Cyber File Surgery
Ed Amoroso @hashtag_cyber summarizes a recent discussion with Sasa Software about the use of CDR for #cybersecurity.

Roughly two decades ago, I participated in a cool project with the White House to construct a Y2K Coordination Center. The center, which was situated on I Street in Washington, had the mission to solicit and ingest data, information, and gossip from around the world via fax, email, phone, and web. The goal was to determine exactly what was happening as the clock struck midnight on 01/01/00 (and yes, I do see the supreme irony in how I just abbreviated that year).

In retrospect, it seems surprising that we were not much concerned at the time with the structural integrity of files being ingested via email or other transmittal means during the brief operation of this fusion center. If such a collection center were operating today, then presumably some sort of content examination would be used to ensure that no malware or other destructive executable content was being accepted from a malicious or infected source.

I was reflecting fondly on that Y2K experience yesterday as I chatted with the principals from Sasa Software, a cyber security start-up with roots in Israel that focuses on providing CDR solutions for the enterprise. In case you’re not familiar with this CDR designation, it stands for Content Disarm and Reconstruction, which involves inspecting a file, cracking it open for deeper inspection, extracting anything suspicious, and then reassembling the file into a usable form.

“Our technology is designed to transform incoming files and emails into workable copies that are safe from dangerous executables and other unwanted content,” explained Oren Dvoskin, Global Marketing Director for Sasa Software. “We understand that today’s file-based attacks are highly evasive, so what we do is treat every file as suspicious, and we disarm these files to stop any file-based threats from causing serious problems for the receiving entity.”

During the discussion, I learned that Sasa GateScanner, for email, app servers, and desktops, works via a multi-pass process using five different malware scanners and a next-generation detection engine to render an initial judgment about the presence of suspicious content. Once this is completed, a so-called TrueType procedure ensues to prevent file spoofing and content tampering. Finally, and at the core of CDR, is a disarm process which involves digging deeply into the content – a process that sounded a lot like file surgery to me.

“Removing macros is the most obvious case with CDR neutralization of a target file,” Dvoskin said, “but seeking other potentially harmful elements is essential, since the goal is to restructure the file to remove active content and to prevent deeply hidden attacks, APTs, ransomware, exploits, and zero days through examination and disassembly.” This sounded doable, but my question – and something anyone considering any CDR solution would ask – was this: Once you disassemble a file, how do you put things back together again?

“The reconstructed file in CDR will look essentially the same as the original file, but without the undesirable content,” explained Bavelle Technologies’ Oren David, who participated in our discussion as an authorized agent in the US to support Sasa. And such basic reconstruction made sense to me, especially for use-cases where file structure is less important than information. We’d have used CDR, for example, in the Y2K Center if the technology had existed.
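The pipeline Dvoskin and David describe above (a true-type check so a file cannot lie about what it is, then disarming the active content and reconstructing a usable file) in miniature, as an added Python example that is not Sasa Software's code: it treats an OOXML document as the ZIP container it is, decides the type from the bytes rather than the extension, and rebuilds the package without its VBA part or the entries that refer to it. The magic-byte table, the sample document produced by build_sample_docm, and the regular-expression scrub of the package XML are all assumptions of this example; a product would use a full signature database and an XML parser, and would also strip embedded OLE objects, PDF scripts and similar active content.

```python
import io
import re
import zipfile

# Content signatures for the true-type step (constructed for this example).
MAGIC = {b"%PDF-": "pdf", b"\x89PNG\r\n\x1a\n": "png", b"MZ": "exe", b"PK\x03\x04": "zip"}
# Extensions consistent with each content-derived type.
EXT_FAMILY = {"pdf": "pdf", "png": "png", "exe": "exe", "zip": "zip",
              "docx": "docx", "docm": "docx", "xlsx": "xlsx", "xlsm": "xlsx",
              "pptx": "pptx", "pptm": "pptx"}
# OOXML part names that carry VBA macros: the first thing CDR strips.
MACRO_PARTS = ("vbaProject.bin", "vbaData.xml")


def true_type(data: bytes) -> str:
    """Identify the type from the bytes, never from the filename."""
    for sig, kind in MAGIC.items():
        if not data.startswith(sig):
            continue
        if kind != "zip":
            return kind
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "unknown"
        if "[Content_Types].xml" in names:  # an OOXML package, not a plain ZIP
            for prefix, family in (("word/", "docx"), ("xl/", "xlsx"), ("ppt/", "pptx")):
                if any(n.startswith(prefix) for n in names):
                    return family
        return "zip"
    return "unknown"


def is_spoofed(filename: str, data: bytes) -> bool:
    """True when the extension claims a type that the bytes do not support."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual, expected = true_type(data), EXT_FAMILY.get(ext)
    if expected is None:  # extension outside the table: flag only a recognisable type
        return actual != "unknown"
    return expected != actual


def has_active_content(data: bytes) -> bool:
    """Does the package still hold a macro part, or any reference to one?"""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.split("/")[-1] in MACRO_PARTS:
                return True
            if (name.endswith(".rels") or name == "[Content_Types].xml") and b"vbaProject" in z.read(name):
                return True
    return False


def disarm_ooxml(data: bytes) -> tuple[bytes, list[str]]:
    """Rebuild the package part by part, leaving out macro parts and the
    relationship and content-type entries that point at them."""
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name.split("/")[-1] in MACRO_PARTS:
                removed.append(name)
                continue
            content = src.read(name)
            if name == "[Content_Types].xml":
                content = re.sub(rb'<Override[^>]*vbaProject\.bin"[^>]*/>', b"", content)
                # the main part is no longer macro-enabled, so give it the plain Word type
                content = content.replace(
                    b"application/vnd.ms-word.document.macroEnabled.main+xml",
                    b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
            elif name.endswith(".rels"):
                content = re.sub(rb'<Relationship[^>]*Target="vbaProject\.bin"[^>]*/>', b"", content)
            dst.writestr(name, content)
    return out.getvalue(), removed


def process(filename: str, data: bytes) -> tuple[bytes, dict]:
    """One file through the pipeline: true-type check, then disarm and reconstruct."""
    report = {"true_type": true_type(data), "spoofed": is_spoofed(filename, data), "removed": []}
    if report["true_type"] in ("docx", "xlsx", "pptx"):
        data, report["removed"] = disarm_ooxml(data)
    return data, report


def build_sample_docm() -> bytes:
    """A minimal macro-bearing Word package, constructed for this example;
    the VBA part is a placeholder blob, not macro code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types><Override PartName="/word/document.xml" '
                   'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
                   '<Override PartName="/word/vbaProject.bin" '
                   'ContentType="application/vnd.ms-office.vbaProject"/></Types>')
        z.writestr("word/document.xml", "<w:document><w:body><w:p>Q4 figures</w:p></w:body></w:document>")
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships><Relationship Id="rId1" '
                   'Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" '
                   'Target="vbaProject.bin"/></Relationships>')
        z.writestr("word/vbaProject.bin", b"PLACEHOLDER-VBA-BLOB")
    return buf.getvalue()
```

Calling process("report.docm", build_sample_docm()) returns the reconstructed bytes together with a report naming the parts removed, and has_active_content confirms nothing macro-related survives in the rebuilt package. A file whose extension and true type disagree is reported as spoofed; in a gateway deployment that is normally a reason to quarantine rather than to hand back a cleaned copy.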

The operational concept is that the Sasa solution would be connected via MX records to the inbound email path through a DMZ. This ensures proper CDR coverage for incoming email file attachments. Other scenarios include applying CDR to files from portable media such as USB drives, perhaps from third parties. An additional process that I learned about involved presenting files to a Sasa Software cloud service for CDR surgery. I joked that this sounded like “taking your files to the cleaners,” and I think that analogy is interesting.

The business challenge for Sasa Software involves addressing the range of technologies offering competing concepts. It’s challenging to differentiate between scanning, detection, dynamic analysis, and the pure prevention approach offered by CDR. Competing CDR solutions are also available on the market from vendors such as Fortinet and Votiro, but the good news is that alternate CDR options for buyers will ensure that source selection can proceed rationally, and this area of protection is thus likely to see excellent growth across our industry.

If you haven’t considered CDR to address your file protection requirements, then I suggest that you give Oren Dvoskin and his Sasa Software team a call (and I suspect Oren David from Bavelle Technologies would be happy to help American buyers as well). I found the technical discussion quite useful and I wish the company well as it helps enterprise teams protect the ecosystem through CDR surgery on files.

Sharon Perlmutter

Global HR Business Partner, Human Capital M&A, Workforce Management | Cornell Alum

6 years

We would be happy to share more about CDR in detail with Oren David at Bavelle Technologies!

Ron Goren

Protecting The SMB market from Enterprise-Grade Cyber Attacks

6 years

This is the most effective way to deal with file-based malware; companies and government agencies in Israel have been leveraging this technology and approach for years... I see North America and Europe to follow?
