Extended Detection and Response (XDR)

Cato XDR is the industry’s first SASE-based detection and response solution, empowering security teams with granular and efficient threat investigation and remediation tools. Cato XDR’s AI and ML algorithms help identify threats in a massive data lake and surface them in a manageable way for analysis and resolution within the Cato Management Application.


Cato XDR Capabilities

See Through the Alert Fatigue of Threat Prevention Engines

Cato XDR aggregates block events generated by Cato’s real-time security engines and groups them into a single Threat Prevention incident. These incidents help security teams overcome alert fatigue, promptly detect a compromised device, and take appropriate containment and remediation actions.

XDR Stories Workbench - Threat Prevention Story

Detect and Remediate Evasive Security Threats

Cato XDR Threat Hunting incidents are created by Cato’s AI/ML engines. The threat hunting engine continuously scans the data lake for anomalous indicators of resident threats that were not blocked by the prevention layers. The Threat Hunting engine groups the various signals into a single incident for further investigation by security analysts. In addition, ML algorithms assign a risk score to each incident to help security teams prioritize threat investigation.

XDR Stories Workbench - Threat Hunting Stories

Investigate Suspicious User Activity with Anomaly Detection

Cato XDR integrates End-User Behavioral Analytics (EUBA) capabilities to identify unusual behavior that may indicate malicious intent. Anomaly detection AI/ML engines compare a user’s network activity with a precalculated baseline and alert on suspicious deviations by creating Anomaly Detection incidents. Security teams are presented with detailed information and insights to efficiently investigate, determine whether the reported incident is malicious or benign, and take action accordingly.

XDR Stories Workbench - Anomaly Story

Speed Up Incident Investigation with Gen-AI and MITRE ATT&CK Mapping

Cato XDR uses multiple AI technologies to enable efficient operation of security teams. Generative AI is used in the Cato XDR incident ‘storyteller’, which seamlessly strings the data points of an incident into a threat narrative, crafting an easy-to-understand and simple-to-communicate summary.
To further assist in threat and risk analysis, Cato XDR incidents are mapped to specific MITRE ATT&CK TTPs (Tactics, Techniques, and Procedures), helping security teams accurately understand the attacker’s progress along the attack kill chain.

XDR Stories Workbench - Generative AI and MITRE ATT&CK Tagging

End-to-End Visibility and Control Delivers Fast Remediation

A common challenge with XDR solutions is that remediation actions are executed across disparate platforms.
Cato XDR is a native capability of the Cato SASE Cloud Platform, enabling security teams to remediate active threats entirely within the same solution. Firewall rules for endpoint and attack containment can be set in minutes, blocking malicious traffic to and from the internet and preventing further malware distribution across the WAN. An EPP scan can be triggered immediately, proactively cleaning endpoints that may be infected and compromised, all from one single management application.

XDR Stories Workbench - Endpoint Protection

An Open XDR Powered by Highly-Trained and Proven AI/ML

Cato XDR is an open XDR solution that collects, into a single data lake, raw data from the native sensors of the Cato SASE Cloud Platform, enriched with events from external sensors such as 3rd party EDR solutions. Cato XDR uses advanced AI and ML algorithms for threat hunting and anomaly detection. The algorithms are developed by ex-military security and data analysts, trained on petabytes of data and trillions of events, and already proven across tens of thousands of confirmed security incidents. Cato XDR enables SOC teams to cut threat dwell time and rapidly remediate security incidents.

XDR Stories Workbench - 3rd Party EDR Integration

Single Console for Threat Detection, Investigation and Response (TDIR)

Cato XDR provides SOC teams with a single console to manage the entire incident life cycle. The XDR dashboard inside the Cato Management Application (CMA) presents all incidents, their status, and their ML-calculated risk and priority. Individual incident investigation is one click away, with a common structure of data presentation for further analysis, enriched by AI-powered insights and recommendations. Remediation is done through the same interface, helping SOC teams avoid switching between management consoles, improving efficiency, and reducing the potential for human error.

Single Console for Threat Detection, Investigation and Response (TDIR)

Industry’s Broadest Range of Native Sensors Delivers Better Detection and Faster Response

Cato XDR uses the security capabilities of the Cato SASE Cloud Platform as its native sensors. Data from the Cato NGFW, SWG, IPS, NGAM, DNS Security, CASB, DLP and RBI is stored in the Cato data lake, serving as high-quality input to Cato XDR. As native sensor data is not reduced at the source, the Cato XDR AI/ML algorithms are significantly less likely to miss critical signals than AI/ML processing data from external sources. SOC teams benefit from an unparalleled level of incident accuracy and data richness for investigation.

Broadest Range of Native Sensors

Improve Efficacy and Reduce False Positives with ML-powered, Cloud-scale Threat Intelligence

Cato XDR is enriched by more than 250 threat intelligence sources, yielding over 5 million records of valid IoCs. Cato uses a purpose-built, cloud-scale ML platform to ingest threat intelligence feeds from hundreds of sources, process and examine each IoC record in them, and maintain an accurate and up-to-date blacklist and whitelist without human involvement.
Cato empowers security teams with up-to-date threat intelligence data for efficient operation with near-zero false positives.

Reduce False Positives with Cloud-Scale Threat Intelligence

Extended Detection and Response Video Demo

Cato XDR is a SASE-based detection and response solution empowering security teams with efficient threat investigation and remediation. AI algorithms help identify threat indicators in a massive data lake, surfacing them for manageable analysis and resolution within a single console.

The Strategic Advantages of a True SASE Platform

Designed from the ground up as a true cloud-native SASE platform, all of Cato’s security capabilities, today and in the future, benefit from the global distribution, massive scalability, advanced resilience, autonomous life cycle management, and unified management model of the Cato platform.


Consistent Policy Enforcement

Cato extends all security capabilities globally to ensure consistent policy enforcement everywhere and for everyone, from the largest data centers down to a single user device.


Scalable and Resilient Protection

Cato scales to inspect multi-gig traffic streams with full TLS decryption across all security capabilities, and can self-recover from failures of service components to ensure continuous security protection.


Autonomous Life Cycle Management

Cato ensures that the SASE Cloud Platform maintains an optimal security posture, 99.999% service availability, and low-latency security processing for all users and locations, without requiring customer intervention.


Single Pane of Glass

Cato provides a single interface for the consistent management of all security and networking capabilities, including configuration, analytics, troubleshooting, and incident detection and response. A unified management model makes it easier for IT and the business to adopt new capabilities.


“We ran a breach and attack simulator against Cato; infection rates and lateral movement simply dropped, while detection rates went up. These were key factors in our confidence in Cato’s security.”

Try Cato

The solution IT teams have been waiting for

Prepare to be surprised!