Content Disarm and Reconstruction (CDR) Technology

The need to spot unknown threats is one of the great challenges in cybersecurity. Traditional anti-virus and anti-malware tools struggle with this. They check incoming messages and files for malicious content based on known threat signatures and correlated inferences like bad IP addresses.

The problem with this approach is that most of the worst threats are “zero days,” exploiting heretofore unknown vulnerabilities. Or, they’re advanced persistent threats (APTs), which use advanced technology to achieve stealth. An APT may not “detonate” in a sandbox, but the threat is still in the content when it crosses over into your network.

How can you defend against threats you can’t see? One approach that’s gaining traction is to establish what you do want to bring into your network and locking out everything else. You can identify a “known good” format, like a clean PDF or Word document. You then break down incoming files and reconstruct them in the “known good” format. This leaves anything bad outside the firewall.


What is CDR Technology?

Content Disarm and Reconstruction (CDR) technology protects digital assets by enforcing a “known good” format at the perimeter. As exemplified by Sasa Software, CDR solution deconstruct inbound files. It breaks files down into their elementary parts—defined by the vendor or standard specs. It scrutinizes file components, removing known malware. The tool is able to strip out any embedded active codes or scripts and reassembles the file into the “known good” format. The end result is a usable file that’s functionally identical to the one that was original.


Effectiveness of CDR

The CDR Approach is effective, with independent testing showing that Sasa’s CDR solution is able to catch 99.99% of known and unknown threats. Their toolset works in tandem with sandboxes and existing anti-virus solutions. The CDR process can also be applied to file redaction in data-loss prevention (DLP) processes applied to outgoing data flows.

The Sasa GateScanner product supports more than 300 different file types. These include password-protected files and DICOM files used in medical imaging. The solutions works with USB sticks, portable media uploads, safe browser downloads, email, appliances and cross-network file transfers. Processing is done on the client side. There is no vendor involvement.

 Photo Credit: theglobalpanorama Flickr via Compfight cc