Cato SASE Cloud Platform Capabilities

Cato SASE optimally and securely connects all enterprise locations, users, applications, and clouds, into a global and secure, cloud-native platform. Cato can be gradually deployed to replace security point solutions and legacy network services.

  • Connect
    • Cloud Network
    • Cloud On-Ramps
  • Protect
    • Network Security
    • Endpoint Security
  • Detect
    • Incident Life Cycle Management
  • Run
    • Management and API
  • Try Us

Connect Everything

Cato SASE consolidates all enterprise traffic, WAN, internet, and cloud, into a consistent, optimized, and resilient cloud network. Cato offers a range of cloud on-ramps to easily connect physical locations, end users, and cloud datacenters to the cloud network.

Consistent and Optimized Cloud Network

Global Private Backbone

Cato’s SLA-backed global private backbone underpins the global Cloud Network. The backbone is comprised of a dense footprint of physical Points of Presence (PoPs) hosted in regional top-tier datacenters and interconnected with multiple global and regional carriers. The backbone is designed to provide massive, fully encrypted, SLA-backed global connectivity through a consistent and predictable underlying network transports. Cato’s deep network engineering and operations expertise enables the optimal selection and integration of hosting providers and carriers into the backbone.

Global Traffic Optimization

Cato applies optimization and acceleration to all traffic going through the backbone to enhance application performance and the user experience. To ensure all users and locations benefit from the backbone capabilities, Cato optimizes traffic from all edges and towards all destinations (on premises and in the cloud). With this design Cato supports latency sensitive traffic such as voice, video, and transactional and legacy applications, to enable optimal user productivity. For SaaS traffic, Cato provides granular control of application traffic routing to ensure traffic is delivered via the optimized backbone to the PoP nearest to the application instance.

Cloud On-Ramps

Cato Socket SD-WAN device for Physical Locations

A full-fledged SD-WAN solution, the Cato Socket delivers access resiliency across multiple links, application aware quality of service, and automated high availability for local and cloud connectivity and failover scenarios. The Cato Socket connects a physical location to the nearest Cato PoP via one or more last mile connections. Customers can choose any mix of fiber, cable, xDSL, and cellular connections. The Cato Socket applies multiple traffic management capabilities such as active-active link aggregation, application- and user-aware QoS prioritization, dynamic path selection to work around link blackouts and brownouts, and packet duplication to overcome packet loss. The Cato Socket can also route site-to-site traffic over MPLS and the Internet to address gradual migration, regional and application-specific requirements.

Cato Client and Clientless Access

Cato provides an endpoint client for Windows, Mac, iOS, Android, and Linux. It enables secure and optimized remote access to private applications under the continuous inspection and control of the Cato SSE 360 security stack. The Cato Client can further secure the endpoint through an EPP/EDR engine that is seamlessly managed by the Cato Management Application. Lastly, clientless access is available through a secure web portal for users, such as external contractors, that can’t deploy the client.

Cross Connect, virtual SD-WAN device, Cloud IPSec

Cato provides multiple options to connect cloud datacenters to the Cato SASE Cloud Platform. These include a Cato vSocket virtual SD-WAN device that can be deployed in the cloud datacenter, a direct cross-connect from the cloud provider to the Cato PoP, and the creation of an IPSec tunnel between the Cato PoP and the cloud provider’s datacenter VPN edge.

Any IPSec-enabled Device

Existing IPSec enabled devices, such as routers and edge firewalls, can be used to forward traffic from physical locations to the nearest Cato PoP. While Cato’s SD-WAN capabilities do not apply, customers will benefit from Cato’s cloud-first architecture and the traffic will be fully secure and optimized by the Cato SASE Cloud Platform including the optimized cloud network and cloud-delivered security services.

Protect Everywhere

Cato embedded a full security stack, SSE 360, into the cloud platform to address the distribution, scaling, resiliency, and enforcement of unified security policies everywhere and on everyone. Cato further extends protection to the endpoint for end-to-end threat prevention and detection.

Network Security

SSE 360 – Security as a Service

Cato SASE Cloud Platform include a cloud-native security stack, SSE 360. It is based on Cato’s Cato Single Pass Cloud Engine (SPACE) architecture and converges the following capabilities: network segmentation and zero-trust (FWaaS), threat prevention (SWG, IPS, NGAM, DNS Security, RBI), and application and data protection (CASB, DLP, ZTNA). Cato’s SSE 360 is built to decrypt and inspect all enterprise traffic, without the need for sizing, patching, or upgrading of appliances and other point solutions. Security policies and events analysis are centrally and uniformly managed using the self-service Cato Management Application.

Network Segmentation and Zero Trust

The most fundamental security capability of Cato’s SSE 360 is Firewall as a Service (FWaaS). FWaaS controls traffic flow, across all ports and protocols, and in all directions both WAN (east-west), and the Internet (south-north). Firewall policies are used to segment the network based on network resources (such as VLANs) and logical elements such as identity, organizational units, applications, and services. Network segmentation in conjunction with continuous traffic inspection enables customers to sustain a zero-trust security posture.

Multi-Layer Threat prevention

Cato implements defense in depth with multi-layer threat prevention capabilities. Secure Web Gateway (SWG) protects users against risky web sites, phishing attacks and malware delivery. Intrusion Prevention System (IPS) detects and stops malicious traffic based on threat intelligence feeds, AI/ML inline controls, and deep heuristics that leverage granular context including identify, network, application, and data attributes. Next-generation Anti-Malware (NGAM) engine inspects every payload to stop inbound infections. DNS security inspects DNS queries and responses to prevent DNS tunneling and to block phishing attacks, malicious domains, malware communication and other DNS-based threat vectors. Remote Browser Isolation (RBI) further protects users by directing traffic to high-risk web sites into an isolated cloud-based browser session, thus minimizing the risk of endpoint compromise.

