Cato Networks has announced a new managed detection and response (MDR) service to identify threats that have evaded prevention systems such as firewalls, IPSs, or anti-malware screeners. The service is available to customers of its Cato Cloud SD-WAN offering.
The goal of the managed service is to reduce dwell time: those magical hours, days, or months in which an attacker gets a foothold in your network, enumerates the good bits, and begins industriously gobbling your soft, chewy center.
The service combines automated analysis of traffic metadata and the human insights of Cato’s security analysts to spot potential threats.
If Cato’s security analysts detect a compromise, the service provides customers with detailed response options. It can also automatically block or isolate compromised systems if the customer is using Cato’s own firewalls.
How It Works
Cato Networks’ MDR service is pretty straightforward. Its SD-WAN service carries customers’ WAN traffic to Cato’s Points of Presence (PoPs) and across Cato’s own private backbone, whether from branch to cloud, branch to branch, or branch to corporate data center.
As the traffic passes through Cato’s PoPs, Cato can glean useful metadata about the packets without inspecting the payload. In addition to the standard five-tuple (source and destination IP address, source and destination port, and protocol), Cato can identify the user, the browser type and version, the domain for Internet-bound traffic, and other details.
Cato also tags flows with application metadata, using the application identification engine in its next-gen firewalls. The company says it runs application identification on all traffic, so the MDR service gets that data even for customers who aren’t using Cato’s firewalls.
Cato stores and analyzes all this data. The company says it has developed its own ML algorithms to look for anomalies.
The Human Touch
Anything tagged as suspicious is then turned over to Cato’s security analysts for manual review. The company says this human touch helps reduce false positives.
While I take all claims about ML and AI with a heaping tablespoon of salt, it does make sense to me to use automated processes to winnow a huge data set into something more manageable, and then have humans apply their expertise and insight to that smaller pile to weed out anomalous but harmless events from truly suspicious or outright malicious activity.
Threats that Cato can detect include malware infection, outbound communication to command and control servers, data leakage, lateral movement, and other problems.
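To make concrete what metadata-only detection can and cannot see, here is an added example (my own code, not Cato’s, whose algorithms are not public) that runs two simple heuristics over constructed flow records of the kind described above: five-tuple plus user and domain, no payload. The first flags beaconing, a source contacting the same external destination at a nearly constant interval, which is a common command-and-control pattern. The second flags one internal host fanning out to many internal peers on a single port, which is what lateral movement or internal reconnaissance looks like in flow data. The record layout, the RFC 1918 definition of “internal”, the thresholds, and the sample flows are all assumptions for illustration.

```python
"""Metadata-only detection over constructed flow records.

Added example, not Cato's code.  Two heuristics on five-tuple plus
user/domain metadata: (1) beaconing to one external destination at a
regular interval (C2-like); (2) one internal host fanning out to many
internal peers on one port (lateral-movement-like).  The record layout,
the internal-address definition, thresholds and sample data are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: "internal" means RFC 1918 space.  Note that Python's
# ip_address(...).is_private also returns True for the documentation
# ranges (203.0.113.0/24 etc.) used below, so we check explicitly.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since epoch
    src: str
    dst: str
    dport: int
    proto: str
    user: str        # identity attached to the flow
    domain: str      # resolved domain for Internet-bound traffic, "" otherwise


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def find_beacons(flows, min_count=6, max_cv=0.15):
    """Group outbound flows by (src, dst, dport, domain) and flag groups whose
    inter-arrival times are nearly constant: coefficient of variation
    (stddev / mean of the gaps) at or below max_cv."""
    groups = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            groups[(f.src, f.dst, f.dport, f.domain)].append(f.ts)
    hits = []
    for (src, dst, dport, domain), times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport, "domain": domain,
                         "interval": round(m, 1), "count": len(times)})
    return hits


def find_fanout(flows, min_peers=5):
    """Flag internal sources that reach many distinct internal peers on one port."""
    peers = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst) and f.src != f.dst:
            peers[(f.src, f.dport, f.user)].add(f.dst)
    return [{"src": s, "dport": p, "user": u, "peers": len(d)}
            for (s, p, u), d in peers.items() if len(d) >= min_peers]


def sample_flows():
    """Constructed sample traffic, not real data."""
    base = 1_700_000_000.0
    flows = []
    # 1. Beacon: ~60 s period with a second or so of jitter, 8 connections.
    for off in (0, 60, 121, 180, 241, 300, 360, 421):
        flows.append(Flow(base + off, "10.1.2.3", "203.0.113.10", 443, "tcp",
                          "alice", "update-cdn.example.net"))
    # 2. Ordinary browsing: several hits to one site, but irregular timing.
    for off in (0, 5, 140, 145, 900, 920):
        flows.append(Flow(base + off, "10.1.2.4", "198.51.100.7", 443, "tcp",
                          "bob", "www.example.com"))
    # 3. Lateral movement: one service account sweeping SMB across a subnet.
    for i in range(1, 7):
        flows.append(Flow(base + 10 * i, "10.1.2.5", f"10.1.3.{i}", 445, "tcp",
                          "svc-backup", ""))
    # 4. A single legitimate file-share connection from a normal user.
    flows.append(Flow(base + 30, "10.1.2.4", "10.1.3.1", 445, "tcp", "bob", ""))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    for hit in find_beacons(flows):
        print("possible C2 beacon:", hit)
    for hit in find_fanout(flows):
        print("possible lateral movement:", hit)
```

Run as-is it flags the 10.1.2.3 beacon (8 connections, 60.1 s period) and the 10.1.2.5 SMB sweep (6 peers) while leaving the irregular browsing and the single file-share connection alone. The point of the example is the shape of the data: everything here comes from timing, addresses, ports and identity, which is exactly why an anomaly engine can work on metadata alone, and also why a human still has to decide whether a regular 60-second poll is malware or a software updater.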
If and when Cato analysts identify a threat, they issue a ticket to the customer through a dedicated portal based on Zendesk. The ticket includes specific information to help the customer identify the affected devices and remediate the problem.
Cato also provides monthly reports with an overall status update.
As mentioned, if the customer also uses Cato’s firewalls, Cato can automatically isolate an infected device, or alert the customer and give them a push-button option to do so.
Cato’s MDR service is available to customers of its SD-WAN offering. The company says customers don’t have to use its firewall or IPS services to take advantage of MDR, but those services are recommended.
Pricing is based on bandwidth, but the company didn’t elaborate.