Contributed by Ken Soh, Chief Executive Officer, Athena Dynamics Pte Ltd
This paper focuses on the long-neglected pitfall of today’s cyber protection technologies and why incidents continue to happen despite substantial investment into cyber protection.
To address this pitfall, the detectionless technology of Content Disarm and Reconstruction (CDR), also called Content Deconstruction, Neutralization and Reconstruction (CDNR), is discussed. The paper also provides a concise verification guideline to help readers distinguish a true CDR/CDNR tool from the many products that claim to be one.
Today, many advanced threats cannot be detected. Unfortunately, security leadership continues to focus only on detection-centric technologies. Be it multi-AV, sandboxing, machine learning or threat intelligence, they all work on the same fundamental idea: "exploit the most advanced technology to detect the bad in order to remove the bad". This paradigm works, but it is dangerously inadequate for the basic reason that we cannot detect many advanced threats in the first place. Even a threat that is detected today may evade detection tomorrow, once its author changes it. We cannot keep running a never-ending catch-up game.
A detection-only mindset provides a dangerously false sense of security: "We have deployed the most marketed, most well-known, world-class cyber security protection technologies, and we are now safe". For security leaders who protect with this mindset, not only is there no 100% security, but most likely those "most well-known, world-class" technologies are all detection-centric. Detection-centric protection is important. However, it is dangerously incomplete unless it is complemented with detectionless technologies.
"Detectionless technology" is a broad term that I use to describe any technology that does not protect by "sensing out the bad". On many occasions when I mention that we protect detectionlessly, the response is "ah certainly, you are referring to pre-emptive, proactive prevention". Many do not get the point the first time, and I typically need to explain that I am not referring to "protection by prevention" alone: we prevent detectionlessly. From experience, this concept takes time to share and explain, probably because the detection-oriented mindset has been deeply ingrained in most people's minds all this while.
What do we mean by Neutralization? In layman's terms, we do not "detect", we "detox". There are too many examples of detection-based perimeter defences screening incoming traffic and approving it as clean for users, only for those users to be attacked by advanced threats delivered through that "approved clean traffic". We cannot detect advanced threats, so detecting nothing does not mean the traffic is safe in today's threat landscape.
So what do we do in Neutralization? At file level, Neutralization reconstructs files via file conversion, implemented as a highly scalable enterprise cross-domain or e-mail platform. At packet level, reconstruction is implemented via a packet conversion platform that accepts user exits interfacing with custom, user-defined deconstruction and reconstruction routines. Both technologies have already protected numerous critical information infrastructures (CIIs) at classified and secret levels.
In a nutshell, Neutralization is a zero-trust, white-listing approach at the conceptual level. While it is difficult to identify the bad, we simply pick out the good, since we know what is good far better than we know what is bad. By sieving out only the required, well-understood good content and discarding everything else as "impurities", regardless of whether any of it is malware, we achieve a high level of protection: the impurities may contain known or unknown malware, including zero-day or not-yet-written viruses, and none of it survives reconstruction.
Neutralization has been realized since early 2010 via Content Disarm and Reconstruction (CDR) or Content Deconstruction, Neutralization and Reconstruction (CDNR) technologies, which have protected CIIs with virtually zero incidents since then.
While the market is starting to understand the strength of CDR/CDNR, just as it did decades ago when the term "firewall" first emerged, it is risky to choose a CDR/CDNR platform at face value. Now that CDR/CDNR is approaching the peak of the technology hype curve, various products are starting to claim a CDR/CDNR feature. How, then, can we identify the real McCoy? We recommend the following key identifying criteria that end users can reference in their procurement evaluation:
1. Fidelity of neutralized files/packets
Every vendor claims to be the best. Use-case-oriented stress testing, feeding the solution the actual file types and content the organization exchanges and checking that the reconstructed output is still usable, is therefore the most direct and useful way to identify the "real McCoy".
2. How many file types does the solution support?
A mature CDR/CDNR product should support at least all common file types, which usually amounts to around 100 types. It would be unfortunate to discover after deployment that the platform does not support certain file types that need to be neutralized. We have also observed claims of supported file types that turn out to be qualified as "under beta". Buyers need to be vigilant about such misleading pitfalls.
3. Track record
When did the product start to offer CDR capabilities? How many production CIIs does the product protect to date? Some security products claim to have been enhanced with CDR/CDNR capabilities; a deeper assessment against this list is key.
4. Is there deep CDR/CDNR at finer granularity of files and emails?
Many solutions perform CDR/CDNR only at the whole-file or whole-email level. Benchmarking has shown a multi-fold improvement in threat prevention when CDR/CDNR is performed at finer granularity, that is, on each embedded object, attachment and nested container within a file or e-mail rather than on the outer file alone.
5. Does the solution handle encrypted email attachment?
Encryption has protected our privacy for the longest time in the history of information sharing. Unfortunately, today it also protects viruses: a CDR engine cannot reconstruct content it cannot read. A well-implemented CDR/CDNR enterprise platform should have a mature process flow to handle and neutralize encrypted attachments, providing a good balance between security and operational productivity.
6. Does it support a highly scalable enterprise platform?
Since enterprise CDR/CDNR typically forms an integral part of business workflows, it is important that it comes with highly scalable capability that allows scaling up and down without downtime.
7. Does the vendor have credible, local presence?
Since CDR/CDNR will be an integral protection shield for the organization's crown jewels, it is important to verify that the supplier has a credible local presence for ongoing support requirements.
8. Does it offer external connectors to other solutions in the workflow for situations in which executables must be checked, e.g. in the SCADA domain?
CDR/CDNR provides strong protection. Unfortunately, the technology by nature does not support executable binaries: an executable has no separable "content" to rebuild around, since the code itself is the payload. The platform should therefore provide a flexible SDK/API and connectors for customized workflows in use cases where executables need to be shared.
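As an added illustration of the Neutralization idea described above (and of checklist items 4, 5 and 8), the following Python is example code written for this article, not the code of any product mentioned here. It is a toy CDR that rebuilds PNG images from an allow-list of chunks and re-encodes the pixel data itself, and that recurses into ZIP archives so each member is neutralized individually; members that cannot be read (encrypted without a password) or that have no handler (executables, unknown formats) are dropped rather than passed through. The chunk allow-list, the two supported formats, the `sample_png`/`sample_zip` constructors and their contents are all assumptions made for the example.

```python
"""Toy detectionless neutralization (CDR) for PNG and ZIP, written for this article as an
illustration (not a vendor product). Nothing is scanned for malware: each handler parses only
the fields it understands, validates them and writes a new file from those fields."""
import io, struct, zipfile, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Allow-list of chunks needed to render a still image; tEXt/iTXt/zTXt/eXIf etc. are not listed.
ALLOWED_CHUNKS = {b"IHDR", b"PLTE", b"tRNS", b"IDAT", b"IEND"}
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # colour type -> samples per pixel

def png_chunk(ctype: bytes, body: bytes) -> bytes:  # serialise one chunk with a fresh CRC
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def png_chunks(data: bytes):
    """Yield (type, body) per chunk; any structural damage rejects the whole file."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        if pos + 12 + length > len(data):
            raise ValueError("chunk length exceeds file")
        ctype, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) != crc:
            raise ValueError(f"bad CRC on {ctype!r}")
        yield ctype, body
        if ctype == b"IEND":
            return
        pos += 12 + length
    raise ValueError("missing IEND")

def neutralize_png(data: bytes):
    """Rebuild a PNG from allow-listed chunks only. Returns (clean_bytes, dropped_chunk_types)."""
    kept, dropped, idat, hdr = [], [], [], None
    for name, body in png_chunks(data):
        if name not in ALLOWED_CHUNKS:
            dropped.append(name.decode("latin-1"))
        elif name == b"IDAT":
            idat.append(body)
        else:
            if name == b"IHDR":
                hdr = struct.unpack(">IIBBBBB", body)  # w, h, depth, colour, compression, filter, interlace
                if hdr[3] not in CHANNELS or hdr[2] not in (1, 2, 4, 8, 16) or any(hdr[4:]):
                    raise ValueError("unsupported IHDR")  # interlaced images are out of scope here
            kept.append((name, body))
    if hdr is None or not idat:
        raise ValueError("no image data")
    row = 1 + (hdr[0] * CHANNELS[hdr[3]] * hdr[2] + 7) // 8  # filter byte + packed samples
    raw = zlib.decompressobj().decompress(b"".join(idat), max_length=row * hdr[1] + 1)  # bombs get cut off
    if len(raw) != row * hdr[1] or any(raw[i] > 4 for i in range(0, len(raw), row)):
        raise ValueError("pixel data does not match IHDR")
    out = bytearray(PNG_SIG)
    for name, body in kept:
        if name == b"IEND":  # one IDAT compressed by us; the sender's zlib stream is discarded
            out += png_chunk(b"IDAT", zlib.compress(raw, 9))
        out += png_chunk(name, body)
    return bytes(out), dropped

def identify(data: bytes):  # choose a handler by content, never by the filename the sender chose
    if data.startswith(PNG_SIG):
        return neutralize_png
    return neutralize_zip if data.startswith(b"PK\x03\x04") else None

def neutralize_zip(data: bytes):
    """Deep CDR: neutralize each member (recursing into nested archives), drop the rest, repack."""
    dropped, buf = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            try:
                member = src.read(info)
                handler = identify(member)
            except RuntimeError:  # encrypted member without a password: unreadable, so unrebuildable
                handler = None
            if handler is None:  # also executables and unknown formats: nothing to allow-list
                dropped.append(info.filename)
                continue
            clean, sub = handler(member)
            dropped += [f"{info.filename}/{d}" for d in sub]
            dst.writestr(info.filename, clean)  # fresh ZipInfo: extra fields and comments are not copied
    return buf.getvalue(), dropped

def sample_png(comment: bytes = b"") -> bytes:  # constructed 1x1 RGB PNG, optionally with a tEXt chunk
    chunks = [png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))]
    if comment:
        chunks.append(png_chunk(b"tEXt", b"Comment\x00" + comment))
    chunks += [png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00")), png_chunk(b"IEND", b"")]
    return PNG_SIG + b"".join(chunks)

def sample_zip() -> bytes:  # constructed archive: image with metadata, fake .exe, nested archive
    outer, inner = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("inner.png", sample_png(b"payload"))
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("photo.png", sample_png(b"<script>alert(1)</script>"))
        z.writestr("installer.exe", b"MZ" + b"\x00" * 62)
        z.writestr("nested.zip", inner.getvalue())
    return outer.getvalue()
```

Calling `neutralize_zip(sample_zip())` returns the rebuilt archive together with the drop list `['photo.png/tEXt', 'installer.exe', 'nested.zip/inner.png/tEXt']`: the comment chunks never reach the output, the executable is routed out of the CDR path (item 8 is where a connector to a separate workflow would take it), and the nested archive is handled at member granularity (item 4). Nothing in the code recognises a signature, which is the point of the approach; conversely, any format the engine cannot parse is lost, which is why file-type coverage (item 2) matters so much in procurement.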
Due to the high order of protection it offers, CDR/CDNR is most valuable for protecting CIIs, crown jewels and classified or sensitive networks, e.g. governmental networks, OT plants, military bases, banking back ends and healthcare/medical platforms. CDR/CDNR, coupled with the appropriate use of data diodes, provides a highly strengthened security posture that common cyber security practices cannot match.
With this understanding of the detection-centric versus detectionless cyber protection paradigms, the typical technical strategy is to complement detection-based, hygiene-level protection with detectionless innovations, as per the following illustration. We do not oppose the use of detection technology; detection typically saves time. However, since we cannot detect advanced threats in the first place, it is best to complement the existing detection strategy with detectionless technology to close the loop.
Disclaimer: The outcome of the best practices introduced in this material may vary due to environmental and contextual parameters. Neither BH Global Corporation Ltd, Athena Dynamics Pte Ltd nor the writers are responsible for any direct or indirect implications/impacts on readers arising from the adoption of these practices.
SGTech's Smart Nation Chapter has created a series of thought leadership articles on holistic smart city solutions provided by smart technology innovators and adopters for both the Singapore and international markets.