Cato Networks Adds Smarts to Threat Intelligence

Cato Networks has added automated assessment of threat intelligence to its security services in a move that highlights the vendor’s ongoing evolution as a secure edge and SASE service provider.

Called the Cato reputation system, the newly announced function combines network flow analytics with scoring algorithms and machine learning (ML) to determine which threats to a network are false alarms, or so-called false positives. These false reports have become an issue for enterprise networks as threats proliferate.

Suppose, for instance, that an open-source threat intelligence system reports an indicator of compromise (IoC) for a particular URL. Without the right tools, security personnel at an enterprise that interacts with that URL might decide to disable all corporate access to the address. Later, the threat proves to be a false alarm. Legitimate business has been delayed or thwarted, and valuable security resources diverted, even as attack vectors emerge elsewhere.

The announcement spotlights Cato’s efforts to keep ahead of trends in its managed service network, which comprises a readymade software-defined wide-area network (SD-WAN) of roughly 55 worldwide points of presence (PoPs) to which customers link with lightweight on-premises appliances or software clients. The network packs a range of cybersecurity features (including access rights based on identity rather than IP address), as well as SLAs, VPN and mobile access, and automatic rerouting in the event of link failure.

Earlier this year, Cato scored $77 million in funding that brings its total purse to over $200 million — which is being poured into growing Cato's network and adding improvements such as the one announced today.

How Cato Is Solving for False Positives

As a security service provider, Cato already gathers data on millions of IoCs from about 200 open-source and commercial threat intelligence data sources. With the new system, each IoC is profiled, based partly on information about the number of sources reporting the IoC. Cato then draws on what it describes as a warehouse of SASE flow metadata from the network to determine the actual risk to the network for that IoC, eliminating false alarms in the process.

Making sense of cybersecurity alerts through ML and artificial intelligence (AI) is an ongoing trend in cloud-based enterprise environments. Nearly every router, switch, and firewall supplier, including Cisco (CSCO), Fortinet (FTNT), and Juniper (JNPR), claims to apply intelligent alert sifting to its products. Arista Networks (ANET) bought Awake Security in October to add AI-based security to Arista's Campus Flow Tracker management solution. And makers of security information and event management (SIEM) systems, such as Splunk (SPLK), have augmented their platforms with machine learning that can be applied to security.

Using traffic analytics to help adjudicate security alerts also has become a suggested approach for security professionals. Earlier this year, for instance, Check Point Software Technologies (CHKP) teamed with startup Stellar Cyber to use log data and security analytics to identify false positives.

The Outlook for Cato and Others

When it comes to network security, the permutations of device, service, and software seem limitless for enterprise clouds these days. But in Cato’s case, the ability to offer a service that integrates functions normally requiring multiple products, or that call for DevOps and SecOps integration, should be a differentiator.

Of course, some customers will prefer to stick with a particular combination of products, trading off any management challenges to get specific product-dependent benefits, such as those related to certain switching, routing, or SASE systems. Still, as requirements for security increase with the spread of multi-cloud networking and edge connectivity, any approach such as Cato's that simplifies the network -- or part of the network -- is likely to be in demand.