Cato Networks was founded in Tel Aviv, Israel in 2015 by Shlomo Kramer, a co-founder of Imperva and cybersecurity/gear firm Check Point, and Guy Shatz, a co-founder of Incapsula. The company’s initial focus was on launching its Network Security as a Service (NSaaS) platform aimed at changing “the way network security is delivered, managed and evolved for the distributed, mobile and cloud-based enterprise… for the way business gets done today”.
Cato’s primary goal, then and now, has been to serve the “new shape” of business by securely connecting the employees within an enterprise who work inside a new corporate perimeter, i.e. employees working remotely and outside of the traditional firewall. Cato’s corporate perimeter is an innovative cloud solution that encircles the user and, in so doing, creates a new perimeter that protects the individual user. It encompasses everything from branch locations to mobile devices to the cloud.
The pair raised $20M in Series A funding at the outset. The round was led by U.S. Venture Partners (USVP) and Aspect Ventures. The co-founders used the funding to support their go-to-market strategy and to add staff to the existing 25 employees, in particular developers to refine their Network Security as a Service (NSaaS) platform. They were also focused from the start on solving the middle-mile transport riddle that has primarily been the domain of MPLS.
Kramer is known for introducing the first firewall to the market at Check Point and later the first web application firewall as a co-founder and CEO of Imperva. Shatz, meanwhile, brought a background in cloud-based web application security and acceleration, drawing in part on his experience as CEO and co-founder of Incapsula. Many of the company’s founding employees also came from cybersecurity backgrounds. Kramer and Shatz’s goal in starting Cato Networks was to create the next chapter in the evolution of network security.
Back in 2016, we interviewed Kramer, who succinctly described Cato’s goals: “We wanted to establish a holistic, elastic and effective method of securing the network. First, Cato creates a flat and simple network by re-establishing the network perimeter in the cloud and then secures the cloud with a unified enterprise-grade security policy and services”.
When we asked what made the company unique, Kramer had this to say: “A lot of people are getting into SDN but are not aggressively approaching the security aspect. We aim to fill the void in network cybersecurity. SDN is not only about separating the control and data plane, but it is also about making the data plane really, really smart, converging the network and security aspects to implement both in the cloud with tremendous capacity. We use a modern architecture to provide network and security software that is highly agile”.
The company launched in beta, but by Q1 2016, it had launched its initial GA service, Cato Cloud, and in Q1 2017, Cato launched an SD-WAN-focused upgrade. In Q3 2017, the company added IPS as a service.
Industry Recognition and Continued Growth
Cato has received considerable industry attention along the way, including recognition from Gartner in 2017 as a Cool Vendor for Security in Midsize Enterprises, capable of disrupting the security markets and competing with established mainstream vendors; becoming a finalist for the RSA Innovation Sandbox Contest; and winning the UX Award for the Design of a SD-WAN Management Application.
The UX Award marked the first time an SD-WAN provider had won a UX award and, along with various large enterprise customer wins and strong channel adoption, attests to the continued growth of Cato Networks and its products.
One of the most outstanding aspects of the company is its ability to simplify environments: by implementing an SLA-backed WAN as an alternative to MPLS in the middle mile and eliminating the security appliance stack, Cato is able to help enterprises reduce their bandwidth costs and streamline operations. This is a key part of its appeal.
Cato Networks Today
Cato Networks today is focused on “building the new software-defined WAN (SD-WAN) in the cloud, protected by a tightly integrated set of security services”. Its goal: to connect all business resources (from physical and cloud data centers to branches to mobile users to cloud infrastructure) into a single, global, unified, encrypted and optimized network. The entire network is supported by Cato’s set of security features, which protect all aspects of the business irrespective of source and destination.
Cato Cloud, or Cato’s SD-WAN as a Service, comprises two components:
Cato Cloud Network: A geographically distributed, SLA-backed network of scalable and redundant PoPs, interconnected by numerous tier-1 providers with multi-gigabit links. The PoPs are meshed into a global overlay, which enables continuous monitoring of the carriers’ latency and packet loss to work out the best path between two locations.
Client enterprises connect to Cato through its Socket SD-WAN device, the Cato Client or an ISP tunnel from a third-party device. The Cato Socket is a zero-touch appliance, which draws on multiple ISP links to tunnel traffic to the Cato Cloud. Its primary purpose is to locate the closest available PoP and get the traffic there in order to ensure service continuity.
Cato Security Services: A fully managed group of network security capabilities, directly built into the cloud network. The architecture extends enterprise-grade network security protection to all business users and locations without the need for deployment of edge security appliances. Current services within the security stack include:
- Converged SD-WAN and security in the cloud
- SLA-backed global backbone
- A next-gen firewall/VPN
- Secure web gateway
- URL filtering
- Malware protection
- Advanced threat prevention
- Cloud and mobile access protection
- Cloud-based management
- Network Forensics
Inspection and enforcement are applied not only to WAN- and Internet-bound traffic, but also to TLS-encrypted traffic.
The network is managed by a cloud-based Management Application enabling enterprises and service providers to configure and customize their own security policies, and actively monitor network activity and security events.
Cato automatically updates Cato Cloud to guarantee service availability in the face of any spikes and peaks in traffic volume and offer continued protection against emerging security threats. This takes the pressure of maintenance off customers so they no longer need to patch software and/or upgrade hardware.
