Breaking Bad: How CDR and ‘known good’ are delivering on the promise of file safety


Author: Luke Robbertse, Head of Technology Operations, Glasswall

The way we open, share and collaborate on documents has changed forever and continues to evolve. Traditionally, email was the common platform for smaller files and FTP for larger ones. We now use an array of cloud sharing options such as Dropbox, WeTransfer, Google Drive and OneDrive, and cloud object stores such as S3 or Blob Storage, and that doesn’t even cover collaboration tools like Slack or Microsoft Teams. More and more documents are transferred across networks and domains outside the email infrastructure, and with the increased reliance on remote working, the need to move files safely from a public network to a more private one grows with them.

There has always been a need to evolve our defences against cyber threats, but as the volume of digital documents transferred online for B2B, B2C and between individuals explodes, how should we adapt to properly protect ourselves in the cloud? Simply layering one mousetrap onto another delivers diminishing returns, so deploying complementary but contrasting technologies is the key. This is where CDR, an emerging segment of the cyber security landscape, offers a truly effective solution. For those who haven’t yet come across it, here is a summary of what CDR, or Content Disarm & Reconstruction, does and how it meets the challenge.

To start, let’s define the threat. Malicious software, or malware, is typically hidden within the content of a file. But not all content is malware. Without elaborating too much, there are four kinds of content: passive, safe active, unsafe active and exploitive. The first two are safe; the latter two are forms of malware and are dangerous. Layered onto the structure of the threat is the speed at which new malware is created, morphs and evolves. Verizon estimates that new, unknown malware is created every 4.2 seconds.
This is inherently problematic when the foundation upon which your defence is grounded relies on knowing, or more often guessing, whether content is malicious.

“Rather than trying to detect and block ‘known bad’, CDR focuses on reconstructing files to a safe state of ‘known good’ by creating a new and benign file”

To illustrate this point, let’s look at the well-known and established defences of antivirus (AV) and sandboxes. AV looks for patterns of data that match the characteristics of known unsafe active or exploitive content: AV engines essentially look for ‘known bad’. Detonation chambers, or sandboxes, attempt to detect malware by monitoring the behaviour of content when a file is opened or executed. They look for the behaviours of malicious software, in other words ‘unknown bad’. CDR is the exact inverse of this methodology. Rather than trying to detect and block ‘known bad’, CDR focuses on reconstructing files to a safe state of ‘known good’ by creating a new and benign file. The leading CDR vendors do this in three steps:

Deep-File Inspection: Reading the file into memory, then inspecting its three distinct layers:
- Visual Content Layer – what users actually see when viewing or editing the file: the text and images on the page.
- Active Content Layer – additional functionality in a file or program, such as macros, JavaScript, embedded files or data connections.
- File Structure Layer – the framework within which the visual and active content is stored and managed.

Remediation: Remediation repairs a document’s structure, ensuring complete compliance with the published specification for that file type. For example, PDF is defined by ISO 32000, which grew out of Adobe’s own PDF Reference and details every valid structure in a PDF file; Microsoft publishes specifications for its legacy binary Office formats, and the newer Office Open XML formats are standardised as ISO/IEC 29500.

Sanitisation: The removal of active content, mitigating the risk posed by unnecessary functional features in files. Controlled by policy, sanitisation lets users keep the document features they need and strips out the functions they don’t.
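The three steps above, worked through on one concrete container format as an added example (illustrative code written for this page, not Glasswall’s engine): an Office Open XML document is a zip of XML parts whose links are declared in relationship files, so the active-content layer can be stripped by allowlisting relationship types, the file-structure layer is kept consistent by repairing [Content_Types].xml and checking that no relationship dangles, and reconstruction writes a brand-new archive rather than patching the old one. The policy table, the content-type rewrite and the sample macro-enabled document are assumptions made for the example; the placeholder bytes stand in for a real VBA project.

```python
# Added example (not Glasswall's code): allowlist-driven CDR pass over OOXML; policy and sample are constructed.
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
XML_DECL = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
ACTIVE_REL_TYPES = {  # assumed policy: relationship types treated as active content; a deployment makes each switchable
    "http://schemas.microsoft.com/office/2006/relationships/vbaProject": "vba_macros",
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject": "ole_object",
}

def _to_xml(root, default_ns):
    ET.register_namespace("", default_ns)  # serialise with a default namespace, no ns0: prefix
    return XML_DECL.encode() + ET.tostring(root)

def _owner_of(rels_name):
    # "word/_rels/document.xml.rels" -> "word/document.xml"; "_rels/.rels" -> "" (package root)
    rels_dir, base = posixpath.split(rels_name)
    return posixpath.join(posixpath.dirname(rels_dir), base[:-len(".rels")])

def _resolve(owner, target):
    # Targets are relative to the owning part's directory, or package-absolute with a leading "/"
    base = "" if target.startswith("/") else posixpath.dirname(owner)
    return posixpath.normpath(posixpath.join(base, target.lstrip("/")))

def sanitise_ooxml(data, policy=ACTIVE_REL_TYPES):
    """Return (rebuilt_bytes, report). A fresh archive is written; the input is never patched."""
    with zipfile.ZipFile(io.BytesIO(data)) as src:
        parts = {n: src.read(n) for n in src.namelist() if not n.endswith("/")}
    report, dropped = [], set()
    # Active-content layer: drop disallowed relationships and remember the parts they named.
    for name in [n for n in parts if n.endswith(".rels")]:
        root, owner = ET.fromstring(parts[name]), _owner_of(name)
        for rel in list(root):
            kind = policy.get(rel.get("Type"))
            if kind:
                target = _resolve(owner, rel.get("Target", ""))
                if rel.get("TargetMode", "Internal") == "Internal":
                    dropped.add(target)
                report.append((kind, owner, target))
                root.remove(rel)
        parts[name] = _to_xml(root, REL_NS)
    for target in dropped:  # remove the part and any relationship file of its own
        parts.pop(target, None)
        parts.pop(posixpath.join(posixpath.dirname(target), "_rels", posixpath.basename(target) + ".rels"), None)
    # File-structure layer: keep [Content_Types].xml consistent with the parts that remain.
    macros_gone = any(kind == "vba_macros" for kind, _, _ in report)
    ct = ET.fromstring(parts["[Content_Types].xml"])
    for el in list(ct):
        if el.tag != f"{{{CT_NS}}}Override":
            continue
        if el.get("PartName", "").lstrip("/") not in parts:
            ct.remove(el)
        elif macros_gone and el.get("ContentType") == MACRO_CT:
            el.set("ContentType", PLAIN_CT)  # the main part must not claim macros it no longer has
    parts["[Content_Types].xml"] = _to_xml(ct, CT_NS)
    # Structural check: every surviving internal relationship must point at a real part.
    for name in [n for n in parts if n.endswith(".rels")]:
        for rel in ET.fromstring(parts[name]):
            target = _resolve(_owner_of(name), rel.get("Target", ""))
            if rel.get("TargetMode", "Internal") == "Internal" and target not in parts:
                raise ValueError(f"dangling relationship in {name}: {target}")
    # Reconstruction: a brand-new zip with content types first; nothing is copied from the old container.
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in sorted(parts, key=lambda n: (n != "[Content_Types].xml", n)):
            dst.writestr(name, parts[name])
    return out.getvalue(), report

def build_sample_docm():
    """Constructed input: a minimal macro-enabled document whose VBA part is a placeholder."""
    xml_parts = {
        "[Content_Types].xml": f'<Types xmlns="{CT_NS}"><Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_CT}"/></Types>',
        "_rels/.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Target="word/document.xml" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument"/></Relationships>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Target="vbaProject.bin" '
            'Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject"/></Relationships>',
        "word/document.xml": '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>Invoice attached</w:t></w:r></w:p></w:body></w:document>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in xml_parts.items():
            z.writestr(name, XML_DECL + xml)
        z.writestr("word/vbaProject.bin", b"placeholder bytes standing in for a VBA project")
    return buf.getvalue()

def demo():
    clean, report = sanitise_ooxml(build_sample_docm())
    with zipfile.ZipFile(io.BytesIO(clean)) as z:
        return {"parts": z.namelist(), "report": report,
                "content_types": z.read("[Content_Types].xml").decode(),
                "document_rels": z.read("word/_rels/document.xml.rels").decode()}
```

Calling demo() runs the pass over the sample and returns the rebuilt part list, the stripped-relationship report (what a remediation log would record), and the repaired XML. A production engine goes further on every layer: it parses the XML bodies themselves (the visual layer), validates each part against the schema rather than trusting its content type, and treats its own parsers as attack surface, since they are the one component that must consume untrusted input.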

Further benefits of this approach are lightning-fast reconstruction times, giving seamless safety with no interruption to productivity. Because file formats change only every few years, CDR needs no signature feed and no daily updates; its parsers need revising only when a format specification does. And because files are regenerated rather than blocked, CDR does not suffer from false positives, the bane of every security professional’s life; the setting that does need care is the sanitisation policy, so that features users genuinely need are not stripped along with the ones they don’t. CDR also has profound implications for the need for expensive, time-consuming and often ineffective security training. While security training in some form will always be an important part of an organisation’s strategy, by regenerating files to a safe standard CDR greatly reduces the reliance on employees as the last line of defence. It lets them focus on their jobs without having to worry that the file they want to open is malicious. It’s time to stop making users the victims or culprits. After all, links are meant to be clicked, PDFs are meant to be opened and executables are meant to be run.

CDR is not a displacement of training or traditional technologies, as each has its own place and purpose, but it is a completely different methodology, delivering true defence-in-depth. Everyone in an organisation has the same aim, from the board through the CISO and security teams right down to the users: maximum security with minimum impact on productivity. More than any other technology, CDR delivers against this objective.

At Glasswall, we know that CDR has a major role to play in protecting organisations from the threat of malicious files and documents. But we’re not alone. While governments and the intelligence community in particular have long touted CDR as a required security standard, in Gartner’s June 2020 Hype Cycle report CDR was highlighted as “an important layer in any organisation’s defence-in-depth and content protection strategies”. Gartner also says “CDR can eliminate one of the most common infection vectors that is hard to deal with in other ways” and that it expects “CDR will ultimately be considered a best practice”. High praise indeed.

While validation and endorsement of CDR by organisations such as Gartner are important, the community of CDR vendors as a whole is also working together to raise awareness, educate the industry and build the market. At the 2020 Open Security Summit, a session titled ‘CDR: How to Collaborate and Increase Adoption’ brought together representatives from Glasswall, OPSWAT and ReSec to discuss collaboration initiatives and the promotion of CDR as a concept.

Where can you get a feel for CDR and better understand how it can be implemented or integrated? Glasswall offers a variety of ways to test its technology:
- For individual files, there is a free website where visitors can drop in a file and Glasswall returns the clean version with a report on how it was made safe.
- As a developer, try out the Rebuild API, which offers the first 50 file requests free.
- For larger organisations, consider the full range of solutions to help protect users and the business.

This content was created in partnership with Glasswall.