Cato Cloud serves as a virtual cloud network, connecting and securing branch locations, mobile users and physical and cloud data centers. The Cato Threat Hunting System (CTHS), built into Cato Cloud, leverages rich traffic context to accurately pinpoint threats and dramatically reduce dwell time.
CTHS enables threat hunting without having to deploy dedicated and costly infrastructure within an enterprise.
“As an industry, our ability to detect threats has been significantly hampered by the complexity of collecting granular, relevant data over time and applying the right analytics and people to interpret that data,” stated Gur Shatz, co-founder and CTO of Cato Networks. “Virtual cloud networks, such as Cato Cloud, enable effortless access to such data, empowering our proprietary software and world-class SOC to hunt for threats on customer networks.”
Most threat hunting strategies today combine endpoint and network detection, third-party event logs, SIEM platforms and managed detection and response services. These strategies have many drawbacks. First, sensors must be deployed to collect raw data, and enterprises must ensure those sensors intercept all relevant traffic in branches, data centers and the cloud. Endpoint sensors complement network sensors but can’t be deployed on all edge devices. What’s more, logs fed into SIEM platforms lack full network context, limiting their value for threat hunting. Finally, most organizations lack the skills and resources to analyze the data and identify persistent threats.
CTHS, built into Cato Cloud, overcomes many of these issues by offering:
- Full visibility without sensors: Cato Cloud sees all WAN and internet traffic normally segmented by network firewalls and Network Address Translation (NAT). CTHS has full access to real-time network traffic for every IP, session, and flow initiated from any endpoint to any WAN or internet resource. Optional SSL decryption further expands available data for threat mining. CTHS can determine client applications communicating on a network and identify unknown clients. The raw data needed for this analysis is often unavailable to security analytics platforms, such as SIEMs, and is impossible to correlate for real-time systems, such as legacy IPS.
- Deep threat mining: Data aggregation and machine learning algorithms mine networks over time and across multiple enterprise networks. Threat mining identifies suspicious applications and domains using a unique “popularity” indicator modeled on access patterns observed throughout the customer base.
- Human threat verification: Cato’s SOC validates events generated by CTHS to ensure customers receive accurate notifications of live threats and affected devices. CTHS output is also used to harden Cato’s prevention layers to detect and stop malicious activities on the network.
- Rapid threat containment: Cato’s SOC can deploy policies to contain exposed fixed and mobile endpoints in a matter of minutes.
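To make the “popularity” idea from the threat-mining bullet concrete, here is an added illustration (not Cato’s code or data): a domain reached from many customer networks is ordinary, while one seen from a single network stands out for analyst review. The record layout, tenant names, domains and threshold are all constructed for the example.

```python
# Cross-tenant "popularity" scoring for destination domains.
# Constructed example: counts how many distinct customer networks
# (tenants) reached each domain and surfaces the rare ones.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    tenant: str      # customer network the flow was observed on
    src_host: str    # endpoint that initiated the session
    domain: str      # destination requested by the client


def _norm(domain):
    # Case and trailing-dot differences must not split one domain in two.
    return domain.lower().rstrip(".")


def domain_popularity(flows):
    """Map each domain to the number of distinct tenants that reached it.

    Counting tenants rather than raw flows keeps one chatty host in one
    network from inflating a domain's popularity."""
    tenants = defaultdict(set)
    for f in flows:
        tenants[_norm(f.domain)].add(f.tenant)
    return {d: len(t) for d, t in tenants.items()}


def rare_domains(flows, min_tenants=2):
    """Return sorted (domain, tenant, hosts) tuples for domains seen in fewer
    than min_tenants networks: candidates a SOC analyst would verify by hand."""
    pop = domain_popularity(flows)
    hosts = defaultdict(set)
    for f in flows:
        d = _norm(f.domain)
        if pop[d] < min_tenants:
            hosts[(d, f.tenant)].add(f.src_host)
    return sorted((d, t, sorted(h)) for (d, t), h in hosts.items())


# Constructed sample: three tenants; one domain appears only in "acme".
SAMPLE = [
    Flow("acme", "10.1.0.5", "update.example-vendor.com"),
    Flow("acme", "10.1.0.9", "cdn.example-vendor.com"),
    Flow("acme", "10.1.0.5", "x7q2-relay.example.net"),
    Flow("globex", "10.2.0.7", "Update.Example-Vendor.com."),
    Flow("globex", "10.2.0.8", "cdn.example-vendor.com"),
    Flow("initech", "10.3.0.2", "update.example-vendor.com"),
]

if __name__ == "__main__":
    for domain, tenant, hosts in rare_domains(SAMPLE):
        print(f"{domain}: seen only in {tenant} from {', '.join(hosts)}")
```

In practice the popularity score would be one input among several (first-seen time, client application, destination reputation), which is why the release pairs it with human verification before a customer is notified.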
“The network, threat and application data available through the Cato Cloud is an analyst goldmine,” said Cato head of security research Elad Menahem. “Using CTHS and its machine learning algorithms trained with data from hundreds of enterprise networks, we’ve been able to focus on the few security events that matter and identify malware infections in minutes.”
CTHS creates a deep threat hunting foundation that powers all Cato security services. At the same time, CTHS adheres to privacy regulatory frameworks such as GDPR.