Cato aims to bust cybermyths by extending network protections

As Secure Access Service Edge (SASE) specialist Cato Networks bolsters its cyber credentials by adding multiple features to its platform, the company’s Senior Director of Security Strategy, Etay Maor, urged users to challenge some of their preconceptions about security, using data pulled from Cato’s global network to counter some established cyber “truths.”

In June 2022, Cato became the first SASE vendor to add network-based ransomware protection to its platform, combining heuristic algorithms that analyze server message block (SMB) protocol streams for attributes such as file properties and network or user behaviors with the in-depth knowledge it already has of the traffic crossing its network in daily operation.

The algorithms were trained and tested against the company’s existing data lake drawn from the Cato SASE Cloud, which contains over a trillion streams from Cato-connected edges.

The company says this will allow it to detect and stop the spread of ransomware on an organization’s network by blocking SMB traffic to and from the source device to prevent lateral movement and file encryption.

Speaking to Computer Weekly, Maor, who joined Cato from IntSights and is also an adjunct professor at Boston College’s Woods College of Advancing Studies, described a Black Basta ransomware attack he responded to, in which the victim – an anonymous American organization – could have benefited from such protection.

When he got access to the victim’s security logs, Maor discovered that all the information about the arrival of the ransomware attack was there; the security operations center (SOC) just couldn’t see it.

“I know it’s cool to sit in front of six screens, but what the SOC analysts are trying to do is gather so much information and put it all together, so I understand why things are missing,” he said.

“In this case it was a remote desktop [RDP] to an Exchange server. Yes, they said, but that Exchange server no longer exists so why attack a server that isn’t there? So I had to introduce them to the ransomware as a service [RaaS].

“What happened was someone else who attacked them sold their network data to someone else who wrote a script to automate the attack. They weren’t there for weeks, they stayed there for a minute, they didn’t know that the victim had changed Exchange servers, but they had luck elsewhere.

“So if you can see east-west traffic, like trying to connect to a server that’s not there, that should be a red flag for the SOC,” he explained. “We created our heuristic algorithms to look for these quirks.”
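The red flag Maor describes, an internal host attempting RDP or SMB connections to a server that no longer exists, is easy to express as a detection rule once the SOC has an asset inventory to compare flows against. The following is an added example, not Cato’s heuristics or any code from the article: it takes a constructed, hypothetical asset inventory (host IP, name, and whether the host is active or decommissioned) and a few constructed flow-log lines, and flags east-west connection attempts on lateral-movement ports to hosts that are retired or unknown. The field layout of the log lines and the inventory format are assumptions made for the example.

```python
"""Flag east-west connection attempts to decommissioned or unknown hosts.

Added example (not Cato's code): the asset inventory, port list and flow-log
lines below are all constructed for illustration.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed asset inventory (hypothetical): destination IP -> (hostname, status).
# The retired Exchange server is the kind of entry the SOC in the story lacked.
INVENTORY = {
    "10.0.1.10": ("exch-old", "decommissioned"),
    "10.0.1.11": ("exch-new", "active"),
    "10.0.1.12": ("fs01", "active"),
}

# Ports used for lateral movement inside a Windows estate.
LATERAL_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM"}

# RFC 1918 ranges; a flow counts as east-west when both endpoints are internal.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed flow-log lines (assumed layout): timestamp src dst dport action
FLOW_LOG = """\
2022-07-01T02:14:03Z 10.0.5.23 10.0.1.10 3389 DENY
2022-07-01T02:14:04Z 10.0.5.23 10.0.1.11 445 ALLOW
2022-07-01T02:14:05Z 10.0.5.23 10.0.1.99 445 DENY
2022-07-01T02:15:00Z 10.0.7.8 203.0.113.4 443 ALLOW
2022-07-01T02:15:10Z 10.0.7.8 10.0.1.11 3389 ALLOW
"""


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    service: str
    reason: str


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str):
    """Return (ts, src, dst, dport, action), or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, action = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return ts, src, dst, int(dport), action
    except ValueError:
        return None


def find_stale_host_attempts(log_text: str, inventory=INVENTORY):
    """Return an Alert for every east-west lateral-movement attempt whose
    destination is decommissioned or absent from the inventory.

    The firewall action (ALLOW/DENY) is deliberately ignored: a denied attempt
    to reach a retired server is still the signal the SOC wants to see.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src, dst, dport, _action = rec
        if dport not in LATERAL_PORTS:
            continue
        if not (is_internal(src) and is_internal(dst)):
            continue  # north-south traffic is out of scope for this rule
        entry = inventory.get(dst)
        if entry is None:
            reason = "destination not in asset inventory"
        elif entry[1] == "decommissioned":
            reason = f"destination {entry[0]} is decommissioned"
        else:
            continue  # live, known host: nothing to flag
        alerts.append(Alert(ts, src, dst, LATERAL_PORTS[dport], reason))
    return alerts


def sources_by_alert_count(alerts):
    """Count alerts per source, so a host probing several stale servers stands out."""
    return Counter(a.src for a in alerts)


if __name__ == "__main__":
    found = find_stale_host_attempts(FLOW_LOG)
    for a in found:
        print(f"{a.ts} {a.src} -> {a.dst} ({a.service}): {a.reason}")
    print(dict(sources_by_alert_count(found)))
```

On the constructed log, the rule fires twice, both times for 10.0.5.23: once for RDP to the retired Exchange server and once for SMB to an address that is in no inventory at all, while the connections to the live replacement server pass silently. The rule is only as good as the inventory it consults, which is the practical point of Maor’s anecdote: the decommissioning record existed somewhere, but nothing correlated it with the traffic the SOC was already collecting.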

Maor said he wanted to explode the myth – favored by presenters at security conferences – that attackers only need to be lucky once, while defenders need to be lucky all the time.

“When you look at MITRE ATT&CK and see how attackers operate, you soon see that saying is the opposite of the truth. Attackers must successfully phish, gain an endpoint, move laterally, escalate privileges, upload malware payloads, etc.

“You actually realize attackers have to be right all the time, but defenders only need to be right at some point to protect, defend and mitigate,” he said.

Cato now goes one step further by adding a Data Loss Prevention (DLP) engine to protect data across all enterprise applications without having to implement “complex and cumbersome” DLP rules. It is part of Cato’s SSE 360 architecture and is designed to address what the company describes as the limitations of traditional DLP solutions.

For example, legacy DLP may have inaccurate rules that block legitimate activity – or, even worse, allow illegitimate activity – while the focus on public cloud applications leaves sensitive data exposed in both proprietary and non-proprietary applications.

Additionally, investing in legacy DLP solutions does not help provide protection against other threat vectors.

Cato believes it has solved these problems by introducing network scanning for customer-defined sensitive files and data. It is able to identify over 350 distinct data types and once identified, customer-defined rules will block, alert or allow the transaction.

Threat Visibility

Since joining Cato, Maor has created quarterly threat landscape reports using data pulled from the company’s global network, and the latest edition of this report also challenges established cyber thinking in several respects.

For example, after spending a few days immersed in the security community, one might reasonably expect most cyberattacks to come from countries like China or Russia, but Cato’s data reveals that is far from being the case.

In fact, in the first three months of 2022, the most malicious activity was initiated from the United States, followed by China, Germany, the United Kingdom, and Japan. Note that this data is related to malware command and control (C2) communications, therefore the data reveals which countries host the most C2 servers.

Maor said understanding the true origin of attacks should be a crucial part of a defender’s visibility into threats and trends. Attackers are well aware that many organizations will add countries such as China or Russia to their deny lists or, at the very least, closely inspect traffic from these jurisdictions. Therefore, he said, it makes perfect sense for them to base their C2 infrastructure in countries organizations perceive to be more secure.

Cato’s report also pulled data on the most used cloud apps – Microsoft, Google, RingCentral, AWS and Facebook in that order – with Telegram, TikTok and YouTube also trending, likely as a result of the Russian-Ukrainian war.

The report also showed the most targeted common vulnerabilities and exposures (CVEs) – as you might expect, Log4Shell was the runaway “winner” here, with over 24 million exploit attempts seen in Cato’s telemetry, but in second place was CVE-2009-2445, a 13-year-old vulnerability in Oracle iPlanet Web Server (formerly Sun Java System Web Server or Sun ONE Web Server) that allows an attacker to read arbitrary JSP source files via an alternate data stream syntax.

“With vulnerabilities this old, people completely ignore them,” Maor said. “[It shows] the way defenders look at the network is completely different from how attackers do – defenders will send me a visual PDF of their servers, DMZ, cloud, etc., [but] attackers will say, ‘Hey, you have a 14-year-old server, that’s interesting’.”
