Cato Adds Threat Hunting Capabilities to Cato Cloud

Last week, we announced new security capabilities as part of our advanced security services. Cato Threat Hunting System (CTHS) is a set of algorithms and procedures developed by Cato Research Labs that dramatically reduces the time to detect threats across enterprise networks. CTHS is not only incredibly accurate but also requires no additional infrastructure on a customer’s network.


It’s no secret that despite their investment in perimeter security, enterprises continue to battle malware infections. According to Gartner, “Midsize enterprises (MSEs) are being targeted with the highest rate of malware in email traffic, representing one in 95 emails received. Worse yet, 80% of breaches go undetected. The median attack dwell time from compromise to discovery is 101 days.”*

Traditional threat hunting attempts to reduce malware dwell time by proactively looking for network threats using endpoint and network detection, third-party event logs, SIEM platforms, managed detection and response services, and other tools. These approaches require deploying dedicated collection infrastructure, whether on endpoints or in the network, and applying specialized human expertise.

Endpoint sensors invariably miss IoT devices (which can’t run agents), personal mobile devices, and other network devices. They also make deployment more complicated, as sensor operation is frequently disrupted by updates to endpoint software such as operating systems and anti-virus products. At the same time, network sensors often lack the necessary visibility: network address translation (NAT), firewalls, and the widespread use of encryption all obscure what a network sensor can see.

The log data collected and passed to the SIEM run by security analysts also lacks sufficient context for hunting threats. The security tools generating the event logs necessarily omit details that are irrelevant to their own operation but very relevant to finding threats. URL or Web filters, for example, will indicate that there has been an attempt to access a “bad URL” but fail to provide the additional flow information needed to determine whether the cause is a live infection or simply a user’s bad browsing habits.


By leveraging Cato Cloud, CTHS addresses the deployment challenges, data quality, and lack of context limiting threat hunting systems. As the corporate network connecting all sites, cloud resources, and mobile users to one another and the public Internet, Cato Cloud already has visibility into all site-to-site and Internet traffic. CTHS uses this rich dataset; no additional data collection infrastructure is necessary. Working with actual network traffic data, not logs, provides CTHS with the full context for every IP address, session, and flow. SSL traffic can be decrypted in real-time to deepen that dataset.

Multidimensional, machine-learning algorithms developed by Cato Research Labs continuously hunt that massive data warehouse for threats across Cato customers. One dimension evaluated is the client generating the flow. Instead of categorizing the flow source by a domain or IP address, CTHS identifies the type of application generating the flow. A browser window operated by a user at a keyboard is very different from a browser process that communicates with the Internet without presenting any window to the user. The nature of the client application is a high-quality indicator of malware activity.

Another dimension is the destination or target. Typically, threat detection systems rely in part on third-party reputation services to identify C&C servers and other malicious targets. But attackers can game reputation services, potentially masking malicious targets. Instead, Cato Research Labs developed a “popularity” indicator that is immune to such tactics. Popularity is calculated from how frequently a domain is accessed across all Cato customers. Low-frequency access is a risk factor that can be validated against the other dimensions. Moreover, machine learning algorithms are applied to detect auto-generated domain names — another risk factor pertaining to the target.

The third dimension is time. Malware shows specific network characteristics over time, such as periodically communicating with a C&C server. Usually, security tools are unable to spot these trends as they only look for events at specific points in time. CTHS, however, looks across time to identify network activity that might indicate a threat. By putting those three contexts together — source, target and time — CTHS can spot communications likely to indicate a threat.
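A toy illustration of how the three dimensions (client type, target popularity, timing) can be combined over flow records, as an added example that is not Cato's code: the records, field names, the "headless" client label and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (tenant, host, client_type, domain, epoch_seconds).
# First four rows: a headless client hitting a rare domain every ~300 s (beacon-like);
# remaining rows: interactive browsing of a domain seen across several tenants.
FLOWS = [
    ("acme", "pc-17", "headless", "update-cdn-x.example", 1000),
    ("acme", "pc-17", "headless", "update-cdn-x.example", 1302),
    ("acme", "pc-17", "headless", "update-cdn-x.example", 1599),
    ("acme", "pc-17", "headless", "update-cdn-x.example", 1901),
    ("acme", "pc-03", "browser", "news.example", 1000),
    ("acme", "pc-03", "browser", "news.example", 1040),
    ("acme", "pc-03", "browser", "news.example", 1700),
    ("globex", "lap-9", "browser", "news.example", 1500),
    ("initech", "ws-2", "browser", "news.example", 1600),
]

def popularity(flows):
    """Distinct tenants per domain; a low count is a target-side risk factor."""
    tenants = defaultdict(set)
    for tenant, _, _, domain, _ in flows:
        tenants[domain].add(tenant)
    return {d: len(t) for d, t in tenants.items()}

def periodicity(timestamps):
    """Coefficient of variation of inter-arrival gaps; near 0 means regular beaconing."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None  # too few flows to judge timing
    return pstdev(gaps) / mean(gaps)

def score_pairs(flows, min_popularity=2, max_cv=0.1):
    """List the risk factors present for each (host, domain) pair; thresholds are assumed."""
    pop = popularity(flows)
    groups = defaultdict(list)
    for _, host, client, domain, ts in flows:
        groups[(host, domain)].append((client, ts))
    result = {}
    for (host, domain), items in groups.items():
        cv = periodicity([ts for _, ts in items])
        reasons = []
        if any(c == "headless" for c, _ in items):
            reasons.append("non-interactive client")
        if pop[domain] < min_popularity:
            reasons.append("low popularity")
        if cv is not None and cv < max_cv:
            reasons.append("periodic timing")
        result[(host, domain)] = reasons
    return result
```

Only the pair that trips all three dimensions would be worth escalating for human review; a single factor on its own (for example, a popular domain polled regularly by an updater) is not.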

Cato’s world-class Security Operations Center (SOC) then validates events flagged by CTHS. Because of the multi-dimensional analysis, a considerable number of events and indicators can be reduced to a small number of events that require human verification. If a threat is verified, the Cato SOC team notifies the customer and uses the CTHS output to harden Cato’s prevention layers to detect and stop future malicious activities for all Cato customers. By learning from all customer traffic, Cato can spot and protect against threats far faster and more efficiently than any one enterprise.


Cato Threat Hunting System is a natural extension of Cato Cloud security services that requires no additional hardware to bring threat protection to locations, mobile users, and cloud resources.

To learn more about CTHS, visit us at InfoSec London, stand H60. Elad Menahem, head of security research, and Avidan Avraham, security researcher, will be presenting details of CTHS in their InfoSec Tech Talk entitled “Improved C&C Traffic Detection Using Multidimensional Model and Network Timeline Analysis,” on Wednesday, 6th June, at 16:00 – 16:25.

Can’t make it there? You can learn more about our advanced threat protection services, or drop us a line here for more information about CTHS.

*Gartner, Inc. “Midsize Enterprise Playlist: Security Actions That Scale,” Neil Wynne and James A. Browning, May 2018 (login required)
