Cato Networks Ltd. has introduced a machine learning system that combines threat intelligence with real-time network information to eliminate false positive (FP) alerts, reducing the security team's workload.
Cato Networks is the first networking startup to provide a SASE (Secure Access Service Edge) platform. It gives enterprises access to a global wide-area network operated by Cato, enabling customers to connect their offices, data centers, and public cloud deployments. The platform also includes built-in security systems that scan customers' data traffic for threats.
Security analysts receive numerous alerts that do not correspond to genuine threats. These false positives cause alert fatigue and increase the risk of infection: they lead the security team to block access to legitimate business resources, or to disable their defenses altogether. Cato's fully automated system uses AI and ML algorithms so that only genuine threats are stopped, solving this issue.
A threat intelligence feed provides information about website domains and IP addresses used to launch hacking campaigns. Unusual elements observed in network traffic are compared against the corresponding threat intelligence feeds to catch network-borne threats.
Threat intelligence feeds often include false positives. These mislead the cybersecurity team into investigating cases in which no violation actually occurred. If many such false positives arrive frequently, they delay the investigation of actual threats and strain the security teams, which is a serious concern in business networks.
The new system evaluates various factors for each alert and builds a reputation profile from them. Cato states that, by doing so, the ML-based system assesses the validity of an alert received from threat intelligence on its own, significantly filtering out false positives.
If Cato receives information from one threat intelligence feed that a website domain is suspected to be malicious, it checks whether any other feeds have flagged the same domain. The more threat intelligence providers recognize a given entity as harmful, the greater the chance that it is actually a threat and not a false positive. Threats flagged by multiple feeds are assigned a higher score, while those reported by only one or a few feeds are assigned a lower score.
The system analyzes millions of data points from over 200 threat intelligence feeds before filtering the alerts. When assessing whether a warning is legitimate, the system also considers traffic volumes. An IP address that is new and draws little traffic, unlike a well-established website with many visitors, has a higher chance of being malicious, because attackers regularly rotate the domains and IP addresses used in malware campaigns to avoid being blocked.
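The two signals described above (how many feeds agree on an indicator, and how new and how busy the indicator's infrastructure is) can be combined into a simple reputation score. The following is an added illustration written for this page; it is not Cato's code, and the scoring curves, weights, threshold and sample indicators are all constructed assumptions chosen only to show how feed consensus and traffic volume pull the score in opposite directions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    """One domain or IP raised by threat intelligence (all fields constructed)."""
    value: str
    feeds_flagging: int    # how many of the consulted feeds list this indicator
    age_days: int          # days since the indicator was first seen in our traffic
    daily_sessions: int    # observed traffic volume toward the indicator


def consensus_score(ind: Indicator) -> float:
    """Saturating agreement score: 1 feed -> 0.2, 3 feeds -> ~0.49, 8 feeds -> ~0.83.
    Each additional independent feed raises the score, but with diminishing returns
    (hypothetical curve, not Cato's)."""
    if ind.feeds_flagging <= 0:
        return 0.0
    return 1.0 - (0.8 ** ind.feeds_flagging)


def traffic_score(ind: Indicator) -> float:
    """Newly seen, low-traffic infrastructure scores high (suspicious); long-established,
    busy sites score low (likely benign). Buckets are assumed, not measured."""
    novelty = 1.0 if ind.age_days < 7 else (0.5 if ind.age_days < 90 else 0.1)
    volume = 1.0 if ind.daily_sessions < 10 else (0.5 if ind.daily_sessions < 1000 else 0.1)
    return (novelty + volume) / 2


def reputation(ind: Indicator, w_consensus: float = 0.6, w_traffic: float = 0.4) -> float:
    """Weighted blend of the two signals; weights are an assumption."""
    return w_consensus * consensus_score(ind) + w_traffic * traffic_score(ind)


def triage(ind: Indicator, threshold: float = 0.5) -> str:
    """'block' when the reputation score crosses the threshold, otherwise 'suppress'
    (the alert is treated as a probable false positive and not sent to analysts)."""
    return "block" if reputation(ind) >= threshold else "suppress"


# Constructed sample alerts, not real indicators.
SAMPLE_INDICATORS = [
    Indicator("new-infra.example", feeds_flagging=8, age_days=2, daily_sessions=3),
    Indicator("popular-cdn.example", feeds_flagging=1, age_days=900, daily_sessions=50_000),
    Indicator("fresh-domain.example", feeds_flagging=1, age_days=1, daily_sessions=2),
    Indicator("busy-saas.example", feeds_flagging=3, age_days=200, daily_sessions=5_000),
]


def triage_all(indicators=SAMPLE_INDICATORS) -> dict:
    """Return {indicator value: (score, decision)} for a batch of alerts."""
    return {ind.value: (round(reputation(ind), 3), triage(ind)) for ind in indicators}


if __name__ == "__main__":
    for value, (score, decision) in triage_all().items():
        print(f"{value:<24} score={score:.3f} -> {decision}")
```

Running the block shows the intended behaviour: an indicator flagged by eight feeds on brand-new, low-traffic infrastructure is blocked, a single-feed hit on a long-established, heavily used site is suppressed as a likely false positive, and even a three-feed hit on a busy, established service stays below the threshold because the traffic signal argues against it.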