Enterprises that have grown comfortable with Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) are increasingly accepting of Network as a Service (NaaS). NaaS is a rapidly growing market. According to Market Research Future, NaaS is expected to become a US $126 billion market by 2022, sustaining an annual growth rate of 28.4 percent.

One of the key benefits of cloud-based networking is increased security for applications and data. Given that the traditional perimeter of on-premise networks has been decimated by mobile and cloud computing, NaaS builds a new perimeter in the cloud. Now it’s possible to unify all traffic – from data centers, branch locations, mobile users, and cloud platforms – in the cloud. This means an enterprise can set all its security policies in one place, and it can push traffic through cloud-based security functions such as next-generation firewall, secure web gateway, advanced threat protection, and so on.

These security capabilities are basically table stakes for NaaS providers. Customers expect to be able to pick and choose the security services they need.

One of the major players in the NaaS market, Cato Networks, is introducing an even more advanced security capability, threat hunting, as part of its networking service. This is the process of proactively searching the network for threats that have evaded preventative security measures.

Being able to proactively look for threats is a goal for many enterprises, but it’s not easy to achieve. Threat hunting is a data-heavy process that usually requires the installation of endpoint agents and/or hardware appliances to collect the metadata from network traffic. Massive amounts of data must be correlated and analyzed, and failure to incorporate even a few data sources could result in missing a threat.
What’s more, threat hunting is still a human-intensive effort, and it’s hard for companies to afford (or even find) the skilled people who are qualified to do this job.

What makes Cato Networks’ threat hunting different?

Cato’s threat hunting service is unique in that it is totally contained within the global network that Cato operates. Customers do not need to install anything — no additional data collection hardware and no agents on endpoints. Cato gets all the data it needs from the traffic flows already on its network.

In hunting for threats, Cato uses data from the entirety of its network; i.e., metadata from all customers’ traffic. This gives Cato a much more complete set of data to analyze and a broader view of global threats than simply looking at the data collected by any one enterprise.

From a customer perspective, the threat hunting service is automatically and continuously happening in the background. Cato built its own data models and applies them to all the traffic data it has. A customer doesn’t have to do anything. Even the skilled security analysts are on Cato’s staff.

The threat hunting process is finely tuned and highly accurate. Cato analyzes the traffic metadata across multiple layers and in particular: client classification, time (repetitive communications), and target popularity.

In terms of client classification, Cato starts identifying flows with the typical entities such as source IP, username, and device name, used by most threat hunting systems. However, Cato expanded client classification to distinguish the source application type, such as Microsoft Office, Windows Update, or an unknown bot.

Another data layer that Cato looks at is time. Active malware shows network patterns over time, such as repeatedly communicating with a C&C server to exfiltrate data.
Time (repetitiveness) is something many other security solutions typically do not consider.

The third context element that Cato analyzes is the target. Most security solutions define target by the IP or domain address that a client is connecting to. They typically use this information to check the target against a list of security feeds, for example, to check its reputation. Cato developed a method for ranking targets that it calls “popularity score.” The score is calculated based on the number of times clients communicate with a particular target IP address or domain from across Cato’s network. Scores of all targets are then bucketed; the lower the popularity rank, the greater the likelihood that the host is involved in a malicious event.

Even the best algorithms today can turn up false positives, so once events are identified as “critical,” Cato’s security team validates the results. If a threat is indeed found, the analysts contact the customer that was the source of the issue and work with the customer to mitigate the threat. Cato also updates its threat prevention systems, protecting all customers from the threat.

From a customer perspective, threat hunting can’t get any easier — customers literally don’t have to do anything. And yet it’s an incredibly valuable service to be able to find and mitigate security threats that could pose harm to an enterprise.
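
The time and target-popularity layers described above can be combined in a single pass over flow metadata. The sketch below is an added illustration, not Cato's algorithm or code from the article: the distinct-client popularity measure, the log2 bucketing, the jitter metric, every threshold and all sample flows are assumptions constructed for the example.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev

MIN_EVENTS = 5     # assumed: fewest connections needed to judge periodicity
MAX_JITTER = 0.10  # assumed: max stdev/mean of gaps to call traffic repetitive
MAX_BUCKET = 1     # assumed: buckets 0-1 (fewer than 4 clients) count as "rare"

def popularity_buckets(flows):
    """Map target -> log2 bucket of the number of distinct clients contacting it."""
    clients = defaultdict(set)
    for _, client, target in flows:
        clients[target].add(client)
    return {t: int(math.log2(len(c))) for t, c in clients.items()}

def jitter(times):
    """Coefficient of variation of inter-arrival gaps; inf if it cannot be judged."""
    if len(times) < MIN_EVENTS:
        return math.inf
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else math.inf

def hunt(flows):
    """Return (client, target) pairs that are both repetitive and rarely visited."""
    buckets = popularity_buckets(flows)
    per_pair = defaultdict(list)
    for ts, client, target in flows:
        per_pair[(client, target)].append(ts)
    return sorted(pair for pair, times in per_pair.items()
                  if jitter(times) <= MAX_JITTER and buckets[pair[1]] <= MAX_BUCKET)

def sample_flows():
    """Constructed flow metadata (epoch seconds, client, target); not real traffic."""
    flows = []
    # Rare target, one client, a connection roughly every 300 s with small jitter.
    flows += [(300 * i + (i % 3), "laptop-17", "cdn-a1.example.net") for i in range(12)]
    # Popular target, 20 clients, each polling on a strict 600 s schedule.
    flows += [(600 * i + c, f"pc-{c}", "updates.example.com")
              for c in range(20) for i in range(6)]
    # Rare target, one client, irregular human browsing.
    flows += [(t, "pc-3", "blog.example.org") for t in (10, 95, 1400, 1460, 5000, 5200)]
    return flows

if __name__ == "__main__":
    for client, target in hunt(sample_flows()):
        print(f"review: {client} -> {target}")
```

The strictly periodic update traffic is excluded only because its target is popular, and the rare blog is excluded only because its timing is irregular; neither layer alone separates the three cases.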