Yesterday, Cato Networks expanded its SD-WAN service with the addition of a context-aware IPS (Intrusion Prevention System). The managed system provides IPS inspection as a service, using big data from the Cato Cloud to update new signatures and software patches and has unlimited inspection capacity, including TLS inspection and extending to all cloud and mobile traffic. Cato’s service addresses common IPS shortcomings such as location-bound inspection and increased IT costs due to updates and software patches.
Cato’s context-aware IPS uses behavioral signatures that draw on its converged security services to identify malicious traffic with fewer false positives and false negatives. The behavioral signatures can apply rules based on layer-7 awareness, user identity, and geolocation, and inspect browser type as well as true file type, examining the data stream to detect attacks that appear benign only because the filename extension was altered. In addition, the IPS can detect anomalies in DNS queries to find malware or domain generation algorithms, and uses in-house and external intelligence to identify and block communications with newly registered, unknown, or malicious domains and IP addresses.
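As an added illustration of two of the checks described above (true-file-type inspection and DNS-query anomaly detection), here is a small detector written for this page; it is not Cato's code and does not describe their implementation. The magic-byte table, the entropy threshold and the sample events are constructed assumptions.

```python
import math
from collections import Counter

# Leading-byte signatures for a few common formats (constructed, illustrative subset).
MAGIC = {
    b"MZ": "exe",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
    b"\x89PNG": "png",
}

def true_filetype(data: bytes) -> str:
    """Classify by the content's leading bytes, not by the name the sender chose."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the claimed extension disagrees with the recognised true file type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = true_filetype(data)
    return actual != "unknown" and ext != actual

def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def dga_like(fqdn: str, threshold: float = 3.5, min_len: int = 12) -> bool:
    """Flag a query whose registrable label is long and high-entropy (constructed heuristic)."""
    labels = fqdn.rstrip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]  # label directly under the TLD, e.g. "example" in www.example.com
    return len(sld) >= min_len and label_entropy(sld) >= threshold

# Constructed sample events: a PE executable renamed to .pdf, a genuine PDF, two DNS queries.
SAMPLE_FILES = [("invoice.pdf", b"MZ\x90\x00\x03\x00"), ("report.pdf", b"%PDF-1.4\n")]
SAMPLE_QUERIES = ["www.example.com", "xk7f9q2mzp4vlw8c.net"]

def scan() -> dict:
    """Run both checks over the sample events and return what would be flagged."""
    return {
        "mismatched_files": [n for n, d in SAMPLE_FILES if extension_mismatch(n, d)],
        "dga_queries": [q for q in SAMPLE_QUERIES if dga_like(q)],
    }
```

A production system would pair the entropy score with domain age and reputation feeds, as the page says Cato does, because entropy alone also flags legitimate CDN and tracking hostnames.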
As a result, the IPS has already been applied against two recent attacks, including the WannaCrypt ransomware attack last May, which affected 45,000 computers in 74 countries. Cato’s IPS can detect malicious buffers associated with WannaCrypt’s EternalBlue exploit, prevent inbound and outbound traffic with compromised users, and block suspicious locations through geolocation restriction. Immediately following the deployment of Cato IPS in the Cato Cloud, Cato also identified several infected machines at a leading manufacturing client that were communicating with a command and control (botnet) server spreading Andromeda malware.
Cato’s IPS is currently available as part of Cato’s converged security services, which include a next-generation firewall, secure web gateway, URL filtering, and malware protection for all WAN and Internet-based traffic on web and mobile.