Application and Data Protection

Cato enforces application access control and data protection on all access, both inline and out-of-band through SaaS API integrations. Cato Cloud Access Security Broker (CASB) provides broad visibility to the usage of both sanctioned and unsanctioned (“Shadow IT”) applications and the ability to enforce access policies based on application, user, and device risk. Data Loss Prevention (DLP) engine enforces access policies and granular actions on sensitive data across on-premises and cloud destinations from corporate and BYOD devices.

Endpoint Security

Cato Client for Endpoints

Cato extends access control and endpoint protection, detection and response to user devices using the Cato Client. The Cato Client is available for all major operating systems and is delivered though IT software distribution or as a self-service deployment. The Cato Client provides granular endpoint traffic management capabilities to selectively control WAN and internet traffic using Cato. It also supports always-on mode to ensure corporate endpoints are continuously protected.

Hybrid and Remote Work

The Cato Client Universal Zero Trust Network Access (ZTNA) capability enforces the organization’s risk-based application access policy, in the office, on the road, and at home. Cato ZTNA provides extensive device posture analysis and integration with multiple identity providers to ensure full authentication and compliance with corporate policies before application access is granted and throughout the session. Once the user is connected, all traffic is continuously inspected by Cato SSE 360 for threat prevention and data protection.

Endpoint Protection, Detection, and Response

The Cato Client includes an Endpoint Protection, Detection, and Response (EPP/EDR) capabilities. Customers can extend protection to the endpoint itself using a next generation anti-malware engine that detects malicious files and correlates on-device suspicious activity. The Cato Client delivers endpoint risk context and events to a cloud-based data lake. Correlated with the detailed network context provided by Cato SSE 360 engines, Cato XDR creates an accurate picture of security incidents across endpoint and network domains.

Detect what’s Hidden

Cato leverages its granular network, security, and endpoint context and events to deliver a complete Threat Detection Investigation and Response (TDIR) life cycle management.

Incident Life Cycle Management

AI/ML-Driven Incident Detection

Cato leverages its granular data set of network, security and endpoint events, proven AI/ML capabilities for anomaly and threat detection, and incident analysis and response tools to deliver a full XDR solution. Cato consolidates incident data generated by the Cloud Network and the Cato Client, as well as 3rd party EPP/EDR solutions, such as Microsoft Defender for Endpoints and CrowdStrike, into a unified, cloud-based data lake. Cato’s threat hunting, user behavior analysis and network degradation detection algorithms analyze the data to identify and prioritize incidents for further review. Cato XDR generates unique insights and recommendations based on similar incidents detected across multiple customers to improve accuracy and incident prioritization.

AI-assisted Incident Investigation and Response

Cato integrates its incidents detection engine with Gen-AI to produce human readable „incident stories“ that are made available through an analyst workbench. The workbench enables analysts to access granular details on the incident, consult AI-generated analysis based on insights from similar incidents, collaborate on incident resolution, and investigate related activity during the incident timeline. With Cato XDR, customer’s and partner’s analysts can leverage proven investigation and response capabilities already in use by Cato’s analysts delivering a managed extended detection and response (MXDR) service since 2019.

Managed Extended Detection and Response

For customers who prefer to partner with incident detection and response specialists, Cato and its partners offer a managed service that includes timely detection of threats, recommended remediation actions, and optional preventive measures. Cato’s MXDR ensures early detection of compromised endpoints to minimize threat dwell time, thus reducing the exposure to data breach and offloading a complex and time-consuming task from IT security.

Run Like a Champ

Management, Analysis, and Integration

Cato Management Application: Single Pane of Glass

The Cato SASE Cloud Platform is managed through the Cato Management Application, a single pane of glass to manage all policy configuration, network and security analytics, and real-time monitoring and troubleshooting. Cato scales its cloud-delivered management platform to store and process massive volumes of data and provide a high-performance interface to access and investigate all events data generated by the customer’s infrastructure. All current and future Cato capabilities are managed in the same way to ensure easy adoption by IT and quick delivery of new capabilities to the business.

Cato Universal API and 3rd party Integration

The Cato API enables configuration and analysis automation, and data sharing and integration with 3rd party systems. Using the API, customers can extract selected events from the Cato data lake and feed them into external data stores for further reporting or analysis. The API also provides the ability to automate the creation of policies, users, sites, and other objects within the Cato platform to streamline provisioning of resources. Cato periodically releases formal integrations with different 3rd party systems for security analytics, enterprise workflow management, and ticketing systems.

The Strategic Benefits of a True SASE Platform

Architected from the ground up as a true cloud-native SASE platform, all Cato's security capabilities, today and in the future, leverage the global distribution, massive scalability, advanced resiliency, autonomous life cycle management, and consistent management model of the Cato platform.

Consistent Policy
Enforcement 

Cato extends all security capabilities globally to deliver consistent policy enforcement everywhere and to everyone, from the largest datacenters and down to a single user device.

Scalable and Resilient Protection

Cato scales to inspect multi-gig traffic streams with full TLS decryption and across all security capabilities, and can automatically recover from service component failures to ensure continuous security protection.

Autonomous Life Cycle Management

Cato ensures the SASE cloud platform maintains optimal security posture, 99.999% service availability, and low-latency security processing for all users and locations without any customer involvement.

Single Pane of Glass

Cato provides a single pane of glass to consistently manage all security and networking capabilities including configuration, analytics, troubleshooting, and incident detection and response. Unified management model eases new capabilities adoption by IT and the business.

Try Cato

The Solution that IT teams have been
waiting for. Prepare to be amazed!

Contact Us