Maximizing ROI: A CFO and CTO's Guide to Integrated Security and Optimization with Cato SASE Cloud (Austin Stewart & Abraham Gonzalez)

Max:

This is IT Broker Tech Deep Dive with Cato Networks. I'm Max Clark, and I'm joined by Austin Stewart and Abraham Gonzalez. And today we're talking about SASE, how Cato implements SASE, what I need to know about SASE, what you need to know about SASE, everything you didn't wanna know about SASE, and, hopefully, all that in a short amount of time. Thanks for doing this with me, and welcome. Our friends at Gartner decided to brand this thing called SASE.

Max:

Besides having a really fun name to say over and over again, SASE, SASE, SASE, SASE, SASE, SASE, it encapsulates a lot of okay. Look. The description of SASE is basically taking every point solution that a company is buying related to security, SD WAN, network infrastructure and merging it all together into one pile. And that immediately took and forced a lot of manufacturers and OEMs to go out and start acquiring technologies they didn't have and maybe they didn't have in house to fill out this SASE road map. Cato is a little unique in this world in the sense that you weren't a legacy manufacturer.

Max:

You weren't a legacy firewall vendor. You weren't a legacy SD WAN play. You came into the market already with this environment and this idea and this state and actually before SASE was even dubbed. So, like, kick this off and just give me an overview of Cato and how Cato views the world that is now called SASE and what this actually means and how we make sense of all this.

Austin:

Yeah. Awesome. Cool. I'll show a couple slides here for everyone to see where it came from, and that's a great introduction to it, describing it as Cato wasn't a legacy manufacturer. Because what's funny about that, that's how Cato came to be.

Austin:

The inventors of Cato, the founders of Cato, Shlomo and Gur, both of these guys 30 years ago created the web application firewall and the actual firewall, the first commercial firewall 30 years ago. And then 20 years ago, the web application firewall, and they also helped get, Shlomo helped get Palo Alto off the ground. He was one of the first investors and gave them guidance. And over the years, they said, this doesn't work. I mean, if all you are is an equipment manufacturer and you have, like you mentioned early, all these different point solutions that don't connect together and aren't on the same platform that it just doesn't work, and it doesn't work in 2023.

Austin:

It hasn't worked for the past 5 years, really, with the cloud being what it is and the Internet being what it is. So Cato started in 2015, with Shlomo and Gur building the foundation for 2 years, and we've been general availability to all of our customers since 2017. And since then, now, you know, we've gone from 2 guys who founded the company to 750 employees. We have a massive global footprint, thousands of Cato instances deployed in over 150 countries. So they didn't do this on a small scale.

Austin:

They went from 0 to 100 very fast in developing Cato. And one of their big so so 3 of their big deals when they started it was it has to be simple. It has to be operationally easy, and it has to be super effective. It has to has to provide a lot of value for the customers using it. And, man, they've done that.

Austin:

It's it's pretty amazing. So, I mean, you can see on here, this is just, a tiny bit about the customers that we have. So we have customers that are a one stop rural customer in Arkansas that can hardly get Internet out in the mountains, And we have customers that have thousands of locations globally, and they're all using Cato. So it's a very scalable solution for, any type of company and any size company, which is pretty cool. And this next piece goes to what you talked about, Max.

Austin:

I mean, it goes to this is what the world I mean, for a lot of customers still looks like today. A lot of point solutions. They have old MPLS. They have a separate SD WAN provider. They have something for branch security.

Austin:

They have some remote worker solution. They have all these disparate pieces, and that's what Cato that's why it came about is to put all of those different solutions on one platform, converged where everything talks together with a global backbone behind it all, and to take the complexity out of what is a super complex issue for enterprises is how do you secure it? But, also, how do you make it fast where all your users are getting all their apps and you're not having latency, and they're able to upload CAD designs, or they're able to get to their email and all the stuff that they're doing. And so that's that's what Cato that's what Cato did. You know?

Austin:

Just from a from a high level, that's that's who we are, exactly what you said.

Max:

The struggle that you we run into when we start talking about architecting and and blueprinting a design for for an environment is if you have a traditional firewall, you know, maybe that firewall claims to have introduce SD WAN functionality. And, actually, we should probably talk about what SD WAN functionality actually does for people because, you know, Internet optimization, WAN acceleration optimization, and MPLS replacement are very different functions of SD WAN implemented differently by different vendors. So then you have, you know, your firewall, and then you have your SD WAN. And then if you, you know, try to transition and go into some sort of overlaid, secure web gateway product that fits on top of it, and all of a sudden you've created the stack where you've got 3 very distinctly different things in that stack, plus what you have to do for remote users. You know, the telcos and and large MSPs try to solve this problem going back a decade by doing very large chassis based firewalls in their pops and the problem that we ran into with that was, you know, it would be pinned based on where the headquarter location was.

Max:

So if you had an HQ in in Los Angeles, you'd end up with a firewall instance on a chassis firewall in Los Angeles or in in the LA region. And then you'd find out that you had development teams in Turkey that needed to connect to that that were pinned from Turkey to Los Angeles back to EMEA assets, and and that wasn't great as well. So let's spend a little bit of time. And I want I know and and talk about really the the differences of what Cato is doing in that context because these are things I'm really curious about and I wanna explore. And the idea of, like, oh, we do everything and it's magic is great, but, like, what does it actually mean, and how does this actually work?

Austin:

That's funny, Rod. It does seem like magic. So I came from the world you just spoke of. So from my first 15 years in in IT, I was at a couple massive MSP providers. And the world that we lived in was what you said.

Austin:

Hey. We have 30 different vendors. We would talk to the customer. What are you trying to achieve? What's your goal?

Austin:

What's your budget? And then on the back end, we would go, well, here's 6 vendors that accomplish protecting you, giving you a firewall. Here's some routers, mobile user, you know, what was available through the years. Right? We would try to control it for them on the back end and deliver something to them that seemed very seamless to them.

Austin:

We tried to make it seamless to them. Truly, it's not. They're putting in a ticket, and there's a couple of guys on the back end doing swivel chair. And they're in 7 different portals. And they're trying to put into action what your request was.

Austin:

And did they do it right? You know, was that was that accomplished? And did we were we able to do it in 3 days? The SLA is, you know, 4 hours, but did we even really get it accomplished that week? Cato put everything in one portal.

Austin:

And when I first saw Cato a year and a half ago, to be honest, I didn't know who they were a year and a half ago. And I saw it and I went, how have I not heard about Cato? The architecture is exactly what we've been trying to do as an MSP for 15 years, and they've built it on one platform where they can actually, you know, making one change and it going out to everyone, making it usable for an enterprise. Because I'm sure you, Max, I mean, it's the same as me and Abraham. Every customer we meet with, they don't have enough staff.

Austin:

It's hard to retain really good staff that learn what they're using. And so to expect a staff even at I'm I'm talking really large customers. I mean, customers that have 40, 60 sites. They have a director of IT and a couple guys underneath them that are trying to support the entire enterprise, and you can't expect them to be able to run all these different solutions and all these different portals and the patches and updates that it takes. The nightmare that is incurred with all I mean, just it slows the business down.

Austin:

Their business can't reach their customers and grow at the scale that it needs to and make a lot of money like the business is there for because of the IT challenges. You know? Shlomo and Gur, our founders, went, man, we have gotta make whoever makes this simple and makes it easy and makes it but super powerful and effective, they're gonna own the IT landscape in several years and kind of how you opened, Max. All of our competitors that just had SD WAN or that were a traditional firewall company, you know, they're trying to acquire people and slam point solutions together, and they're trying to figure out how to create what Cato created from absolutely the ground up, and, you know, they can't. I mean, they're still left with 3 portals, and they have this SASE story, but they still have 3 portals that a customer has to go into to manage everything.

Austin:

It's not converged. It doesn't look like this. It's better than this. It's better than what they had to to work with 10 years ago, but it's but it's not the future.

Max:

What is SASE, and how does and what does Cato deliver? Like, I mean, that's maybe probably the core of this whole conversation is, you know, when Gartner says, okay. There's this thing called SASE, and the company says, okay. This makes sense to me. I wanna go have this thing called SASE.

Max:

What is SASE, and what are you delivering within that world?

