Elmer Fudd Goes Cyber Hunting As A Service

Time – they say – is of the essence (if not vanilla) but never more than in network detection and response (NDR) scenarios.

The problem with many products aimed at detecting network anomalies and resolving them – even in real-time – are that they take an age to deploy, as often then have to spend days and weeks (and months) gathering data to analyse the network in order to work out typical patterns of behaviour as a baseline, before they can then detect and understand anomalies, when present. I have indeed experienced many such products over the years, where even a Proof Of Concept (POC) becomes a seemingly never-ending project. Now, here’s the real killer; it’s common for threats to be resident in the network months before they are discovered. So, it doesn’t take a rocket surgeon or a brain scientist to work out that adding weeks and months of lead-time to the detection process simply hides more threats. If you can’t see it, how do you sort it? Oops  – too late…

This topic came up very quickly in a recent briefing with Kemp Technologies’ recently acquired Flowmon division – watch this space on that one for forthcoming reports – whereby reducing that deployment time to minutes means you detect from the first moment you press the “big red button”. Precisely the same logic has been applied by Cato Networks to its offering of detection response as a managed service, which it has recently upgraded to a shiny version 2.0, certainly the first managed service of this type that I’ve come across. An obvious element of appeal to the service variant is that it effectively emulates your “consultant on demand” which companies for decades employed only on encountering a problem (partly because of what consultants charged!).

Contemporary networks are simply way too complex to assume that 24×7 monitoring and detection is not required – it is! So, Cato’s MDR service provides that “instant consultant” role, with an automated 70-point checklist that automatically assesses enterprise security readiness, but doesn’t then go home and charge several grand to come back in the next day 😊 Since average malware dwell time exceeds 200 days, being able to instantly check for threats and do so in an ongoing fashion is surely a fundamental requirement nowadays, not a “nice to have” as it was once perceived. According to Gartner, “by 2025, 50% of organizations will be using MDR services for threat monitoring, detection and response functions that offer threat containment capabilities.” Now, I don’t always agree with Gartner, but in this instance…

With the service, Cato has built what it describes as ‘cross-organisational baselines of “normal” network behaviours’, so there’s instant visibility into enterprise traffic patterns which develops over time. The vendor combines this data store with its own threat hunting system; no, not a virtual Elmer Fudd, shooting at cyber eRabbits, but a set of multidimensional machine learning algorithms and procedures that continuously analyse customer traffic for threat indicators. This “eConsultant” approach makes a lot of sense. Cyber threats don’t wait for you to get organised or take weekends off, so why would you not deploy one 24×7? Go on, you know it makes sense!