An Active Response to Removing Security Threats in Files and Emails
YazamTech is a leader in developing CDR engines and systems that maximize the removal of security risks from files and emails while minimizing how often those files are blocked, thus improving the organization's work continuity.
Files and emails are the main sources of information in the corporate network, and they can contain significant security threats. In this review, we will present the best active response achieved through CDR and understand why the conventional security technologies do not necessarily provide the required security response.
Today, files and emails do not have a simple structure; they are complex entities that contain embedded files and various objects, some legitimate and some hostile. Therefore, it is our duty to locate and neutralize the dangerous elements within them before allowing them to enter the corporate network.
It is common for every organization to already have security systems installed for incoming files and emails. The range of these technologies is vast and includes, among others, Firewall, WAF, Mail Relay/Mail Gateway, Antivirus/Antimalware, Web Proxy/Secure Browsing, EDR/XDR, and Sandbox. But the question is: do these technologies provide an answer to the security threats contained within complex files?
We can already say that most standard technologies do not disassemble files into their components (analysis), do not remove dangerous elements from them, and do not reassemble clean files (synthesis). In addition, they are unable to deal with the threats inside many types of password-protected files. Consequently, when they encounter complex files that contain hostile objects, most of them will miss the internal threats. In the best case they will block the files and emails, harming the continuity of the organization's work, and there will certainly be no active removal of hostile objects from the files.
Disassembly and Reassembly
On the other hand, the technology known as CDR (Content Disarm and Reconstruction) focuses on actively reducing risks in files and emails.
In CDR engines, we take the original complex files and emails, break them down (analysis) into their most basic components, examine the structure of each embedded file and object against its standard, locate security risks and hostile objects, neutralize or remove the threats, and finally reassemble (synthesis) clean, high-quality files and emails.
We strive to develop dedicated CDR engines, each focused on a specific file family, unlike conventional security technologies, which usually lack dedicated capabilities built for the different file types.
Unlike other security solutions, with CDR, our goal is not to block but to provide the user with functional files and emails after they have undergone active removal of security threats.
Let's demonstrate the importance of CDR with WhatsApp. Suppose we receive, via WhatsApp, a password-protected ZIP file containing an Excel file that includes a macro. Most known security technologies will either approve the ZIP file and all its contents, because they cannot inspect it down to the level of the dangerous macro, or block the ZIP file and all its contents, because it is password-protected and they do not handle password-protected files. Either way, the continuity of the organization's work is hurt.
A quality CDR system, on the other hand, will ask the user for the ZIP password and block the file only if the password is not provided or is incorrect. If the password is correct, it will open the ZIP, extract the Excel file, unpack it, and identify the macro inside. The Excel file and the macro are then handled as the system administrator has defined: block the Excel file because it contains a macro, remove the macro and return a clean Excel file to the user, or check whether the macro is a security threat and, if not, deliver it to the user. In other words, the CDR system disassembles and reassembles a password-protected ZIP containing an Excel file that has been filtered for macros, and delivers it to the WhatsApp user.
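The following Python script is an added illustration of the analysis/synthesis cycle described above and of the ZIP-in-ZIP scenario; it is not YazamTech's engine or any product's code. It walks an outer ZIP, recognizes an embedded macro-enabled workbook, removes the VBA part together with every reference to it, re-labels the workbook as a plain (macro-free) sheet, and rebuilds the archive; a missing or wrong ZIP password, an invalid ZIP, or excessive nesting causes it to block, as the text says a CDR system should. The sample input is constructed in the script: the workbook is a minimal Office Open XML container rather than a real Excel file, but the part names and content types it uses (`xl/vbaProject.bin`, `[Content_Types].xml`, `xl/_rels/workbook.xml.rels`, the macroEnabled content type) are the ones Excel writes. Assumptions: only ZipCrypto-encrypted ZIPs are handled (what Python's `zipfile` supports), and file types other than ZIP and workbooks are passed through because the example has no parser for them.

```python
"""Toy CDR pass over a nested archive: ZIP -> macro-enabled workbook -> VBA part.

Added illustration; not YazamTech's engine. The workbook built below is a constructed,
minimal Office Open XML container (not a real Excel file); the part names it uses are
the ones Excel writes: xl/vbaProject.bin, [Content_Types].xml, xl/_rels/workbook.xml.rels.
"""
import io
import re
import zipfile
from typing import List, Optional

MACRO_PART = "xl/vbaProject.bin"
MACRO_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
SHEET_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
MAX_DEPTH = 4  # refuse pathological nesting instead of recursing without bound


def build_sample_zip() -> bytes:
    """Constructed input: report.zip containing report.xlsm with a fake VBA project."""
    xlsm = io.BytesIO()
    with zipfile.ZipFile(xlsm, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types><Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
                   f'<Override PartName="/xl/workbook.xml" ContentType="{MACRO_CT}"/>'
                   '<Override PartName="/xl/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
                   '</Types>')
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/_rels/workbook.xml.rels",
                   '<Relationships><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
                   '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/>'
                   '</Relationships>')
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        z.writestr(MACRO_PART, b"\xd0\xcf\x11\xe0 CONSTRUCTED VBA BLOB")  # stand-in for a real VBA project
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("report.xlsm", xlsm.getvalue())
        z.writestr("notes.txt", "quarterly notes")
    return outer.getvalue()


def disarm_workbook(data: bytes, report: List[str]) -> bytes:
    """Synthesis step for one OOXML workbook: drop the VBA part and every reference to it,
    then re-label the workbook as a plain (non-macro) sheet. Returns data unchanged if clean."""
    src = zipfile.ZipFile(io.BytesIO(data))
    if MACRO_PART not in src.namelist():
        return data
    report.append(f"removed {MACRO_PART}")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == MACRO_PART:
                continue  # the macro itself is dropped
            payload = src.read(info.filename)
            if info.filename == "[Content_Types].xml":
                text = re.sub(r'<(Override|Default)[^>]*vbaProject[^>]*/>', "", payload.decode())
                payload = text.replace(MACRO_CT, SHEET_CT).encode()  # no longer macro-enabled
            elif info.filename == "xl/_rels/workbook.xml.rels":
                payload = re.sub(rb'<Relationship[^>]*vbaProject[^>]*/>', b"", payload)
            dst.writestr(info.filename, payload)
    return out.getvalue()


def cdr_archive(data: bytes, password: Optional[bytes], report: List[str], depth: int = 0) -> bytes:
    """Analysis step: walk a ZIP, disarm each embedded file by type, rebuild a clean ZIP.
    Raises ValueError in the cases where the article says a CDR system should block."""
    if depth > MAX_DEPTH:
        raise ValueError("archive nested too deeply; blocking")
    try:
        src = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        raise ValueError("not a valid ZIP; blocking")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            try:
                payload = src.read(info.filename, pwd=password)
            except RuntimeError as e:  # zipfile raises this for a missing or wrong ZipCrypto password
                raise ValueError(f"{info.filename}: password missing or incorrect; blocking") from e
            name = info.filename
            low = name.lower()
            if low.endswith(".zip"):
                payload = cdr_archive(payload, password, report, depth + 1)  # nested archive
            elif low.endswith((".xlsm", ".xlsx")):
                before = len(report)
                payload = disarm_workbook(payload, report)
                if len(report) > before and low.endswith(".xlsm"):
                    name = name[:-5] + ".xlsx"  # no VBA left, so it is a plain workbook now
                    report.append(f"renamed {info.filename} -> {name}")
            # other types would go to their own dedicated parser; this toy passes them through
            dst.writestr(name, payload)
    return out.getvalue()


def blocked(data: bytes) -> bool:
    """True if the pass refuses the input instead of returning a rebuilt archive."""
    try:
        cdr_archive(data, None, [])
        return False
    except ValueError:
        return True


def run_demo() -> dict:
    """Run the pass over the constructed sample and return what a reviewer would check."""
    report: List[str] = []
    clean = cdr_archive(build_sample_zip(), None, report)
    outer = zipfile.ZipFile(io.BytesIO(clean))
    workbook = zipfile.ZipFile(io.BytesIO(outer.read("report.xlsx")))
    return {
        "report": report,
        "outer_names": sorted(outer.namelist()),
        "workbook_names": sorted(workbook.namelist()),
        "content_types": workbook.read("[Content_Types].xml").decode(),
        "rels": workbook.read("xl/_rels/workbook.xml.rels").decode(),
        "blocked_non_zip": blocked(b"this is not a zip archive"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The point of the rename and the `[Content_Types].xml` rewrite is that a workbook with the VBA part deleted but the macroEnabled content type left in place is not a consistent file; a real engine has to rebuild every reference, not just drop the dangerous part, which is what "synthesis" in the text refers to.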
Choosing the proper manufacturer
In the market there are manufacturers that specialize in developing CDR solutions, as well as manufacturers that supplement other security technologies with CDR capabilities of various kinds. When choosing a manufacturer and a CDR solution, check whether the solution includes capabilities dedicated to different file types or whether it is generic and does not focus on the distinct threats that exist in different file types. It is also important to examine to what extent the proposed solution can remove threats from files and emails and make them safe to use, instead of merely blocking them and disrupting work continuity.
It should also be checked whether the solution returns usable files whose quality and user experience are not compromised, which may happen when the filtering is based on file format conversions.
Additional points to examine: is the filtering process fast enough not to delay work or create bottlenecks, and does it require substantial computing resources to maintain good performance? Does the manufacturer offer a package of solutions covering all entry points of files and emails into the organization? And finally, has the manufacturer developed its own dedicated CDR capabilities, or does it rely on capabilities provided by antivirus engines?
Installing anywhere and at all entry points
Historically, the adoption of CDR solutions has tracked the progress of the various regulations. It began naturally in security and government bodies and continued into the financial and health industries. Today, CDR solutions can be found in organizations as diverse as local government, infrastructure, transportation, communications, education, industry, high-tech and law.
Since full CDR capabilities are now offered as SaaS services in the cloud as well as on-premises installations at the customer's site, even small organizations can benefit from CDR as a Service.
We recommend installing the CDR solutions at every possible entry point of files into the organization, including emails (both local email servers and email services such as Microsoft 365), when downloading files from websites using browsers (e.g., Chrome, Edge), when receiving files via chat programs (such as WhatsApp), when inserting files from removable media (including mobile devices), and when files arrive in directories (after uploading via SFTP/HTTPS).
The author is the founder and CEO of YazamTech, which develops CDR engines for a wide variety of file families and types, with an emphasis on actively removing security threats from files and emails and reducing their blocking. The company's solutions are installed at the various entry channels of files and emails into the organization and are offered both as on-premises installations and as SaaS cloud services.
In collaboration with YazamTech