Austin:

So SASE has a lot of different definitions based on who you're talking to. So it is a marketing term, and it is very difficult to pin down one person if and I think, in my opinion, this is why Gartner hasn't made a magic quadrant of SASE yet. I mean, they're still figuring out, you know, what components are we gonna say are absolutely mandatory. But the components that you can't get away from, you have to have SD WAN. You have to have security.

Austin:

And when you say security, we're not just talking a next gen firewall. We're talking a security stack underneath it. Intrusion prevention, anti malware, CASB to control applications, data loss prevention. You have to be able to do manage detect and response, and then you also have to have a managed services group that can help that customer out with it. And then you have to be able to support the remote worker.

Austin:

So the three things you have to have are SD WAN, deep security stack, and you have to be able to support remote worker on a SASE platform. But then it starts getting a little bit sideways on who you talk to because it's, oh, do you really just have to have one portal? I mean, Cato just has one portal. But you go to a competitor of ours and they're acquiring people, so you have to go into a portal for the SD WAN and a portal. It may have one pane of glass, but you're really they really have tie ins to other things.

Austin:

So, customers, I think, are really gonna decide what SASE is and what's the most important to them. Customers are gonna go they're gonna end up going, it has to be really simple and it has to be this or, you know, they'll decide what their dollars whether they're gonna allow hardware vendor that their stock is completely reliant on them selling firewalls and them stacking stuff on it or whether they're really gonna go to a cloud platform like Cato, and that's gonna be the SASE that customers choose.

Max:

Some companies are greenfield. You know, they don't have infrastructure. Maybe they closed offices down because of timing work with the pandemic, and now they're opening offices back up and they're gonna redeploy infrastructure. And they've decided whatever we had that we put in the storage, we're just gonna depreciate any waste and we're gonna get new stuff. Right?

Max:

But that's not normal. That's not the usual company. The usual company is already invested in switches and access points and firewalls because they had to have them in maybe routers and SD WAN. There's a certain I'm sure you deal with this a lot in this conversation, which is why I'm asking. You know, when you when you look at that and you say, okay.

Max:

If Cato's delivering SD WAN and the firewall and the remote user access, you're displacing a lot of investment, both financially and operationally in in whatever is already there. And just by by the nature of that conversation of saying, hey. You know, you're gonna get rid of what you've invested you've committed to and invested into creates probably some resistance to this conversation. I mean, how do you how does that conversation get navigated?

Austin:

So some customers are really excited to get away from the disparate pieces that they have. They don't like working in that many portals. Some customers where there is the firewall SME, he has invested a lot of time in learning about Palo, Fortinet, Zscaler, whatever. You know, he's wearing the t shirt, and he has the ball cap, and he really likes it because he really knows it. Sometimes it's a leadership person going, we have to remove complexity.

Austin:

They're like, John, if you leave, who's gonna be able to get in and do all the firewalls for us and patch and update everything? You know, we we have to look outside of this. And then a lot of times, I mean, me and Abraham, we work with a lot of IT leaders and even the network admins that are doing work and they see this. I am blown away every day sitting with customers and them going, wow. It does that?

Austin:

Oh, we can get rid of this too. Wow. Y'all y'all have a global backbone? The SD WAN provider that we have right now, we just bounce around the Internet, but y'all actually have a backbone that takes us across the world that's included in the price. Like, you're not, there's not a there's not a oh, that's a global add on fee for this.

Austin:

So you really when you talk to them and they truly have an open mind, like, they're they really wanna do well for their company, they just end up amazed by Cato. And I sit in in meetings amazed that they're amazed. Like, every time I go, wow, man. These they they love it.

Max:

Meraki is a fantastic product. They make great switches, access points, they have cameras. They have firewalls. The firewalls say they include SD WAN. Really, that means that they do failover.

Max:

They don't really you know? I mean, like, SD WAN is a loose terminology there depending on how you actually look at it. And they acquired OpenDNS to give them their secure web gateway product and proxy, and now they're including DLP. But these are different consoles. Right?

Max:

You know, the portal the point of you manage your Meraki equipment in one interface, and you manage your Umbrella infrastructure in another interface. Palo Alto has phenomenal firewalls. They don't sell switches. They don't sell access points. You've got different devices you're maintaining on your network in that situation.

Max:

They have Prisma for global access. Right? Zscaler doesn't have SD WAN firewall on premise anything. And, you know, you you have to have something else in place in order to talk to Zscaler. I mean, all these solutions, it's just like I mean, look.

Max:

I love Legos, but, like, to a certain degree, trying to make sense of, like, what do you put at what level to do what with it. And you get into these conversations. You start whiteboarding. You're like, okay. Well, we've got this thing, and this thing has to fit here.

Max:

And it depends on this other thing that fits on you know, and you start kinda working backwards on it. You're like, what the heck are we doing here? You know? And why do we need this stuff?

Austin:

I'll tell you what's confusing for people, Max, is that it's so integrated and it's so converged, but it's it's so simple, but it's so powerful. Sometimes they don't believe it at first. They look at it and they think they're, like, looking for the hidden camera going, dude, like, is this real? Is this vaporware? I mean, what are you start talking about other customers and use cases and what they're doing with it, and they go, wow.

Austin:

I mean, this is this is real. This exists. I mean, they're like me watching their first Cato video a year and a half ago going, how did I not know about this? Like, where where is this gold been that it's it it is. And it takes customers it takes a lot of people, probably 3 or 4 meetings.

Austin:

I mean, if they're heavily invested in network equipment, routers, switches, all these point solutions. It takes them several meetings to wrap their head around. Wow. I'm gonna like, all this is really in one place and one this easy to use, but it's really this powerful. It it takes a while to sink in.

Max:

Cato has and sells an SD WAN appliance. It's part of your service. When you're talking about going into an existing infrastructure where people have stuff in place, are you immediately displacing the firewall and deploying just your own SD WAN? Are clients running both at the same time? What does and doesn't the you know, your your hardware do when a company deploys it?

Max:

So if we've got an office, we've got multiple circuits and, you know, any reliable Internet connection, I wanna link in with Cato for your your I mean, next gen firewall, cloud firewall firewall, you know, what whatever marketing term, you know, people wanna actually use for this thing. But for your network layer and IPS, what is that how how do I tier for that deployment, and what are the phases?

Austin:

Yeah. Hey, Abraham. I mean, I've I've talked. You wanna jump in here? You've done so many deployments.

Austin:

So let me let me give a tiny let me let me brag on Abraham. So before Abraham was on the engineering side at Cato, he was on the real engineering side in the pro services group, and he turned up thousands of instances of Cato for customers. So he's had an awesome, history here the past several years of working with customers when they're deciding, man, are we gonna totally rip out our firewalls first and just do this? And how does the deployment look like? So, man, go for it, Abraham.

Abraham:

Sure. So, very interesting question, Max. We we can find a way to fit in. Alright? And then the interesting pieces is a lot of time we, that model, like, where basically we sit, side by side with another solution provider there for the meantime.

Abraham:

But a lot of time what we're seeing is the customer, they were expecting to move into completely to Cato in a year or 2 because they still have a contract or something. We've seen that changing fast. We've seen that basically changing within a few months when they start seeing the Cato the value that Cato brings in, the performance, the easy to manage, and all of that stuff. They're like, you know what? Let's just leave Cato here.

Abraham:

Forget about the other solution, to be honest. Like, I've seen several customer with a year or 2 years left on different contract, for example, Meraki. And the plan was to use Meraki locally because Meraki do right? It's an appliance that do local security. They're like, okay.

Abraham:

We have double security. But when they actually saw the Cato product working and they saw the performance and now the what how Cato was operating, they're like, we don't need the Meraki. Right? And these are here's the difference. Right?

Abraham:

These these endpoint solutions or, you know, appliances solution, they do everything on the actual appliance. Right? You put an appliance in the edge, the security is done at the edge. It's right there. In Cato, we have to change the mentality a little bit.

Abraham:

The security, the IPS, the next gen firewall, the secure web gateway, ZTNA, everything gets done on the cloud. When we push a change, when we do an update, you know, things like that, it's all on the cloud. We don't have to worry about pushing a policy to the box, the box getting disconnected, waiting for the box to get those policies. Right? And it we don't do it that way.

