“Sanitized for your safety.” No, this isn’t an ad for healthcare products, household cleaning products or even a sign placed on a public restroom. It is the latest marketing statement from cyber security vendors launching CDR solutions with the promise that you can actually use files that have been infected with malware.
What Is CDR?
Just when you thought you knew every security acronym, along comes a new one; in this case CDR. If you haven’t been exposed to this before, you might have guessed that CDR stands for “Corruption Detection in Realtime” or perhaps “Content Detection and Remediation” or maybe even ??? Unfortunately, you would be wrong on all counts. CDR actually stands for “Content Disarm and Reconstruction” and according to Wikipedia the definition of CDR is:
“a computer security technology for removing malicious code from files. Unlike malware analysis, CDR technology does not determine or detect malware's functionality but removes all file components that are not approved within the system's definitions and policies… CDR works by processing all incoming files of an enterprise network, deconstructing them, and removing the elements that do not match the file type's standards or set policies. CDR technology then rebuilds the files into clean versions that can be sent on to end users as intended.”
6 Reasons To Avoid CDR
In principle it sounds awesome to be able to identify malicious code and sanitize it out of the original file so that the file can still be used. Unfortunately, it isn’t always as nice as it seems. The six reasons to avoid CDR for your cyber threat prevention strategy include:
- CDR is slow: By definition of how CDR operates, every file that enters your email system will need to pass through the CDR sanitization scanner to ensure file type and consistency with named file types, and then be analyzed with named malware engines to identify unknown threats. This can add significant delays in communication, especially in organizations with tens of thousands to millions of emails and files transferred daily.
- CDR is resource intensive (read: it’s expensive): Once files are determined to be infected, the file elements are separated into discrete components so that malicious elements can be removed and the file characteristics and metadata can be reconstructed. Usually the new files are then recompiled and renamed before delivery, so users can then “safely” use the file. This is expensive from a hardware and software perspective, and the human resources necessary to keep those environments current with the latest updates are not insignificant either.
- CDR often fails to maintain integrity of the original files: in most cases this can completely destroy crucial elements, rendering files broken or not displayable, and in other cases stripping out critical data. For example, CDR will completely strip Macros (Excel native) from analyzed files and remove critical aspects of the document. In other cases, CDR can strip PDF forms, such as ones that are used by the DHS (Department of Homeland Security) and other entities, rendering them unusable.
- CDR can be evaded: In attempts to better keep the integrity of reconstructed files, CDR tries to prevent the modification of crucial format elements, and by doing so, it can affect the exploit detection ratio and permit sophisticated malware to slip through undetected.
- CDR disables digital certificates: Another flaw is the disabling of digital certificates; for example, when CDR reconstructs a file, it completely ruins the file’s digital signature and fingerprint, potentially rendering those files non-trustworthy and removing a crucial identity control.
- CDR is email only: Finally, this type of technology focuses on email attachments only, and, as such, is limited to protecting against only one type of threat.
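To make the reconstruction mechanism and two of the side effects above concrete, here is an added illustration (not code from the original post or from any CDR vendor): a policy-driven rebuild of a zip-based Office-style container that drops the part holding macros, which changes the file’s hash and invalidates a signature taken over the original bytes. The part names, the allow-list policy and the HMAC standing in for a real document signature are all constructed for the example.

```python
import hashlib
import hmac
import io
import zipfile

# Constructed stand-in for a macro-enabled workbook: OOXML is a zip of parts.
SAMPLE_PARTS = {
    "[Content_Types].xml": b"<Types/>",
    "xl/workbook.xml": b"<workbook/>",
    "xl/worksheets/sheet1.xml": b"<worksheet/>",
    "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed macro blob",
}
# Policy: allowed part names; other parts are dropped, allowed parts pass through unchanged.
ALLOWED_PREFIXES = ("[Content_Types].xml", "_rels/", "xl/workbook.xml", "xl/worksheets/")
SIGNING_KEY = b"constructed-demo-key"  # stands in for a document signer's key

def build_zip(parts):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()

def cdr_reconstruct(blob, allowed=ALLOWED_PREFIXES):
    """Deconstruct, drop parts outside policy, rebuild. Returns (rebuilt, removed)."""
    kept, removed = {}, []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name.startswith(allowed):
                kept[name] = zf.read(name)
            else:
                removed.append(name)
    return build_zip(kept), removed

def sign(blob):
    # Detached signature over the exact bytes; HMAC stands in for a real signature.
    return hmac.new(SIGNING_KEY, blob, hashlib.sha256).digest()

def verify(blob, sig):
    return hmac.compare_digest(sign(blob), sig)

def demo():
    original = build_zip(SAMPLE_PARTS)
    sig = sign(original)
    rebuilt, removed = cdr_reconstruct(original)
    return {
        "removed": removed,
        "fingerprint_changed": hashlib.sha256(original).digest() != hashlib.sha256(rebuilt).digest(),
        "signature_valid_before": verify(original, sig),
        "signature_valid_after": verify(rebuilt, sig),
    }
```

Note that the macro part is gone after the rebuild, but anything inside an allowed part is copied through untouched, which is the trade-off the “CDR can be evaded” point describes.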
SoleGATE™ was designed with the right degree of flexibility to deliver end-to-end security across a changing threat landscape in which attacks can be initiated from different vectors such as email, web, and cloud office applications. It is agnostic to the underlying infrastructure and is able to protect hybrid environments with a mix of virtual, hardware, and XaaS-consumed infrastructure. Whether on-premise or in the cloud, SoleGATE operates consistently, totally separating environment variables from security logic. Managed centrally, SoleGATE gives customers the flexibility and consistency of truly end-to-end security that is not restricted to a certain vertical.
Get Solebit’s whitepaper on a transformative, evasion-proof approach against modern cyber-attacks that doesn’t require sandboxing. It will outline how to strengthen your cyber defenses dramatically by preventing attacks before they enter and harm your organization, your customers and your brand. Remediation is costly, prevention is not.