Cato Unveils First SD-WAN With Revolutionary, Cloud-based Threat Hunting System
Cato Networks
May 23, 2018
Cato leverages zero-footprint data aggregation, machine learning algorithms, and cross-enterprise traffic visibility to accurately pinpoint threats and dramatically reduce dwell time

TEL AVIV, Israel, May 23, 2018 – Cato Networks, provider of Cato Cloud, the world’s first secure, global SD-WAN as a service, announced today a revolutionary approach for hunting threats on enterprise networks. Cato Cloud serves as the virtual cloud network for hundreds of organizations, connecting and securing all branch locations, mobile users, and physical and cloud datacenters. The Cato Threat Hunting System (CTHS), built into the Cato Cloud, leverages the rich traffic context and unobscured network and endpoint visibility to accurately pinpoint threats and dramatically reduce dwell time. CTHS represents the first time that threat hunting is done without deploying a dedicated and costly data collection infrastructure within the enterprise.

“As an industry, our ability to detect threats has been significantly hampered by the complexity of collecting granular, relevant data over time and applying the right analytics and people to interpret that data,” says Gur Shatz, co-founder and CTO of Cato Networks. “Virtual cloud networks, such as Cato Cloud, enable effortless access to such data, empowering our proprietary software and world-class SOC to hunt for threats on customer networks.”
Threat Hunting System at the Core of Cato Cloud

Existing approaches to threat hunting combine endpoint and network detection, third-party event logs, SIEM platforms, and managed detection and response services. These approaches are challenged on several fronts. First, sensors have to be deployed to collect raw data. Enterprises must ensure sensors intercept all relevant traffic in branches, datacenters and the cloud. Endpoint sensors complement network sensors, but can’t be deployed on all edge devices (e.g., IoT devices). Second, logs fed into SIEM platforms lack the full network context, limiting their value for threat hunting. Finally, most organizations lack the skills and resources to analyze the data and identify persistent threats. CTHS, built into Cato Cloud, overcomes the cost and complexity of existing approaches to accurately detect threats. CTHS has the following capabilities:
- Full Visibility, No Sensors: Cato Cloud sees all WAN and Internet traffic normally segmented by network firewalls and Network Address Translation (NAT). CTHS has full access to real-time network traffic for every IP, session, and flow initiated from any endpoint to any WAN or Internet resource. Optional SSL decryption further expands available data for threat mining. CTHS uses its deep visibility to determine the client application communicating on the network and identify unknown clients. The raw data needed for this analysis is often unavailable to security analytics platforms, such as SIEMs, and is impossible to correlate for real-time systems, such as legacy IPS.
- Deep Threat Mining: Data aggregation and machine learning algorithms mine the full network context over time and across multiple enterprise networks. Threat mining identifies suspicious applications and domains using a unique “popularity” indicator modeled on access patterns observed throughout the customer base. Combining client and target contexts yields a remarkably small number of suspicious events for investigation.
- Human Threat Verification: Cato’s world-class Security Operations Center (SOC) validates the events generated by CTHS to ensure customers receive accurate notifications of live threats and affected devices. CTHS output is also used to harden Cato’s prevention layers to detect and stop malicious activities on the network.
- Rapid Threat Containment: For any endpoint, specific enterprise network, or the entire Cato customer base, the SOC can deploy policies to contain any exposed endpoint, both fixed and mobile, in a matter of minutes.