Abraham:

Right? We do it looking at the cloud. The box is very it's it's a very lightweight, operating system. It actually takes less than a minute to boot up and be ready. When we update, when we patch those, basically, those get automated, but the customer also have the option to do it.

Abraham:

They on their own on their own time. It take, like, 40 seconds to patch and reboot and done. And, obviously, we offer high availability if the customer is interested in that. We run a very lightweight, obviously, with the SD WAN capabilities. We do the packet duplication.

Abraham:

We can do up to 3 different circuits active, all of them, and then we also provide the QoS that the customer is looking for. And we also have capabilities to do VLAN routing, dynamic routing, and so on, but majority of the horsepower and the stuff that we known for years at the box the security box used to do it's all done on the actual cloud.

Max:

Okay. So, packet duplication is an interesting thing to talk about. So is this every packet is being duplicated across the different circuits, or you're doing selective packets, or this is configurable? I mean, how how deep into the into the engine can we control these things?

Abraham:

Yeah. Yeah. So our solution is per packet flow. Right? Mhmm.

Abraham:

And you can pick which, which packet get duplicated. Obviously, the recommended is voice video. Right? Because most of the time, the packet duplication is done on the UDP applications. Right?

Abraham:

And then we also you can apply not only UDP, but you can also apply the the the priority or the QoS. Right? What what traffic, will have priority of it? What? And then you need it to get duplicated.

Abraham:

Alright?

Max:

So appliance, piece of hardware, circuits plugged into it, you set up to 3, connected to your PoP. So this is a GRE or IPsec or some other VPN tunnel to your PoPs. Like, how what's the selection of PoP determination for the appliance work?

Abraham:

Yes. So the appliance, first time it reached the Internet, it will build a DTLS tunnel. It's a 443, UDP 443. Very, very light. So it will build that tunnel.

Abraham:

Obviously, the boxes are registered to the account. The boxes will find the account, and the user will get a notification saying, hey. There is a device ready to deploy it. That's it. So we basically encrypt the bar those those, ISP.

Abraham:

Right? So all traffic coming from the LAN that hit the box, they will go out to our PoP in an encrypted tunnel. And basically, all the session, all the acknowledge gets done on the PoP. What basically from the PoP to our box, the only thing the traffic sees is just tunnels. That's why we can easily dynamically shift or basically aggregate up to 3 and use them as one pipe because everything gets done on the PoP.

Max:

So, so then configuration for deployment, customer has to tell you their ISP details for you to preconfigure these boxes or ship them out with IP addresses and default gateways and whatever the subnet mask is and and that sort of network environment. Yes?

Abraham:

Yes and and and and no. You can easily connect the Cato sockets like it is a laptop or a workstation. Right? You can just get the box and connect it to a LAN port. Right?

Abraham:

The Cato will get an IP. And obviously, if you're allowing port 443 out, most of the time you are. Right?

Max:

Probably.

Abraham:

Cato will dynamically it will find the Internet. It will reach out to the Cato Networks where we have a what's called a steering server where basically we can tell where we located, you know, do a geo IP DNS stuff there and find our closest spot. And boom, we connect it and the customer receives a notification. From that point, you can easily leave the Cato sockets behind another product because obviously we encrypting the other product, the other solution doesn't know anything about it. Mhmm.

Abraham:

Or at that point from the console, you can actually go into the device and change the IP to a static public IP if you like.

Max:

So now if you're if you're replacing the firewall, there's a couple other functions that the firewalls may or may not be doing. Like, they're serving DHCP to the internal network. Right? It that maybe that's on the firewall, maybe that's on the switch infrastructure, maybe that's on a server inside the infrastructure. Do you replicate that?

Max:

Or this is a you know, if you were running DHCP on your server, on your firewall, you know, move that to a different host before

Abraham:

You can run DHCP DNS on Cato just fine or relaying to a server if we need to.

Max:

Can you talk about can you expand on the VLAN routing for me?

Abraham:

On the VLAN routing, yes. You can actually on the Cato's, LAN interfaces, you can create a static routing. Right? Let's say, you have a core switching where you trust the VLANs. Right?

Abraham:

You just do a pairing with Cato Edge and your core and just tell Cato, hey, these are my networks that are on the core. Right? And then the core also knows about the networks that are behind Cato, which all the branches in case that you're doing static routing. If you wanna do dynamic, we support BGP. The other option is VLANs is obviously, if you're looking into isolate because you don't trust those VLAN or compliances and, you know, and things like that then you create VLANs which in Cato are totally isolated and then you can control them on the WAN firewall.

Abraham:

Basically, how those VLAN can talk to each other and how those VLANs can talk to other branches VLANs and others and also the users that are remote.

Max:

Okay. So when you actually say configure a VLAN and trunk it to your clients off your network, you can then allow traffic between site to site VLAN to VLAN across Cato's network and you just say do this.

Abraham:

Correct. And all of that, it gets done from the same console. You never change that.

Max:

Okay. If you're replacing a firewall that's on premise that was doing this function, you have the firewall engines on-site. Right? You know, you've got a I mean, a really expensive firewall box with the firewall engines on-site. So if you do this on Cato, how much of this is the socket doing?

Max:

Is the actual Cato appliance doing? And how much of this is is going going northbound up to your pop to actually make decisions? I mean, the question I'm asking is, if I've got a lot of traffic going between VLANs environment, it's a data center, it's an office to a data center, office to office environment, but I wanna have isolation between those VLANs or I wanna put policy on traffic between those VLANs. What do I have to know in terms of sizing, you know, network links and and accounting for latency and all that other good stuff?

Abraham:

So, yes, you mentioned a good point. Right? VLAN to VLAN. They get sent to the PoP for inspection and visibility, right, and then look at the rules, what access they have, and then come back. So a lot of customer have some time concerns about the bandwidth.

Abraham:

But a lot of time, we're seeing that the actual concern when they see the the actual when during the testing, when they see the results, they're like, oh, okay. This is not what I what I thought. Right? But, yes, it's also it's always good to think about, you know, how much traffic you send from one VLAN to the other and also the latency. But a lot of time, the latency obviously, our recommendation is check with your application, database, whatever you have on-site, what are the expected latency.

Abraham:

Right? Because, yes, you have a 1 or 2 milliseconds when you're going locally from a, security appliance, right, to the from the workstation VLAN to the server VLAN, 1 or 2 milliseconds. Okay? If you have a DIA, right, on your on your office, a lot of time we're seeing 1 to 2 milliseconds from our box to our PoP. That means going round trip is probably around 4 to 6 milliseconds.

Abraham:

So that's the latency that we're basically adding for your VLAN to be protected to access the service side. Right? Is that within the requirements for the application or database expected latency? A lot of time, it's yes. So basically, the performance is not being it is is not hurt.

Max:

Which, of course, is assuming that you still have applications on-site because a lot of people don't anymore. Right?

Abraham:

Exactly. Exactly. Yeah. Some of the times do a legacy app or something. But a lot of time, when we when we go that route and then we've seen we do the test, the customer is comfortable with.

Abraham:

Right? But, yes, it's always good to think about the sizing. And most of the time, right, because Cato provide SD WAN, one of the advantage of SD WAN is having 2 or 3 circuits. Right? So because now you're you know, you have a broadband, a DIA, a LTE or 5G, right, and you're utilizing those.

Abraham:

You can also say, look, I want to use this circuit for this type of traffic, this other circuit for this type of traffic. Right? So you can actually split that if you like, or you can just use them as you want. So you have control over that. And you also you always can apply the the QoS policies to make sure that traffic that is critical always have, you know, a first in line.

Max:

So what gets installed for remote users, and what do you do for, companies' cloud instances? Because you're obviously not putting hardware at everybody's remote location, or you're not putting hardware in an AWS or Azure cloud.

Abraham:

Correct. For for public clouds, yes, we do have a virtual instance. It's the same field, same setup as the actual physical appliance, but obviously it lives on Azure and AWS. We also have options for IPsec. Right?

