It is well recognized that behind many of the successful ransomware attacks on an organization there is a simple security failure: an employee clicking an e-mail attachment containing malicious code. Prevention of e-mail based attacks is therefore one of the important security measures to be taken by any enterprise. Statistics indicate that more than 70% of malicious e-mail attachments are delivered as PDF and MS Office documents.
Anti-virus software normally works on the principle of scanning a document to identify a known virus signature. This can work for known viruses but cannot protect against zero-day attacks. Failure to update the anti-virus could also defeat the security and allow intrusion of the malicious code.
The sandbox method, where incoming files are processed in a controlled environment until they are cleared for security, may delay the delivery of those files for further processing.
Considering the unacceptable level of risk that arises from a ransomware attack, there is a need to fortify the security of e-mail to ensure that malicious code in incoming data is identified at source and stopped at the gateway.
CDR (Code Disarming and Reconstruction) technology (also referred to as Threat Extraction or data sanitization) is a technology where a file is deconstructed into separate components such as images, text etc. using the vendor-specified specifications for the document type. The components are then reconstructed leaving out any malicious (non-conforming) content, so that the file is cleaned of any unwanted components that may be the potential source of malicious code. In the process, any executable content in the document also gets removed. The safe content, after removal of the undesirable content, is forwarded to the user, and the original file is held in safe storage to be accessed only if required and after it is confirmed to be benign, say after a sandbox inspection.
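As an added illustration of the deconstruct-and-reconstruct step described above (example code written for this post, not any vendor's implementation): a Word document is treated as the zip-of-parts package defined by the OOXML specification, rebuilt from an allow-list of known-safe part types, and the macro and embedded-object parts are dropped together with the relationship and content-type entries that reference them, while the original bytes are left untouched for quarantine. The allow-list, the namespace handling and the constructed sample package are assumptions made for the example.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

# Allow-list of package parts the rebuilt document may contain (assumption: a deliberately small
# illustrative policy, not a vendor's full OOXML specification). Everything else is dropped.
ALLOWED = [r"^\[Content_Types\]\.xml$", r"^_rels/\.rels$", r"^word/_rels/document\.xml\.rels$",
           r"^word/(document|styles|settings|fontTable|numbering)\.xml$", r"^word/media/[^/]+\.(png|jpe?g|gif)$"]
NS = "http://schemas.openxmlformats.org/package/2006/"  # OPC namespace prefix

def drop_references(xml_bytes: bytes, dropped: set) -> bytes:
    """Rebuild a .rels or [Content_Types].xml part without entries that point at removed parts."""
    root = ET.fromstring(xml_bytes)
    ET.register_namespace("", root.tag[1:].split("}")[0])  # keep the default namespace on output
    for el in list(root):
        ref = (el.get("Target") or el.get("PartName") or "").lstrip("/")
        if ref in dropped or "word/" + ref in dropped:  # document.xml.rels targets are relative to word/
            root.remove(el)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def sanitize_docx(data: bytes):
    """Deconstruct, keep only allow-listed parts, rebuild. Returns (clean_bytes, removed part names)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    dropped = {n for n in src.namelist() if not any(re.match(p, n) for p in ALLOWED)}
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in dropped:
                continue  # macros, OLE objects and unknown parts never reach the output
            body = src.read(name)
            if name.endswith(".rels") or name == "[Content_Types].xml":
                body = drop_references(body, dropped)
            dst.writestr(name, body)  # the original `data` stays in quarantine storage, untouched
    return out.getvalue(), sorted(dropped)

def build_sample() -> bytes:
    """Constructed input: a tiny macro-enabled package (placeholder bytes, no real macro inside)."""
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{NS}content-types"><Override PartName="/word/document.xml" ContentType="application/xml"/>'
                               '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
        "word/document.xml": "<document>Quarterly figures attached.</document>",
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{NS}relationships"><Relationship Id="rId2" Type="t" Target="vbaProject.bin"/>'
            '<Relationship Id="rId3" Type="t" Target="media/image1.png"/><Relationship Id="rId4" Type="t" Target="embeddings/oleObject1.bin"/></Relationships>',
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder", "word/embeddings/oleObject1.bin": b"placeholder",
        "word/media/image1.png": b"\x89PNG placeholder",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```

Calling `sanitize_docx(build_sample())` returns the rebuilt package plus the list of parts that were removed, which is what a gateway would log and what the "Policy Setting" discussed later decides.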
It is expected that CDR technology could introduce certain delays in releasing a file for use, compared with signature-based identification, since it works on “Zero Trust” and inspects every file by deconstruction and reconstruction. But considering the risks associated with ransomware in large corporations, enterprises should be tolerant of some delay in the interest of security.
While CDR technology is expected to provide 99.9% reliability in the removal of malware, there could be some operational issues to be contended with, since the usability of the incoming file could be curtailed. The “Policy Setting” therefore becomes important to ensure that the system remains useful.
There appear to be many CDR solutions available in the market. While there are solutions like Checkpoint-Harmony that integrate CDR technology into legacy malware security systems, specialized CDR-based malware security providers such as Odix, Glasswall Solutions, Fortinet OPSWAT, Sasa software etc. are also trying to capture the market.
Some of the service providers may offer “CDR as a Service” and cost-effective solutions for SMEs. Odix from Israel is reported to be one of the solutions that SMBs may be able to afford, particularly if they are working in the Microsoft environment.
It would be good if in future CDR technology becomes affordable to even individuals.
Naavi
P.S.: Comments, additional information and user experiences are invited.