TEL AVIV, Israel – Cato Networks, provider of the world's first SASE platform, announced today that as of last week, Cato Managed IPS customers were protected against the relevant vulnerabilities in third-party infrastructure identified by the US Cybersecurity and Infrastructure Security Agency (CISA). The CISA deadline was set for this week.
"CISA's new 'bundle of vulnerabilities' highlights once again the risk that comes with legacy network and security appliances," says Etay Maor, Senior Director of Security Strategy at Cato Networks. "Enterprises must wait for vendors to issue software patches or new IPS signatures, test them to ensure there are no false positives, and then only can they gradually deploy them on live traffic. With Cato, users receive seamless and swift remediation without the complex and cumbersome process of updating and managing on-premises security solutions and boxes."CISA: Essential for Government – Important for Enterprises
CISA's Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities identifies some 300 CVEs in appliances, applications, and server infrastructure. The directive imposes requirements on all US federal, executive branch, departments, and agencies to fix known vulnerabilities affecting various Internet-facing as well as internal-facing assets.
"The directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber-attacks," said Jen Easterly, CISA director.
Easterly noted that while the directive applies to federal civilian agencies, other organizations across the country, including those not on the list of 16 critical infrastructure industries, are targeted using these same vulnerabilities. Every organization can benefit from adopting the directive and prioritizing mitigation of the vulnerabilities listed in CISA's public catalog.Cato Stops Urgent, Network-based CVEs and More
Out of 300 CVEs, CISA asked that 113 be patched by November 17th. Of those, many will be addressed automatically by the software vendors as their software is routinely updated.
The bigger concern is the network infrastructure where patching and updating takes longer. Of these vulnerabilities, many of them are not public and will only be addressed by the vendors. Cato addresses the 35 vulnerabilities that are in scope of the Cato Managed IPS included in the Cato SASE Cloud. All vulnerabilities are for non-Cato equipment or software.
While Cato focuses on stopping network-based threats, Cato's mitigation mechanisms will also block potential exploitation of endpoint vulnerabilities further down the attack kill chain. Cato's Next Generation Anti-Malware, for example, will block malware dropping, and Cato's threat intelligence feed assessment engine will block malicious IPs or domains, CNC communication, and other Indicators of Compromise (IoCs). In addition, Cato identifies and mitigates the risk of previously unclassified threats by correlating network and security data.Immediate Protection Without False Positives
Cato has not only brought to market CISA compliance in record time, but did so in a way that introduces no false positives.
Beyond common protection for the latest vulnerabilities and exploits, the Cato IPS uses a set of advanced behavioral signatures that identify the suspicious traffic patterns indicative of an attack. These context-aware signatures synthesize indicators across multiple network and security domains unavailable to IPSes lacking SASE insight. This rich context makes Cato IPS signatures more accurate (reducing false positives) and more effective (reducing false negatives). For each CVE, Cato validates the IPS signature against real-traffic data from the Cato global private backbone. This unique data resource allows Cato to run through "what if" scenarios to ensure their efficacy. An internal study of more than 400 IPS customers over a three-month period shows a total of 7 false positives per month. Statistically, most Cato customers never experience a false positive.
Cato then updates Cato IPS, instantly protecting customer sites, remote users, and cloud resources everywhere. This process happens once and is managed by Cato engineers, saving IT the time spent testing IPS signatures, staging deployment for a maintenance window, and then deploying the signature. Time to protect with Cato IPS is instantaneous.
To ensure complete protection against attackers exploiting vulnerabilities, Cato advises following vendor advisories to mitigate and update systems and patch them to the latest version. Until then, companies can rely on Cato IPS for up-to-date protection.
To learn more about Cato IPS, CISA's approach to resiliency, and how to protect against supply chain attacks join our masterclass: Supply chain attacks & Critical infrastructure: CISA's approach to resiliency.