Abraham:

We have customers, they have a third party provider, a third party app, right, with the hosting company maintaining the hoster for you, but obviously you want that communication to be private, you can build an IPsec from the provider to our Cato PoPs. So that way, you know, you can still leverage the SaaS solution even with an IPsec, you know, leverage security and visibility and also improve the performance. You mentioned remote users. We do have a very lightweight client, right, the Cato SDP. It gets installed on the users and then the users can leverage single sign on.

Abraham:

Right? If a lot of the customer in these days, they leverage Office 365 or Google Apps, Okta, OneLogin, we can integrate Cato with those solution. Right? And now the users has the same feel like when they're in the office. Same email, same password, same MFA.

Max:

So if a user has a Cato client installed on their device and that's building a VPN tunnel and then they go into an office, do they have to disable the VPN client? Or does I mean, you don't wanna have, like, a VPN inside of a VPN inside of a VPN to connect to something.

Abraham:

Yeah. No. So we have a functionality where the we detect they're in the office, and the VPN client doesn't disconnect. It just switch to remote office. K?

Abraham:

So we basically have the client known that issue on the socket, but we detect. Like, if they change to another Internet, we, right away, can open bring the tunnel up using the SDP automatically. Right? Because, yeah, we have a functionality that it's it's where the user can turn it on and off the VPN, and we also have the functionality of always on where the user don't have any control.

Max:

So you can deploy a policy from the admin when you push out the client to force it to always be on and that the user cannot turn on?

Abraham:

Correct. Yeah. We can do it global. We can do it per user. We can do it per groups of users.

Max:

So deployment, you're talking about physical office locations, your SD WAN box, remote users installing an application, cloud instances, a virtual application, virtual instance, legacy hosting environments or legacy application sites, IPSec tunnel. Everything feeds back into the Cato cloud. And so you use Cato cloud, but, like, the Cato infrastructure. Okay. Not not like your populace, but the actual Cato cloud functionality.

Max:

And when you say next generation firewall, you know, what does that actually mean? I mean, that's a that's a pretty broad marketing term in today's world.

Austin:

So I have a pretty cool slide for you, Max. I think this will this will bring some truth to we've been talking about a little here today because it shows our security stack is truly a single pass, and this is a really cool delineator. So when you talk to Cato compared to equipment vendors out there that have they're trying to sell, like, they're pushing hard their hardware, and then they have to put the security stack on top of it, and then you have to go to another web interface for another piece of it. Man, this is this is truth to me in a slide because it's so cool. You see the firewall, secure web gateway, all of the security stack there is on a single pass.

Austin:

And all of them are talking to each other to contextualize the information and to provide security that other our competitors can't do because their platform isn't cross contextualizing these different pieces of these different security solutions that are, whatever, it's intrusion prevention, talking to the anti malware to see, oh, is this packet real? Is it not? Is there something wrong here? And is it contextualizing with the firewall and the CASB, the applications that they're using? I think this is an awesome litmus test of Sassy.

Austin:

So going back to where we kinda started from at the first of the program, what's Sassy? Dude, this is Sassy. One platform, a single pass, your packet hits the Cato cloud. If you've purchased all these services from us, if you're using them all, I mean, that packet goes through all of these in one pass, which is awesome for latency. Like, their business users are able to pass through their files, the applications, the pieces of information, and it's not hitting 4 different point solutions.

Austin:

Even if it's the same provider, even if it's a like you mentioned, the Meraki or a Palo, it's not having to go in and out of different ingestion engines that they have. We have one engine. So, man, this is I mean, you can talk about this a little bit, but I think this is awesome. This is a real litmus test and a real some real truth about Sassy and what a single platform provides.

Max:

I got a few questions. As I understand it, commonly, a company might start with a firewall, which includes the secure web gateway URL filtering and, an IPS and anti malware and or or some variation of those things. The selection of these boxes is really what features have we enabled through licensing with Cato to say we want IPS or we don't want IPS right now. But when we want IPS, we can just say we want IPS. You're just enabling that functionality in your in your platform for them.

Max:

This isn't there's no additional deployment requirements or or infrastructure changes or software being deployed. It's just, oh, okay. Check this box, configure the tool, and and go to town.

Austin:

Exactly.

Max:

So next question I have for you. So we talk about secure web gateway URL filtering, IPS, and, you know, like, anti malware. Also, technology terms that have been bastardized by most tech marketing company you know, budgets and and stuff to, like, shoehorn a lot of things in. You know? And, like, going back 20 years, you had Websense.

Max:

And Websense would build, like, classifications of a URL. Right? Like, we know this is a sports site. We don't allow people to go to sports sites. You know, you could say no sports.

Max:

By the way, we did this to our salespeople in an office 1 year for March Madness. It was really funny. The the problem with that, though, is in today's world, like, this stuff changes so fast. Right? So, like, what are you actually what is Cato actually doing from a a threat intelligence and a reputation, you know, an aggregation of data across your your entire environment platform customers to actually start making these decisions?

Max:

Like like like, what are what is the actual like, what are you doing behind the scenes? Because, you know, you see these stories where it's like, oh, something got installed on an application, you know, on a on a computer. It was dormant for a period of time, and it woke up on, you know, Tuesday 28th and reached out and talked to a domain name that hadn't been registered yet. And then command and control kicked off and, like, all this bad stuff that happens to you. And that thing, right, that that command and control infrastructure has never been seen before, so nobody's filtering against it.

Max:

If you mean, if you're just using using URL filtering and, like, basic, like like, this is good, this is bad. Like, you can go to Amazon. You can't go to other stuff. You don't see that stuff, and you can't protect against it.

Austin:

So Yeah. That's proprietary information. We would have to kill you if we told you, Max.

Max:

We're not allowed to.

Austin:

No. Abraham was just talking about this, I believe, like, yesterday or the day before with a customer. They asked kind of that same question. So go for it, Abraham. The answer was awesome.

Abraham:

Yeah. So one of the unique feature, right, because we receive feeds from basically where everybody receive feeds. Right? We read the same, what's it called? S v e

Max:

CVEs. News.

Abraham:

Right. So we know that. Okay. What is our big difference is, and you mentioned before that, right, when you get into some competitors, they have SD WAN appliances, and then you have to find security, and then you have to, you know, different point solution. What happened with them is they don't know about each other.

Abraham:

They don't know what's going on the network. They don't know what's going on on the security. They don't know what's going on with the CASB. Probably they have a URL filtering, a DNS security solution. When you have what we have, which basically what we call it is a shared context security of firewall, where basically all our our next gen firewall, secure web gateway, CASB DLP, IPS anti malware, next gen anti malware, they have eyes over the packet, over the flow at the same time.

Abraham:

That's why we call it single single pass. We we and then another very, very important thing here is the TLS, decryption. Right? Because a lot of you know, on on this new world or, you know, this new technology that we're changing here, that everything is going more and more digital. Well, things are coming encrypted because of the security.

Abraham:

Guess what? The attackers are also encrypting because they wanna hide their stuff. Right? So TLS is very, very important, which we do recommend, to to to turn on. So we knew on the crypto packet, now our solution have all our solution, our complete security stack, have eyes over that packet.

Abraham:

And instead of one of them making a basically a decision of what they, you know, of what they see, what they saw, or doing it on kind of step by step. All of them, they talk to each other, and they make a decision like as a family. It's like in the neighborhood where you have somebody, kind of malicious, passing by. It will happen if one person sees it. Right?

Abraham:

But what happen if if everybody get together and say, hey. Have you seen this card? Oh, yeah. Yeah. I've seen this this movie.

Abraham:

And they're like, oh, now we can make a decision. I said, kind of like a unified decision, right, based on what everybody's seeing. So that way we can improve the overall performance because instead of waiting, going into URL filtering, application control, anti malware, IPS, no. We can even stop it right on the first one. Say, look, this is malicious because this IP has a bad reputation.

Abraham:

This file has a signature that's been modified that we see from from here or there. Right? And we collect so much data across customers, right, across or basically what we've seen what happened across the Cato Networks. For example, Log4j. Why we why we were able to detect it in less than 24 hours?

Abraham:

Because we've seen Log4j a ton of customer accessing it every single day, every hour. Right? So we see how it behaves normally. When we saw how it start behaving a little different, that's when we raised alerts right away. And we're like, oh, hold on.

