CASB Tech Hour Q&A
Yesterday, we hosted a live Tech Hour focused on CASB, and it sparked some fantastic discussions. A big thank you to everyone who joined and contributed questions!
We've compiled the full Q&A from the session:
Will we be getting this recording after the webinar?
Yes, the recording will soon be available at this link. You can find all live session recordings in Cato Academy > Live Sessions.
In Application Control, do we still get alerts for sanctioned apps if their risk rating is 6 or higher? Can we set it up in such a way that we are not notified about sanctioned apps?
Getting alerts in the Cato Management Application is fully customizable, so you can decide whether or not you get alerts for specific applications based on risk score and other parameters.
In Experience Monitoring we have good data for device and network performance; however, is there an option to export the data?
Today we have a few methods to get the data, via reports or the API. Export to CSV buttons are on our roadmap and will be added soon.
We know CASB requires TLS inspection to be enabled. What if the business bypasses TLS inspection on Microsoft services (apps/networks/IPs)? How can we still control the tenant and personal instances of Microsoft services, or is this no longer possible with TLS bypassed?
With TLS inspection set to bypass Microsoft services, inline CASB controls will be somewhat limited and tenant control will not be available.
Is access to GenAI apps controlled by Sanctioned/Unsanctioned feature or are there other policies that control access specifically to GenAI apps?
GenAI apps are controlled by the application and data control policies in the system. Sanctioned/Unsanctioned labeling can be used as an attribute in those policies.
We don't have the GenAI view. Do we have to set up a rule beforehand to get that to show, or enable something else?
The GenAI dashboard requires a CASB license; once that's enabled, the default CASB policies automatically start collecting application and activity usage and populate the dashboards with insights.
I always feel like sanctioned/unsanctioned is counterintuitive to your Zero Trust movement. I don't trust any app, whether it's MS or ServiceNow or ChatGPT. Therefore, I don't sanction any app. I understand the administration advantages but choose not to do it.
While this is a valid approach that can be easily configured through CMA, we see many customers labeling SaaS apps and setting up rules according to these principles.
To clarify my understanding: the CASB license provides in-line app activity and data protection controls and API SaaS monitoring, and if you want to enforce data protection policies for SaaS via API, that is an additional license? Is that correct?
SaaS Data Protection via API requires the "SaaS Security API" license.
I had a new customer get a popup in Outlook saying "This message includes one or more recipients who aren't authorized to receive sensitive information". They do not have sensitivity labels configured, but they do have the O365 connector setup. Did this come from our CASB engine? If so, how?
Please follow up with a support ticket, as I'm lacking specific information and reproduction steps. Thanks!
Can automatic alerts be generated when there is abnormal activity?
Abnormal activity is detected using Cato's XDR engine.
How is Cato handling HTTP/3 (QUIC) encrypted communications and HTTP/2 SaaS apps that use certificate pinning and thus require TLS decryption exceptions for end users to use them?
Cato recommends blocking QUIC to force the session to fall back.
Applications that use cert pinning are analyzed and bypassed by the Cato security team.
More information can be found here.
Under "Applications" in this Cloud Activities dashboard, I can see 2 download activities, but when I click on it, nothing happens. How can I drill in more to see WHO performed those activities?
You can hover over the application name and either add it as a filter to the dashboard or see them in the Events Discovery tab.
As of now, my understanding is that the Data Protection API does not support automatic deletion or blocking of files that violate policies.
Are there any plans to expand the range of enforcement actions available in the future?
Cato API Data Protection supports remediation actions like Quarantine and Remove Shares.
We are constantly adding additional controls and applications.
Currently we are working on adding the Data Protection API for ChatGPT. The Data Protection API requires configuring a connector and defining policy rules.
Without getting into app-specific differences, we can automatically remove shares or move files to quarantine in case they match configured rules (i.e. a user action that violates an AM/DLP policy).
CASB licensing is bandwidth-based? How does this work for SDP users?
It is bandwidth based; there is a BW model and an SDP model. We'll be more than happy to follow up on this to provide more details.
Many SaaS apps, including popular services from Microsoft, Google, Apple, etc., all use certificate pinning and require TLS decryption exceptions to be put in place for their sites to work. This negates the visibility needed to make informed decisions on end user traffic. Reposting the question a different way to hopefully get some clarification. Palo Alto has not solved this problem either.
Native applications that use cert pinning are not inspectable, hence inline inspection will not work (Cato bypasses them).
To gain visibility into them, API connectors are the way to go.
Is there a demo environment for partners to use?
Yes, the MSASE_demo account is the partner demo environment.
Does Integrated Apps require SaaS API license or does it work with just CASB?
Just the CASB license.
The GenAI report is available now. Will it have more data with the CASB license?
Yes, the CASB license will populate the report with all of the granular activities and data sources.
Under Security > Cloud Activities we notice there are files being uploaded to specific applications. Is it possible to view the files being uploaded to each application for DLP purposes?
That will require setting up a data control rule for content inspection. This will provide the visibility you are looking for.
Can we set up a DLP rule in an Application Control rule?
The App and Data Control page incorporates the CASB/DLP and File Control rules.
In regards to Data Protection Profiles, how are we to identify false positives? For example, if there is a rule that blocks upload of credit card numbers to SalesForce and there is a hit on the rule, how can we determine if this is a legitimate detection or a false positive?
Currently this requires checking the file that triggered the policy. We are working on adding forensics snippets from the matched content into the event for FP analysis.
Doesn't the user just have to log in to ChatGPT with his corp email address to bypass this rule?
No, this level of control is deeper than identifying the login activity, as the tenant is extracted from the HTTP headers and compared to the policy.
Can the client alert be disabled for given rules?
Currently not; it appears for all CASB/DLP hits. This is on our roadmap for later this year.
He can still use a corp email address for a free account in ChatGPT.
Yes, but you can still configure a rule to block sensitive data and monitor that activity.
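The tenant-control exchange above (corp e-mail login versus tenant binding) as an added example that is not Cato's code: a small inline-policy model in which the decision is made on a tenant identifier carried in the request headers, so a personal account logged in with a corporate e-mail address is still treated as a personal instance. The header name `X-Tenant-Id`, the tenant values and the sample requests are constructed assumptions.

```python
# Added example (not Cato's code): models how an inline CASB decides whether a
# SaaS session belongs to a sanctioned tenant or to a personal instance.
# The header name below is a hypothetical placeholder; the session only states
# that the tenant is extracted from HTTP headers and compared to the policy.
from typing import Dict, Optional

ALLOWED_TENANTS = {"corp.example"}   # constructed policy: the sanctioned tenant(s)
TENANT_HEADER = "x-tenant-id"        # hypothetical header name (assumption)


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Parse a raw HTTP request head into a dict keyed by lower-cased header name."""
    headers: Dict[str, str] = {}
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if not line:
            break                                 # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def tenant_of(headers: Dict[str, str]) -> Optional[str]:
    """Return the tenant bound to the request, or None when it is a personal instance."""
    return headers.get(TENANT_HEADER)


def tenant_decision(raw_request: str) -> str:
    """'allow' only for requests bound to an allowed tenant; everything else 'block'.

    A corporate e-mail typed into a login form lives in the body, not in the
    tenant header, so it does not make a personal instance look sanctioned.
    """
    tenant = tenant_of(parse_headers(raw_request))
    if tenant is None:
        return "block"      # no tenant binding at all: personal instance
    return "allow" if tenant.lower() in ALLOWED_TENANTS else "block"


# Constructed sample requests.
CORP_REQUEST = ("POST /api/chat HTTP/1.1\r\nHost: app.example\r\n"
                "X-Tenant-Id: corp.example\r\n\r\n")
PERSONAL_REQUEST = ("POST /login HTTP/1.1\r\nHost: app.example\r\n"
                    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                    "email=alice%40corp.example&password=...")
OTHER_TENANT_REQUEST = ("POST /api/chat HTTP/1.1\r\nHost: app.example\r\n"
                        "X-Tenant-Id: other.example\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("corp", CORP_REQUEST), ("personal", PERSONAL_REQUEST),
                       ("other", OTHER_TENANT_REQUEST)]:
        print(label, tenant_decision(req))
```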
I have a question regarding how DLP behaves.
My understanding is that the DLP scan supports files up to 20MB in size. If a file larger than 20MB is sent, does the DLP engine scan up to 20MB of the file before triggering a fail action?
Or is the file immediately treated as a failure without any scanning due to exceeding the size limit?
The file will be scanned up to 20MB.
So basically we set up a DLP rule in Cato by creating a Data Control Rule, right?
You got it right.
Question: do you have a best practice for setting up CASB and DLP?
Yes, you can refer to Cato's Default Recommended CASB/DLP Policy.