Enterprises that have grown comfortable with Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) are increasingly accepting of Network as a Service (NaaS). NaaS is a rapidly growing market. According to Market Research Future, NaaS is expected to become a US $126 billion market by 2022, sustaining an annual growth rate of 28.4 percent.
One of the key benefits of cloud-based networking is increased security for applications and data. Given that the traditional perimeter of on-premise networks has been decimated by mobile and cloud computing, NaaS builds a new perimeter in the cloud. Now it’s possible to unify all traffic – from data centers, branch locations, mobile users, and cloud platforms – in the cloud. This means an enterprise can set all its security policies in one place, and it can push traffic through cloud-based security functions such as next-generation firewall, secure web gateway, advanced threat protection, and so on.
These security capabilities are basically table stakes for NaaS providers. Customers expect to be able to pick and choose the security services they need.
One of the major players in the NaaS market, Cato Networks, is introducing an even more advanced security capability, threat hunting, as part of its networking service. This is the process of proactively searching the network for threats that have evaded preventative security measures.
Being able to proactively look for threats is a goal for many enterprises, but it’s not easy to achieve. Threat hunting is a data-heavy process that usually requires the installation of endpoint agents and/or hardware appliances to collect the metadata from network traffic. Massive amounts of data must be correlated and analyzed, and failure to incorporate even a few data sources could result in missing a threat. What’s more, threat hunting is still a human-intensive effort, and it’s hard for companies to afford (or even find) the skilled people who are qualified to do this job.
What makes Cato Networks’ threat hunting different?
Cato’s threat hunting service is unique in that it is totally contained within the global network that Cato operates. Customers do not need to install anything — no additional data collection hardware and no agents on endpoints. Cato gets all the data it needs from the traffic flows already on its network.
In hunting for threats, Cato uses data from the entirety of its network; i.e., metadata from all customers’ traffic. This gives Cato a much more complete set of data to analyze and a broader view of global threats than simply looking at the data collected by any one enterprise.
From a customer perspective, the threat hunting service is automatically and continuously happening in the background. Cato built its own data models and applies them to all the traffic data it has. A customer doesn’t have to do anything. Even the skilled security analysts are on Cato’s staff.
The threat hunting process is finely tuned and highly accurate. Cato analyzes the traffic metadata across multiple layers and in particular: client classification, time (repetitive communications), and target popularity.
In terms of client classification, Cato starts by identifying flows using the entities that most threat hunting systems rely on: source IP, username, and device name. However, Cato expanded client classification to also distinguish the source application type, such as Microsoft Office, Windows Update, or an unknown bot.
Another data layer that Cato looks at is time. Active malware shows network patterns over time, such as repeatedly communicating with a C&C server to exfiltrate data. Time (repetitiveness) is something many other security solutions typically do not consider.
The third context element that Cato analyzes is the target. Most security solutions define the target by the IP address or domain that a client connects to. They typically use this information to check the target against a list of security feeds, for example, to check its reputation. Cato developed a method for ranking targets that it calls a “popularity score.” The score is calculated based on the number of times clients across Cato’s network communicate with a particular target IP address or domain. Scores of all targets are then bucketed; the lower the popularity rank, the greater the likelihood that the host is involved in a malicious event.
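To make the three layers concrete, here is an added illustration of how the same signals (client classification, timing regularity, and a network-wide popularity score) can be combined over flow metadata. This is example code written for this article, not Cato's own implementation; the flow records are constructed, and the bucket thresholds, the beaconing test (coefficient of variation of inter-connection intervals) and the client-hint table are assumptions chosen for the demonstration.

```python
"""Toy threat-hunting pass over flow metadata: client type, timing, target popularity."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (timestamp_seconds, source_ip, user, device, client_app_hint, target).
# The hypothetical "client_app_hint" stands in for whatever the network layer can
# learn about the originating application (e.g. an HTTP User-Agent); empty means unknown.
FLOWS = [
    # Several clients reaching a widely used update host at irregular times.
    (0,    "10.0.0.1", "alice", "LT-01", "Microsoft-Delivery-Optimization", "update.example"),
    (400,  "10.0.0.2", "bob",   "LT-02", "Microsoft-Delivery-Optimization", "update.example"),
    (900,  "10.0.0.3", "carol", "LT-03", "Microsoft Office",                "update.example"),
    (1300, "10.0.0.4", "dave",  "LT-04", "Microsoft-Delivery-Optimization", "update.example"),
    # One host with an unidentified client contacting a rarely seen target every 300 s.
    (0,    "10.0.0.9", "eve",   "LT-09", "", "rare-host.example"),
    (300,  "10.0.0.9", "eve",   "LT-09", "", "rare-host.example"),
    (600,  "10.0.0.9", "eve",   "LT-09", "", "rare-host.example"),
    (900,  "10.0.0.9", "eve",   "LT-09", "", "rare-host.example"),
    (1200, "10.0.0.9", "eve",   "LT-09", "", "rare-host.example"),
    # The same host also talks to the popular update service; this must not be flagged.
    (100,  "10.0.0.9", "eve",   "LT-09", "Microsoft Office", "update.example"),
]

# Assumed mapping from application hint to a client class; anything else is "unknown bot".
KNOWN_CLIENTS = {
    "Microsoft-Delivery-Optimization": "Windows Update",
    "Microsoft Office": "Microsoft Office",
}


def classify_client(app_hint):
    """Layer 1: client classification beyond IP/user/device."""
    return KNOWN_CLIENTS.get(app_hint, "unknown bot")


def popularity(flows):
    """Layer 3: number of distinct clients (ip, device) that contacted each target, network-wide."""
    clients = defaultdict(set)
    for _ts, ip, _user, dev, _hint, target in flows:
        clients[target].add((ip, dev))
    return {target: len(c) for target, c in clients.items()}


def popularity_bucket(distinct_clients):
    """Bucket the raw count; thresholds are assumptions for this toy data set."""
    if distinct_clients <= 1:
        return "low"
    if distinct_clients <= 3:
        return "medium"
    return "high"


def intervals_for(flows, ip, target):
    """Layer 2: gaps in seconds between successive connections from one client to one target."""
    times = sorted(ts for ts, src, *_rest, tgt in flows if src == ip and tgt == target)
    return [later - earlier for earlier, later in zip(times, times[1:])]


def is_repetitive(intervals, min_count=3, max_cv=0.2):
    """Beacon-like if there are enough intervals and they are nearly constant (low CV)."""
    if len(intervals) < min_count:
        return False
    avg = mean(intervals)
    if avg == 0:
        return False
    return pstdev(intervals) / avg <= max_cv


def hunt(flows):
    """Combine the three layers; return candidate events for an analyst to validate."""
    pop = popularity(flows)
    pairs = {}
    for _ts, ip, user, dev, hint, target in flows:
        pairs.setdefault((ip, target), (user, dev, hint))
    events = []
    for (ip, target), (user, dev, hint) in pairs.items():
        bucket = popularity_bucket(pop[target])
        gaps = intervals_for(flows, ip, target)
        if bucket == "low" and is_repetitive(gaps) and classify_client(hint) == "unknown bot":
            events.append({
                "source_ip": ip, "user": user, "device": dev,
                "client": classify_client(hint), "target": target,
                "popularity": bucket, "intervals": gaps, "severity": "critical",
            })
    return events


if __name__ == "__main__":
    for event in hunt(FLOWS):
        print(event)
```

The final stage mirrors the article's point that a "critical" event is a candidate, not a verdict: the output is a short list for a human analyst to validate, and the popular update host is never flagged even though the same device contacted it, because popularity and client class both argue against it.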
Even the best algorithms today can turn up false positives, so once events are identified as “critical,” Cato’s security team validates the results. If a threat is indeed found, the analysts contact the customer that was the source of the issue and work with the customer to mitigate the threat. Cato also updates its threat prevention systems, protecting all customers from the threat.
From a customer perspective, threat hunting can’t get any easier — customers literally don’t have to do anything. And yet it’s an incredibly valuable service to be able to find and mitigate security threats that could pose harm to an enterprise.