Abraham:

Something is changing here. And this is all real time. We don't have to wait for for to for the CVE to get, you know, okay. Here's the information. Let me find now the, you know, the fix and deploy it.

Abraham:

We were able to see the behavior. We were able to stop it and basically deploy to other customer, and they didn't have to do nothing about it. It was just all done for them, and that's one of the, you know, the the benefit or the advantage that we have, against other solutions.

Max:

The craziest thing that I experienced now talking with companies about security is fits into kind of a 2 categories. And the first one is we get into when we're when we're evaluating and we're doing we'll just use evaluating. When we're doing evaluating, one of the things I'm looking for is, like, how mature is your organization? How big are you, and how much data do you have? Right?

Max:

And and you find, you know, companies selling security, and you've and it's like, well, we have 12 people in our SOC, and we're using, you know, whatever point solution that we've integrated on top of. And these are good tools. Right? We're talking industry best of breed platforms, but they're relatively isolated to each other. And I always I I can take a step back from them and say, well, security is not this, like like, isolated thing anymore.

Max:

You know? You need to have a lot of data. And I was watching a briefing the other day from Cato. And one of the slides that came up was a it it was showing, like, growth of your network was really the point of the marketing slide. But at that point, I think the slide was something like 1.3 trillion flows a month worth of data through your network, and I'm sure the number is even higher now.

Max:

So if you know what the number is by all by all means, that's a lot of of data to actually be able to evaluate. I mean, you think about, like, a firewall enabling UTM or DPI, like like, it only sees what it sees. But I'm trying to contextualize, like, what 1.3 trillion flows a month worth of data actually means in terms of network traffic. And the other thing was interesting on the slide. It was it was top applications by use, you know, like, what destinations, of course, like Google and YouTube are huge and Amazon's huge and all these different things.

Max:

But, you know, it was TikTok actually sits here in our rankings for our global customers of, like, how much of our global traffic actually goes to TikTok. And and that was also interesting to me too because that gets kinda gets into your CASB functionality where, you know, traditionally, CASB is like, I want to, restrict access to Salesforce from only our authenticated IP addresses. Right? But you've include functionality in CASB, which will tell a network what applications you're going to, what sites you're going to, and then allow people to restrict I mean, like, do you want your users going to TikTok on your corporate network or not? Right?

Max:

Like, it's kind of where I go to immediately in my mind. Anyways, I I can you expand on this for me? But, like, really, you know, like, I'm an I'm a network nerd, so I wanna talk about this. Like, over a trillion flows, like, that's is a lot of data. Like, what do you I mean, are you is every flow evaluated in real time?

Max:

I mean, how what are you what are you doing with these flows? How are you correlating this? How much of this is specific to us to a a unique customer? Like, I've got a business that talks to Nigeria because we've got an installation for water desalination in Nigeria. Like, is that something that you know about?

Max:

And you could say, okay. That's normal for me or not normal for me. Or is it you know, like, how deep does this go?

Abraham:

We look at all that data. Right? So, obviously, each network for the customer are isolated, but we, you know, we we read we can read, that malicious information, right, to basically help other customers and help the the overall network in in Cato network. So, yeah, we do have a a SOC. We do have a security research team that constantly looking at all of this.

Abraham:

Right? We have our artificial intelligence running, and we always sanitizing our our security stack, our IPS solution based on because we see so much feed that we can actually tell. And that's why on our solution, it's very, very lower lower or or false positive because we keep sanitizing this. We keep, keeping it clean to make sure that the what the customer gets, it's accurate. It's not just, oh, we're just gonna do everything, and then later we we figure out.

Abraham:

No. Cato is basically figuring out all all of that for you.

Max:

You know, look. I mean, from a network admin or a security you know, firewall admin standpoint, you know, the dirty secret for for all of time is you configured the firewall. You configured your NAT rules. You had any external IP pointed to the internal service like your email server that you had to have. And then 99 out of a 100 times or 999 out of a 1000 times, you know, the rule said allow anything on the inside to go out.

Max:

And and there's no real policy enforcement for for traffic egressing from your corporate office to the Internet. And then maybe maybe you got a policy directive at some point that said we have to block AOL Messenger. We have to block TikTok. We have to block something, and then you have to figure out how to block it. Now in those in that world, you don't really have a sophisticated granular blocking method.

Max:

I mean, you can put in IP addresses by hand, but, you know, I I I think about this from experiences that I've had personally where it's like, okay. We're gonna allow 443 traffic from you know, to the Internet. Right? Like, it's important that people get to websites. But there's no, like, real overlay to say we have never talked to a website in the Bahamas before ever in the history of our business and and know when that happens and do something about it.

Max:

And is is that functionality here that now we we get and see? I mean, is Cato doing this for for for people automatically? Is this something that you're just alerting on? Is this something that you know, I'm I'm I'm trying to understand, like, how deep this goes where, you know, if if I'm a Cato customer and I've been on your platform for 2 years and all of a sudden, like, boom, we're talking to some, you know, website in BVI, like, what kind of what kind of flags does that raise, or does that traffic even get there in the first place?

Abraham:

Yeah. Yeah. So we do we do also have a functionality which is called suspicious activity, where you can easily set that up and or get it automatically, set that up for you. I'm sorry. And you can receive alerts if you want to.

Abraham:

Right? Get an email about that suspicious activity so you can kinda aware, for example, that. Right? First time going to Bahamas if you're deemed that kinda suspicious. But we look like since we mentioned about the the shared context, we look at at right at at the whole packet.

Abraham:

Right? So we look it's an IP to Bahamas, but then we look at who is the provider. Right? If it's a file or anti malware engine, it will scan it, and we'll look at the signature. It will look at the behavior.

Abraham:

If it's a URL, we're gonna look at what type of URL, right, because it's probably, example, google.com. So and then probably Google has something hosted there. We're, like, it looks good basically on on all of this. It's the first time, but I don't see anything about bad about this IP. I see actually the file is clean.

Abraham:

The URL is actually good. Let's send it, you know, let's send it over. Right? That's that's how the the whole, shared context work and perform. Right?

Abraham:

Because they can see over everything. And not only one branch is doing this. This is we we're gathering other data from users, right, all the users connecting to your network and then all the branches because they go through the same engine. Right? We have eyes.

Abraham:

And not only that, but we also see data from the network side. Right? That what what I was explaining since when you have different different point solution, it's it's it's hard for security to know about the network because they they don't know how to talk to each other. On our on our network, everything talk to to each other so we can gather more data to make it more accurate decisions about the traffic.

Max:

Now what's not on this slide that you talked about earlier was MDR. And I'm really curious because this is not MDR is not functionality that's usually included from an SWG product. Right? Like, you don't you don't see this. Usually, MDR comes into, you know, a a a security overlay if somebody that's managing an EDR and a SIEM and performing SOC functions.

Max:

So what is MDR in the Cato world, and what are you doing for MDR for customers?

Abraham:

Obviously, it's an add on product where we can help you. Right? You probably have a set of security engineers, but, you know, there is obviously just certain points that they can do. Right? And sometimes you have 1 or 2, or I don't know, maybe you you have one security slash network, so it's kinda hard to know everything.

Abraham:

So we give you that another set of eyes where basically is, since you're gonna send all traffic over Cato, we're gonna look at all of the data and basically we're gonna tell you what's going on. And maybe when you see that report, you're gonna be like, hold on a second. I didn't know that all of this was happening. And basically we give you best practice in how you can approach that, how you can fix that stuff. Right?

Abraham:

And then we can include, you know, meetings with, with the team and basically how that gets done and recommendation, how you can remediate. That's that's kinda like what what is included on the MDR solution. Right? A lot of time, you're probably not aware, but you maybe have, for example, SMB 1, 2, and 3 open. But actually, nobody's using SMB 1 and 2, which has vulnerability.

Abraham:

And you're like, oh, really? I can close it. Go ahead and close it. Right? SSH 1 and version 2.

Abraham:

You have both open, but somebody the people that are doing SSH are only using 2, which is the actual good one. Right? SSH 1, you can close it. Right? And then you probably are open custom ports and and then, you know, for a specific, for a specific application or services.

Abraham:

But guess what? When you do TCP, UDP, the attackers can actually still tunneling in. So what we recommend is like, look, change this to a service that we have here. It's a service that is that we we signed, Cato, and we look all the way to the Layer 7. So we can actually, you know, have a much better, understanding and visibility over the actual services.