Specific unique features added over time include:
Alternative to MPLS: A Global SD-WAN Powered by IP Transit Backbone
Many organizations have been looking for an alternative to MPLS for some time. The challenges are manifold: it is expensive to run, rigid and inflexible, takes a long time to deploy and is increasingly incompatible with the growing demand for direct cloud and Internet access. Cato’s approach to building a credible alternative has been to focus on addressing “global orchestration that enables dynamic routing based on end-to-end route quality” while keeping costs and complexity low.
IP Transit has been the solution for Cato. Various global providers use it, including NTT, PCCW, Telia and GTT. The global backbones of these carriers have huge capacity and carry the majority of Internet traffic. No single carrier covers the whole globe; however, each one has a significant international footprint. Capacity has been added across IP Transit. Cato’s purpose-built cloud network is able to leverage the low costs, high capacities and SLAs that IP transit providers offer. The company uses advanced software to dynamically optimize its routing globally over several IP transit providers. By additionally using commodity hardware and its own software, Cato is able to offer competitive pricing.
Cato’s global network of PoPs is a result of it directly contracting with multiple tier-1 IP transit providers and buying massive SLA-backed capacity. Its PoP software can exploit the global underlying providers to generate a fully meshed, tunnel overlay between all its PoPs and continuously measure route quality via monitoring statistics like packet loss and latency rates. WAN optimization techniques then minimize the impact on RTT in real time.
The Next-Gen Firewall and Firewall as a Service (FWaaS)
At the company’s outset, Cato Networks had already built its NG firewall from the ground up. The goal: to control WAN and Internet traffic with application control and awareness. More recently, Cato has taken to describing its offering in the space as Firewall as a Service (FWaaS), taking the lead from Gartner’s 2017 report, Hype Cycle for Threat-Facing Technologies, in which analyst Greg Young describes FWaaS as a category “on the rise” with a “high benefit” rating. Young notes that Firewall as a Service lets customers partially or completely move security inspection to a cloud infrastructure and entirely eliminates the appliance. With FWaaS, an enterprise’s sites are connected to a single, logical worldwide firewall with a security policy that is unified and application-aware.
Cato’s FWaaS improves scalability (offering an elastic capacity that allows for the quick deployment of new sites and changes in bandwidth needs), provides a unified security policy across traffic for all locations and users, improves visibility and transparency (all WAN and Internet traffic, unencrypted and encrypted, is visible to the firewall), and simplifies management procedures by eliminating appliance lifecycle management.
IPS as a Service
Cato’s Intrusion Prevention System (IPS) was launched in July 2017 as part of the Cato Cloud service. The cloud-based IPS is integrated with the rest of Cato’s security stack; it is an industry first in terms of its integration with a global SD-WAN service, offering “context-aware protection to users everywhere”.
At the time of its launch, existing IPS appliances faced various challenges: inspecting encrypted traffic can actually degrade IPS performance; IPS inspection is location-bound and typically doesn’t extend to cloud and mobile traffic; and appliances must be continually updated with software patches and new signatures, increasing operations expenses.
The IPS as a service that Cato offers aims to solve these issues by the following means:
- Managed and Adaptive Cloud Service: Cato’s Research Labs is able to take advantage of the big data insights it has derived from the Cato Cloud to update, tune and maintain IPS signatures without the need for customer involvement. New signatures can be validated on real traffic, allowing them to be optimized for effectiveness before being applied to actual production traffic.
- Advanced Security for All Branch Offices and Mobile Users: Internet and wide area network (WAN) traffic is scanned and protected for all branch offices and mobile users irrespective of location.
- Unlimited Inspection Capacity: The Cato IPS does not have capacity constraints and is able to inspect all traffic, including TLS traffic.
The Cato IPS also offers context-aware protection, meaning it deploys a host of advanced behavioral signatures to identify potentially malevolent traffic patterns. Again, as it has access to the rich dataset provided by Cato Cloud, more domains are available to the Cato IPS than to a standard IPS. This context allows it to make IPS signatures both more accurate, cutting down on false positives, and more effective, reducing false negatives. Context attributes include:
- User Identity Awareness
- Layer-7 Application Awareness
- User Agent and Client Fingerprinting
- True Filetype Inspection
- DNS Queries and Activation
- Domain or IP Reputation Analysis
Threat Hunting Capabilities
This May, Cato announced new security capabilities in its security stack, namely the Cato Threat Hunting System (CTHS), a set of machine-learning algorithms and procedures that Cato’s Research Labs developed to reduce the time necessary to detect threats across the enterprise network.
CTHS leverages Cato Cloud and, in doing so, is able to address “the deployment challenges, data quality, and lack of context limiting threat hunting systems”. Cato Cloud provides ready-made visibility into all site-to-site and Internet traffic. CTHS can immediately draw on this rich dataset without the need to gather additional information.
Rather than working with logs, as is standard practice, CTHS is able to work with actual network traffic data. This provides CTHS with the complete context for each IP address, session, and flow. SSL traffic can also be decrypted in real time to further enrich the Cato Cloud dataset.
Watch this space. No doubt this thriving, innovative company will have the next wave of cloud and cybersecurity features soon.