Getting Started with Cato XDR

This article describes the Security and Network operations capabilities of the Cato XDR platform, and what's included in the different XDR license tiers.

Overview

The Cato XDR platform enables Security Operations and Network Operations teams to monitor the organization's network for both potential security threats and network performance issues. The platform includes many different types of advanced correlation engines that analyze traffic data for specific indications of threat activity or network issues. When an engine finds a match, it produces a story that can be reviewed and investigated in the Cato Management Application (CMA). The CMA refers to these engines as Producers.

Each XDR story contains data from traffic flows with common properties that relate to the same threat or network issue. The Stories Workbench page shows the details of each story to help you understand and analyze it. You can sort and filter the stories to find the most important potential attacks, and then drill down on a story to investigate the details further.

[Image: Stories Workbench page in the Cato Management Application]

Understanding the XDR Producers

These are the names and descriptions of the various XDR story producers:

  • Threat Prevention - The Cato XDR Threat Prevention producer detects a specific set of attack behaviors in events generated by Cato’s real-time security services such as IPS and Anti-Malware. The Threat Prevention stories help analysts focus on immediate, high-confidence threats.

    Threat Prevention stories are usually based on correlated block events, meaning events for traffic that was blocked by one of the Security services. However, even though the traffic was already blocked, it is possible that this traffic relates to an ongoing threat. The XDR story lets you investigate the context and details of the suspicious traffic to help determine if there is still a threat that requires further mitigation.

    For more about Threat Prevention stories, see Drilling-Down and Analyzing XDR Security Stories.

  • Threat Hunting - The Threat Hunting producer continuously scans the vast amount of historical traffic data stored in the data lake to detect traffic patterns that indicate potential threats. As opposed to the Threat Prevention producer which focuses on recent events, the Threat Hunting producer looks for correlations over time in the stored traffic data. Further, while the Threat Prevention producer looks at data in the event logs, the Threat Hunting producer analyzes a broader set of data from the traffic flows. This producer can therefore detect more evasive threats.

    The following is the Overview page for a Threat Hunting story that identified 40 different traffic flows (signals) relating to a cybersquatting phishing threat:

    [Image: Overview page for a Threat Hunting story]

    For more about Threat Hunting stories, see Drilling-Down and Analyzing XDR Security Stories.

  • Usage Anomaly - Part of Cato's User and Entity Behavior Analytics (UEBA) capabilities, this producer compares user and site network activity with baselines calculated by machine learning algorithms, and generates stories for suspicious deviations from baseline usage levels. For example, a specific user is detected using more upstream bandwidth than usual.

    For more about Usage Anomaly stories, see Analyzing XDR UEBA Stories for Usage and Events Anomalies.

  • Events Anomaly - Another element in Cato's UEBA capabilities, this producer detects indications that involve an entity on the network triggering an unusual number of Security events. For example, a user is associated with an unusually large number of IPS block events for traffic in a specific direction, which can indicate a potential infection on the user's device.

    For more about Events Anomaly stories, see Analyzing XDR UEBA Stories for Usage and Events Anomalies.
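Both UEBA producers above share one idea: learn what is normal for an entity, then raise a story only when current activity sits well outside that baseline. The following is an added example of that baseline-and-deviation check; it is not Cato's code or algorithm. The mean/standard-deviation baseline, the z-score and ratio thresholds, the user names and every history value are constructed for the example. It is run once on daily upstream bytes (the Usage Anomaly case) and once on daily IPS block counts (the Events Anomaly case).

```python
"""Added example (not Cato's code): a baseline/deviation check of the kind a
UEBA producer applies. Baseline = mean and standard deviation of an entity's
recent daily values; a story is raised when today's value sits well above it.
Entity names, thresholds and all history values below are constructed."""
from statistics import mean, pstdev

# Constructed 14-day history of daily upstream bytes per user
UPSTREAM_HISTORY = {
    "alice": [1.2e9, 1.0e9, 1.3e9, 0.9e9, 1.1e9, 1.2e9, 1.0e9,
              1.1e9, 1.3e9, 1.2e9, 0.8e9, 1.0e9, 1.1e9, 1.2e9],
}
# Constructed 14-day history of daily IPS block events per user (internet-bound traffic)
IPS_BLOCK_HISTORY = {
    "alice": [0, 1, 0, 0, 2, 0, 1, 0, 0, 1, 0, 0, 1, 0],
}


def baseline(values):
    """Mean and population standard deviation of the history window.
    The floor on sigma keeps a perfectly flat history from dividing by zero."""
    return mean(values), max(pstdev(values), 1e-9)


def score_deviation(entity, today, history, min_samples=7, z_threshold=3.0, min_ratio=1.5):
    """Return a story dict when today's value is anomalous for this entity, else None.

    Two guards keep noise down: no verdict without enough history to learn a
    baseline, and a ratio check so that a small relative rise over a nearly flat
    history (where sigma is close to zero) cannot by itself raise a story.
    """
    values = history.get(entity, [])
    if len(values) < min_samples:
        return None
    mu, sigma = baseline(values)
    z = (today - mu) / sigma
    if z < z_threshold or today < mu * min_ratio:
        return None
    return {"entity": entity, "observed": today, "baseline_mean": mu, "z": round(z, 2)}


def detect_anomalies(today_values, history, **kwargs):
    """Run the check for every entity seen today and collect the resulting stories."""
    stories = []
    for entity, value in today_values.items():
        story = score_deviation(entity, value, history, **kwargs)
        if story is not None:
            stories.append(story)
    return stories


if __name__ == "__main__":
    print(detect_anomalies({"alice": 4.5e9}, UPSTREAM_HISTORY))          # upstream spike -> story
    print(detect_anomalies({"alice": 45}, IPS_BLOCK_HISTORY))            # burst of IPS blocks -> story
    print(detect_anomalies({"alice": 2, "bob": 99}, IPS_BLOCK_HISTORY))  # within baseline / no history -> []
```

The `min_samples` guard matters in practice: a new user or a newly connected site has no baseline yet, and flagging their first day of traffic as anomalous only creates noise for the analyst.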

  • Microsoft Endpoint Alerts - Customers that use Microsoft Defender for Endpoint can integrate the Defender alert data with Cato XDR to produce stories for endpoint devices. The Microsoft Endpoint Alerts producer creates a story by correlating data from Defender Alerts that occurred on the same device within a 24-hour period. Endpoint Alert stories include all relevant evidence for the Alert detected by Defender. By expanding the focus to the endpoint, these stories help you get a more complete picture of potential threats in your network.

    For more about integrating Defender for Endpoint with Cato XDR, see Reviewing XDR Stories for Microsoft Defender for Endpoint Alerts.

  • Cato Endpoint Alerts - The Cato EPP solution natively integrates with Cato XDR to generate stories for endpoint devices. The Cato Endpoint Alerts producer creates a story by correlating data from all Cato EPP alerts that occurred on the same device within a 24-hour period. Cato Endpoint Alerts stories include all relevant evidence detected by Cato EPP.

    For more about Cato Endpoint Alerts stories, see Reviewing XDR Stories for Cato Endpoint Protection (EPP) Alerts.

  • Network XDR - Cato XDR features the unique Network XDR producer that converges Network operations with Security operations into a single XDR platform. This producer detects different indications and metrics related to connectivity and performance, and generates stories that correlate data for issues concerning the network. For example, if a WAN link is intermittently experiencing high packet loss, the producer creates a single story with all the relevant data for the link.

    For more about Network stories in Cato XDR, see Reviewing XDR Network Stories.
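The Microsoft Endpoint Alerts, Cato Endpoint Alerts and Network XDR producers described above all perform the same basic correlation step: individual signals about one entity (a device, or a WAN link) that fall within a time window are folded into a single story. The following is an added example of that step; it is not Cato's code, and the exact window rule Cato applies is not described on this page. The example assumes a story opens on an entity's first signal and absorbs later signals within 24 hours of that first signal. The field names, the alert titles, the packet-loss threshold and all sample records are constructed; they do not follow the Defender or EPP alert schema.

```python
"""Added example (not Cato's code): the correlation step that turns individual
signals about one entity into a single story. A story opens on the entity's first
signal and absorbs later signals that fall within WINDOW of that first signal; a
signal outside the window opens a new story. That window rule, the field names
and all sample data are assumptions constructed for this example."""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)


def correlate(signals, entity_key, window=WINDOW):
    """Group signals (dicts with a 'time' datetime and an entity_key field) into
    stories. Signals are processed in time order so that the window is anchored on
    the earliest signal of each story."""
    stories = []
    open_story = {}  # entity -> the story currently accepting signals for it
    for sig in sorted(signals, key=lambda s: s["time"]):
        entity = sig[entity_key]
        story = open_story.get(entity)
        if story is None or sig["time"] - story["first_seen"] > window:
            story = {"entity": entity, "first_seen": sig["time"],
                     "last_seen": sig["time"], "signals": []}
            stories.append(story)
            open_story[entity] = story
        story["signals"].append(sig)
        story["last_seen"] = sig["time"]
    return stories


def summarize(story):
    """One-line summary of a story, in the spirit of a Stories Workbench row."""
    return (f"{story['entity']}: {len(story['signals'])} signals "
            f"{story['first_seen'].isoformat()} .. {story['last_seen'].isoformat()}")


def ts(text):
    return datetime.fromisoformat(text)


# Constructed endpoint alerts; the layout is hypothetical, not the Defender or EPP schema
ENDPOINT_ALERTS = [
    {"device": "LAPTOP-01", "time": ts("2024-05-01T08:00:00"), "title": "Suspicious process launch"},
    {"device": "LAPTOP-02", "time": ts("2024-05-01T09:15:00"), "title": "Malware quarantined"},
    {"device": "LAPTOP-01", "time": ts("2024-05-01T20:30:00"), "title": "Credential access attempt"},
    {"device": "LAPTOP-01", "time": ts("2024-05-03T10:00:00"), "title": "Suspicious process launch"},
]

# Constructed per-minute WAN link samples; only samples over the loss threshold become signals
LOSS_THRESHOLD_PCT = 5.0
LINK_SAMPLES = [
    {"link": "SiteA/WAN1", "time": ts("2024-05-01T10:00:00"), "loss_pct": 12.0},
    {"link": "SiteA/WAN1", "time": ts("2024-05-01T10:01:00"), "loss_pct": 1.0},
    {"link": "SiteA/WAN1", "time": ts("2024-05-01T10:05:00"), "loss_pct": 9.0},
    {"link": "SiteA/WAN1", "time": ts("2024-05-01T10:30:00"), "loss_pct": 15.0},
    {"link": "SiteA/WAN1", "time": ts("2024-05-02T13:00:00"), "loss_pct": 20.0},
    {"link": "SiteB/WAN1", "time": ts("2024-05-01T10:00:00"), "loss_pct": 0.5},
    {"link": "SiteB/WAN1", "time": ts("2024-05-01T10:30:00"), "loss_pct": 0.3},
]


def link_signals(samples, threshold=LOSS_THRESHOLD_PCT):
    """Turn raw metric samples into signals by keeping only the over-threshold ones."""
    return [s for s in samples if s["loss_pct"] >= threshold]


if __name__ == "__main__":
    for story in correlate(ENDPOINT_ALERTS, "device"):
        print("Endpoint:", summarize(story))
    for story in correlate(link_signals(LINK_SAMPLES), "link"):
        print("Network: ", summarize(story))
```

With the constructed data, LAPTOP-01 yields two stories (the third alert arrives more than 24 hours after the first) and SiteA/WAN1 yields two stories of intermittent loss, which is the behaviour the Network XDR description above illustrates: several loss spikes on one link over a short period land in one story rather than one alert per sample. SiteB/WAN1 never crosses the threshold and produces no story at all.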

Understanding the XDR License Tiers

Your XDR license determines the producers available for your account, and whether the service is managed by Cato. All license tiers benefit from the XDR platform tools in the Cato Management Application, including:

The following describes the XDR license tiers and explains which producers are available for each tier. Please contact your Cato representative or official reseller for more information on purchasing XDR licenses.

XDR Core

Available at no extra charge for customers with a Threat Prevention license. XDR Core includes the following basic set of producers:

  • Threat Prevention

  • Microsoft Endpoint Alerts

  • Cato Endpoint Alerts

  • Network XDR

XDR Pro

A paid, non-managed tier that includes the following comprehensive set of producers:

  • Threat Prevention

  • Threat Hunting

  • Usage Anomaly

  • Events Anomaly

  • Microsoft Endpoint Alerts

  • Cato Endpoint Alerts

  • Network XDR

Managed XDR (MXDR)

A paid tier that includes a managed security service provided by the Cato MXDR team, together with the following comprehensive set of producers:

  • Threat Prevention

  • Threat Hunting

  • Usage Anomaly

  • Events Anomaly

  • Microsoft Endpoint Alerts

  • Cato Endpoint Alerts

  • Network XDR