Max:

What do companies do that still have on premise applications? I mean, these are things that, you know, maybe need to be accessed by users that are not, you know, inside the organization. Right? So, I don't know. Maybe somebody's crazy and they still have a mail server on-site because they have an FTP server on-site.

Max:

They're doing some sort of ETL. You know? They've got a remote desktop server that they want generally available for some crazy reason that isn't just, you know, accessible to their their own internal remote user. When Cato comes into play and you've got, you know, your SD WAN that's tunneling to your your is that still providing a mechanism for people to host applications in their at their offices? Or, you know, if they had a data center, you know, they could put their data center behind Cato as well?

Abraham:

Yes. Yes. They can. Yeah. We still provide a one to one NAT.

Abraham:

And and and guess what? You are now basically exposing that web server from the Cato data center, the Cato PoPs. Right? So now the session gets done like what we're saying on the PoP. And now if you have 2 or 3 circuits, we can leverage your 2 or 3 circuits to make sure your web server now has a better uptime because everything is done on the path level.

Abraham:

So now you also apply security. You can also apply QoS. You can also apply, you know, TCP proxy if you need to, and and so on. But if you have a circuit that is not operating well and you actually wanna change it because of any reason, guess what? You can actually do that on the middle of the day without interrupting services.

Abraham:

And that web server app doesn't get interrupted because the DNS, it's all done on the Cato public IP. Right? So you don't need to change the DNS to another public IP. You don't have to deal with anymore with the ISP public IP spaces.

Max:

Okay. So and then this your one to one NAT is also solving the issue around UCaaS real time services because you're doing packet duplication if there's a SD WAN in play. But then in addition, you're pinning that through a pop so that way you don't have that boundary changes that you have to worry about and have voice calls.

Abraham:

And and that's a, about voice. Right? Because it's it's most of the time it's UDP. But guess what? We we have other applications that we can actually accelerate and basically, increase the performance because we can find, the optimal egress.

Abraham:

And since we have a network that we control, that we manage, right, that we provide IPSLA over that, you can leverage our, our backbone from moving from long distance communication. For example, let's say you're going your headquarters is in in Dallas. Right? And then your public application is hosted on Virginia. Right?

Abraham:

The provider, the the the whoever make the application is hosting that app. Instead of you going from the public Internet from Dallas to Virginia, what you can do is on Cato, you can say, look, when these users or the entire network are going to my public application, a, b, and c, please egress on the Virginia and Ashburn data center, the Cato POP. What what we're gonna do is from from that path, right, from that, communication or, route that we're gonna take, we're gonna leverage the Cato backbone. K? And each POP that we touch, we're gonna do acknowledge, we're gonna do a TCP proxy, and then we're gonna accelerate the traffic.

Abraham:

So from the standpoint of the destination, every time we get obviously, we touch a pop, it's lowered, we're lowering the the latency and increasing the performance. So when we go when we get all the way to the Ashburn POP, right, and let's say now we're gonna egress to the public to reach that application, if for any reason the packet drops, we don't need to go back to the source in Dallas. No. We just go to the last pop, that did the acknowledge, and we retransmit from there.

Max:

I'm having flashbacks right now when you talk about TCP proxy latency and window sizing to Aspera and doing global accelerators around, like, calculating bandwidth delay product and trying to do window sizing to have applications actually perform over WAN links. Are you telling me that, like, a lot of that is already integrated into Catos and your Cato POP architecture where I don't have to you know, if I'm trying to transfer bulk data, you know, between 2 continents, that this isn't, like, go out and figure out some some appliance that can take and actually shove the stuff into UDP and, you know, pipe it across a network link as fast as possible and

Abraham:

It's just there.

Austin:

And a big reason for that, Max, is, you know, we provide a global backbone for our customers. And so we need that backbone to be as optimized as possible so everybody's traffic is flowing on it. So, you know, it's a great benefit to our customers, but it's something we had to do knowing the increased usage of traffic across the world. You know, we had to do that. Or, I mean, how many pipes do you have to put in between?

Austin:

Because we have redundant connections between globally every single pop, and they're all meshed. And so we had to do it to keep traffic flowing as good as possible because we offer QoS across our backbone for video and voice applications for customers. And so we had to put these types of, window sizing and TCP in there so that traffic flows and customers' video and voice works really well.

Abraham:

So Max, do you mind if I can go step back and explain a little bit of our our backbone if it's okay? Okay. So and then so you're gonna kinda understand why it's so important, right, the the the the Cato infrastructure on on the Cato SaaS, solution. So, obviously, like we mentioned, on the beginning, it's our Cato pops are actual physical buildings, right, physical data center, top tier data centers, and we're just renting basically the space. Right?

Abraham:

We it's our equipment. It's our software. It's our switches, it's stuff that we manage and then we don't we don't use their, their their path or their their Internet provider, we we pick our own provider. Right? And we pick at least 2 and those are most of the time or all the time we try to get those basically, the top ISPs and then we pick those IP transit where we can actually manipulate the routing tables.

Abraham:

Right? We have access to that. So now we can pick the as less hops as possible from one pop to the other pop. And then basically now we encapsulate that. Right?

Abraham:

We use both links. We create that mesh between all of our pops. So now our customers, basically, they run on top of that. Alright? And another and another overlay.

Abraham:

And and, basically, that's how they find or we find the best path, the best route available for them from one destination to the other. This is where a lot of of the other competition, they basically fell because they thought about SD WAN and security and now I can do SASE. K. But, okay, you can have a good security. You can have a pretty good SD WAN, but what happened from one place to the other?

Abraham:

Right? If you don't have a good network, it's kinda like really hard to say, like, yeah. I like the security, but I want my packet to make it to the other destination. I want my data to flow. That's when Cato, the founders, they thought about all of this.

Abraham:

And they saw the how kinda broken the whole Internet routing was around the world. And they're like, how are we gonna improve it? Right? That's why we designed when we designed the the architecture, it's basically we use the last mile, right, from the from the branch, the site. We use the last mile to connect as quick as possible to our PoP which is the middle mile which we have control.

Abraham:

We manage it, and that's why we can provide an IPSLA of basically, I think, 4 or 5 nines. Right? Nobody else can do that. When you go ask other solution, they're like, hey. But we have, you mentioned Cato.

Abraham:

Yeah. We're fully native on the cloud. They're like, oh, we haven't. We have the cloud. We have we are in Google, Azure, or AWS.

Abraham:

We're still a virtual appliance over there. Right? And then you're just applying policies and and stuff like that. But can you offer me SLA on on this? I'm like, no.

Abraham:

Because somebody somebody it's somebody else's network they're managing. Cato, we have full control and visibility over that.

Max:

It's not just virtual appliances. You guys have, ExpressRoute and Direct Connect and, you know, you can you can

Abraham:

Yeah. If you have, obviously, we understand that there's customer with needs of huge amount of data they transfer over. So we do have, direct access to the cross connect from from all of these top, top tier data centers. Right? And then we can send now the traffic basically privately over Cato POP to the provider.

Abraham:

So instead of just, you know, the our way is to send it always to the Internet to the POP PAP scan and send it back in case that you have a huge amount of data. Obviously, cost can be a concern. So now we have we have the option of doing a a cross connect. Basically, from a side, a data center, we can peer, and now we can obviously send you to to wherever you go and look you can leverage that across, different, different branches. Yep.

Abraham:

So so talking about that, right, the infrastructure, why it's so important is because now since we manage this and we have this logic of firewall all around all around our pops, that's where we can increase the performance, accelerate the performance and do all of these things. Right? If you think about an MPLS, MPLS is just a link between 2 sites. Right? There's nothing in between that is gonna accelerate the traffic that's gonna improve.

Abraham:

That's why we, in a lot of cases, when we do park, we beat MPLS because we accelerate the traffic every time. So especially when we go overseas, people is like, what is going on? Like, tell me what what what is happening. And it's, you know, it's it's amazing. It's amazing even when in some cases, there's outages with vendor with big ISPs.

Abraham:

But our Cato customer, they don't see an issue.

