Gartner was the first to name the Secure Access Service Edge (SASE) model, effectively defining it. SASE combines WAN and security as a cloud service.
In 2019, Gartner wrote, “SASE is a new package of technologies including SD-WAN, SWG, CASB, ZTNA and FWaaS as core abilities, with the ability to identify sensitive data or malware and the ability to decrypt content at line speed, with continuous monitoring of sessions for risk and trust levels.”
Since that time, major security firms have been developing or acquiring SASE capabilities to build into their own platforms, leaving Cato Networks as one of the first and few pure SASE firms.
On March 25, 2021, Gartner wrote, “By 2025, at least 60% of enterprises will have explicit strategies and timelines for SASE adoption encompassing user, branch and edge access, up from 10% in 2020.”
Today, Cato Networks has released an analysis of the network flows across its platform, seeking anomalous behavior in approximately 200 billion traffic flows during Q1 2021. It highlights hostile scans, attempts at exploitation, malware beacons and C2 communications. The results show an increase in attempts to brute force remote administration tools, while attempts to target PHP vulnerabilities dominate remote code exploitation attacks.
For its analysis, the firm defines a network flow as any sequence of packets sharing a common source IP and port, destination IP and port, and protocol. It found 16 billion events that triggered one of its security controls; 181,000 high risk flows based on its machine learning and data correlation; and 19,000 verified security incidents.
It found almost 5.7 billion network scans; almost 230 million attempts to communicate with domains known to have a bad reputation; 74 million vulnerability scans (via OpenVAS, Nessus and others); 11,600,000 events triggered by malware; and 8,149,000 web application attacks.
The top five attack origin countries are the USA (by far), Venezuela, China, Germany, and Japan. Russia does not figure in the top five, leading Cato to suggest that firewall rules simply excluding countries like Russia might lead to a false sense of security.
“Blocking network traffic to and from ‘the usual suspects’ may not necessarily make your organization more secure,” comments Etay Maor, senior director of security strategy at Cato Networks. “Threat actors are hosting their Command & Control servers on ‘friendly’ grounds including the U.S., Germany, and Japan.”
The most popular cloud apps are dominated by Microsoft, with Office at number 1 and Skype/Teams at number 3. Google Apps is second. TeamViewer (remote access and remote-control software, allowing maintenance of computers and other devices) is fourth, with Cisco’s AnyConnect (modular software combining IPsec IKEv2 and VPN access using SSL for remote security) at fifth.
Noticeably, however, these corporate data flows included consumer applications. TikTok flows, despite all the concerns about the application’s security, were greater than Gmail, LinkedIn or Spotify flows.
Three out of the top five observed exploit attempts are PHP-related. These are CVE-2017-9841 (377,721 attempts); CVE-2019-9082 (186,275), used to target bugs in ThinkPHP; and CVE-2017-1001000 (125,794). Fourth was CVE-2020-8515 (43,640), which is one of 25 CVEs the NSA warned were being used by nation states.
Cato also notes that within the top ten, there are scans for vulnerabilities that are more than 20 years old – stressing the need for an effective patch policy that covers all devices.
The Cato report (PDF) notes the ability of SASE to analyze and correlate suspicious data flows. It highlights its own discovery of a new malware targeting enterprises. The malware uses a domain generation algorithm for its communications. Cato detected common factors in the domains: each was a 32-character hex string, and the domains (all recently registered with the same registrar) had the same TLD. The malware also uses the low and slow technique, only communicating with its C2 every two weeks.
The polymorphic nature of the malware means that legacy anti-malware would be unlikely to keep up with the new variants. “By correlating these data points,” says the Cato report, its researcher “identified a new malware that would normally have snuck under a legacy security control’s radar.”
Cato neither identifies nor names the malware in its report – but that’s not the purpose of the SASE software. It has recognized the payload as malware, and can detect its presence through communication regularity and domain destination, taking action itself or alerting the customer to take action as necessary.
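The correlation described above (32-character hex domain labels, a shared TLD, and a regular two-week check-in) can be sketched as detection logic over flow records. This is an added example, not Cato's code or part of its report; the record layout, thresholds, host addresses and `.example` domains are constructed assumptions, and the registrar and registration-date correlation is left out because it needs WHOIS data.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

HEX32 = re.compile(r"[0-9a-f]{32}")

def is_dga_candidate(domain):
    """True if the label left of the TLD is exactly 32 hex characters."""
    labels = domain.lower().rstrip(".").split(".")
    return len(labels) >= 2 and HEX32.fullmatch(labels[-2]) is not None

def find_slow_beacons(flows, min_hits=3, min_days=7.0, max_jitter=0.1):
    """flows: (iso_timestamp, src_host, domain) tuples.
    Returns {(src_host, tld): mean_gap_days} where a host contacts 32-hex
    domains under one TLD at a regular, multi-day interval."""
    seen = defaultdict(list)
    for ts, host, domain in flows:
        if is_dga_candidate(domain):
            # Assumption: the TLD is the last label (no public-suffix list).
            tld = domain.lower().rstrip(".").rsplit(".", 1)[1]
            seen[(host, tld)].append(datetime.fromisoformat(ts))
    hits = {}
    for key, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() / 86400 for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Regular = low spread relative to the mean gap; slow = gap of days.
        if avg >= min_days and pstdev(gaps) / avg <= max_jitter:
            hits[key] = round(avg, 1)
    return hits

# Constructed sample flows; hosts, names and the .example TLD are made up.
SAMPLE_FLOWS = [
    ("2021-01-04T09:00:00", "10.0.0.5", "deadbeef" * 4 + ".example"),
    ("2021-01-18T09:10:00", "10.0.0.5", "0badc0de" * 4 + ".example"),
    ("2021-02-01T08:55:00", "10.0.0.5", "feedface" * 4 + ".example"),
    ("2021-01-04T10:00:00", "10.0.0.9", "cafef00d" * 4 + ".example"),  # hourly
    ("2021-01-04T11:00:00", "10.0.0.9", "cafef00d" * 4 + ".example"),
    ("2021-01-04T12:00:00", "10.0.0.9", "cafef00d" * 4 + ".example"),
    ("2021-01-05T08:00:00", "10.0.0.7", "mail.example.com"),  # ordinary name
    ("2021-01-19T08:00:00", "10.0.0.7", "mail.example.com"),
    ("2021-02-02T08:00:00", "10.0.0.7", "mail.example.com"),
]

if __name__ == "__main__":
    print(find_slow_beacons(SAMPLE_FLOWS))
```

Only the host that rotates through hex-named domains on a two-week cadence is reported; the hourly hex-named lookups and the ordinary hostname are not, which is why the name pattern and the timing are checked together.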
Cato Networks was founded in 2015 by Gur Shatz (president and COO), and Shlomo Kramer (CEO). Headquartered in Tel Aviv, Israel, Cato Networks raised $77 million in a Series D funding round in April 2020, followed by a further $130 million in a Series E round in November 2020.