Unleashing CDR

CDR- Disarming and reconstructing file content

Introducing CDR

At its core, the goal of gateway cybersecurity tools and platforms is the elimination of malware before it enters the network. Traditionally, this was done through detection, with solutions like antivirus software and network sandboxing that scan files and flag those that are suspicious.

As detection solutions alone cannot offer 100% security, Israeli defense organizations were looking for more. They wanted an airtight process that completely eliminated the risk of malicious code entering their network. To achieve this, they developed a new prevention technique that followed three key principles:

  1. Every file is treated as a threat
  2. The original document cannot be trusted and is therefore stored outside of the network
  3. A new file will be created, to serve as a clean replica of the original file

Some years after its development, this technology was coined “CDR” – Content Disarm and Reconstruction.

The initial versions of CDR essentially “flattened” the original document, eliminating any potential active code within the document. When Word or Excel files arrived, they were replicated as an image, losing native format and file functionality. All of the file’s content was readable, but the documents couldn’t be edited, copied, or manipulated in any way.

These defense organizations achieved ultimate prevention security, but at the expense of usability.

The Evolution of CDR

When CDR first reached the commercial market, it aimed to replace traditional detection-based security solutions. While all these solutions add value, they present significant limitations in security and/or usability. Typical limitations include inefficiency against unknown malware, lack of support of encrypted documents and large files, sandbox latency and scalability, and restriction of business flows.

For CDR to be embraced by mainstream enterprises, it needed to significantly enhance its usability offering. This was easier said than done. The first vendors offering CDR continued to rely on a flattened file, resulting in a read-only version of the document.

As with the Israeli defense organization’s use of the technology, the document generated was completely safe, offering enhanced security in comparison to traditional solutions. However, users were constantly frustrated by the loss of embedded files and file functionality.

These limitations doomed early CDR solutions to commercial failure. While there are applications for this capability, with several leading security vendors still offering this limited solution today, most enterprises require a more robust solution that enables full document usability, processing at scale, and in real time.

Blacklisting Elements

Shortly after, several Israeli pioneers attempted to break the paradigm by developing an advanced method of CDR. These companies made significant strides, but still struggled with the very fundamental security vs. usability challenge. To ensure usability was not compromised, these security vendors chose a blacklisting approach; this iteration of CDR copied the entire original document into a replica copy, then opened the replica and scanned each element for malicious code and known risks (e.g. macros, active content etc.). Finally, high-risk elements were removed, and the file was sent to the recipient.

In contrast to flattening, this method (sometimes referred by vendors as “deep-CDR”) provided users with a fully functional replica, with the exception of any macros or other active content it removed. This approach allowed vendors to improve usability – it was relatively fast, maintained document fidelity, and could scan embedded files.

However, this method did not uphold the security standards that original CDR technology promised its users. Much like traditional detection solutions and unlike prevention technologies, blacklisting is a reduced level of security that is vulnerable to zero-day attacks and to suspicious elements remaining in the new file. In other words, this iteration of CDR compromised on CDR security standards in order to achieve improved performance.

Resec Content Disarm and Reconstruction

Resec shifts the paradigm by fulfilling the true vision of CDR – unparalleled security coupled with full usability.

With Resec’s CDR, the original document is rendered into a digital representation containing all of the elements of the original document. It then reviews each element in the original document and quickly builds a new, visually identical file.

The resulting file looks like the original, but unlike blacklisting techniques, it has been completely rebuilt from scratch only using known and confirmed-to-be safe elements. This provides a document that is 100% safe from both known and unknown attacks.

All of this is done while maintaining native file format, full functionality, and processing at scale and in real time. It offers the ultimate solution to global enterprises aiming to enhance security without hindering business processes.

Zero Trust Prevention at the Gateway

Resec positioned itself ahead of the pack by building an innovative architecture with such enterprise customers in mind from day one. Resec’s Zero-Trust Prevention platform utilizes powerful security engines – including CDR – to provide unparalleled protection from known and unknown file-based malware threats. All common threat vectors are protected by Resec, including email, removable devices, FTP transfers, file portals, uploads, downloads and more.

Files reaching the gateway are immediately quarantined. Resec then offers the best of both worlds – powerful detection to block malicious and prohibited files, and unparalleled CDR prevention to eliminate false negatives and zero-day attacks.

This is all done while processing traffic at tremendous scale at least 90% faster than traditional sandboxes.

The result is a robust platform that is redefining gateway security by providing military-grade security and enterprise usability.