Lately, we can’t help noticing an endless cycle: the more enterprises invest in threat prevention, the more hackers adapt and continue to penetrate enterprises.
To make things worse, detecting these penetrations still takes too long with an average dwell time that exceeds 100 (!) days.
To keep the enterprise protected, IT needs to figure out a way to break this endless cycle without purchasing complex security and data analysis tools and hiring the right (skilled and expensive) security professionals to operate them.
An advanced security service, Managed Detection and Response (MDR), provides ongoing threat detection and response, leveraging AI and machine learning to investigate, alert, and contain threats.
MDR is gaining traction. In fact, Gartner forecasts that by 2024, 25% of organisations will be using MDR services, up from less than 5% today, and that by 2024, 40% of midsize enterprises will use MDR as their only managed security service (source: Gartner’s Market Guide for Managed Detection and Response Services, published 15 July 2019, ID G00367208).
MDR is the industry’s hope to break the cycle of adding more and more threat prevention tools, as hackers continuously increase their attack capabilities. Yet, to gain visibility into all network traffic – critical for effective detection and response – traditional MDR services require installing dedicated software and hardware across an enterprise’s network.
This deployment model is expensive and complex, causing many companies to put off implementing MDR services while leaving their network at risk.
Houston, we have a triple problem
1 — Every enterprise is a target for hackers, regardless of its size or type of business. According to Verizon’s 2019 Data Breach Investigations Report (DBIR), 43% of breaches involved small business victims, 10% were breaches of financial industry organisations, and 15% were breaches involving healthcare organisations.
2 — On top of that, enterprises always need to assume the worst, as Gartner states clearly: “The assumption must be that the organisation will be compromised, that the hacker’s ability to penetrate systems is never fully countered. Continuous monitoring of systems and behaviour is the only way to reliably detect threats before it is too late.”
3 — As a result, enterprises must continuously stand guard, which is a huge challenge for IT in terms of resources and in-house skills. Furthermore, according to the DBIR, “56% of breaches took months or longer to discover.” During that long dwell time the malware spreads throughout the enterprise, and when it is activated the damage it causes is multiplied.
In short, if all enterprises are targets, and must always assume they’re under attack, then IT needs to be watching 24/7. Hmmm, does this sound impractical to anyone else?
Okay, we’ve had a problem – meet Cato MDR
Cato MDR is incorporated into Cato’s SASE platform, overcoming the complications of traditional MDR. Cato aims to break the endless cycle of increasing threats and lurking hackers. How? By enabling customers that use Cato Cloud to offload the resource-intensive and skill-dependent process of detecting compromised endpoints to Cato’s SOC team. The team has instant, clear visibility into all traffic, and customers do not need to deploy any additional network probes or software agents.
Cato automatically collects, indexes, and stores the metadata of every WAN and Internet traffic flow traversing the Cato Cloud. Data aggregation and machine learning algorithms mine the full network context of Cato’s huge data warehouse, detecting malware indicators across customer networks. Cato’s SOC team assesses the suspicious traffic flows and alerts customers to any active threats.
A sneak peek behind the scenes
Cato claims that its MDR service stands guard for customers, reducing dwell time from months to just 1-2 days. We had to take a closer look to understand if and how this is possible. Here’s what we found.
Cato’s MDR service delivers these key capabilities:
- Zero-footprint data collection: Cato can access all relevant information for threat analysis since it already serves as the customer’s network platform (remember, Cato MDR is integrated into Cato’s SASE platform). This eliminates the need for any further installations, and all that’s left for customers is to subscribe to the service.
- Automated threat hunting: Cato uses big data and machine learning algorithms to mine the network for suspicious flows, based on the many flow attributes available to Cato. These include accurate client application identification, geolocation, risk assessment of the destination based on IP, URL category, URL name structure, frequency of access, and more.
- Human verification: Cato’s SOC team inspects suspicious flows on a daily basis, closing the investigation for benign traffic.
- Network-level threat containment: Cato alerts customers in case of a verified threat, and based on a predefined policy, will apply network-level threat containment by blocking the network traffic.
- Guided remediation: Cato provides the context of threats for IT’s further reference and recommends the actions to be taken for remediation.
Additional cool capabilities
Cato has full visibility into all network traffic. From each network flow that passes through its MDR service, Cato extracts and collects metadata on the following:
- Source – Cato distinguishes between human and non-human traffic, client type, OS data, and more.
- Destination – Cato sees the popularity, category, and reputation.
- Behaviour – Cato knows the traffic patterns, such as frequency and volume of data.
Cato then stores all this metadata in its big data repository.
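To make the "automated threat hunting" idea above concrete, here is an added example of how the listed attribute families (source client type and human/non-human classification, destination popularity, category and reputation, and behavioural signals such as connection frequency and data volume) can be combined into a simple beaconing score over flow metadata. This is illustrative code written for this review, not Cato’s data model, algorithm or weights; the record schema, the thresholds and the three constructed flow records are all assumptions.

```python
"""Score flow metadata for beaconing-style suspicious traffic.

Added example (not Cato's code). The Flow schema, the weights and the
threshold are assumptions chosen to illustrate how source, destination
and behaviour attributes combine into one hunting score.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed set of identified client applications treated as interactive browsers.
BROWSERS = {"chrome", "firefox", "edge", "safari"}


@dataclass
class Flow:
    src_host: str
    client: str            # identified client application (assumed field)
    human: bool            # human-driven vs. automated traffic (assumed field)
    dst: str
    dst_category: str      # e.g. "search", "software-update", "uncategorised"
    dst_popularity: int    # assumed scale: 0 = rare/unknown, 100 = ubiquitous
    dst_reputation: int    # assumed scale: 0 = known bad, 100 = trusted
    timestamps: list       # epoch seconds of each connection in the flow
    bytes_per_conn: list   # bytes sent per connection


def interval_regularity(ts):
    """Coefficient of variation of the gaps between connections.
    A value near 0 means machine-like periodicity; None if too few samples."""
    if len(ts) < 3:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m else None


def score_flow(f):
    """Return (score, reasons) for one flow; higher means more suspicious."""
    score, reasons = 0, []
    cv = interval_regularity(f.timestamps)
    if cv is not None and cv < 0.1:                       # behaviour: frequency
        score += 3; reasons.append("periodic connections (cv=%.2f)" % cv)
    if len(f.bytes_per_conn) >= 3 and \
            max(f.bytes_per_conn) - min(f.bytes_per_conn) <= 64:  # behaviour: volume
        score += 1; reasons.append("uniform payload size")
    if not f.human:                                       # source: human vs. non-human
        score += 1; reasons.append("non-human traffic")
    if f.client not in BROWSERS:                          # source: client application
        score += 1; reasons.append("non-browser client %s" % f.client)
    if f.dst_category == "uncategorised":                 # destination: category
        score += 1; reasons.append("uncategorised destination")
    if f.dst_popularity < 5:                              # destination: popularity
        score += 2; reasons.append("rarely visited destination")
    if f.dst_reputation < 30:                             # destination: reputation
        score += 3; reasons.append("poor destination reputation")
    return score, reasons


def hunt(flows, threshold=6):
    """Flows whose score reaches the threshold, for human verification."""
    hits = []
    for f in flows:
        s, r = score_flow(f)
        if s >= threshold:
            hits.append((f.src_host, f.dst, s, r))
    return hits


# Constructed sample records: a human browsing session, a periodic
# implant check-in, and a legitimate periodic software updater.
SAMPLE_FLOWS = [
    Flow("pc-17", "chrome", True, "search.example", "search", 100, 95,
         [0, 7, 31, 45, 120, 130, 400],
         [1200, 40000, 600, 9000, 300, 15000, 2100]),
    Flow("pc-23", "powershell", False, "x7k2.example", "uncategorised", 0, 20,
         list(range(0, 600, 60)), [512] * 10),
    Flow("pc-23", "updater", False, "update-cdn.example", "software-update", 90, 90,
         list(range(0, 4 * 3600, 3600)), [4096, 81920, 3072, 120000]),
]

if __name__ == "__main__":
    for host, dst, s, reasons in hunt(SAMPLE_FLOWS):
        print("%s -> %s  score=%d  %s" % (host, dst, s, "; ".join(reasons)))
```

The updater record matters as much as the implant: it is periodic, automated and non-browser, so frequency alone would flag it, but its popular, well-reputed, categorised destination keeps it under the threshold. That is the role the destination attributes play in keeping the suspicious-flow queue small enough for a SOC analyst to verify daily.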