Cato Networks introduces network-based ransomware protection. It detects and prevents the spread of ransomware across networks without deploying endpoint agents, by combining machine learning algorithms with the Cato SASE Cloud’s deep network insight.
Etay Maor, senior director of security strategy at Cato Networks said, “Ransomware protection has become job one for every CISO and CIO, but too often enterprise defense strategies remain vulnerable whether by threat actors bypassing endpoint defenses or by manipulating insiders to spread ransomware. By identifying ransomware by its underlying network characteristics, security teams can protect the enterprise regardless of the threat vector.”
Extending Endpoint Ransomware Protection to the Network
Cato’s heuristic algorithms look for ransomware in all SMB (Server Message Block) protocol flows. Windows systems use the SMB protocol to share files and folders.
Cato researchers have trained and tested these algorithms on Cato’s massive data warehouse, which contains end-to-end attributes for all traffic flows processed by the Cato SASE Cloud. It also has network access to data that is normally obscured by firewalls and NATs. Cato’s data lake contains over a trillion flows from all Cato-connected edges – sites, users, IoT devices, cloud-connected resources, and Internet resources.
After being trained, the machine-learning heuristic algorithms examine the live SMB traffic flows for a variety of network attributes such as:
- File properties, such as specific file names, file extensions, creation dates, and modification dates.
- Shared-volume access data, such as metrics on users accessing remote folders.
- Network behavior, such as creating specific files and moving across the network in specific ways, and time intervals, such as encrypting entire directories in seconds.
When ransomware is detected, Cato automatically blocks SMB traffic from the source device, preventing lateral movement or file encryption, and notifies the customer.
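The kind of network-side heuristic described above, as an added illustration rather than Cato's own code: it slides a time window over per-host SMB write/rename records, flags a host that touches many files across several directories within seconds while changing their extensions, and returns a block-and-notify decision for that source. The record format, the thresholds and the host names are assumptions for the example, not Cato's tuning.

```python
from collections import defaultdict

# Assumed thresholds for the heuristic (not Cato's actual tuning).
WINDOW_S = 10.0       # time interval examined
MIN_FILES = 20        # files written/renamed inside the window
MIN_DIRS = 2          # distinct directories touched
MIN_EXT_CHANGE = 0.8  # fraction of renames that change the file extension

# Constructed sample SMB records: (timestamp_s, src_host, op, path, new_path).
# ws-02 edits one spreadsheet; ws-07 renames 30 documents to a new extension in 1.5 s.
SAMPLE_FLOWS = [(100.0, "ws-02", "write", "\\\\fs1\\finance\\q3.xlsx", None)]
SAMPLE_FLOWS += [
    (101.0 + i * 0.05, "ws-07", "rename",
     f"\\\\fs1\\{d}\\doc{i}.docx", f"\\\\fs1\\{d}\\doc{i}.docx.crypt")
    for i, d in enumerate(["finance", "hr", "legal"] * 10)
]

def _ext(path):
    """Everything after the first dot of the file name ('doc.docx.crypt' -> 'docx.crypt')."""
    return path.rsplit("\\", 1)[-1].partition(".")[2]

def analyze(flows, window_s=WINDOW_S):
    """Return {src_host: reason} for hosts whose SMB activity matches the heuristic."""
    by_host = defaultdict(list)
    for ts, src, op, path, new_path in flows:
        if op in ("create", "write", "rename"):
            by_host[src].append((ts, op, path, new_path))
    flagged = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):          # sliding window over time-ordered events
            while events[end][0] - events[start][0] > window_s:
                start += 1
            window = events[start:end + 1]
            if len(window) < MIN_FILES:
                continue
            dirs = {e[2].rsplit("\\", 1)[0] for e in window}
            renames = [e for e in window if e[1] == "rename"]
            changed = sum(1 for e in renames if _ext(e[2]) != _ext(e[3]))
            ratio = changed / len(renames) if renames else 0.0
            if len(dirs) >= MIN_DIRS and ratio >= MIN_EXT_CHANGE:
                flagged[host] = (f"{len(window)} files in {len(dirs)} dirs within "
                                 f"{window_s:.0f}s, {ratio:.0%} of renames changed extension")
                break
    return flagged

def respond(flagged):
    """Network-side response: block SMB from each flagged source and raise a notification."""
    return {"block_smb_from": sorted(flagged), "notify": bool(flagged)}
```

Running `respond(analyze(SAMPLE_FLOWS))` flags only ws-07; the normal single edit from ws-02 never reaches the file-count threshold.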