Updated MDR solution continuously analyzes customer traffic for attributes that might disclose a threat
Cato Networks has released its managed detection and response solution – MDR 2.0 – built on its Secure Access Service Edge (SASE) platform. SASE effectively moves security into the cloud (it doesn’t eliminate it). Ideal for distributed environments and remote working, it channels work traffic from source to destination via its own cloud platform, where security and visibility are applied.
During its passage across the platform, Cato Networks is able to analyze the traffic looking for anomalous behavior much as a traditional threat detection system does on a local network. The difference here is that it is one system analyzing many thousands of different traffic flows.
In what the firm describes as ‘legacy’ MDR systems, normal network behavior baselines must be established over time before genuine security anomalies can be detected. As a result, it can be anything from 30 to 90 days from implementation before the MDR becomes operationally valuable. Cato claims to have eliminated that delay by providing instant and automatic threat detection.
“We’ve developed a simply massive data warehouse storing the metadata for every IP address, session, and flow crossing the Cato global backbone,” explains David Greenfield, director of technology evangelism, in an associated blog. “We do that over time, so we can see the historical and current traffic patterns across thousands of enterprises and hundreds of thousands of remote users worldwide.”
This data warehouse is combined with Cato’s threat hunting system (CTHS). What the firm describes as multidimensional machine learning algorithms learn the difference between benign and malicious event indications, and the MDR applies this learning to continuously analyze customer traffic for the attributes that might disclose a threat.
The baseline is already developed from thousands of networks and becomes available to new MDR 2.0 customers from implementation. “This is what allows us to bring value to Cato MDR customers from day-1 of the service,” comments Elad Menahem, director of security. “We continue to collect network flows as an inherent part of Cato, refining those baselines and hunting for additional insight without any customer involvement.”
The development of a globally applicable normal behavior baseline is possible because Cato’s MDR is a single system looking at the entirety of the traffic flows. While it is more than possible for a specific event to be benign on one customer’s network but malicious on another, the Cato MDR sees the complete context of the event. “It is the context of the event that allows us to distinguish between benign and malign behavior,” Etay Maor, senior director of security strategy, told SecurityWeek.
This context can stretch over time. Because the traffic data is stored in an effectively limitless cloud data warehouse, MDR 2.0 can detect low and slow malicious beaconing to the same malicious IP, perhaps separated by a week or more and easily missed by many other systems.
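As an added illustration of why retention depth matters for the low-and-slow beaconing described above (this is constructed example code and data, not Cato’s system or telemetry): the same flow metadata is scanned with a 7-day and a 30-day lookback, and week-spaced contacts to one destination only form a detectable regular cadence in the longer window, while the cross-tenant grouping shows the same destination recurring across customers.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed flow metadata: (tenant, timestamp, destination IP).
# Two tenants contact 203.0.113.7 once a week; 198.51.100.9 is irregular noise.
FLOWS = [
    ("acme", "2021-01-01T09:00:00", "203.0.113.7"),
    ("acme", "2021-01-08T09:02:00", "203.0.113.7"),
    ("acme", "2021-01-15T08:58:00", "203.0.113.7"),
    ("acme", "2021-01-22T09:01:00", "203.0.113.7"),
    ("globex", "2021-01-03T14:00:00", "203.0.113.7"),
    ("globex", "2021-01-10T14:01:00", "203.0.113.7"),
    ("globex", "2021-01-17T13:59:00", "203.0.113.7"),
    ("acme", "2021-01-04T10:00:00", "198.51.100.9"),
    ("acme", "2021-01-04T10:05:00", "198.51.100.9"),
    ("acme", "2021-01-06T16:30:00", "198.51.100.9"),
]


def find_slow_beacons(flows, retention_days, min_hits=3, max_jitter=0.05):
    """Return {dst_ip: [tenants]} for destinations contacted at a regular,
    low-frequency cadence inside the retention window. With only a few days
    of history there are never enough hits to flag week-spaced beacons."""
    now = max(datetime.fromisoformat(ts) for _, ts, _ in flows)
    cutoff = now - timedelta(days=retention_days)
    by_dst = defaultdict(lambda: defaultdict(list))
    for tenant, ts, dst in flows:
        t = datetime.fromisoformat(ts)
        if t >= cutoff:  # records older than the window are not available
            by_dst[dst][tenant].append(t)
    findings = {}
    for dst, tenants in by_dst.items():
        hits = set()
        for tenant, times in tenants.items():
            times.sort()
            if len(times) < min_hits:
                continue
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            # Regular cadence: gap spread is small relative to the mean gap.
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
                hits.add(tenant)
        if hits:
            findings[dst] = sorted(hits)  # same destination across tenants
    return findings
```

Running `find_slow_beacons(FLOWS, 7)` yields nothing, whereas `find_slow_beacons(FLOWS, 30)` reports 203.0.113.7 for both tenants.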
“What MDR does,” continued Maor, “is capitalize on our ability to provide deep network visibility without having our customers do any of the work. This is a zero-footprint service. For many other systems you must install things on the endpoint, manage the endpoints and collect the data. This leads to a prolonged setup period – which doesn’t happen here. If you’re a Cato customer, you are already connected to our backbone. You just say, ‘I want MDR’, and then, bang, you’ve got it – it’s on and working.”
But he added, “There’s another advantage with COVID-inspired remote working. Many of these new remote systems are not managed by the company security teams, who have little or no visibility into them. If an adversary gets into these remote systems, the attacker can easily close down whatever security it has, and potentially launch from there into the corporate network. That cannot happen with the Cato SASE because traffic from the remote device to the corporate network is always via the Cato backbone which detects security issues and blocks them.” Now, with MDR 2.0, customers can not only see and stop the issue, but can understand it – meaning that security teams now get visibility into the remote endpoint and can guide their user towards a solution.
Cato has augmented its MDR 2.0 service with a 70-point security checklist, and a designated security engineer for each customer. The security checklist automatically compares a customer’s security posture with the best practices implemented by the best enterprises. Items inspected include proper configuration of network segmentation, firewall rules, and security controls, like IPS and anti-malware. “Much of what we’re highlighting in our 70-point checklist is probably common sense to any security-minded professional. But all too often, those practices have not been found in one actionable resource,” says Menahem.
The designated security engineer (DSE) serves two primary purposes. Firstly, the DSE is a confidence source for customers still learning to trust machine learning algorithms, providing a single point of contact for any concerns. Secondly, the DSE can enhance the system’s threat hunting queries for specific customers who have specific requirements – such as added protection for particularly valuable assets.