Cato Intrusion Prevention System (IPS)

Cato IPS provides organizations with real-time protection against advanced threats and attacks that utilize known and unknown exploits. IPS protection applies to all traffic including Internet, WAN, and Cloud, preventing ransomware delivery and propagation and data theft.


Cato IPS Capabilities

Phishing & Malware Protection with Real-Time AI/ML

Attackers often use techniques like Domain Squatting and Domain Generation Algorithms (DGAs) to evade reputation-based prevention tools. Cato’s IPS integrates complex AI/ML models in its real-time inspection engine to detect Domain Squatting and DGAs. Threats are identified using deep learning models and correlation of data points such as domain popularity, age, letter patterns and more. Brand impersonation is detected through analysis of webpage components such as favicon, images, and text.
Moving tools that were previously available only in post-mortem analysis into real-time prevention dramatically improves prevention efficacy and the enterprise security posture.
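
The correlation of data points described above (letter patterns, domain age, popularity, brand similarity) can be illustrated with a small scorer. This is an added example, not Cato's code: it substitutes hand-set thresholds for the deep learning models, and the brand list, weights, cut-offs and sample domains are constructed assumptions.

```python
import math
from collections import Counter

BRANDS = ["paypal", "microsoft", "google"]  # constructed watch list (assumption)

def entropy(s):
    """Shannon entropy in bits per character: a crude 'letter pattern' signal."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(domain, age_days, popularity_rank):
    """Correlate signals into (verdict, reasons). popularity_rank None = unranked."""
    label = domain.lower().split(".")[-2]  # naive: ignores multi-part suffixes
    folded = label.translate(str.maketrans("01", "ol"))  # fold digit look-alikes
    score, reasons = 0, []
    for brand in BRANDS:
        if label != brand and edit_distance(folded, brand) <= 1:
            score += 2
            reasons.append(f"lookalike:{brand}")
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    if len(label) >= 12 and entropy(label) >= 3.5 and vowels < 0.2:
        score += 2
        reasons.append("random-looking")
    if age_days < 30:
        score += 1
        reasons.append("newly-registered")
    if popularity_rank is None or popularity_rank > 100_000:
        score += 1
        reasons.append("unpopular")
    verdict = "block" if score >= 3 else "alert" if score == 2 else "allow"
    return verdict, reasons

# Constructed samples: (domain, age in days, popularity rank or None)
SAMPLES = [("paypa1.com", 3, None), ("xkqzvbtrmwpljd.net", 1, None),
           ("stackoverflow.com", 5000, 50), ("google.com", 9000, 1)]

if __name__ == "__main__":
    for d, age, rank in SAMPLES:
        print(d, *assess(d, age, rank))
```

No single signal blocks on its own here; a verdict of "block" needs a name-based signal corroborated by age or popularity.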


Prevention of Ransomware Delivery, C&C and Propagation

A successful ransomware attack requires delivery of the ransomware, command and control (C&C) communication with the attacker, and propagation across the network for maximal impact.
Cato IPS has full visibility into both Internet and WAN traffic. It prevents malware delivery and C&C communication by blocking malicious file downloads and access to domains and IP addresses associated with ransomware and malicious activity. Propagation across the WAN is prevented by detecting and blocking lateral movement patterns and indicators.
The comprehensive visibility of Cato IPS provides not just a reduction in ransomware exposure, but also minimizes the potential impact of a ransomware attack.


Rapid and Seamless Mitigation of Emerging Threats

Enterprises often struggle with the process, resources and time it takes to protect their networks from emerging CVEs. Cato IPS provides virtual patching to rapidly secure our customers’ networks when mitigation time is critical. Cato’s dedicated team of experts builds, tests and deploys new IPS rules in record time to quickly adapt to new CVEs without requiring any customer involvement. This “virtual patching” provides enterprises with the assurance that they are protected from high-risk emerging threats while they are updating and patching their impacted systems.


Cloud-scale Traffic Inspection

Leveraging the power of cloud-native architecture, Cato delivers an elastic and scalable IPS, allowing organizations to inspect all traffic, including TLS-encrypted traffic. Massive cloud compute resources eliminate the need to fine-tune signature sets or limit traffic sent to the IPS. All locations and users, including cloud infrastructure, branch locations, and remote users, are protected with Cato’s IPS, eliminating the need to scale and upgrade FW/IPS appliances. With Cato, organizations no longer end up with an IPS that inspects only some traffic or uses a limited set of signatures due to resource constraints.


Geo-Fencing for Attack Surface Reduction

One of the simplest methods of reducing your organization’s attack surface is to block countries that your organization has no business need to interact with. Cato’s IPS allows you to quickly block traffic for specific geographies (inbound, outbound, or both) with a single global policy that applies to all users and locations.


Purpose-built Heuristics Language Leverages SASE Convergence

Cato IPS uses heuristics to identify threats and attacks in real time. Each heuristic consists of a set of conditions examined against real network traffic.
As part of Cato’s Single Pass Cloud Engine (SPACE), Cato IPS has visibility into data that standalone IPS solutions cannot consider, including URL classification, app ID, target risk score, target popularity, device fingerprint, user authentication, and more.
With a purpose-built heuristics language that is designed to leverage true SASE convergence, enterprises benefit from robust prevention of threats in real time.


Automated AI-Managed Threat Intelligence

Up-to-date threat intelligence is key to IPS efficacy against malware, phishing, and command and control (C&C) sites, and reduced friction caused by false positives. Cato IPS uses a purpose-built AI-based reputation system that autonomously aggregates and scores information from 250+ threat intelligence feeds. The system continuously maps and clears overlaps between feeds, measures threat records quality and relevancy, and simulates potential impact on real traffic. An updated and aggregated blacklist is automatically published to all Cato PoPs, ensuring up-to-date protection with near zero false positives and no customer involvement.
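
The aggregation steps described above (clearing overlaps between feeds, measuring feed quality, simulating impact on real traffic, publishing one list) can be sketched as follows. This is an added example, not Cato's system: the feed names, traffic sample, scoring formula and thresholds are constructed assumptions.

```python
from collections import Counter

# Constructed sample data: three feeds and a window of observed destinations.
FEEDS = {
    "feed_a": {"bad-login.example", "c2-node.example", "cdn.example"},
    "feed_b": {"c2-node.example", "dropper.example"},
    "feed_c": {"cdn.example", "stale.example", "dropper.example"},
}
TRAFFIC = (["cdn.example"] * 900 + ["intranet.example"] * 95
           + ["c2-node.example"] * 4 + ["dropper.example"])

def simulate_impact(indicators, traffic):
    """Share of observed requests that each indicator would have blocked."""
    hits = Counter(d for d in traffic if d in indicators)
    return {i: hits[i] / len(traffic) for i in indicators}

def feed_quality(feeds, impact, fp_share):
    """Fraction of a feed's records that do not look like false positives."""
    return {name: sum(impact[i] < fp_share for i in recs) / len(recs)
            for name, recs in feeds.items()}

def build_blocklist(feeds, traffic, fp_share=0.05, min_score=0.7):
    """Return (blocklist with scores, per-feed quality)."""
    merged = set().union(*feeds.values())  # overlapping records collapse to one
    impact = simulate_impact(merged, traffic)
    quality = feed_quality(feeds, impact, fp_share)
    blocklist = {}
    for ind in merged:
        if impact[ind] >= fp_share:
            continue  # would block a large share of real traffic: likely false positive
        miss = 1.0
        for name, recs in feeds.items():
            if ind in recs:
                miss *= 1 - quality[name]  # chance every reporting feed is wrong
        score = 1 - miss
        if score >= min_score:
            blocklist[ind] = round(score, 2)
    return blocklist, quality

if __name__ == "__main__":
    bl, q = build_blocklist(FEEDS, TRAFFIC)
    print(sorted(bl.items()), q)
```

In this sample the heavily used `cdn.example` is dropped by the impact simulation, and single-source records from feeds that carried it fall below the publishing threshold.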


Cato Intrusion Prevention System Demo Video

Cato’s IPS provides protection for all locations and mobile users with a comprehensive set of signatures and no customer fine-tuning required. Additionally, organizations can leverage Cato IPS to increase their security posture by blocking newly registered domains, alerting on suspicious activity and through the use of a custom geo-restriction policy.

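The Strategic Benefits of a True SASE Platform

Architected from the ground up as a true cloud-native SASE platform, all Cato security capabilities leverage, today and in the future, the Cato platform's global distribution, massive scalability, high resiliency, autonomous life cycle management, and consistent management model.

Consistent Policy Enforcement

Cato extends all security capabilities globally to enforce a consistent policy on everyone, everywhere, from the largest data centers down to a single user device.

Scalable and Resilient Security

Cato scales to inspect multi-gig traffic streams with full TLS decryption and all security capabilities, and automatically recovers from service component failures to ensure continuous security.

Autonomous Life Cycle Management

Cato ensures that the SASE cloud platform maintains an optimal security posture, 99.999% service availability, and low-latency security processing for all users and locations, without any customer involvement.

Single Pane of Glass

Cato provides a single pane of glass to consistently manage all security and networking capabilities, including configuration, analytics, troubleshooting, and incident detection and response. This unified management model lets IT and the business adopt new capabilities easily.

“When we ran a breach and attack simulator on Cato, infection rates and lateral movement dropped, while detection rates soared. This is the biggest reason we can trust Cato security.”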
