UPDATED 13:12 EDT / NOVEMBER 03 2020

SECURITY

Cato Networks ‘solves’ threat intelligence false alarms with new AI system

Cato Networks Ltd. today introduced a machine learning system that it says can ease cybersecurity teams’ work by eliminating so-called false positives: cases in which a breach alert is generated for an event that later turns out to be harmless.

Cato Networks is a heavily funded networking startup that offers a so-called SASE platform. The platform provides access to a global wide-area network operated by the startup that enterprises can use to connect their offices, data centers and public cloud deployments with each other. There are also built-in security systems that scan customers’ data traffic for threats.

The standard method of catching network-borne threats is to compare suspicious items against threat intelligence feeds. A threat intelligence feed is a service that provides information about website domains and IP addresses used to launch hacking campaigns. There are hundreds of such feeds in the market, some of which are paid services maintained by cybersecurity firms while others are open source.

The issue Cato’s new machine learning system tackles is that threat intelligence often contains false positives. This creates scenarios where cybersecurity teams receive alerts about potential breaches only to find out, after an investigation, that no breach occurred in reality. It’s a big issue in enterprise networks: Too many false positives strain security teams and delay the investigation of real threats.

Cato says that its system can filter practically all false positives for customers by automatically assessing the validity of alerts from threat intelligence feeds. It does this by evaluating multiple factors about each individual alert, then creating a “reputation profile” based on those factors.

For example, if Cato receives information from a threat intelligence feed about a website domain that is suspected to be malicious, it will check whether the domain was flagged by any other feeds. The rationale is that the more threat intelligence providers identify a given entity as malicious, the better the chance it is in fact a threat and not a false positive. Cato gives a higher score to threats that are flagged by multiple feeds and a lower score to those reported by only one or a few.

The startup’s system also considers traffic volumes when assessing whether an alert is valid. Hackers frequently change the domains and IP addresses they use in malware campaigns to avoid being blocked. As a result, a domain or IP address that is new and receives little traffic has a higher chance of being malicious than a well-established website with a large number of visitors, and Cato’s scoring takes that into account.

Cato says that its system analyzes millions of data points from more than 200 threat intelligence feeds to make alert filtering decisions. Since rolling out the system to its SASE platform, the startup claims that most customers statistically “never experience a false positive.”
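The two signals the article describes, feed corroboration and traffic volume, combined into a toy reputation score, as an added Python illustration (this is not Cato's code; the feeds, traffic figures, weights and threshold are all constructed assumptions):

```python
# Toy reputation scorer for threat-intel alerts. Added illustration only:
# weights, thresholds and sample data are assumptions, not Cato's algorithm.
from dataclasses import dataclass

# Constructed sample feeds: feed name -> indicators it lists as malicious.
FEEDS = {
    "feed_a": {"evil-update.example", "203.0.113.7", "cdn.example.com"},
    "feed_b": {"evil-update.example", "203.0.113.7"},
    "feed_c": {"evil-update.example", "login-verify.example"},
}

# Constructed traffic stats: indicator -> (distinct clients seen in the
# last 30 days, days since the destination was first observed on the network).
TRAFFIC = {
    "evil-update.example": (3, 2),
    "203.0.113.7": (1, 1),
    "cdn.example.com": (12000, 900),
    "login-verify.example": (2, 1),
}

@dataclass
class Reputation:
    indicator: str
    flagged_by: list
    score: float  # 0 (almost certainly benign) .. 100 (strongly corroborated)

def corroboration(indicator, feeds=FEEDS):
    """Names of the feeds that list this indicator."""
    return sorted(name for name, iocs in feeds.items() if indicator in iocs)

def reputation(indicator, feeds=FEEDS, traffic=TRAFFIC):
    flagged_by = corroboration(indicator, feeds)
    # Corroboration: fraction of feeds that agree, worth up to 70 points.
    score = 70.0 * len(flagged_by) / len(feeds)
    clients, age_days = traffic.get(indicator, (0, 0))
    # Traffic: a new, rarely visited destination raises suspicion (+30);
    # a long-established, high-volume one lowers it (-30).
    if clients < 10 and age_days < 7:
        score += 30.0
    elif clients >= 1000 and age_days >= 365:
        score -= 30.0
    return Reputation(indicator, flagged_by, max(0.0, min(100.0, score)))

def triage(alerts, threshold=50.0):
    """Split alert indicators into those worth an analyst's time and the rest."""
    kept, dropped = [], []
    for ioc in alerts:
        (kept if reputation(ioc).score >= threshold else dropped).append(ioc)
    return kept, dropped
```

In this data the popular CDN hostname listed by a single feed is dropped, while a brand-new domain listed by only one feed still passes because the traffic signal corroborates it.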

“Security analysts face a daily flood of security alerts, most of which are simply irrelevant,” said Elad Menahem, Cato Networks’ director of security. “These false positives result in alert fatigue that leads security professionals to block access to legitimate business resources or simply disable their defenses, increasing the risk of infection. Using artificial intelligence and machine learning algorithms, Cato’s fully automated system solves this problem.”

Photo: Cato Networks