Max:

Anybody that's deployed MPLS at any scale understands that you need to have 2 different networks if you wanna have redundancy. And then you get deeper. An MPLS is just a private circuit of some sort of encapsulation implemented on on a on an ISP's backbone, right, a telco's backbone. So you're still flowing through the same routers in the same path, like, 99% of the time. So, yeah, I I laugh about but but, you know, it makes things easy.

Max:

Like, for some you know, like, there's lots of applications where it's nice just to have, like, a private network. You know? And there's a reason why MPLS is still a $30,000,000,000 a year business. You know? It's, you know, it's I'm I'm not in the MPLS is dying or not.

Max:

I I just I think it's going to mutate into something else. You know? So

Abraham:

Exactly. And and and we agree. Right? There is certain applications that they they need to have the the MPLS. Right?

Abraham:

But a lot of our customers, when they see actually again, everything comes to the what type of services or application they need to access. And when they look at it on Cato, it performs like equally as an MPLS or even sometime or a lot of time, even better. And if that is the case, perfect. Right? It it will work.

Max:

I'm thinking about this in the, like I mean, the phrase you know, I'll use is, like, what's the catch? Right? Like, there's nothing's perfect, and nothing is as easy as people pretend. And, you know, like, there's, like, a certain amount of, like, a natural disbelief that comes out of this. Right?

Max:

So, Austin, maybe this is a good question for you, right, which is you know, you mentioned previous life selling other stuff and cobbling together all these different things and finding Cato, and and I think I had a very similar experience. But, like, there is a catch here. But what's the catch? Like, you know, are you guys, like, horrendously expensive? Or, you know, like, you you can't deploy sockets because you don't have hardware?

Max:

Like, what what is what is the catch here?

Austin:

Yeah. It's funny. You know, I I thought the same thing when I was watching the engineering videos before I joined Cato looking at how was it architected. You know, I haven't heard of them. How have I not heard of them if it's this great and it does all this?

Austin:

And it's I have not found the catch yet. So global manufacturing wise, we have sockets. The end of the year and the next, like, we have no supply chain issues. The the pricing. So when we speak with customers, you know, I don't I don't lead with pricing.

Austin:

It becomes irrelevant when we speak with customers. You know, at first, maybe they ask a couple questions about pricing. And once they hear everything it does, they they get a little, oh, like, what's the price? Well, is this gonna be, like, 2 x what I'm paying today? And most of the time, we're saving them money on maintenance costs.

Austin:

A lot of the firewall vendors, the legacy equipment vendors, they make them pay for the entire I mean, if they buy Palo or Fortinet, they're paying for the entire 3 years upfront, the the whole bulk of it, and they're having to finance it to do it. And when they see with Cato, oh, I only have to pay year by year, or I can pay quarterly. Man, this is this is great, man. I haven't found a catch yet, Max. I mean, not compared to our competitors.

Austin:

For sure not when it comes down to pricing with customers. I mean, I haven't there's been no customer I've worked with that's walked away from Cato because of cost. And not a single one of them has gone, oh, yeah. We're not gonna do Cato because y'all are more expensive. It's a great question.

Austin:

It just seems I think that's why it takes customers several meetings with us and them asking questions like you're asking, like trying to poke holes in it. Oh, how what's my east west traffic? What's the remote worker? Is this really gonna work? And, you know, they ask enough questions to feel really solid about what it is.

Austin:

You know, maybe they call a reference or 2 from us, and they go, yep. It it really works. It's not vaporware.

Max:

I mean, if you've ever, spent $50,000 on a pair of firewalls plus 20% support for support and maintenance over 3 years. Right? So you're 60, $70,000, $70,000 over 3 years into a firewall. I mean, that's it's a lot. It's a lot of money for one location.

Max:

You know? And it's a big site. You know? There's a big cost, and you have a lot of soft costs. You have training costs.

Max:

You have admin costs. You have people costs. You have cost cost cost. So, I mean, there's a lot that goes into it. Have you had any customers deploy sockets at remote locations for, like, remote users instead of being just, hey.

Max:

Here's software that installs in a computer. We're gonna give you, you know, give you this SD WAN piece of hardware, and you just plug it into your ISP, and, you know, we'll manage it that way.

Abraham:

Yeah. Yeah. We we do have customers like that. A lot of time, it's kinda more executive level sometime in IT. Like, they have, like, a small office, stuff like that.

Abraham:

And they but yes.

Max:

I'm trying to think, like, what else I wanna talk to you guys about here and ask you. I'd actually I'd like to get into a little bit more detail around CASB and DLP functionality. I feel like we just kinda glossed over that a little bit. And I I love these two acronyms because nobody really understands what they are, and nobody can really explain what they are ever. And everybody does it a little bit differently.

Max:

A lot of this stems from, intellectual property and data protection. How do we protect our intellectual property and data that we have? And whether that's just, preventing access, you know, have we have we secured a a cloud vendor to a point where data cannot be accessed from the general Internet in the first place? Like like, just just completely lop off this. Somebody leaked, you know, credentials, and now, you know, somebody can access this this thing from, you know, out in the Internet somewhere.

Max:

Right? I'm I'm, like, waving over the the distance out in the Internet. And the other side the other part of this that comes up a lot is, like, if we have data that's really important or we have customer data or PII or you know? I mean, there's different things between compliances. Right?

Max:

We can talk about compliance and and the PHI or PII, and we can talk about, you've got data from your customers on your platforms. How do you prevent that data from, you know, being removed or egress? You know? Can people access Social Security numbers in in your system? And in some environments, actually implement and try to use DLP to solve these problems for them outside of their actual application.

Max:

What are you using? What do you what functionality are you giving with CASB and DLP? And what problems are you solving for your customers that they're actually using you to solve?

Abraham:

So let's start by the the the CASB and the and the DLP. Right? CASB is just a we go deeper into the application. Okay? And for that reason, we do recommend enabling TLS inspection because for have a those those URL, right, those those access are encrypted most of the time, especially if it's sensitive information.

Abraham:

So we need to decrypt that. So Cato sits on the like the middleman and basically basically Cato opens that packet and now have full visibility. And now he can tell if somebody have access to, for example, OneDrive, SharePoint. Right? Let's start with that one.

Abraham:

It's a business app. So we look at that, and now we can tell if the user is trying to download and upload. And now you can see that somebody is downloading. You're like, but why they're downloading so much file? Right?

Abraham:

We can which on Cato, you can raise an alert or you can actually block that, or you can create a group of users that have access to upload and some other groups of users, they can actually download. Okay? So you can go to a Facebook marketing, they can go post, these people can actually do chat, these other can do Facebook live, and so on. So you can control that deep detail into each applications. 2nd, it's when basically you have DLP.

Abraham:

Basically, DLP is complementing in the CASB because now DLP looks at the actual data. Right? It's a CASB is looking at the application and what they're doing. DLP, it's looking, okay, they're doing upload, download, or posting, but what they are posting? What type of data?

Abraham:

And that's where we look for credit card information, Social Security numbers, and so on. And we can detect that based on type of files, PDF, Word, Excel, and so on, and then we can decide if that user is allow or not. Okay? This is when, it comes pretty handy, right, because we know a lot of this stuff were happening before the pandemic. Right?

Abraham:

But a lot of the users, the IT, IT shadow IT, right, they're kind of like, I have 2, 300 users out there, and I don't know anything about it. Like, what are they doing? And I'm like and they're like obviously, everybody's like, yeah. And the the the c the c level are concerned because where is my data? It's in all of these workstation, personal computers.

Abraham:

So this is when the, our our ZTNA comes handy, obviously, with the CASB and DLP because, as we mentioned before, we can apply the always on and now you have always visibility on what is happening on that workstation. No matter where they're going, you always will have the visibility. So now you limit the exposure of those public apps to the entire world to only Cato Networks.

Max:

ZTNA isn't a specific additional module. It's just something that's included in in this CASB sorry, in the in the Cato remote access solution.

Abraham:

Correct. Yeah. ZTNA is just limiting the access of that user.

Max:

Correct. So how granular how far in terms of policies can you go with users when you start talking about authenticating? So, like, if I, you know, what would be a good example? Like, could I take my laptop and go to China and connect to, you know, and connect to my corporate resources or could you define a geofence and say, you know, this user has to be in these locations I mean, like, what like, what what sort of policies and entitlements can be built with ZTNA with Cato?

