• United States



Cato Networks adds threat hunting to its SD-WAN services

News Analysis
May 24, 20185 mins
Advanced Persistent ThreatsInternet SecurityNetwork Security

Cato Threat Hunting System includes algorithms and procedures to alert on threats -- without adding endpoint or network monitoring tools to the customer network.

forensics threat hunter cyber security thumbprint
Credit: Getty Images

Being Canadian, I have a natural affinity to all things Royal Family. As expected, the recent wedding was filled with big hats, formal outfits, and pomp and circumstance that one would expect from such an event. It got me thinking about other traditions of the Royals that peasants like us don’t do. For example, most people don’t dress formally for dinner or wear tiaras to dinner parties. Also, I believe the Royal Family still engages in the age-old practice of hunting for foxes, as Prince Charles found them “romantic.” 

Hunting may be one of the few points of intersection of the Royals and the security professionals. While cybersecurity professionals don’t hunt foxes, they have taken an active interesting in threat hunting. And this week, SD-WAN vendor Cato Networks became the latest company to deliver threat hunting, but with a twist.

Cato Networks launches threat hunting as part of its SD-WAN service

The new threat hunting capabilities introduced by Cato are the latest security in its secure SD-WAN service. The Cato Cloud global SD-WAN service already provides security functions, such as next-generation firewall (NGFW), secure web gateways (SWG), and intrusion prevention systems (IPS). Now, with the Cato Threat Hunting System (CTHS), the company gives us algorithms and procedures developed by Cato Research Labs to alert on threats, which it claims is more accurate than other approaches.

The twist on Cato’s service is they accomplish that without adding endpoint or network monitoring tools to the customer network. I have no independent way of verifying the company’s claims on being more accurate, but the ability to find threats is based largely on a combination of algorithms and data, so it’s certainly plausible. Cato Research Labs will be using CTHS internally to alert customers to threats on their networks.

There’s definitely a need for threat hunting. Despite enterprises’ investment in perimeter security, they continue to battle malware infections daily. Dwell time, the time malware remains undetected on a network, exceeds 100 days, according to a number of sources.

But for many midsize enterprises, the tools to actively look for threats have been challenging to adopt. Endpoint sensors invariably miss some nodes, such as IoT devices that can’t run agents, or personal mobile devices. They also increase the overall deployment friction, as operating systems, antivirus, and other endpoint software updates often impact sensor operation. Network sensors often lack sufficient visibility. Firewalls and network address translation (NAT), as well as the widespread use of encryption, obscures network visibility. And regardless, highly skilled, trained staff is required to interpret the data.

Overall, threat hunting requires a significant investment in capital and operational expenses. That is why vendors such as Accenture, Cisco, and Fortinet have thriving threat hunting businesses.

Threat hunting without the pain

Enter Cato. As an SD-WAN vendor, Cato is the network that connects all sites, cloud resources, and mobile users to one another and the public internet. Cato Cloud already has visibility into all site-to-site and internet traffic. CTHS merely uses this rich dataset for threat hunting purposes, obviating the need for other data collection infrastructure.

Working with actual network traffic data and not logs is the key to the Cato approach, as it’s made easier with the proper context. Too often, though, security analysts lack the necessary information. It’s not that enterprises don’t have the data. They do. It’s just that the data is spread across multiple tools and platforms. Being able to work off of raw network data should increase that context.

Aside from the depth of the base dataset, Cato claims to have developed machine learning algorithms that spot threats by looking for symptoms in new ways. Of the three, the time element struck me as being particularly significant. Malware shows specific network characteristics over time, such as periodically communicating with a C&C server. Usually, security tools focus on distinct events and miss these broader patterns. With its data warehouse, though, Cato is able to look across time to identify network activity that might indicate a threat.

What’s more, instead of categorizing the source of a flow by a domain or IP address, CTHS identifies the type of application generating the flow. This is important because malware will share the domain and IP of benign applications in the same device. Being able to differentiate between an active, open browser window communicating across the internet from a minimized one is a big help.

The last dimension is the target. Typically, malicious targets, such as C&C servers, are identified in part by relying on third-party reputation services, which can be gamed by attackers. Cato Research Labs developed a “popularity” indicator that it claims is immune to such tactics. Popularity is calculated by the frequency access to a domain across all of Cato customers. Machine learning algorithms also detect auto-generated domain names — another risk factor pertaining to the target.

While no one element will identify a malicious event, the three contexts together — time, source, and target — should help Cato researchers hone in on the events that matter. Looking across customers should also help Cato spot and protect against threats faster and more efficiently than most individual enterprises. Once researchers validate flagged events as malicious, Cato notifies the customer.

There aren’t many global SD-WAN services out there with security services built into the network, and I can’t think of another that offers threat hunting. Cato’s approach should be particularly helpful as more organizations look to give branch offices secure, local internet breakout without on-site appliances. Joining SD-WAN and threat hunting is a natural marriage for Cato, one that might not be quite as closely watched as that marriage over the weekend, but very significant for IT pros nevertheless.

Note: Cato Networks is a client of ZK Research.


Zeus Kerravala is the founder and principal analyst with ZK Research, and provides a mix of tactical advice to help his clients in the current business climate and long-term strategic advice. Kerravala provides research and advice to end-user IT and network managers, vendors of IT hardware, software and services and the financial community looking to invest in the companies that he covers.