Examples of AI/ML Usage in the Cato SASE Cloud Platform
Threat Intelligence
Timely threat intelligence is key to maximizing security efficacy and minimizing false positives. Adversaries know how enterprises struggle to maintain threat intelligence data, and leverage that to evade detection. Cato uses AI/ML in purpose-built threat intelligence software that can process hundreds of feeds without any human involvement. Every 2 hours, the AI/ML-based pipeline processes every IoC (Indicator of Compromise) in every feed, examining it against other IoCs, hit counters, age and other parameters to generate a popularity score, and uses that score to decide whether to add, keep or remove the IoC from a global blacklist of over 5 million IoCs.
To find out more about our Threat Intelligence mechanisms, read our blog: Security Testing Shows How SASE Hones Threat Intelligence Feeds, Eliminates False Positives
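The add/keep/remove decision described above can be illustrated with a small reconciliation pass. The code below is an added example, not Cato's pipeline: it assumes each feed exposes entries of (indicator, hit count, last seen), derives a popularity score from how many feeds corroborate an IoC, how many hits it has and how recently it was seen, and applies a higher threshold for adding than for keeping so entries do not flap between passes. The feed data, indicator values, thresholds and the 14-day half-life are all constructed for the example.

```python
"""Toy IoC reconciliation pass: score each indicator across feeds and decide
whether to add it to, keep it on, or remove it from a blacklist.
Added example with constructed data; not Cato's code."""
import math
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample feeds: feed name -> list of (indicator, hit_count, last_seen).
# Indicators use documentation/reserved ranges and .example names.
FEEDS = {
    "feed-a": [
        ("198.51.100.7", 40, NOW - timedelta(hours=3)),
        ("malicious.example", 12, NOW - timedelta(days=1)),
        ("203.0.113.9", 1, NOW - timedelta(days=60)),
    ],
    "feed-b": [
        ("198.51.100.7", 25, NOW - timedelta(hours=1)),
        ("malicious.example", 3, NOW - timedelta(days=2)),
        ("stale.example", 2, NOW - timedelta(days=90)),
    ],
    "feed-c": [
        ("198.51.100.7", 10, NOW - timedelta(hours=6)),
    ],
}

# Constructed current blacklist; cdn.example is no longer reported by any feed.
CURRENT_BLACKLIST = {"malicious.example", "stale.example", "cdn.example"}


def aggregate(feeds):
    """Merge per-feed observations into ioc -> {feeds, hits, last_seen}."""
    agg = {}
    for feed_name, entries in feeds.items():
        for ioc, hits, last_seen in entries:
            rec = agg.setdefault(ioc, {"feeds": set(), "hits": 0, "last_seen": None})
            rec["feeds"].add(feed_name)
            rec["hits"] += hits
            if rec["last_seen"] is None or last_seen > rec["last_seen"]:
                rec["last_seen"] = last_seen
    return agg


def popularity_score(rec, now, half_life_days=14.0):
    """Corroboration (number of feeds) and hit volume raise the score;
    age since the last sighting decays it exponentially."""
    age_days = (now - rec["last_seen"]).total_seconds() / 86400
    decay = 0.5 ** (age_days / half_life_days)
    raw = len(rec["feeds"]) + math.log1p(rec["hits"])
    return round(raw * decay, 3)


def reconcile(blacklist, feeds, now, add_threshold=3.0, keep_threshold=1.0):
    """One pass over all feeds plus the existing blacklist.
    add_threshold > keep_threshold gives hysteresis: an entry needs strong
    evidence to get on the list but only weak evidence to stay on it."""
    agg = aggregate(feeds)
    actions = {"add": [], "keep": [], "remove": [], "skip": []}
    for ioc in sorted(set(agg) | set(blacklist)):
        rec = agg.get(ioc)
        score = popularity_score(rec, now) if rec else 0.0  # unreported -> 0
        if ioc in blacklist:
            bucket = "keep" if score >= keep_threshold else "remove"
        else:
            bucket = "add" if score >= add_threshold else "skip"
        actions[bucket].append(ioc)
    new_blacklist = (blacklist - set(actions["remove"])) | set(actions["add"])
    return new_blacklist, actions


if __name__ == "__main__":
    updated, decisions = reconcile(CURRENT_BLACKLIST, FEEDS, NOW)
    for bucket, iocs in decisions.items():
        print(f"{bucket:6s} {iocs}")
    print("blacklist after pass:", sorted(updated))
```

With the constructed feeds, the heavily corroborated IP is added, the domain still seen by two feeds is kept, and the two entries that have aged out or vanished from every feed are removed; the single old, low-hit sighting is skipped rather than admitted. In a real deployment the same structure runs on every pass, so an indicator that stops being reported is retired automatically instead of lingering and generating false positives.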
Threat Prevention
Attackers are continuously evolving their techniques to overcome standard prevention tools such as SWG, IPS, DNS security and others. Their advantage comes from the modus operandi of traditional tools being well known and based on identifying patterns of known attacks. Cato built and trained ML engines to identify and block attacks in real time without depending on such pattern matching. Instead, we use advanced mathematical models, trained on data from our vast data lake, to calculate the maliciousness of a domain or URL and use that score to decide whether or not to block.
Cato Networks was the first security vendor to use ML models in real-time prevention, and not just detection.
For more on AI/ML applications in real-time threat prevention, see the Cato blog:
Client & Device Classification
Knowing which devices are present on the network is imperative from a security perspective; identifying anomalies such as unknown operating systems or unsanctioned devices on the corporate network is just one of the ways this visibility helps secure a network. To keep up with the constantly changing landscape of operating systems and devices, we use our data lake to train advanced ML models, producing accurate and robust network identification rules that classify clients in real time and apply security controls to them.
Find out more about how ML is applied in our deep-dive posts on the Cato blog:
Application Classification
The number of web applications (SaaS) is ever growing, and maintaining an application catalog at scale can be done in one of two ways: employing large teams of analysts and wasting time propping up the myth that the more applications in the catalog the better, or training AI/ML to do the work in a data-driven approach. Cato selected the latter. We use AI and ML to identify the most important and most-used unclassified applications in the network traffic that traverses our SASE Cloud. The AI/ML then mines metadata to enrich what we know about each application and to calculate a risk score that our customers can use in their access and governance decisions.
Find out more about how Cato manages its App Catalog on the Cato blog:
Detection and Response
SOC and NOC groups go through a daily, labor-intensive process of detection, investigation and remediation of issues. In the Cato SASE Cloud Platform, AI and ML are used extensively to make SOC and NOC teams better informed and faster. Beyond the initial hunting and detection of issues, where AI/ML is table stakes, the platform provides further assistance. Generative AI summarizes incidents in seconds. ML engines suggest incident criticality for efficient triage, and flag incidents with similar characteristics so the magnitude of an issue or attack is properly understood. These capabilities and many more help identify and resolve issues in record-breaking time, minimizing and even eliminating damage.
For more details read our technical writeups on the Cato blog:
Autonomous, Self-healing Infrastructure
Building, scaling and operating a SASE cloud service is a huge engineering endeavor, especially when it serves as the enterprise's critical infrastructure and is required to deliver a 99.999% uptime SLA. To achieve this, relying on human involvement to identify and resolve issues in real time is not a scalable option. Cato has been continuously developing and training software engines that monitor and analyze the infrastructure, identify issues based on previous patterns and early symptoms, and respond to them proactively. With those purpose-built tools, our cloud service can self-diagnose and self-heal in real time, making sure the service SLA is delivered as promised. Cato's expert operations teams step in after the issue has been resolved temporarily, analyze the root cause, and apply a permanent fix.