us brings a unique perspective that eventually creates a better product. I have one example that comes to mind. During a brainstorming session, a team member shared her experience as a former customer support representative. Her insight into common user pain points helped us prioritize the right feature that directly addressed customer needs, resulting in higher user satisfaction and retention.
Is there a tech or IT topic you would like to know more about?
The cybersecurity landscape is changing so quickly – so you have to keep learning. I'm always happy to delve deeper into new threat actors' techniques, threats and mitigation strategies.
How do you relax after a hard day at work?
I love to spend some quality time with my partner, relaxing with a good TV show, or going out for drinks in one of the great cocktail bars we have in Tel Aviv. When I need to clear my head, I love weight training while blasting hip-hop music, and I also try to maintain my long-time hobby of singing.
Why aren't there more women in tech? What's your take on that?
I think it's important to have women role models in senior positions in tech companies. We are what we see – and if someone like me has managed to make it, it will feel way more achievable for someone else to get there, too. In addition, in my opinion, we must have full equality in family life and in managing household tasks to get more women to pursue positions in tech.
If you could do another job for one week, what would it be?
I’ve always loved singing and music – and I try to incorporate it as a hobby in my day-to-day life, but we all know how it is – there’s never enough time for everything. I’d love to take a week and play around with music more, including learning the production side of music and creating my own tracks.
Which kind of stereotypes or clichés about women in tech did you hear of? Which kind of problems arise from these perceptions?
Stereotypes about women's technical abilities or leadership skills persist, even after countless talented, hard-working women have disproven them. These stereotypes hinder our progress – and I mean not only women's progress, but our society's progress as a whole, since we're missing out on amazing talent due to old, limiting beliefs. It's crucial to challenge these perceptions and advocate for change, for the benefit of us all.
Did the conditions for women in the IT and tech industry change since you first started working there?
While the conditions for women in tech have improved, more work is needed to ensure equal opportunities and representation. More women leaders will help young women feel like they belong in this industry and that options are open for them so they can aim high and achieve their professional aspirations.
Do you have any tips for women who want to start in the tech industry? What should girls and women know about working in the tech industry?
My advice for women entering the tech industry is to cultivate a growth mindset, embracing challenges (and failures!) as opportunities for learning and growth. Hard work and perseverance are key in overcoming obstacles and achieving success, especially in demanding environments like tech companies and startups.
Additionally, seek out mentors to build a strong support network, and never underestimate the power of your unique perspective in driving innovation and progress in the tech industry.
The Cato Socket Gets LTE: The Answer for Instant Sites and Instant Backup
Every year, Bonnaroo, the popular music and arts festival, takes over a 700-acre farm in the southern U.S. for four days. While the festival is known for its diverse lineup of music, it also offers a unique and immersive festival experience filled with art, comedy, cinema, and more.
For the networking nerds among us, though, the festival might be even more attractive as a stress test of sorts. The festival is held in a temporary, rural location. There is no fixed internet connection to support the numerous vendors. And there’s no city WiFi to plug into. Still, that cute little booth selling the event’s hottest T-shirts needs to process customer transactions, manage inventory through the home office, and access cloud-based sales tools—all while ensuring data security and complying with industry regulations.
In short, the perfect problem for our newest Cato Socket, the X1600-LTE Socket. The Cato Socket has always worked with external LTE modems, but by integrating LTE into the Socket, there is one less device to deploy and one less console to master. The LTE connection is fully managed within Cato, providing usage monitoring of the data plan and real-time monitoring of LTE link quality, all within the same Cato Management Application as the rest of your infrastructure.
The new Cato X1600-LTE Socket includes two antennas and can operate at up to 150 Mbps upstream and 600 Mbps downstream.
LTE As the Secondary Access Link
Pop-up music and cultural festivals are hardly the only use case that will benefit from the Cato X1600-LTE Socket. LTE is in high demand as a secondary link, particularly for geographically dispersed enterprises and enterprises relying on real-time data and communications.
Retail chains, for example, often have locations in areas with weak infrastructure but still require uninterrupted connectivity for critical operations like point-of-sale systems, inventory management, and secure communication. Logistics and transportation headquarters need a secondary link to keep real-time communications with their trucks and fleets.
Cato SASE Cloud is particularly effective in carrying real-time communications. Our packet loss mitigation techniques, QoS, the zero or near zero packet loss on our backbone all make for a superior real-time experience. So, it’s no surprise that enterprises relying on real-time data and communication would be interested in the Cato X1600-LTE Socket.
Healthcare providers are looking at it for essential real-time data access for patient care, remote consultations, and medical device communication. Financial institutions require consistent connectivity to conduct secure transactions, data transfers, and communication. Cato X1600-LTE Socket provides a backup connection for a safety net during primary network downtime, minimizing financial losses and reputational damage.
LTE As the Primary Access Link
Like booths at Lollapalooza, many enterprises can use LTE as a primary connection to Cato SASE Cloud where there’s no DIA infrastructure available. Rural businesses and communities in regions with limited or unreliable fixed internet options will find LTE helpful in providing a readily available and potentially faster connection for essential services like education, healthcare, and communication.
Construction sites and temporary locations also will benefit where setting up fixed internet infrastructure can be expensive and impractical. Emergency response teams also need LTE during natural disasters or emergencies where primary communication infrastructure might be compromised. First responders can use LTE to coordinate search and rescue operations and citizen communication.
The same goes for mobility situations. Field service companies where technicians require constant internet access for diagnostics, repairs, and remote support can benefit from Cato X1600-LTE Socket. Transportation and logistics companies with delivery drivers, fleet managers, and transportation hubs can leverage Cato X1600-LTE Socket for secure real-time tracking, delivery route optimization, and communication, ensuring efficient operations on the move.
LTE Connectivity Serves Cato’s Mission to Connect Remote and Mobile Users
The new LTE-enabled connectivity option fits perfectly into the overall Cato Networks strategy of simplifying and enhancing customers’ network security and performance—especially for geographically dispersed organizations or those requiring consistent connectivity on the go. Regardless of where or how customers connect to the Cato SASE Cloud, they get access to a converged cloud platform that merges critical network and security functions into a single, streamlined solution.
A "single pane of glass" management approach provides organizations with a comprehensive view of their entire IT infrastructure, eliminating the need to manage disparate tools and vendors. Cato further simplifies operations by consolidating network security, threat prevention, data protection, and AI-powered incident detection into one platform, reducing complexity and cost and saving valuable time and resources.
Cato provides detailed LTE-relevant statistics such as Reference Signal Received Power (RSRP), Reference Signal Received Quality (RSRQ), and Reference Signal Strength Indication (RSSI) in the new LTE analytics tab of the Cato Management Application.
The LTE Socket is Now Available
The Cato X1600-LTE Socket is a mid-range SD-WAN device that enables optimized and secure enterprise WAN, Internet, and cloud connectivity. The Socket has fiber, copper, and LTE connectivity options. It has dual Micro SIM Standby (DSS), allowing for active standby in the event of failure of the cable connection. It supports up to 150 Mbps for upload, and up to 600 Mbps for download.
To learn more about the Cato Socket, visit https://www.catonetworks.com/cato-sase-cloud/cato-edge-sd-wan/.
How Cato Uses Large Language Models to Improve Data Loss Prevention
Cato Networks has recently released a new data loss prevention (DLP) capability, enabling customers to detect and block documents being transferred over the network based on sensitive categories, such as tax forms, financial transactions, patent filings, medical records, job applications, and more. Many modern DLP solutions rely heavily on pattern-based matching to detect sensitive information. However, pattern matching does not give full control over sensitive data loss. Take, for example, a legal document such as an NDA: it may contain certain patterns that a legacy DLP engine could detect, but what likely concerns the company's DLP policy is the actual content of the document and the sensitive information it may contain.
Unfortunately, pattern-based methods fall short when trying to detect the document category. Many sensitive documents don’t have specific keywords or patterns that distinguish them from others, and therefore, require full-text analysis. In this case, the best approach is to apply data-driven methods and tools from the domain of natural language processing (NLP), specifically, large language models (LLM).
LLMs for Document Similarity
LLMs are artificial neural networks that were trained on massive amounts of text, commonly crawled from the web, to model natural language. In recent years, we have seen far-reaching advancements in their application to modern-day life and business use cases. These applications include language translation, chatbots (e.g. ChatGPT), text summarization, and more.
In the context of document classification, we can use a specialized LLM to analyze large amounts of text and create a compact numeric representation that captures semantic relationships and contextual information, formally known as a text embedding. An example of an LLM suited for text embeddings is Sentence-BERT. Sentence-BERT uses the well-known transformer-encoder architecture of BERT and fine-tunes it to detect sentence similarity using a technique called contrastive learning.
In contrastive learning, the objective of the model is to learn an embedding for the text such that similar sentences are close together in the embedding space, while dissimilar sentences are far apart. This is achieved during the learning phase using triplet loss. In simpler terms, it involves sets of three samples:
An "anchor" (A) - a reference item
A "positive" (P) - a similar item to the anchor
A "negative" (N) - a dissimilar item.
The goal is to train a model to minimize the distance between the anchor and positive samples while maximizing the distance between the anchor and negative samples.
Contrastive Learning with triplet loss for sentence similarity.
To illustrate the use of Sentence-BERT for creating text embeddings, let's take an example with three IRS tax forms: an empty W-9 form, a filled W-9 form, and an empty 1040 form. Feeding the LLM with the extracted and tokenized text of the documents produces three vectors of n numeric values each, n being the embedding size, which depends on the LLM architecture. While each document contains unique and distinguishable text, their embeddings remain similar. More formally, the cosine similarity measured between each pair of embeddings is close to the maximum value.
Creating text embeddings from tax documents using Sentence-BERT.
Now that we have a numeric representation of each document and a similarity metric to compare them, we can proceed to classify them. To do that, we will first require a set of several labeled documents per category, that we refer to as the “support set”. Then, for each new document sample, the class with the highest similarity from the support set will be inferred as the class label by our model.
There are several methods to measure the class with the highest similarity from a support set. In our case, we will apply a variation of the k-nearest neighbors algorithm that implements the classification based on the neighbors within a fixed radius.
In the illustration below, we see a new sample document, in the vector space given by the LLM’s text embedding. There are a total of 4 documents from the support set that are located in its neighborhood, defined by a radius R.
Formally, a text embedding y from the support set is located in the neighborhood of a new sample document's text embedding x if
R ≥ 1 - similarity(x, y)
similarity being the cosine similarity function. Once all the neighbors are found, we can classify the new document based on the majority class.
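The neighborhood test and majority vote described above, together with the triplet loss from the contrastive-learning section, as an added example in Python (not Cato's code): the embeddings are constructed three-dimensional toy vectors standing in for Sentence-BERT output, and the categories, support set and radius R are assumptions chosen for illustration.

```python
"""Radius-based nearest-neighbour classification over text embeddings.

Added example, not part of the original post and not Cato's code. The
embeddings below are constructed three-dimensional toy vectors standing in
for Sentence-BERT output (which would have hundreds of dimensions); the
support-set labels and the radius R are assumptions chosen for illustration.
"""
import math
from collections import Counter


def cosine_similarity(x, y):
    """Cosine of the angle between two embeddings, in [-1, 1]."""
    dot = sum(a * b for a, b in zip(x, y))
    norm_x = math.sqrt(sum(a * a for a in x))
    norm_y = math.sqrt(sum(b * b for b in y))
    return dot / (norm_x * norm_y)


def cosine_distance(x, y):
    """1 - similarity(x, y): the quantity compared against R in the post."""
    return 1.0 - cosine_similarity(x, y)


def triplet_loss(anchor, positive, negative, margin=0.2):
    """Triplet loss used in contrastive training: zero once the positive is
    closer to the anchor than the negative by at least `margin`."""
    return max(cosine_distance(anchor, positive)
               - cosine_distance(anchor, negative) + margin, 0.0)


# Constructed support set: (category, embedding). In practice each vector is
# the model's embedding of a labelled document.
SUPPORT_SET = [
    ("tax_form", (0.90, 0.10, 0.00)),        # e.g. empty W-9
    ("tax_form", (0.85, 0.15, 0.05)),        # e.g. filled W-9
    ("tax_form", (0.95, 0.05, 0.00)),        # e.g. empty 1040
    ("medical_record", (0.10, 0.90, 0.00)),
    ("medical_record", (0.05, 0.95, 0.10)),
    ("legal_nda", (0.00, 0.10, 0.90)),
    ("legal_nda", (0.10, 0.00, 0.95)),
]


def classify(x, support_set=SUPPORT_SET, radius=0.1):
    """Majority vote over support-set embeddings within cosine distance R of x.

    Returns None when no support document lies within the radius, so the DLP
    policy can fall back to regex/keyword datatypes instead of guessing a
    category for a document unlike anything in the support set.
    Ties are broken in favour of the label of the single closest neighbour.
    """
    neighbours = [(cosine_distance(x, y), label)
                  for label, y in support_set
                  if radius >= cosine_distance(x, y)]
    if not neighbours:
        return None
    votes = Counter(label for _, label in neighbours).most_common()
    if len(votes) > 1 and votes[0][1] == votes[1][1]:
        return min(neighbours)[1]
    return votes[0][0]


if __name__ == "__main__":
    print(classify((0.8, 0.2, 0.0)))   # a new tax-form-like document
    print(classify((0.5, 0.5, 0.5)))   # nothing within R: None
```

The radius is the policy knob: a smaller R yields fewer false positives at the cost of more documents landing in the None bucket, which is why pairing the model-based datatypes with the regex and keyword datatypes, as the post describes, matters.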
Classifying a new document as a tax form based on the support set documents in its neighborhood.
Creating Advanced DLP Policies
Sensitive data is more than just personal information. ML solutions, specifically NLP and LLMs, can go beyond pattern-based matching, by analyzing large amounts of text to extract context and meaning. To create advanced data protection systems that are adaptable to the challenges of keeping all kinds of information safe, it’s crucial to incorporate this technology as well.
Cato’s newly released DLP enhancements which leverage our ML model include detection capabilities for a dozen different sensitive file categories, including financial, legal, HR, immigration, and medical documents. The new datatypes can be used alongside the previous custom regex and keyword-based datatypes, to create advanced and powerful DLP policies, as in the example below.
A DLP rule to prevent internal job applicant resumes with contact details from being uploaded to 3rd party AI assistants.
While we've explored LLMs for text analysis, the realm of document understanding remains a dynamic area of ongoing research. Recent advancements have seen the integration of large vision models (LVM), which not only aid in analyzing text but also help understand the spatial layout of documents, offering promising avenues for enhancing DLP engines even further.
For further reading on DLP and how Cato customers can use the new features:
https://www.catonetworks.com/platform/data-loss-prevention-dlp/
https://support.catonetworks.com/hc/en-us/articles/5352915107869-Creating-DLP-Content-Profiles
XZ Backdoor / RCE (CVE-2024-3094) is the Biggest Supply Chain Attack Since Log4j
A severe backdoor has been discovered in XZ Utils versions 5.6.0 and 5.6.1, potentially allowing threat actors to remotely access systems on which these versions are loaded by SSH implementations.
Many major Linux distributions were inadvertently distributing compromised versions. Consult your distribution's security advisory for specific impact information. While the attacker's identity and motivation remain unknown, the sophisticated and well-hidden nature of the code raises concerns about a state-sponsored attacker.
Cato does not use a vulnerable version of “XZ / liblzma” and Cato's code and infrastructure are not vulnerable to this backdoor / RCE.
Cato recommends that enterprises patch immediately. They should update XZ Utils from their Linux distribution's repositories as soon as possible. In addition, they should review all SSH configurations for potentially impacted systems, implement strict security measures (e.g., strong authentication and access controls) and actively monitor network traffic and system logs for anomalies, especially related to SSH activity on vulnerable systems. This situation is still developing. Monitor sources like your distribution's security advisories and trusted security news outlets for updates and enhanced detection methods.
What is XZ?
XZ Utils is a collection of free software tools used for highly efficient lossless data compression. It works with the .xz file format, known for its superior compression ratios compared to older formats like .gz or .bz2. The primary tools within XZ Utils (xz, unxz, xzcat, etc.) are used through your system's terminal or command prompt.
xz: Main command-line tool for compression and decompression.
liblzma: A library with programming interfaces (APIs) for use in development.
Many major Linux distributions (Debian, Ubuntu, Fedora, etc.) use XZ to compress software packages in their repositories, which significantly reduces storage costs and speeds up users' downloads. The main Linux kernel source is distributed as an XZ-compressed tar archive. macOS also comes with XZ preinstalled.
It’s important to note that XZ is open source.
How was the Backdoor Discovered?
Andres Freund, a PostgreSQL developer and software engineer at Microsoft, discovered the backdoor on March 29, 2024. He noticed unusual behavior on Debian testing systems: SSH logins were consuming abnormally high CPU, making SSH slower, and he also encountered errors from valgrind (a memory-debugging tool) related to liblzma (a core component of XZ Utils).
He posted his discovery on “Openwall”. Openwall is a project aimed at enhancing computer security by providing a collection of open-source software, resources and information to improve system and network security.
Screenshot of the discussion that Andres Freund started on Openwall.
Delving into the source code, he discovered a very odd and out-of-place M4 macro. This macro appeared to be intentionally designed to introduce malicious code during the build process. The backdoor logic was heavily obfuscated to avoid easy detection.
What is Known About the Backdoor So Far?
The backdoor was committed on February 23, 2024 by “JiaT75”.
Even if you have the “XZ” (liblzma) vulnerable version, it does not mean that you are affected.
In the build code itself, multiple conditions must be satisfied before the payload is triggered.
Here are a few examples:
This condition checks that the target build is for x86_64 and Linux systems. Otherwise, it terminates.
This condition checks that the build process should be done with “gcc”. Otherwise, it terminates.
From what we know so far, here are the steps in the malicious build process:
Checking various configuration settings and environment variables to ensure the build environment meets certain criteria (e.g., using GCC compiler, GNU linker, x86-64 architecture, etc.).
If the build environment is suitable, the script modifies the Makefiles and build configuration to enable the injection of the malicious code.
The script checks for specific source files related to CRC (cyclic redundancy check) algorithms used in XZ.
The script then attempts to inject a modified version of the CRC code into the XZ utility. It does this by:
extracting and decrypting a payload file (good-large_compressed.lzma) using a decryption algorithm;
saving the decrypted payload as liblzma_la-crc64-fast.o;
replacing the original CRC code with the modified version, including the decrypted payload.
The script compiles the modified CRC code using the GCC compiler with specific flags and options.
If the compilation is successful, the script replaces the original CRC object files (.libs/liblzma_la-crc64_fast.o and .libs/liblzma_la-crc32_fast.o) with the modified versions.
The script links the modified object files into the XZ library (liblzma.so).
After the build and successful installation, the backdoor intercepts execution by substituting ifunc resolvers for crc32_resolve() and crc64_resolve() , changing the code to call _get_cpuid()
“ifunc” is a glibc mechanism that allows you to implement a function in different ways and choose between implementations while the program is running.
Afterwards, the backdoor installs an audit hook to monitor the dynamic linking of libraries into the process, waiting for the RSA_public_decrypt symbol (RSA_public_decrypt@got.plt) to be resolved.
Once it sees RSA_public_decrypt being bound, the backdoor replaces that GOT entry with the address of code it controls.
Now, when connecting via SSH, in the context before key authentication, the process will execute code controlled by the attacker.
As you can see, it is a sophisticated and stealthy attack whose effort and tradecraft point to a well-resourced, likely nation-state-sponsored adversary.
The “xz” Github and the official site were taken down.
Who is Behind the XZ Backdoor?
The backdoor commit was made by an individual using the name "Jia Tan" and the username "JiaT75". This GitHub account was created in 2021 and has been active since then. They “contributed” to a few projects, including “OSS-Fuzz” by Google. But they were mainly active in the “xz” project.
How was "JiaT75"'s commit to "xz" approved? You can read the full chain of events on Evan Boehs's blog. In short, the path to implementing the backdoor began approximately two years ago. The project's main developer, Lasse Collin, was accused of slow progress. User Jigar Kumar insisted that xz needed a new maintainer for development and demanded that patches be merged by Jia Tan, who was contributing to the project voluntarily.
In 2022, Lasse Collin admitted to a stranger that he was in a difficult position: mental health issues, lack of resources and physical limitations were hindering his progress and the project's pace. However, with Jia Tan's contributions, he said he might be able to take on a more significant role in the project.
In 2023, Jia Tan replaced Lasse Collin as the main contact for oss-fuzz, Google's fuzzer for open-source projects. That same year, the ifunc infrastructure that the backdoor would later rely on was committed to xz; the commit is attributed to Hans Jansen, a user who seems to have been created solely for this purpose. Jia Tan then submitted a pull request to oss-fuzz urging the disabling of some checks, citing the need for ifunc support in xz.
In 2024, Jia Tan changed the project link in oss-fuzz from tukaani.org/xz to xz.tukaani.org/xz-utils and completed the backdoor's finishing touches.
Jia Tan, whoever he may be, started building this attack in 2021, gaining the trust of the primary maintainer of the XZ project. The amount of time and dedication from Jia Tan can only be attributed to a persistent adversary.
What Does This Mean for Other Open-source Projects?
Creating a validation process for entities that commit the code is important, especially for repositories that can affect other software.
As demonstrated by @hasherezade, it is very easy to spoof the account that commits to Github.
Conduct a proper code review until you understand what is being committed.
In the "XZ" backdoor commit, the payload was hidden inside a compressed test file rather than in readable source, so the malicious code could only be spotted by extracting and analyzing it.
Maintaining open-source projects requires a lot of time and dedication. You need to vet the person you want to hand the project over to.
What Can Cato’s Customers Do?
Check Which Version of “XZ” is Installed On Your Systems
Check the version of “XZ” on your system. Versions 5.6.0 or 5.6.1 are affected.
Run the following command in your terminal:
xz --version
apt info xz-utils
You can also check https://repology.org/project/xz/versions for affected systems.
Downgrade to an older version if possible.
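The version check above, plus the second question the post raises (having a vulnerable liblzma does not by itself mean sshd is exposed), as an added Python example that is not Cato's tooling. It parses the output of xz --version and of ldd run on the sshd binary; the sample outputs embedded in it are constructed so the parsing can be exercised offline, and the sshd path is an assumption to adjust for your distribution.

```python
"""Host check for the backdoored XZ Utils releases.

Added example, not Cato's tooling. It parses the output of `xz --version`
and of `ldd` on the sshd binary; the sample outputs embedded below are
constructed so the parsing can be exercised offline, and the sshd path is an
assumption (adjust it for your distribution).
"""
import os
import re
import shutil
import subprocess

BACKDOORED_VERSIONS = {"5.6.0", "5.6.1"}
SSHD_PATH = "/usr/sbin/sshd"  # assumption; some distributions install it elsewhere

# `xz --version` prints two lines, e.g. "xz (XZ Utils) 5.6.1" and "liblzma 5.6.1".
VERSION_RE = re.compile(r"^(xz \(XZ Utils\)|liblzma)\s+(\d+\.\d+\.\d+\S*)", re.M)

# Constructed sample outputs for offline use (not captured from a real host).
SAMPLE_XZ_VERSION = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_LDD_SSHD = (
    "\tlinux-vdso.so.1 (0x00007ffd1b3f0000)\n"
    "\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f2a3c800000)\n"
    "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f2a3c7c0000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a3c400000)\n"
)


def parse_xz_version_output(text):
    """Map component name ('xz', 'liblzma') to its version string."""
    versions = {}
    for component, version in VERSION_RE.findall(text):
        versions["xz" if component.startswith("xz") else "liblzma"] = version
    return versions


def affected_components(versions):
    """Names of components running a backdoored release, sorted."""
    return sorted(name for name, v in versions.items() if v in BACKDOORED_VERSIONS)


def liblzma_loaded_by(ldd_text):
    """Path of the liblzma shared object a binary would load, or None.

    ldd resolves dependencies transitively, so sshd shows liblzma even when
    it only reaches it through another library."""
    m = re.search(r"liblzma\.so\S*\s*=>\s*(\S+)", ldd_text)
    return m.group(1) if m else None


def check_host(sshd_path=SSHD_PATH):
    """Run the live checks; returns a findings dict, empty when nothing was found."""
    findings = {}
    if shutil.which("xz"):
        out = subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout
        affected = affected_components(parse_xz_version_output(out))
        if affected:
            findings["backdoored"] = affected
    if shutil.which("ldd") and os.path.exists(sshd_path):
        out = subprocess.run(["ldd", sshd_path], capture_output=True, text=True).stdout
        path = liblzma_loaded_by(out)
        if path:
            findings["sshd_loads_liblzma"] = path
    return findings


if __name__ == "__main__":
    print(check_host() or "no findings")
```

Read the two findings together: a backdoored version on its own is the signal to downgrade, while sshd loading liblzma tells you whether the SSH daemon on that host was actually in a position to be hijacked and therefore which hosts need the SSH log review the post recommends.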
XZ malicious package detection
We've verified that, for customers with TLS inspection (TLSi) enabled, there have been no indications of downloads of the known malicious files, based on hashes or file names, over the past six weeks. (Note, however, that malicious files could reach users through other forms of distribution, e.g. as part of a package.)
The BitDefender Anti-Malware engine classifies the XZ package files as malicious files and blocks them if Anti-Malware is enabled.
SSH Traffic
Until the verification and downgrade process are completed, apply strict access policies on Inbound SSH traffic - limiting access to trusted sources and only in case of actual necessity.
Cato’s Multi-layer Detection and Mitigation Approach
Cyber-attacks are usually not an isolated event. They have multiple steps. Cato has multiple detections and mitigations across the entire kill chain, including initial access, lateral movement, data exfiltration, and more.
Cato’s Infrastructure
After checking Cato’s infrastructure, we can confirm that Cato is not using the vulnerable version of XZ / liblzma.
Final Thoughts
We still do not know the full extent of this backdoor's impact. There is always fallout in such cases as the security community delves deep and uncovers more information about possible attacks.
The initial commit was on February 23, 2024 and it was discovered on March 29, 2024. This is a significant window for malicious activity to occur.
In security incidents, multiple layers of detection and mitigation capabilities are crucial to halt the attack through various means.
We are continuing to research and monitor for further developments.
This blog post is based on research by Avishay Zawoznik, Security Research Manager at Cato Networks.
Outsmarting Cyber Threats: Etay Maor Unveils the Hacker’s Playbook in the Cloud Era
The Cloud Conundrum: Navigating New Cyber Threats in a Digital World
In an era where cyber threats evolve as rapidly as the technology they target, understanding the mindset of those behind the attacks is crucial. This was the central theme of a speech given by Etay Maor, Senior Director of Security Strategy at Cato Networks, at the MSP EXPO 2024 Conference & Exposition in Fort Lauderdale, Florida. Titled “SASE vs. On-Prem A Hacker’s Perspective,” Maor’s session provided invaluable insights into the sophisticated tactics of modern cybercriminals.
Maor’s presentation painted a vivid picture of the ongoing battle in the cyber world. He emphasized that as businesses transition to cloud-based solutions, hackers are not far behind, exploiting these very platforms to orchestrate their malicious activities. Trusted cloud services and applications, once seen as safe havens, are now being used to extract sensitive data, distribute malware, and launch phishing campaigns.
The session highlighted a concerning trend: many organizations are still anchored in an on-premises mindset. This approach, unfortunately, is increasingly inadequate in countering modern cyber threats. Maor’s argument was supported by a series of case studies detailing real-life attacks, showcasing how these threats are not just theoretical but present and active dangers.
Embracing SASE: A New Frontier in Cybersecurity
One of the most interesting parts of the session was the live demonstrations. These demonstrations brought to light the ease with which hackers can penetrate systems that rely on outdated security models. Maor also shared insights from underground forums, offering a rare glimpse into the ways hackers plan and execute their attacks. This peek into the hacker’s world underscored the need for a more dynamic and forward-thinking approach to cybersecurity.
In contrast to the traditional on-premises solutions, Maor extolled the virtues of SASE architecture. He delineated how SASE’s convergence of network and security services into a single, cloud-native solution offers a more robust defense against the complexities of today’s cyber landscape. SASE’s adaptability, scalability, and integrated security posture make it a formidable opponent against the tactics employed by modern hackers.
The key takeaway from Maor’s speech was clear: the transition to cloud-based infrastructures demands a paradigm shift in our approach to cybersecurity. Traditional methods are no longer sufficient in this new digital battlefield. Businesses must embrace innovative solutions like SASE to stay ahead of cybercriminals.
As we navigate this complex cybersecurity landscape, Maor’s insights are not just thought-provoking but essential. To delve deeper into these concepts and fortify your organization’s cybersecurity posture, don’t miss Cato Networks’ Cybersecurity Master Class. This comprehensive resource offers a wealth of knowledge and strategies to combat the ever-evolving threat landscape.
Visit Cybersecurity Master Class webpage today and take the first step towards a more secure digital future.
Winning the 10G Race with Cato
The Need for Speed
The rapidly evolving technology and digital transformation landscape has ushered in increased requirements for high-speed connectivity to accommodate high-bandwidth application and service demands. Numerous use cases, such as streaming media, internet gaming, complex data analytics, and real-time collaboration, require we go beyond today’s connectivity trends to define new ones. Our ever-changing business landscape dictates that every transaction, every bit, and every byte will matter more tomorrow than it does today, so these use cases require a flexible and scalable network infrastructure to keep pace with innovation.
10G Enabling Industries
Bandwidth-hungry use cases continue to evolve, and the demand to accommodate them will continue to grow. To accommodate these use cases, today’s organizations must aggregate multiple 1G links, which introduces its own set of issues, including configuration, reliability, scalability, and maintenance. However, achieving these high-performance business requirements is now possible with 10 gigabits per second (10G) bandwidth, which is poised to become a key enabler of digital business. 10G has rapidly evolved into a necessity for modern digital companies, institutions, and governments, and all stand to benefit from this increased capacity. So, whether it is telemedicine, enterprise networking, or cloud computing, the requirement for 10G bandwidth will be driven by the requirement for predictable and reliable user experiences. This will revolutionize modern-day use cases across numerous industries and bring about new business opportunities for customers and service providers alike.
Another motivator for the move to 10G is the insatiable demand for scalable global connectivity. This demand dictates optimized networking and capacity that scales with the business as non-negotiable requirements for the future of digital business. 10G can deliver on these demands to accelerate networking capabilities, allowing it to exceed previous constraints to improve performance. However, despite the numerous enhancements 10G brings to modern bandwidth-hungry industries, an innovative platform that scales performance and ensures reliability is required to realize its full potential.
Achieving these benefits requires a unique architectural approach to scaling network capabilities while securely accelerating business innovation. This approach extracts core networking and security functions from the on-prem hardware edge. It then converges them into a single software stack on a global cloud-native service, making it easier to expand existing capacity to 10G without expensive hardware upgrades. This requires a SASE service that delivers the enhanced performance needed for digital industries and achieves maximum efficiency and effectiveness. This is only possible with a powerful platform like Cato.
More Efficient 10G with Cato SASE Cloud Platform
The Cato SASE Cloud platform is a global service built on top of a private cloud network of interconnected Points of Presence (PoPs) running the identical software stack. This is significant because the single-pass cloud engine (SPACE) powers the platform. Cato SPACE is a converged cloud-native engine that enables simultaneous network and security inspection of all traffic flows. It applies consistent global policies to these flows at speeds up to 10G per tunnel from a single site without expensive hardware upgrades. This is only possible because of the power of Cato SPACE and improvements made to our core to enable faster performance at the cloud edge.
Cato provides customers and partners with multi-layered resiliency built into an SLA-backed backbone that drives improved 10G performance, security, and reliability without compromise. Industries like manufacturing, media, healthcare, and performance sports present unique opportunities for predictable, reliable, high-performance experiences that only a robust platform can deliver. The Cato SASE Cloud and 10G dramatically alter the performance conversation for transformational industries and bring a new digital platform approach to modernizing their networks.
Cato SASE Cloud Platform and the TAG Heuer Porsche Formula E Team
Cato has introduced 10G at the 2024 Tokyo E-Prix, the perfect venue to highlight Cato's breakthrough performance. In the fast-paced world of Formula E, every second counts. The sport is intensively data-driven, where teams rely on their IT networks to analyze data and make critical, split-second strategy decisions to achieve a winning edge. Multiple computers in the car produce 100 to 500 billion data points per event, with more than 400 gigabytes of data generated and sent back to the cloud for analysis.
With 16 E-Prix this season, many in regions lacking Tokyo's developed infrastructure, the ABB FIA Formula E World Championship presents an incredible networking and security stress test. Cato SASE Cloud provides fast, secure, and reliable access to the TAG Heuer Porsche Formula E Team, regardless of location.
To learn more about Cato SASE Cloud, visit us at https://www.catonetworks.com/platform/
To learn more about Cato's partnership with the TAG Heuer Porsche Formula E Team, visit us at https://www.catonetworks.com/porsche-formula-e-team/.
When SASE-based XDR Expands into Network Operations: Revolutionizing Network Monitoring
Cato XDR breaks the mold: Now, one platform tackles both security threats and network issues for true SASE convergence.
SASE, or Secure Access Service Edge, represents the core evolution of today’s enterprise networks converging network and security functions into a single, unified, cloud-native architecture. Today's global work-from-anywhere model amplifies this need for IT to have centralized management of both network connectivity and comprehensive security. While simply said, comprehensive security entails the complexity of an amalgam of many different security tools. Complementing the SASE revolution is XDR (Extended Detection and Response), a powerful tool that analyzes data from various security solutions to provide a unified view of potential threats across the enterprise. SASE and XDR are powerful tools on their own, but even greater security benefits can be achieved by enabling them to work together more seamlessly. How do we make this happen?
Unlocking Security Potential: SASE + XDR
Tighter alignment between SASE and XDR unlocks the full potential of both, for a more robust security posture. While XDR tools excel in analyzing data from various security solutions, they could do much more with the right quality of data. This is where Cato recently announced our SASE-based XDR, which includes the industry’s broadest range of native security sensors. Traditionally, the XDR tool needs to “normalize” the diverse set of security data it ingests before it can be analyzed and threat levels can be established. This “normalization” dilutes the quality of the data and adds a layer of complexity. When data is diluted or of low quality, it becomes more challenging to distinguish legitimate threats from false positives. By eliminating the need to normalize data from disparate security solutions, and instead utilizing a broad range of pure, native data before determining threat levels, Cato’s XDR delivers a higher level of security with faster response times, all within the single management application of the Cato SASE Cloud Platform.
What SASE Needs From XDR
Cato XDR represents a significant advancement in security incident detection and response, emphasizing quality and efficiency. However, SASE is a combination of network and security. The intent of SASE is to empower the cohesiveness of network and security in order for enterprises to truly move at the speed of business. This means that a logical expectation for the XDR capabilities of a SASE platform is to also help IT detect issues on the network unrelated to security. Integrating robust network health monitoring capabilities into the central SASE architecture is vital. And guess what? This is precisely the direction we're headed!
Cato XDR: Security Stories Plus Network Stories
Introducing Network Stories for XDR, by Cato Networks. Network Stories for XDR focus on detection and remediation of connectivity and performance issues. They use the exact same XDR practices previously developed to detect cyber threats and attacks. Together, this offers a singular SASE-based XDR solution for SOC and NOC teams to collaborate on.
With Cato XDR, network stories and security stories seamlessly integrate within the same overarching SASE platform. For IT teams, this consolidation means managing the entire network and security infrastructure from a single, unified platform. From configuration and policy management, to ongoing monitoring, and now also to detection and remediation, network and security teams can collaborate efficiently using a single pane of glass. This unified, converged approach helps resolve both security and network issues faster, more cohesively, and more efficiently than ever before. Amazingly, in true platform architecture agility, Cato XDR is delivered with the flick of a switch, not by buying, deploying and integrating an entirely new product that adds complexity to the network and security stack.
Cato XDR unlocks the power of true SASE convergence, enabling security and network teams to collaborate seamlessly on a single platform.
The Role of AI in Network Stories for XDR
Cato XDR takes network incident detection to the next level with AI-powered Network Stories. These AI algorithms, in true SASE fashion, go beyond security, collecting network signals to pinpoint root causes of issues like blackouts, brownouts, BGP session disconnects, LAN host downs, and general HA (high-availability) impacts. Similar to security stories, AI/ML is utilized for incident prioritization based on calculated criticality, empowering IT teams to focus on incidents that have the biggest impact on business performance. This technology is truly “battle-tested” and proven effective through servicing Cato’s own NOC. Remediation time is further reduced with playbooks that contain guided steps for fast resolution.
Pushing SASE Limits for NOC/SOC Convergence
Cato provides the world’s leading single-vendor SASE platform as a secure foundation specifically built for the digital business. The Cato SASE Cloud Platform converges networking with a wide range of security capabilities into a global cloud-native service with a future-proof platform that is self-maintaining, self-evolving and self-healing.
Cato XDR takes SASE convergence a step further with Network Stories. It leverages Cato's proven AI and machine learning expertise, traditionally used for security analysis, and applies it to network health. Network Stories for XDR identify and remediate network issues such as blackouts and high-availability impacts, empowering IT teams to focus on incidents that most significantly impact business performance. This unified approach streamlines collaboration between security and network teams, enhancing efficiency and enabling faster resolution of issues. With Cato XDR, enterprises can realize the full potential of SASE convergence, achieving robust security and network performance on a single, future-proof platform.
Evasive Phishing Kits Exposed: Cato Networks’ In-Depth Analysis and Real-Time Defense
Phishing remains an ever-persistent and grave threat to organizations, serving as the primary conduit for infiltrating network infrastructures and pilfering valuable credentials. According to an FBI report, phishing is ranked number 1 among the top five Internet crime types.
Recently, the Cato Networks Threat Research team analyzed and mitigated through our IPS engine multiple advanced phishing kits, some of which include clever evasion techniques to avoid detection. In this analysis, the Cato Networks Research Team exposes the tactics, techniques, and procedures (TTPs) of the latest phishing kits.
Here are four recent instances where Cato successfully thwarted phishing attempts in real-time:
Case 1: Mimicking Microsoft Support
When a potential victim clicks on an email link, they are led to a web page presenting an 'Error 403' message, accompanied by a link purportedly connecting them to Microsoft Support for issue resolution, as shown in Figure 2 below:
Figure 2 - Phishing Landing Page
Upon clicking "Microsoft Support," the victim is redirected to a deceptive page mirroring the Microsoft support center, seen in Figure 3 below:
Figure 3 – Fake Microsoft Support Center Website
Subsequently, when the victim selects the “Microsoft 365” icon or clicks the “Signin” button, a pop-up page emerges, offering the victim a choice between “Home Support” and “Business Support”, shown in Figure 4 below:
Figure 4 – Fake Support Links
Opting for "Business Support" redirects them to an exact replica of a classic O365 login page, which is malicious of course, illustrated in Figure 5 below:
Figure 5 – O365 Phishing Landing Page
Case 2: Rerouting and Anti-Debugging Measures
In this scenario, a victim clicks on an email link, only to find themselves directed to an FUD phishing landing page, as illustrated in Figure 6 below. Upon scrutinizing the domain on VirusTotal, it's noteworthy that none of the vendors have flagged this domain as phishing. The victim is seamlessly rerouted through a Cloudflare captcha, a strategic measure aimed at thwarting anti-phishing crawlers, like urlscan.io.
Figure 6 – FUD Phishing Landing Page
In this example we’ll dive into the anti-debugging capabilities of this phishing kit. Oftentimes, security researchers will use the browser’s built-in “Developer Tools” on suspicious websites, allowing them to dig into the source code and analyze it. The phishing kit has cleverly integrated a function featuring a 'debugger' statement, typically employed for debugging purposes. Whenever a JavaScript engine encounters this statement, it abruptly halts the execution of the code, establishing a breakpoint. Attempting to resume script execution triggers the invocation of another such function, aimed at thwarting the researcher's debugging efforts, as illustrated in Figure 7 below.
Figure 7 – Anti-Debugging Mechanism
Alternatively, phishing webpages employ yet another layer of anti-debugging mechanisms. Once debugging mode is detected, a pop-up promptly emerges within the browser. This pop-up redirects any potential security researcher to a trusted and legitimate domain, such as microsoft.com. This is yet another means to ensure that the researcher is unable to access the phishing domain, as illustrated below:
Figure 8 – O365 Phishing Landing Page
Case 3: Deceptive Chain of Redirection
In this intriguing scenario, the victim was led to a deceptive Baidu link, leading them to access a phishing webpage. However, the intricacies of this attack go deeper. Upon accessing the Baidu link, the victim is redirected to a third-party resource that is intended for anti-debugging purposes. Subsequently, the victim is redirected to the O365 phishing landing page.
This redirection chain serves a dual purpose. It tricks the victim into believing they are interacting with a legitimate domain, adding a layer of obfuscation to the malicious activities at play. To further complicate matters, the attackers employ a script that actively checks for signs of security researchers attempting to scrutinize the webpage and then redirects the victim to the phishing landing page on a different domain, as demonstrated in Figure 9 below from urlscan.io:
Figure 9 – Redirection Chain
The third-party domain plays a pivotal role in this scheme, housing JavaScript code that is obfuscated using Base64 encoding, as revealed in Figure 10:
Figure 10 – Obfuscated JavaScript
Upon decoding the Base64 script, its true intent becomes apparent. The script is designed to detect debugging mode and actively prevent any attempts to inspect the resource, as demonstrated in Figure 11 below:
Figure 11 – De-obfuscated Anti-Debugging Script
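The anti-debugging tricks described in Cases 2 and 3 (a looping `debugger` trap, a DevTools check, a redirect to a legitimate domain, and the whole thing hidden inside a Base64 blob) can be flagged statically before anyone opens the page in a browser. The following is an added Python example, not Cato's detection engine or the kit's code; `SAMPLE_JS` is a constructed script that mimics the layering the figures show (Base64 text handed to `eval(atob(...))`), and the regexes are assumptions about what such code looks like.

```python
"""Static triage of a page script for anti-debugging tricks: `debugger`
traps, DevTools checks and redirect-away logic, including inside Base64 blobs.

Added example, not Cato's detection engine. SAMPLE_JS is constructed to
resemble the kit's layering (Base64 blob passed to eval/atob).
"""
import base64
import binascii
import re
from typing import Dict, List, Tuple

PATTERNS = {
    # breakpoint trap that fires again every time execution resumes
    "debugger_statement": re.compile(r"\bdebugger\b"),
    # common DevTools-open checks (window size delta, explicit 'devtools' names)
    "devtools_check": re.compile(
        r"devtools|outerWidth\s*-\s*(?:window\.)?innerWidth", re.I),
    # bounce the visitor to a real site once inspection is suspected
    "redirect_away": re.compile(
        r"(?:window\.)?location(?:\.href)?\s*=\s*['\"]https?://[^'\"]+['\"]"),
}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_blobs(js: str) -> List[str]:
    """Decode Base64 runs that turn out to be readable text (likely script)."""
    decoded = []
    for blob in B64_BLOB.findall(js):
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue
        text = raw.decode("ascii", errors="ignore")
        printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
        if text and printable / len(text) > 0.9:
            decoded.append(text)
    return decoded


def analyze_script(js: str) -> Dict[str, List[str]]:
    """Return pattern hits per layer ('plain' source or a decoded 'base64' blob)."""
    # Mask blobs in the plain layer so random Base64 bytes never match a pattern.
    layers: List[Tuple[str, str]] = [("plain", B64_BLOB.sub("<b64>", js))]
    layers += [("base64", text) for text in decode_blobs(js)]
    findings: Dict[str, List[str]] = {name: [] for name in PATTERNS}
    for layer, text in layers:
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                findings[name].append(f"{layer}: {m.group(0)[:60]}")
    return findings


def is_anti_debugging(js: str) -> bool:
    """A debugger trap alone, or a DevTools check paired with a redirect, is enough."""
    hits = analyze_script(js)
    return bool(hits["debugger_statement"]) or (
        bool(hits["devtools_check"]) and bool(hits["redirect_away"]))


# Constructed sample: the real logic is hidden in a Base64 blob fed to eval(atob()).
_INNER = (
    "function trap(){debugger; setTimeout(trap, 100);} trap();"
    "if (window.outerWidth - window.innerWidth > 160) {"
    " window.location.href = 'https://www.microsoft.com/'; }"
)
SAMPLE_JS = ("var page='loading';eval(atob('"
             + base64.b64encode(_INNER.encode()).decode() + "'));")

if __name__ == "__main__":
    for name, hits in analyze_script(SAMPLE_JS).items():
        print(name, hits)
```

Because hits are tagged with the layer they came from, an analyst can see at a glance that nothing suspicious appears in the plain source and everything lives in the decoded blob, which is itself a signal worth surfacing.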
Case 4: Drop the Bot!
A key component of a classic phishing attack is the drop URL. The attack's drop is used as a collection point for stolen information. The drop's purpose is to transfer the victim's compromised credentials into the attack's “Command and Control” (C2) panel once the user submits their personal details into the fake website's fields. In many cases, this is achieved by a server-side capability, primarily implemented using languages like PHP, ASP, etc., which serves as the backend component for the attack.
There are two common types of phishing drops:
- A drop URL hosted on the relative path of the phishing attack's server.
- A remote drop URL hosted on a different site than the one hosting the attack itself.
One drop to rule them all: an attacker can leverage one external drop in multiple phishing attacks to consolidate all the phished credentials into one phishing C2 server and make the adversary's life easier.
A recent trend involves using the Telegram Bot API URL as an external drop, where attackers create Telegram bots to facilitate the collection and storage of compromised credentials. In this way, the adversary can obtain the victim's credentials directly, even on their mobile device, anywhere and anytime, and can conduct the account takeover on the go. In addition to its effectiveness in aiding attackers, this method also facilitates evasion of anti-phishing solutions, as dismantling Telegram bots proves to be a challenging task.
Bot Creation Stage
Credentials Submission
Receiving credentials details of the victim on the mobile
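From the defender's side, the Telegram drop described above is easy to recognise once you know its shape: the Bot API URL carries the bot id and token in the path, and the chat id travels alongside it. The following is an added Python example (not Cato's IPS logic) that finds such drop endpoints in kit source or proxy logs, classifies a form's drop as local, remote or Telegram, and redacts the token so the finding can be shared safely. The token format assumed here (numeric bot id, colon, 35-character secret) follows Telegram's documented bot token shape; every sample token, host and log line is constructed.

```python
"""Find Telegram Bot API "drop" endpoints in phishing-kit source or proxy
logs, classify a form's drop, and redact the bot token for reporting.

Added example, not Cato's IPS logic. Sample tokens, hosts and log lines
are constructed; the token regex follows Telegram's documented format.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urljoin, urlparse

TELEGRAM_DROP = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d{6,12}):(?P<secret>[A-Za-z0-9_-]{30,40})"
    r"/(?P<method>sendMessage|sendDocument|sendPhoto)"
)
# chat_id may appear as a query parameter, a PHP array key or a JSON field.
CHAT_ID = re.compile(r"chat_id[^0-9-]{0,8}(?P<chat>-?\d{5,})")


def redact_token(bot_id: str, secret: str) -> str:
    """Keep the bot id (needed for an abuse report) and hide the secret."""
    return f"{bot_id}:{secret[:4]}****"


def find_telegram_drops(text: str) -> List[Dict[str, Optional[str]]]:
    hits = []
    for m in TELEGRAM_DROP.finditer(text):
        chat = CHAT_ID.search(text, m.end())  # chat id usually follows the URL
        hits.append({
            "bot_id": m.group("bot_id"),
            "token": redact_token(m.group("bot_id"), m.group("secret")),
            "method": m.group("method"),
            "chat_id": chat.group("chat") if chat else None,
        })
    return hits


def classify_drop(form_action: str, page_url: str) -> str:
    """'local' (relative path / same host), 'telegram', or 'remote' drop."""
    target = urljoin(page_url, form_action)
    if TELEGRAM_DROP.match(target):
        return "telegram"
    same_host = urlparse(target).netloc == urlparse(page_url).netloc
    return "local" if same_host else "remote"


def scan_logs(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Run the drop finder over log lines; keeps the leading timestamp field."""
    results = []
    for line in lines:
        for hit in find_telegram_drops(line):
            results.append({**hit, "log_ts": line.split(" ", 1)[0]})
    return results


# Constructed sample secret (35 chars), kit fragment and proxy log lines.
SAMPLE_SECRET = "A" * 35
SAMPLE_KIT = f"""
$token = "123456789:{SAMPLE_SECRET}";
$url = "https://api.telegram.org/bot123456789:{SAMPLE_SECRET}/sendMessage";
$data = ['chat_id' => '987654321', 'text' => "user: $email pass: $pass"];
"""
SAMPLE_LOGS = [
    '2024-03-01T10:00:00Z src=10.0.0.5 method=POST url="https://api.telegram.org/bot123456789:'
    + SAMPLE_SECRET + '/sendMessage?chat_id=-1001234567890&text=creds" ua=curl/8.0',
    '2024-03-01T10:00:01Z src=10.0.0.6 method=GET url="https://www.example.test/" ua=Mozilla/5.0',
]

if __name__ == "__main__":
    print(find_telegram_drops(SAMPLE_KIT))
    print(scan_logs(SAMPLE_LOGS))
```

Outbound POSTs from web servers to `api.telegram.org/bot...` are rarely legitimate in a server farm, so the same regex makes a cheap egress-log detection as well as a kit-analysis aid.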
How Cato protects you against FUD (Fully Undetectable) Phishing
With Cato's FUD Phishing Mitigation, we offer organizations a dynamic and proactive defense against a wide spectrum of phishing threats, ensuring that even the most sophisticated attackers are thwarted at every turn.
Cato’s Security Research team uses advanced tools and strategies to detect, analyze, and build robust protection against the latest phishing threats. Our protective measures leverage advanced heuristics, enabling us to discern legitimate webpage elements camouflaged in malicious sites. For instance, our system can detect anomalies like a genuine Office 365 logo embedded in a site that is not affiliated with Microsoft, enhancing our ability to safeguard against such deceptive tactics. Furthermore, Cato employs a multi-faceted approach, integrating threat intelligence feeds and newly registered domain identification to proactively block phishing domains. Additionally, our arsenal includes sophisticated machine learning (ML) models designed to identify potential phishing sites, including specialized models to detect cybersquatting and domains created using Domain Generation Algorithms (DGA).
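Two of the signals mentioned above, brand lookalikes (cybersquatting) and DGA-style random labels, can be approximated with simple heuristics before any ML model is involved. The following is an added Python example, not Cato's models; the brand watchlist, allowlist, homoglyph table and thresholds are constructed for illustration, and the apex-domain split ignores multi-part public suffixes such as co.uk.

```python
"""Brand lookalike (cybersquatting) and DGA-likeness heuristics for domains.

Added example, not Cato's ML models. Watchlist, allowlist, homoglyph table
and thresholds are constructed for illustration.
"""
import math
from collections import Counter
from typing import Dict, List

BRANDS = {"microsoft", "sharepoint", "outlook", "onedrive"}   # constructed watchlist
ALLOWLIST = {"microsoft.com", "sharepoint.com", "live.com"}    # constructed, brand-owned
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def apex_domain(domain: str) -> str:
    """Last two labels ('micr0soft.test'). Simplified: ignores suffixes like co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def normalize(label: str) -> str:
    """Undo common look-alike substitutions so 'rnicr0soft' compares as 'microsoft'."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def score_domain(domain: str) -> Dict[str, object]:
    apex = apex_domain(domain)
    label = apex.split(".")[0]
    allowlisted = apex in ALLOWLIST
    norm = normalize(label)
    core = norm.replace("-", "")                     # 'microsoft-support' -> 'microsoftsupport'
    brand_hits: List[str] = [b for b in BRANDS if b in core]
    brand_in_label = not allowlisted and bool(brand_hits)
    lookalike = not allowlisted and min(levenshtein(norm, b) for b in BRANDS) <= 2
    # DGA-style labels: long, high entropy, few vowels (thresholds are assumptions)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / max(len(label), 1)
    dga_like = len(label) >= 12 and shannon_entropy(label) > 3.5 and vowel_ratio < 0.3
    suspicious = lookalike or brand_in_label or dga_like
    return {
        "domain": domain, "apex": apex, "allowlisted": allowlisted,
        "brand_hits": brand_hits, "brand_in_label": brand_in_label,
        "lookalike": lookalike, "dga_like": dga_like,
        "verdict": "allow" if allowlisted else ("suspicious" if suspicious else "unknown"),
    }


if __name__ == "__main__":
    for d in ["microsoft.com", "micr0soft.test", "rnicrosoft-support.test",
              "xk3jd9qzlwp2bvn7.test", "contoso.test"]:
        print(score_domain(d))
```

An "unknown" verdict is where the newly-registered-domain feed and the logo-on-the-wrong-domain heuristic from the paragraph above earn their keep; these string checks are a first filter, not a final answer.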
The example below, taken from Cato’s XDR, is just one part of the arsenal of tools used by the Cato Research Team, specifically showing auto-detection of a blocked phishing attack by Cato’s Threat Prevention capabilities.
IOCs:
leadingsafecustomers[.]com
Reportsecuremessagemicrosharepoint[.]kirkco[.]us
baidu[.]com/link?url=UoOQDYLwlqkXmaXOTPH-yzlABydiidFYSYneujIBjalSn36BarPC6DuCgIN34REP
Dandejesus[.]com
bafkreigkxcsagdul5r7fdqwl4i4zg6wcdklfdrtu535rfzgubpvvn65znq[.]ipfs.dweb[.]link
4eac41fc-0f4f23a1[.]redwoodcu[.]live
Redwoodcu[.]redwoodcu[.]live
Lessons on Cybersecurity from Formula E
The ABB FIA Formula E World Championship is an exciting evolution of motorsports, having launched its first season of single-seater all-electric racing in 2014. The first-generation cars featured a humble 200kW of power, but as technology has progressed, the current season Gen3 cars now have 350kW. Season 10 is currently in progress with 16 global races, many taking place on street circuits. Manufacturers such as Porsche, Jaguar, Maserati, Nissan, and McLaren participate, and their research and development for racing benefits design and production of consumer electric vehicles.
Racing electric cars adds additional complexity when compared to their internal combustion counterparts; success relies heavily on teamwork, strategy, and reliable data. Most notable is the simple fact that each car does not have enough total power capacity to complete a race. Teams must balance speed with regenerating power if they want to finish the race, using data to shape the strategy that will hopefully land their drivers on the podium.
Building an effective cybersecurity strategy draws many parallels with the high-pressure world of Formula E racing. CISOs rely on accurate and timely data to manage their limited resources: time, people, and money to stay ahead of bad actors and emerging threats. Technology investments designed to increase security posture could require too many resources, leaving organizations unable to fully execute their strategy.
Adding to the excitement and importance of strategy in Formula E racing is “Attack Mode.” Drivers can activate attack mode at a specific section of the track, delivering an additional 50kW of power twice per race for up to eight minutes total. Attack mode rewards teams that can effectively use the real-time telemetry collected from the cars to plan the best overall strategy. Using Attack mode too early or too late can significantly impact where the driver places at the race's end.
In a similar way, SASE is Attack Mode for enterprise cybersecurity and networking. Organizations that properly strategize and adopt cloud-native SASE solutions that fully converge networking and security gain powerful protection and visibility against threats, propelling their security postures forward in the never-ending race against bad actors. While the overall strategy is still critical to success, SASE not only provides superior data quality for investigation and remediation, but also allows faster and more accurate decision making.
As mentioned above, cars like the TAG Heuer Porsche Formula E Team’s Porsche 99x Electric have increased significantly in power over time, and this should also be true of SASE platforms. At Cato Networks, we deliver more than 3,000 product enhancements every year, including completely new capabilities. The goal is not to have the most features, but, like the automotive manufacturers mentioned previously, to build the right capabilities in a usable way.
Cybersecurity requires balancing of multiple factors to deliver the best outcomes and protections; like Formula E, speed is important, but so is reliability and visibility. Consider that every SASE vendor is racing for your business, but not all of them can successfully deliver in all the areas that will make your strategy a success. Pay keen attention to traffic performance, intelligent visibility that helps you to identify and remediate threats, global presence, and the ability of the vendor to deliver meaningful new capabilities over time rather than buzzwords and grandiose claims. After all, in any race the outcomes are what matter, and we all want to be on the podium for making our organizations secure and productive.
Cato Networks is proud to be the official SASE partner of the TAG Heuer Porsche Formula E Team. Learn more about this exciting partnership here: https://www.catonetworks.com/porsche-formula-e-team/
WANTED: Brilliant AI Experts Needed for Cyber Criminal Ring
In a recent ad on a closed Telegram channel, a known threat actor has announced it’s recruiting AI and ML experts for the development of its own LLM product.
Threat actors and cybercriminals have always been early adopters of new technology: from cryptocurrencies to anonymization tools to using the Internet itself. While cybercriminals were initially very excited about the prospect of using LLMs (Large Language Models) to support and enhance their operations, reality set in very quickly: these systems have a lot of problems and are not a “know it all, solve it all” solution. This was covered in one of our previous blogs, where we reported a discussion about this topic in a Russian underground forum, where the conclusion was that LLMs are years away from being practically used for attacks.
The media has been reporting in recent months on different ChatGPT-like tools that threat actors have developed and that are being used by attackers, but once again, the reality was quite different. One such example is the wide reporting about WormGPT, a tool that was described as a malicious AI tool that can be used for anything from disinformation to actual attacks. Buyers of this tool were not impressed with it, seeing it was just a ChatGPT bot with the same restrictions and hallucinations they were familiar with. Feedback about this tool soon followed:
With an urge to utilize AI, a known Russian threat actor has now advertised a recruitment message in a closed Telegram channel, looking for a developer to develop their own AI tool, dubbed xGPT. Why is this significant? First, this is a known threat actor that has already sold credentials and access to US government entities, banks, mobile networks, and other victims. Second, it looks like they are not trying to just connect to an existing LLM but rather develop a solution of their own. In this ad, the threat actor explicitly details they are looking to “push the boundaries of what’s possible in our field” and are looking for individuals who “have a strong background in machine learning, artificial intelligence, or related fields.”
Developing, training, and deploying an LLM is not a small task. How can threat actors hope to perform this task, when enterprises need years to develop and deploy these products? The answer may lie in the recently announced GPTs, the customized ChatGPT agent product announced by OpenAI. Threat actors may create ChatGPT instances (and offer them for sale), that differ from ChatGPT in multiple ways. These differences may include a customized rule set that ignores the restrictions imposed by OpenAI on creating malicious content. Another difference may be a customized knowledge base that may include the data needed to develop malicious tools, evade detection, and more. In a recent blog, Cato Networks threat intelligence researcher Vitaly Simonovich explored the introduction and the possible ways of hacking GPTs.
It remains to be seen how this new product will be developed and sold, as well as how well it performs when compared to the disappointing (to the cybercriminals end) introduction of WormGPT and the like. However, we should keep in mind this threat actor is not one to be dismissed and overlooked.
When Patch Tuesday becomes Patch Monday – Friday
If you're an administrator running Ivanti VPN (Connect Secure and Policy Secure) appliances in your network, then the past two months have likely made you wish you weren't. In a relatively short timeframe, bad news kept piling up for Ivanti Connect Secure VPN customers, starting on Jan. 10th, 2024, when Ivanti disclosed a critical and a high severity vulnerability, CVE-2024-21887 and CVE-2023-46805 respectively, impacting all supported versions of the product. Chaining these two vulnerabilities, a command injection weakness and an authentication bypass, could result in remote code execution on the appliance without any authentication. This enables complete device takeover and opens the door for attackers to move laterally within the network.
This was followed three weeks later, on Jan. 31st, 2024, by two more high severity vulnerabilities, CVE-2024-21888 and CVE-2024-21893, prompting CISA to supersede its previous directive to patch the two initial CVEs, by ordering all U.S. Federal agencies to disconnect from the network all Ivanti appliances “as soon as possible” and no later than 11:59 PM on February 2nd.
As patches were gradually made available by Ivanti, the recommendation from both CISA and Ivanti has been not only to patch impacted appliances but to first factory reset them and only then apply the patches, so that an attacker already on the device cannot persist through the upgrade. It goes without saying that the downtime and the amount of work required from security teams to keep the business' remote access running are, putting it mildly, substantial.
In today's "work from anywhere" market, businesses cannot afford downtime of this magnitude; the loss of employee productivity when remote access is down has a direct impact on the bottom line. Security teams and CISOs running Ivanti and similar on-prem VPN solutions need to accept that this security architecture is fast becoming, if not already, obsolete and should be left in the past. Migrating to a modern ZTNA deployment, preferably as part of a single-vendor SASE solution, has countless benefits. Not only does it greatly increase security within the network, stopping lateral movement and limiting the "blast radius" of an attack, but it also relieves the burden of patching, monitoring, and maintaining the bottomless pit of geographically distributed physical appliances from multiple vendors.
Details of the vulnerabilities
CVE-2023-46805: Authentication Bypass (CVSS 8.2)
Found in the web component of Ivanti Connect Secure and Ivanti Policy Secure (versions 9.x and 22.x).
Allows remote attackers to access restricted resources by bypassing control checks.
CVE-2024-21887: Command Injection (CVSS 9.1)
Identified in the web components of Ivanti Connect Secure and Ivanti Policy Secure (versions 9.x and 22.x).
Enables authenticated administrators to execute arbitrary commands via specially crafted requests.
CVE-2024-21888: Privilege Escalation (CVSS 8.8)
Discovered in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x).
Permits users to elevate privileges to that of an administrator.
CVE-2024-21893: Server-Side Request Forgery (SSRF) (CVSS 8.2)
Present in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x), and Ivanti Neurons for ZTA.
Allows attackers to access restricted resources without authentication.
CVE-2024-22024: XML External Entity (XXE) Vulnerability (CVSS 8.3)
Detected in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x), and ZTA gateways.
Permits unauthorized access to specific restricted resources.
Specifically, by chaining CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893, attackers can bypass authentication and obtain root privileges, giving them full control of the system. The first two CVEs were observed being chained together in attacks going back to December 2023, i.e. well before the vulnerabilities were published. With estimates of internet-connected Ivanti VPN gateways ranging from ~20,000 (Shadowserver) to ~30,000 (Shodan), and with public PoCs widely available, it is imperative that anyone running unpatched versions applies the patches and follows Ivanti's best practices to make sure the system is not compromised.
Conclusion
In times when security and IT teams are under more pressure than ever to make sure business and customer data are protected, with CISOs possibly even facing personal liability for data breaches, it has become imperative to implement comprehensive security solutions and to stop duct-taping assorted security products and appliances together in the network.
Moving to a fully cloud-delivered, single-vendor SASE solution not only provides the full suite of modern security any organization needs, such as ZTNA, SWG, CASB, DLP, and much more, but also greatly reduces the maintenance required when running multiple products and appliances. Quite simply, it eliminates the need to chase CVEs, apply patches in endless loops, and deal with staff burnout. Networking and security infrastructure is consumed like any other cloud-delivered service, allowing security teams to focus on what matters.
Demystifying GenAI security, and how Cato helps you secure your organization's access to ChatGPT
Over the past year, countless articles, predictions, prophecies and premonitions have been written about the risks of AI, with GenAI (Generative AI) and ChatGPT at the center, ranging from its ethics to far-reaching societal and workforce implications ("No Mom, The Terminator isn't becoming a reality... for now"). Cato security research and engineering were so fascinated by the prognostications and worries that we decided to examine the risks ChatGPT poses to businesses. What we found can be summarized in several key conclusions:
There is presently more scaremongering than actual risk to organizations using ChatGPT and the likes.
The benefits to productivity far outweigh the risks.
Organizations should nonetheless be deploying security controls to keep their sensitive and proprietary information from being used in tools such as ChatGPT since the threat landscape can shift rapidly.
Concerns explored
A good deal of said scaremongering is around the privacy aspect of ChatGPT and the underlying GenAI technology. The concern -- what exactly happens to the data being shared in ChatGPT; how is it used (or not used) to train the model in the background; how it is stored (if it is stored) and so on.
The issue is the risk of data breaches and leaks of a company's intellectual property when users interact with ChatGPT. Some typical scenarios:
Employees using ChatGPT – A user uploads proprietary or sensitive information to ChatGPT, such as a software engineer pasting a block of code to have it reviewed by the AI. Could this code later be leaked through replies (inadvertently or maliciously) in other accounts if the model uses that data to further train itself? Spoiler: Unlikely, and no actual demonstration of systematic exploitation has been published.
Data breaches of the service itself – What exposure does an organization using ChatGPT have if OpenAI is breached, or if user data is exposed through bugs in ChatGPT? Could sensitive information leak this way? Spoiler: Possibly; at least one public incident was reported by OpenAI in which some users saw other users' chat titles in their own account due to a bug in OpenAI's infrastructure.
Proprietary GenAI implementations – AI already has its own dedicated MITRE framework of attacks, ATLAS, with techniques ranging from input manipulation to data exfiltration, data poisoning, inference attacks and so on. Could an organization's sensitive data be stolen through these methods? Spoiler: Yes; methods range from harmless to theoretical all the way to practical, as showcased in a recent Cato Research post on the subject. In any case, securing proprietary implementations of GenAI is outside the scope of this article.
There’s always a risk in everything we do. Go onto the internet and there’s also a risk, but that doesn’t stop billions of users from doing it every day. One just needs to take the appropriate precautions. The same is true with ChatGPT. While some scenarios are more likely than others, by looking at the problem from a practical point of view one can implement straightforward security controls for peace of mind.
Everything You Wanted To Know About AI Security But Were Afraid To Ask | Watch the Webinar: https://catonetworks.easywebinar.live/registration-everything-you-wanted-to-know-about-ai-security
GenAI security controls
In a modern SASE architecture that includes CASB and DLP as part of the platform, these use cases are easily addressable. Cato's platform, being exactly that, offers a layered approach to securing the use of ChatGPT and similar applications inside the organization:
Control which applications are allowed, and which users/groups are allowed to use those applications
Control what text/data is allowed to be sent
Enforce application-specific options, e.g. opting out of data retention, tenant control, etc.
The first step is defining which AI applications are allowed and which user groups may use them. This can be done by combining the "Generative AI Tools" application category with the specific tools to allow, e.g., blocking all GenAI tools and allowing only "OpenAI".
A cornerstone of an advanced DLP solution is its ability to reliably classify data, and the legacy approaches of exact data matches, static rules and regular expressions are now all but obsolete when used on their own. For example, blocking a credit card number would be simple using a regular expression but in real-life scenarios involving financial documents there are many other means by which sensitive information can leak. It would be nearly pointless to try and keep up with changing data and fine-tuning policies without a more advanced solution that just works.
Luckily, that is exactly where Cato's ML (Machine Learning) Data Classifiers come in. This is the latest addition to the expansive array of AI/ML capabilities Cato has integrated into the platform over the years. Our in-house LLM (Large Language Model), trained on millions of documents and data types, can natively identify document types in real time, making it the right tool for such policies. Let's look at the scenario of blocking specific text input to ChatGPT, for example uploading confidential or sensitive data through the prompt. Say an employee from the legal department is drafting an NDA (non-disclosure agreement) and, before finalizing it, hands it to ChatGPT to review and suggest improvements, or even just to check the grammar. This could obviously violate the company's privacy policies, especially if the document contains PII.
Figure 1 - Example rule to block upload of Legal documents, using ML Classifiers
We can go deeper
To further demonstrate the power and flexibility of a comprehensive CASB solution, let us examine an additional aspect of ChatGPT's privacy controls. There is an option in the settings to disable "Chat history & training", essentially letting users decide that they do not want their data to be used for training the model or retained on OpenAI's servers. This important privacy control is off by default; that is, by default all chats ARE saved by OpenAI and users are opted in, something an organization should avoid in any work-related activity with ChatGPT.
Figure 2 - ChatGPT's data control configuration
A good way to strike a balance between allowing users the flexibility to use ChatGPT but under stricter controls is only allowing chats in ChatGPT that have chat history disabled. Cato’s CASB granular ChatGPT application allows for this flexibility by being able to distinguish in real-time if a user is opted-in to chat history and block the connection before data is sent.
Figure 3 – Example rule for “training opt-out” enforcement
Lastly, as an alternative (or complementary) approach to the above, it is possible to configure Tenant Control for ChatGPT access, i.e., enforce which accounts are allowed when accessing the application. In a typical scenario an organization has corporate ChatGPT accounts with default security and data control policies enforced for all employees, and wants to make sure employees do not access ChatGPT with personal accounts on the free tier.
Figure 4 - Example rule for tenant control
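The three layers above (app allow-list, content inspection, app-specific options such as training opt-out and tenant control) can be modelled as a small policy engine. The following is an added illustration, not Cato's rule syntax or code; the app names, the corporate domain, the request fields and the regex-plus-Luhn card check are constructed assumptions. It also shows the limitation the text describes: the regex layer catches a card number but lets an NDA draft through, which is the gap an ML document classifier fills.

```python
import re
from dataclasses import dataclass

# Hypothetical policy model of the layered approach (not Cato's configuration).
ALLOWED_GENAI_APPS = {"OpenAI"}            # "Generative AI Tools" category, allow only OpenAI
ALLOWED_TENANT_DOMAINS = {"example.com"}   # constructed corporate account domain
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # candidate card numbers, spaces/dashes allowed


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary 16-digit strings are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_card_number(text: str) -> bool:
    """Legacy-style DLP check: regex candidate plus Luhn validation."""
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


@dataclass
class Request:
    app: str              # application as identified by the CASB
    category: str         # application category
    user_email: str       # account used to sign in (tenant control)
    history_enabled: bool # "Chat history & training" still on (opted in)
    prompt: str           # text being sent


def evaluate(req: Request) -> tuple:
    """Return (verdict, reason) for one upload; the first matching layer wins."""
    if req.category == "Generative AI Tools" and req.app not in ALLOWED_GENAI_APPS:
        return "block", "app not allowed"
    if req.user_email.rsplit("@", 1)[-1].lower() not in ALLOWED_TENANT_DOMAINS:
        return "block", "tenant control: personal account"
    if req.history_enabled:
        return "block", "chat history & training must be opted out"
    if contains_card_number(req.prompt):
        return "block", "DLP: card number in prompt"
    return "allow", "ok"   # an NDA draft with no card number passes this layer
```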
To learn more about Cato’s CASB and DLP visit:
https://www.catonetworks.com/platform/cloud-access-security-broker-casb/
https://www.catonetworks.com/platform/data-loss-prevention-dlp/
Fake Data Breaches: Why They Matter and 12 Ways to Deal with Them
As a Chief Information Security Officer (CISO), you have the enormous responsibility of safeguarding your organization's data. If you're like most CISOs, your worst fear is receiving a phone call in the middle of the night from one of your information security team members informing you that the company's data is being sold on popular hacking forums.
This is what happened recently with Europcar, part of the Europcar Mobility Group and a leading car and light commercial vehicle rental company. The company found that nearly 50 million customer records were for sale on the dark web. Stranger still, after a quick investigation the company found that the data being sold was fake. A relief, no doubt, but even fake data should concern a CISO. Here's why, and what companies can do to protect themselves.
A screenshot from an online hacking forum indicating a data breach at Europcar.com, with a user named "lean" offering personal data from 50 million users for sale.
Why Care About Fake Data?
The main reason for selling fake data from a "breach" is to make money, often in ways unrelated to the targeted enterprise. But even when attackers profit in a way that doesn't seem to harm the enterprise, CISOs need to be concerned, as attackers may have other motives, such as:
Distraction and Misdirection: By selling fake data, threat actors could attempt to distract the company's security team. Whi