Abraham:

It's going with the user identity, right, who is the user and what type of device they're using. You can do postures on those devices. Right? You can check if they have a certificate that is a corporate certificate. You can check if that device has been managed by the MDM solution.

Abraham:

You can check if that device has an anti-malware and which one is it. You can check if that device has a firewall and what type of firewall is it, if it's on or off and what version they're in. Right? You can limit based on the country, where that device is, where they're connecting from. Right?

Abraham:

And if that device is a Windows, Mac, iOS, or an Android, right, or Linux. So you can set all of those on the rules like from a I'm going to put myself, right, Abraham has this Windows laptop, make sure they have all of these, profile checks so then I can access this type of application. Alright. So you can go pretty, really, really granular with this and not only to the Internet but also to your private traffic, to your data center.

Max:

You guys need to talk about this more because so many people that are out in the market pushing ZTNA are not. Little simple things like, you have MDM running with a certificate present on the device in order to authenticate on this box to connect to this network and do something. It's incredible, like, what that actually enables for you in terms of access policy and and protection. Favorite question of mine lately that I've been asking a lot of people in the security world is what do you implement for a company in what order? So if you if you were hired in as a CSO for a business and it had nothing, you know, like like and you were looking at, okay, now we have to create security policy and increase posture.

Max:

What do you do in order? And my personal belief for this is, you know, of course, starting with strong identity and and multifactor authentication is like, just turn it on because you're already using a platform that supports it. So it's like identity and SSO is like foundational to all of this. But at some point you get to a point, you know, you get to a question you start talking about, especially with remote users, are you licensing and deploying EDR or SWG? And at what order do you do these two things?

Max:

And EDR is like a very popular step next step up. Right? Because it gives you a lot of visibility. But I think I mean, I'm not knocking EDR. Everybody should have it.

Max:

But I think of EDR as more of like a it's more like a defensive reactionary thing. Like, what happened on this computer? And can we track what happened on it? And then can we revert what happened on it? And it's, you know, after the fact versus, you know, when I think of a SWG more of like an offensive measure, like, you know, if you don't get the virus on the computer, you don't need to have something to take the virus off the computer, you know, almost in that fact.

Max:

Now now you should probably have, like, a really strong email security platform as well because, like, everything comes from email. But what I'm I'm kind of been chewing on a little bit thinking about this is, you know, modern network architecture. Right? You have to have an SD WAN. Like, you're crazy if you don't.

Max:

You you, of course, have a firewall. You have to. And and is the SWG just become, like, foundational? Like, you don't even have to think about it in terms of the order of, like, what are you deploying? Because you just end up getting it if you deploy Cato because it's just here, and this isn't like a the question isn't really well formed, but I'm I'm thinking about this more along the lines of, like, is the SWG just become table stakes and not really a a point of conversation of, like, at what point do we license and deploy this thing now because this is just foundational for our network.

Abraham:

You mentioned a very, very important point there. Obviously, I kinda have a very similar, like, a way, how I started. Basically, it's MFA, whenever you have MFA. The other thing is a single sign on. Right?

Abraham:

Because now instead of users having their own password everywhere and the tracking tracking what those logins are, what type of data, right, now you manage all your public application, all the private application through one login. Right? So whenever that person whatever happens, you just go one place, shut it down. Right? That's it.

Abraham:

MFA is obviously very, very important. And, yes, endpoint protection, I think, is is always good. But you mentioned very interesting and and very important is, what is actually happening on this day on the local computer? The only thing that is happening still are USB. Right?

Abraham:

Somebody, you know and that's one of the top reason can I recommend that is because somebody come with infected USB? You never know. Right? Plug it in, and now it's on the workstation. But it's even that is very minimum that users are doing.

Abraham:

Right? Because now you have your Dropbox, Box, OneDrive, like, all the data is there and where is it? On the cloud. Right? So next, having a a good security, it's always good.

Abraham:

Right?

Max:

I have USB drives that I bought, sealed from a manufacturer, from a supply chain I trust, that have been in my possession their entire life cycle, that I will never plug into a computer ever again because I'm so paranoid because I've seen all these things happen out of USB drives.

Abraham:

It's just like and it's

Max:

like I know where this thing has been the entire time that it came out of a sealed package. Right? And and it's completely fine. There's no reason why I can't plug this thing in, but it's just I just can't do it anymore because it's I I don't know. It's just like guys, this is incredible.

Max:

I mean, Austin, you said this earlier, and and it was a similar experience for me when you start actually digging into, know, the kind of things that you want. And we kinda glossed over this a little bit of just being able to say, hey. We're gonna create 1 firewall policy, 1 you know, and apply it to everybody everywhere regardless of where they are. Doesn't matter if this is an an office in LA versus an office in New York versus an office in London or a remote user that's working from their home, you know, in Texas or wherever they happen to be, and and being able to manage and have visibility across that in a single place. It's just if you've ever done anything opposite to that, you just I don't think you really have to it it doesn't take a lot to really understand, like, why this is a really good idea.

Max:

Right? You know, just just having everything going and flowing through a single location where you can control it or not even control it, but just inspect it and be aware of it and track it and and take action against it. It's such a a powerful idea to to think about. And if and coupling that with, you know, really this what do you do about now? A percentage of your users are always gonna be remote.

Max:

A percentage of your devices are always gonna be remote. You know, applications are all over the place. What applications are you even using? And I I get back to my earlier question. It's just it's like, you know, to a certain degree, it sounds you know, it seems too good to be true.

Max:

But this really does feel like what life should be like for people that are managing networks and security infrastructure for their businesses at this point. And, you know, I'm, was very happy to have found Cato and be able to have these kind of conversations. Any, any last words? I'll give you the parting parting shot here.

Abraham:

I I can add, and it's you you ask a very good question. It's about, obviously, the concerns that customer have is trusting. Right? Trusting something in new technology. Obviously, we've been here since, 2015.

Abraham:

We've just been growing. And then one thing I can say is, look at the who are the founders? Right? These are the founders that basically are pioneers on the security. You know, our our our founder, Shlomo Kramer.

Abraham:

Right? Check Point, Imperva, Incapsula. 1st founders on Palo Alto. So if you think about it, you're like, okay. These people kinda should know security if you're concerned about security.

Abraham:

Right? And then and second is, you know, live examples. I've seen customers, right, Fortune 500s, where they go with Cato but still maintaining MPLS and still maintaining other things just to make sure, like, if it doesn't work, I have something in place, which it made completely sense because obviously you want a business to continue running, right, something affected but that that that's the whole point of this, right, to to make sure you always have a good uptime. And what I've seen is when I talk to them, it's like, yeah, I'm keeping my MPLS, this thing here, for around a year or 2. When we start deploying Cato and they start basically seeing how Cato performed, literally, they're coming back to us like, I'm actually gonna remove all of this within 6 6 months or less.

Abraham:

Because, obviously, they get it they get that, like a, you know, like a comfy blanket, you know, like this in case this doesn't work, obviously, because they don't see a 100% confident. But I've seen it over and over, customer that still have another solution and how they're like, forget about the year left. Let's go for Cato. Forget about the MPLS. Put the, you know, the the removal notice.

Abraham:

Let's go with Cato. Because they've seen it. They they are now testing it, and they see the value. They're like, yeah. This is a no brainer.

Abraham:

So that's that's something I wanna add, obviously, for the people there that still have concern about this new technology. I was kinda in the same shoes. Right? Because I'm coming from a big MSP, I used to do data centers config, network configuration, different type of firewall, huge firewall migrations. So it took me a little bit to understand that technology, the concept of getting why we're doing it.

Abraham:

But when you think about it, when you give it a chance, you're gonna see the value. You're gonna see, like, wow. This is actually it is, like, it is the future. It is where we're going. Right?

Abraham:

So the so it's, it's pretty amazing. It's pretty fun, and it's a technology that, obviously, we'll love customers to give it a shot because it it works. And thank you, Max, for your time and the opportunity.

Max:

Amazing, guys. Thank you so much for this.

Creators and Guests

Max Clark
Host
Founder & CEO of ITBroker.com