Cato Networks, which sells an SD-WAN service, has added a new threat-hunting capability to detect compromised devices on customer networks that may be communicating with command-and-control systems or exfiltrating data.
The capability, which is currently included as part of Cato’s advanced services in its SD-WAN offering, takes advantage of Cato’s view of key network metadata from its customers’ traffic.
Cato’s SD-WAN approach is built around what it calls an MPLS alternative: the company has purchased transit capacity from global network providers and then built an overlay on top to create a private network.
Appliances deployed at customer branch and headquarters offices connect to one of Cato's 39 PoPs and then send traffic across Cato's private network. Cato also has a mobile client that can connect remote users to that network.
This gives Cato visibility into essential traffic metadata, including source and destination ports and IP addresses, protocols and applications in use, and client network behavior.
To drive its threat-hunting capability, Cato feeds this metadata and other information into a data warehouse, sanitizes and tags it, and then creates an index against which it can run machine learning algorithms to identify suspicious communication patterns that may indicate a compromised device.
Cato analysts (yes, actual humans) review and investigate alerts to validate and verify an issue, and then inform customers of the suspicious activity. For customers that use Cato’s add-on security services, the company can also take actions such as adding a firewall rule to block the communication.
Note that this threat-hunting capability doesn’t require customers to deploy additional infrastructure or devices; it’s built into the service itself.
The Post-Infection Approach
Despite the vast array of perimeter and endpoint security products that enterprises deploy, infections still happen. Cato's approach with its threat-hunting capability is to focus on the post-infection phase.
Rather than try to spot the single instance of infection, post-infection analysis aims to identify the ongoing communication that occurs between malware and its command-and-control system.
Besides monitoring network flows, Cato’s threat-hunting capability draws on IP address reputation, as well as fingerprinting techniques to identify whether the client is a known entity such as a Web browser or update engine or an unknown entity that could be a bot.
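To make the post-infection idea concrete, here is an added example (my own illustrative code, not Cato's algorithm or anything the company has published) that runs a simple hunt over constructed flow metadata of the kind the article lists: source and destination addresses, port, protocol, plus a client fingerprint label. The beacon heuristic (a low coefficient of variation in the gaps between connections to one destination), the thresholds, the reputation list and the known-client set are all assumptions chosen for illustration. Real ML-driven hunting would look at far more features and far more traffic, but the three signals the article names, periodic flows, unrecognised clients and bad-reputation destinations, are enough to show why a compromise is easier to see over time than at the moment of infection.

```python
"""Toy post-infection hunt over flow metadata (added example, not Cato's code)."""
from collections import defaultdict
from statistics import mean, pstdev

MIN_CONNECTIONS = 6     # assumption: fewer samples give an unreliable interval estimate
MAX_INTERVAL_CV = 0.10  # assumption: gaps this regular read as machine-timed, not human

# Constructed sample flows, one tuple per connection:
# (timestamp_seconds, src_ip, dst_ip, dst_port, protocol, client_fingerprint)
FLOWS = [
    # 10.0.0.5 connects roughly every 300 s to one host with an unrecognised client
    (0,    "10.0.0.5", "203.0.113.9",   443, "tls", "unknown"),
    (301,  "10.0.0.5", "203.0.113.9",   443, "tls", "unknown"),
    (599,  "10.0.0.5", "203.0.113.9",   443, "tls", "unknown"),
    (902,  "10.0.0.5", "203.0.113.9",   443, "tls", "unknown"),
    (1198, "10.0.0.5", "203.0.113.9",   443, "tls", "unknown"),
    (1501, "10.0.0.5", "203.0.113.9",   443, "tls", "unknown"),
    (1799, "10.0.0.5", "203.0.113.9",   443, "tls", "unknown"),
    (2100, "10.0.0.5", "203.0.113.9",   443, "tls", "unknown"),
    # 10.0.0.5 also browses normally; irregular timing and too few flows to judge
    (12,   "10.0.0.5", "198.51.100.20", 443, "tls", "chrome"),
    (700,  "10.0.0.5", "198.51.100.20", 443, "tls", "chrome"),
    (1450, "10.0.0.5", "198.51.100.20", 443, "tls", "chrome"),
    # 10.0.0.7 is a browser talking to a CDN at human-driven intervals
    (5,    "10.0.0.7", "198.51.100.20", 443, "tls", "firefox"),
    (40,   "10.0.0.7", "198.51.100.20", 443, "tls", "firefox"),
    (41,   "10.0.0.7", "198.51.100.20", 443, "tls", "firefox"),
    (400,  "10.0.0.7", "198.51.100.20", 443, "tls", "firefox"),
    (1800, "10.0.0.7", "198.51.100.20", 443, "tls", "firefox"),
    (1850, "10.0.0.7", "198.51.100.20", 443, "tls", "firefox"),
    (1900, "10.0.0.7", "198.51.100.20", 443, "tls", "firefox"),
]

BAD_IPS = {"203.0.113.9"}                              # constructed reputation list
KNOWN_CLIENTS = {"chrome", "firefox", "windows-update"}  # constructed fingerprint allow-list


def beacon_score(timestamps):
    """Return (mean_gap, coefficient_of_variation) for a set of connection times.

    Returns None when there are too few connections to estimate a period.
    A coefficient of variation near 0 means the gaps are almost identical.
    """
    if len(timestamps) < MIN_CONNECTIONS:
        return None
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return float(avg), pstdev(gaps) / avg


def hunt(flows, bad_ips, known_clients):
    """Group flows per (src, dst, port) and return alerts with the reasons that fired."""
    groups = defaultdict(lambda: {"times": [], "clients": set()})
    for ts, src, dst, port, _proto, client in flows:
        group = groups[(src, dst, port)]
        group["times"].append(ts)
        group["clients"].add(client)

    alerts = []
    for (src, dst, port), group in groups.items():
        reasons = []
        score = beacon_score(group["times"])
        if score is not None and score[1] < MAX_INTERVAL_CV:
            reasons.append("periodic")
        if not group["clients"] & known_clients:
            reasons.append("unknown_client")
        if dst in bad_ips:
            reasons.append("bad_reputation")
        # Alert on a clean beacon, or on an unrecognised client reaching a known-bad address.
        if "periodic" in reasons or {"unknown_client", "bad_reputation"} <= set(reasons):
            alerts.append({
                "src": src,
                "dst": dst,
                "port": port,
                "connections": len(group["times"]),
                "mean_interval": score[0] if score else None,
                "reasons": reasons,
            })
    return sorted(alerts, key=lambda a: -len(a["reasons"]))


if __name__ == "__main__":
    for alert in hunt(FLOWS, BAD_IPS, KNOWN_CLIENTS):
        print(alert)
```

Running it yields one alert: 10.0.0.5 to 203.0.113.9:443, eight connections about 300 s apart, all three reasons set. The same host's browsing to 198.51.100.20 never reaches the six-connection minimum, and 10.0.0.7's irregular browser traffic fails the periodicity test, which is the practical point: each individual connection in the beacon looks like ordinary HTTPS, and only the pattern across time gives it away.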
Because Cato’s threat-hunting models require analysis of traffic and behavior over time, it may not spot a compromise the instant it happens. However, the company says it should be able to spot an incident within a handful of days.
If that claim holds up, it's pretty good. According to a 2017 story in Dark Reading, the average dwell time of an intruder on a network (that is, the time between compromise and detection) is 89 days.
Obviously, the faster you find and remediate an intrusion, the less damage you suffer. An intruder with a week’s head start can cause problems, but not nearly as much as one that’s been burrowed in your organization for three months.
The Limits Of Prevention
Cato Networks offers customers a suite of security services that can be included with its SD-WAN offering, including a next-gen firewall, a secure Web gateway, and advanced threat protection.
The fact that it’s also offering a threat-hunting capability is an admission that these security controls have their limits.
But that shouldn’t be held against Cato. The same limitations apply to every security vendor.
It’s probably impossible to develop an impregnable network—or at least it’s more expensive and labor-intensive than the vast majority of organizations could manage.
Unfortunately, infection and compromise are a fact of life. As part of a pragmatic approach to risk management, organizations need to be vigilant for signs of compromise and be able to respond quickly.
Cato isn’t the first vendor to address this aspect of security. Many existing vendors, as well as startups, offer various capabilities to spot signs of compromise, lateral movement, and data exfiltration. That said, Cato is smart to leverage its position in the network to make this capability available to customers.
Threat hunting is currently available for select Cato customers.