New machine learning algorithms scan server traffic to detect and eliminate ransomware attacks across Cato's customer network.

Cloud-native SASE (secure access service edge) provider Cato Networks is offering a new capability for network-based ransomware protection on the Cato SASE Cloud. The Cato cloud will use new machine-learning heuristic algorithms, combined with the platform’s network insights, to detect and prevent the spread of ransomware across a company without having to deploy endpoint agents.

By identifying ransomware via its underlying network characteristics, security teams can protect against sophisticated threat actors that have learned to bypass endpoint defences, said Etay Maor, senior director of security strategy at Cato Networks, in a company announcement.

SASE is a fairly new concept in network and cloud security. It was first defined in 2019 by consulting firm Gartner as the combination of traditional WAN management with key security functions--including cloud access security brokers (CASB), secure web gateways (SWG), virtual private networks (VPNs), firewall as a service (FWaaS), and data loss prevention (DLP)--to be built and delivered as a single cloud-native service at dispersed SASE points of presence (PoPs).

Bringing ransomware protection to the network

As an SD-WAN provider, Cato provides a network that connects sites, cloud resources, and mobile users to one another and the internet, and thus has visibility into site-to-site and internet traffic. The basic principle of the new network-based ransomware protection capability is to inspect all Server Message Block (SMB) flows with Cato’s algorithms for ransomware activity. SMB is a network file sharing protocol used in Windows that allows applications to read or write files and to request services from a server program on a network.
Trained against Cato’s data lake of end-to-end attributes for all of Cato Cloud’s historic traffic flows--including from connected edges, sites, users, IoT devices, and other cloud-connected resources--the algorithms inspect live SMB traffic flows for a combination of network attributes. The inspected attributes include file properties, shared volume access data, network behavior, and encryption time intervals. Upon detection of ransomware, the Cato technology is designed to automatically block the SMB traffic from the source device, preventing any file encryption or lateral movement, and to notify the customer.

According to a company press statement, the announcement is part of Cato’s multilayered ransomware mitigation strategy, designed to tackle common ransomware tactics, techniques, and procedures (TTPs) outlined in the MITRE ATT&CK framework.

To that end, Cato Networks recently introduced a new risk-based application access control for combatting security threats and productivity challenges posed by remote working and bring your own device (BYOD) strategies. The company has also teamed up with Windstream Enterprise, a managed communication, to launch a comprehensive, managed SASE solution.
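
The kind of network-side SMB inspection the article describes can be illustrated with a small heuristic. This is an added example, not Cato's algorithm or code: the event fields, thresholds, host addresses and sample flows are all assumptions constructed for illustration. It flags a source host that rewrites many files with a changed extension and high-entropy content inside a short interval.

```python
import math
from collections import defaultdict

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n)
                for c in (data.count(b) for b in set(data)))

def ext(name: str) -> str:
    return name.rpartition(".")[2].lower() if "." in name else ""

def flag_sources(events, window=10.0, min_files=5, min_entropy=7.0):
    """Return {src: {"files": n, "shares": k}} for hosts whose SMB writes
    rewrite >= min_files files with a new extension and high-entropy
    content inside one `window`-second interval (assumed thresholds)."""
    per_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if ext(e["new"]) != ext(e["old"]) and entropy(e["data"]) >= min_entropy:
            per_src[e["src"]].append(e)
    flagged = {}
    for src, hits in per_src.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until the burst fits in `window`.
            while hits[end]["ts"] - hits[start]["ts"] > window:
                start += 1
            burst = hits[start:end + 1]
            if len(burst) >= min_files:
                flagged[src] = {"files": len(burst),
                                "shares": len({h["share"] for h in burst})}
    return flagged

# Constructed sample flows (not real traffic). bytes(range(256)) stands in
# for ciphertext: every byte value appears once, so entropy is exactly 8.0.
CIPHERLIKE = bytes(range(256))
PLAIN = b"quarterly report draft " * 12
EVENTS = (
    [{"ts": 100.0 + i, "src": "10.0.0.23", "share": s, "old": f"doc{i}.docx",
      "new": f"doc{i}.docx.locked", "data": CIPHERLIKE}
     for i, s in enumerate(["finance", "finance", "hr", "hr", "eng", "eng"])]
    + [{"ts": 100.0 + 30 * i, "src": "10.0.0.40", "share": "eng",
        "old": f"notes{i}.txt", "new": f"notes{i}.txt", "data": PLAIN}
       for i in range(6)]
)

if __name__ == "__main__":
    for src, info in flag_sources(EVENTS).items():
        print(f"block SMB from {src}: {info}")
```

A production system would weigh many more signals and tune thresholds against baseline traffic; a fixed rule like this one will misfire on legitimate bulk operations such as backups or archive jobs.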