Dynamic Prevention is a behavior-based security engine that preemptively applies dynamic controls in response to detected threats to reduce the attack surface and mitigate threats early, before any impact occurs.
Instead of relying on static rules or signatures, Dynamic Prevention leverages Cato’s network-wide traffic visibility to continuously learn what is normal behavior across your network. It builds a behavioral baseline for each entity, representing typical usage patterns and expected activity.
When abnormal behavior is detected, Dynamic Prevention automatically applies temporary, dynamic controls. These adaptive dynamic controls block access to exposed services, actions, or access paths to reduce the potential attack surface. The controls enforce mitigation actions based on thorough analysis and research of numerous breach scenarios by Cato's research team.
Dynamic Prevention continuously reevaluates behavior over time and automatically adjusts or removes enforced controls as behavior changes. This enables early disruption of attack activity, reduces the exposed attack surface, and minimizes the need for manual intervention, while maintaining full visibility and administrative control.
To provide a more complete view of risky user behavior, block events triggered by Dynamic Prevention’s behavior-based security engine are incorporated into the user’s risk score. For more information, see Understanding the User Risk Level.
Dynamic Prevention requires an Advanced Threat Protection license.
An employee at company ABC fell victim to a phishing attack that compromised their endpoint. Shortly after the compromise, the attacker began discovery and network-mapping attempts using legitimate tools. This activity had never been observed on that device before, and Dynamic Prevention immediately flagged it as a high-risk deviation from the established baseline, classifying it as malicious reconnaissance.
In response, the Dynamic Prevention engine applied an adaptive security control that prevented the download and execution of AnyDesk, which the attacker was attempting to use for remote access and C2 communication. By applying this control automatically, Dynamic Prevention stopped the attack at an early stage: it prevented external control of the host, halted further payload delivery, and cut off the path to lateral movement.
With Dynamic Prevention, company ABC neutralized the post-phishing threat automatically and without manual intervention, significantly reducing both the attack surface and the impact of the compromise and strengthening its overall security posture.
Dynamic Prevention continuously analyzes activity across your environment to identify and stop suspicious behavior using the following steps:
- Build an Entity Baseline: Dynamic Prevention continuously monitors network activity over time to establish a normal behavior profile for each entity. An entity can be a host, such as a laptop or server.
- Detect Deviations: Dynamic Prevention collects real-time signals from multiple security engines, including inline and out-of-band services such as Anti-Malware, IPS, and DLP. It also analyzes long-term insights from the Cato data lake, which aggregates all security events. These signals are compared against the behavioral baseline to identify abnormal activity. Even actions that appear benign can be flagged if they significantly deviate from normal behavior.
- Dynamic Controls: When suspicious behavior is detected, Dynamic Prevention automatically applies an appropriate control to the entity to reduce its attack surface.
- Block Malicious Action: If the entity then attempts an action covered by the control, that action is blocked in real time, before the threat can progress.
- Adapt Dynamic Controls: Dynamic Prevention continuously reevaluates entity behavior and dynamically adjusts or removes applied controls as the risk level changes.
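The steps above, as an added illustration that is not Cato's code (the product's internals are not published): a toy Python model of a per-entity behavioral baseline with temporary controls. The event fields, the signal taxonomy (which never-before-seen signals count as high-risk, and which download category each one gates), the learning window and the control TTL are all assumptions made for this example; the event stream is constructed to follow the phishing scenario described earlier.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical taxonomy (constructed for this example): a signal that has never
# been seen for an entity and appears here is treated as a high-risk deviation;
# the value names the download category the resulting dynamic control blocks.
HIGH_RISK_DEVIATIONS = {
    "net_discovery": "remote_access_tools",
    "credential_dump_tool": "remote_access_tools",
}
# Hypothetical app -> category mapping used for download events.
APP_CATEGORY = {
    "anydesk": "remote_access_tools",
    "teamviewer": "remote_access_tools",
    "chrome": "browser",
}


@dataclass
class Control:
    entity: str
    category: str      # category of downloads this control blocks
    applied_at: float  # renewed each time the deviation recurs
    ttl: float         # seconds the control stays in force without renewal
    reason: str

    def active(self, now: float) -> bool:
        return now < self.applied_at + self.ttl


class DynamicPreventionModel:
    """Baseline -> detect deviation -> apply control -> block -> adapt."""

    def __init__(self, learning_window: float, control_ttl: float):
        self.learning_window = learning_window
        self.control_ttl = control_ttl
        self.first_seen: dict[str, float] = {}
        self.baseline: dict[str, set[str]] = defaultdict(set)
        self.controls: dict[tuple[str, str], Control] = {}

    def _adapt(self, now: float) -> None:
        # Adapt step: drop controls whose TTL lapsed without a renewing deviation.
        for key in [k for k, c in self.controls.items() if not c.active(now)]:
            del self.controls[key]

    def handle(self, t: float, entity: str, kind: str, value: str) -> str:
        self.first_seen.setdefault(entity, t)
        learning = (t - self.first_seen[entity]) < self.learning_window
        self._adapt(t)
        if kind == "app":
            return self._on_app(t, entity, value, learning)
        if kind == "download":
            return self._on_download(t, entity, value)
        raise ValueError(f"unknown event kind {kind!r}")

    def _on_app(self, t: float, entity: str, app: str, learning: bool) -> str:
        seen = self.baseline[entity]
        if app in seen or learning:
            seen.add(app)                       # baseline step: learn normal usage
            return "allow"
        category = HIGH_RISK_DEVIATIONS.get(app)  # detect step: novel after learning
        if category is None:
            seen.add(app)                       # benign novelty: absorb into baseline
            return "allow"
        key = (entity, category)
        if key in self.controls:                # deviation recurred: renew the control
            self.controls[key].applied_at = t
            return f"control_renewed:{category}"
        self.controls[key] = Control(entity, category, t, self.control_ttl,
                                     reason=f"first use of {app}")
        return f"control_applied:{category}"    # control step: temporary restriction

    def _on_download(self, t: float, entity: str, app: str) -> str:
        category = APP_CATEGORY.get(app, "unknown")
        ctl = self.controls.get((entity, category))
        if ctl is not None and ctl.active(t):
            return "block"                      # block step: action under a control
        return "allow"


# Constructed sample stream: (seconds, entity, kind, value).
EVENTS = [
    (0,     "laptop-42", "app",      "chrome"),
    (10,    "laptop-42", "app",      "outlook"),
    (20,    "laptop-42", "download", "chrome"),
    (3700,  "laptop-42", "app",      "chrome"),         # already in baseline
    (3800,  "laptop-42", "app",      "net_discovery"),  # never seen: deviation
    (3810,  "laptop-42", "download", "anydesk"),        # RAT fetch while controlled
    (3820,  "laptop-42", "download", "chrome"),         # unrelated category
    (5000,  "laptop-42", "app",      "net_discovery"),  # recon continues: renew
    (11001, "laptop-42", "download", "anydesk"),        # still inside renewed TTL
    (12300, "laptop-42", "download", "anydesk"),        # control lapsed
]


def run(events=EVENTS, learning_window=3600, control_ttl=7200):
    engine = DynamicPreventionModel(learning_window, control_ttl)
    return [engine.handle(*e) for e in events]


if __name__ == "__main__":
    for event, verdict in zip(EVENTS, run()):
        print(f"t={event[0]:>6} {event[2]:<8} {event[3]:<14} -> {verdict}")
```

The point the toy makes is the one the list makes: the AnyDesk download is blocked not because AnyDesk is known-bad, but because the entity had just deviated from its baseline, and the block lapses once the deviation stops recurring. A real engine would score deviations rather than use a fixed lookup, and would feed many more signals than application names.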
Many modern attacks consist of sequences of low-signal actions that appear legitimate in isolation but indicate malicious intent when correlated over time. While traditional security engines effectively enforce policy and block known threats at specific stages of the attack lifecycle, they typically operate within short-lived evaluation contexts. Detecting these threats requires correlating traffic, security events, and entity behavior across extended time windows, which otherwise demands complex policy tuning, manual baselining, and deep understanding of normal access patterns across the organization.
Dynamic Prevention adds an adaptive prevention layer that correlates signals across extended timeframes and multiple data sources. By analyzing traffic flows, events, and behavioral patterns together, it identifies advanced threats that emerge only when actions are viewed as part of a broader sequence rather than individual incidents.
When Dynamic Prevention detects suspicious behavior, it automatically applies graduated, context-aware enforcement to stop threat progression in real time. These adaptive restrictions are enforced immediately—without requiring custom rules or manual intervention—and are continuously adjusted based on updated risk assessment.
Together, existing security engines provide precise, event-level protection, while Dynamic Prevention delivers long-context detection and automated response. This combination lets you prevent sophisticated attacks that evade traditional controls, without increasing configuration complexity or operational overhead.