Network Security Solutions to Support Remote Workers and Digital Transformation

Dave Greenfield
March 14, 2021

Attack surface – noun: The attack surface of an enterprise network environment is the sum of the different points (the attack vectors) where an unauthorized user can try to enter the network to execute a malicious intent, such as stealing data or disrupting operations.

A basic security measure is to keep the attack surface as small as possible. That’s a tall order as organizations undertake the simultaneous processes of digital transformation and network evolution. In addition to legacy data centers, enterprises now have extensive assets in the cloud as well as in branch and remote offices and, increasingly, in workers’ own homes. Each of these expansions adds new entry points, greatly enlarging the attack surface.

The way to shrink it back to a manageable size is with effective network security solutions, which in their own right require an evolution from legacy security appliances to a secure access service edge (SASE) architecture. By converging networking and security in the cloud, SASE provides enterprises with the means to monitor all traffic in real-time and apply strong defense mechanisms at every point of the attack surface, thus minimizing an attacker’s ability to succeed in his nefarious mission.

SASE Solutions Converge Network and Security While Working with Legacy Architectures

Digital transformation is high on every executive’s to-do list, and it’s founded on the principles of innovation, business agility, and speed of delivery of products and services. For most organizations, the cloud is a critical piece of their transformation. This has necessitated a rethink of the WAN architecture. The legacy hub-and-spoke architecture is pure kryptonite to cloud application performance, because every cloud-bound flow is first backhauled through the central data center. This has led enterprises to adopt SD-WAN technology, which lets them stop bringing all traffic back to a central data center and instead route traffic directly to branches or the cloud, as needed. Direct Internet access (DIA) is enabled as well.

While SD-WAN can enhance application performance through traffic prioritization and steering, it fails to satisfy enterprise needs for strong security. What’s more, since SD-WAN appliances sit atop the underlying network infrastructure, the need for a high-performance and reliable network backbone is left unaddressed as well. Organizations require a WAN that is capable of optimizing traffic flow between any two points – not just to/from the enterprise LAN – without compromising security.

The Cato Cloud, the world’s first SASE platform, enables an organization to achieve this. Cato converges SD-WAN, a global private backbone, a full network security stack, and seamless support for cloud resources and remote workers and their mobile devices. It is an architectural transformation that, while working with existing legacy technologies, also allows enterprise IT teams to advance networking and security to provide a holistic, agile, and adaptable service for the entire digital business.

The Cato SASE solution is built on a cloud-native and cloud-based architecture that is distributed globally across 60+ Points of Presence (PoPs). All of the PoPs are interconnected with each other in a full mesh by multiple tier-1 carriers with SLAs on loss and latency, forming a high-performance private core network called the Cato Cloud. The global network connects and secures all edges—all locations, all users regardless of where they are, all clouds, and all applications.

The PoPs are also where security is deployed, making it available to all traffic entering the Cato Cloud network. This is far more practical and cost effective than deploying security appliances at the various branch and home office locations.

Native Security is a Core Component of the Cato Cloud

Security has never been an add-on feature for Cato; rather, it’s a core component that has been built-in from the ground up. The networking component and the security component are part of the same code base. As traffic passes through the network, it is evaluated simultaneously for security issues and network routing—and then it is routed over Cato’s private backbone.

Having network and security all on one platform, in a single-pass solution, has the advantage of deep visibility at wire-speed even if the traffic is encrypted. The security inspection tools see everything on the network, not just logs. This provides deep and broad context – in Cato’s case, the context of all customers, not just one – to understand everything that is happening on the network and catch threats earlier in the kill chain. And it’s all delivered as a service, so that customers don’t need to maintain anything.

Among the full stack of security detection tools provided by Cato are:

Next Generation Firewall (NGFW)

The Cato NGFW inspects both WAN and Internet traffic. It can enforce granular rules based on network entities, time restrictions, and type of traffic. The Deep Packet Inspection (DPI) engine classifies the relevant context, such as the application or service, as early as the first packet and without having to decrypt the payload. Cato provides a full list of signatures and parsers to identify common applications. In addition, custom application definitions identify account-specific applications by port, IP address or domain.
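To make concrete what classifying an application from the first packet without decrypting the payload can look like, here is an added illustration (my own example, not Cato’s DPI engine or code): the SNI field of a TLS ClientHello travels in cleartext, so the destination application can be named before any decryption, and custom definitions by domain or by IP address and port can be matched against it. The sample ClientHello and the CUSTOM_APPS rules are constructed for this example.

```python
import struct
# Constructed custom application definitions: match by domain, or by IP plus port.
CUSTOM_APPS = [
    {"name": "crm-internal", "domain": "crm.example.internal"},
    {"name": "db-admin", "ip": "10.0.5.20", "port": 5432},
]

def build_client_hello(server_name: str) -> bytes:
    """Constructed sample input: a minimal TLS ClientHello carrying one SNI extension."""
    host = server_name.encode()
    entry = b"\x00" + struct.pack("!H", len(host)) + host           # name_type=host_name
    sni_ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                    # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                     # one cipher suite, null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(packet: bytes):
    """Return the cleartext SNI host of a TLS ClientHello, or None if it is not one."""
    try:
        if packet[0] != 0x16 or packet[5] != 0x01:
            return None
        pos = 9 + 2 + 32                                        # handshake hdr, version, random
        pos += 1 + packet[pos]                                  # session id
        pos += 2 + struct.unpack("!H", packet[pos:pos + 2])[0]  # cipher suites
        pos += 1 + packet[pos]                                  # compression methods
        ext_end = pos + 2 + struct.unpack("!H", packet[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", packet[pos:pos + 4])
            pos += 4
            if ext_type == 0:                                   # server_name extension
                name_len = struct.unpack("!H", packet[pos + 3:pos + 5])[0]
                return packet[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    except (IndexError, struct.error):
        pass                                                    # truncated or malformed input
    return None

def classify(dst_ip: str, dst_port: int, first_packet: bytes) -> str:
    # Name the application from the first packet alone, without decrypting anything.
    sni = extract_sni(first_packet)
    for app in CUSTOM_APPS:
        dom = app.get("domain")
        if dom and sni and (sni == dom or sni.endswith("." + dom)):
            return app["name"]
        if app.get("ip") == dst_ip and app.get("port") == dst_port:
            return app["name"]
    return "unknown"
```

Encrypted Client Hello (ECH) hides the SNI, so a classifier that relies on it needs other first-packet signals, such as destination IP and port, in that case.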

Secure Web Gateway (SWG)

The SWG provides granular control over Internet-bound traffic, enabling enforcement of corporate policies and preventing downloads of unwanted or malicious software. There are predefined policies for dozens of different URL categories, and custom rules are supported, enhancing the granularity of web access control. The SWG is easily managed through Cato’s management portal and covered by a full audit trail.

Next Generation Anti-Malware (NGAV)

Cato’s Malware Detection and Prevention leverages multi-layered and tightly-integrated anti-malware engines. First, a signature and heuristics-based inspection engine, which is kept up-to-date at all times based on global threat intelligence databases, scans files in transit to ensure effective protection against known malware. Second, Cato has partnered with SentinelOne to leverage machine learning and artificial intelligence to identify and block unknown malware. Unknown malware can come as either zero-day attacks or, more frequently, as polymorphic variants of known threats that are designed to evade signature-based inspection engines. With both signature and machine learning-based protections, customer data remains private and confidential, as Cato does not share anything with cloud-based repositories.

Intrusion Prevention System (IPS)

Cato delivers a fully managed and adaptive cloud-based IPS service. Cato Research Labs updates, tunes and maintains context-aware heuristics, both those developed in house (based on big-data collection and analysis of customers’ traffic) and those originating from external security feeds. This dramatically reduces the risk of false positives compared to other IPSs that lack an experienced SOC behind them. Cato Cloud scales to support the compute requirements of IPS rules, so customers don’t have to balance protection and performance to avoid unplanned upgrades as processing load exceeds available capacity.

Software Defined Perimeter (SDP)

Also known as Zero Trust Network Access, or ZTNA, a cloud-native software defined perimeter delivers secure remote access as an integral part of a company’s global network and security infrastructure. A global, cloud-scale platform supports any number of remote users within their geographical regions. Performance improves with end-to-end optimized access to any application using a global private backbone. Risk is minimized before and after users access the network through strong authentication and continuous traffic inspection for threat prevention. Cloud-native SDP makes mobile access easy — easy to deploy, easy to use, and easy to secure.

All the tools listed above are essential to enterprise security.

Cato also has a service offering of Managed Threat Detection and Response (MDR). Cato’s MDR enables enterprises to offload the resource-intensive and skill-dependent process of detecting compromised endpoints to the Cato SOC team. Cato automatically collects and analyzes all network flows, verifies suspicious activity, and notifies customers of compromised endpoints. This is the power of networking and security convergence to simplify network protection for enterprises of all sizes.

Full Network Security Couldn’t Be Easier

All of these network security solutions are delivered as a service, from the cloud, so there is never anything for the customer to install, update or maintain. The software and all its capabilities are fully integrated and always up to date. It is the best approach to keeping the attack surface of an enterprise network as small as possible, all while fully supporting an organization’s digital transformation needs.

For more information, contact Cato and ask for a demo today.

Dave Greenfield

Dave Greenfield is a veteran of the IT industry. He’s spent more than 20 years as an award-winning journalist and independent technology consultant. Today, he serves as a secure networking evangelist for Cato Networks.