Eliminating content-borne threats to industrial enterprises


With increased digital connectivity giving cyber adversaries a wider canvas, organizations, particularly in the industrial and critical infrastructure sectors, face a rising number of malware attacks. As traditional cybersecurity defenses become less effective, and malware techniques grow in complexity and increasingly evade conventional anti-malware engines and sandboxes, organizations are pushed to adopt newer technologies that protect them against these threats without hurting productivity or causing operational downtime.

There are sophisticated threat prevention tools available that are not reliant on detection. Borrowing from the ‘zero trust’ principle, the technology works on the premise that all files are to be treated as malicious and must be sanitized and rebuilt so that they remain fully usable while carrying only safe content. Any hazardous elements are removed from a file before it is put back together again. The technology is highly effective in safeguarding against known and unknown threats, such as zero-day targeted attacks and other malicious activity.

Using CDR to sanitize content

Enter Content Disarm and Reconstruction (CDR) technology. “Acting as a content firewall, all files that are destined for the OT are first relayed to CDR file-sanitization engines, located outside the OT, for disarming, thereby establishing and maintaining a malware-free ‘clean room’ environment for the segmented OT network,” Yakov Yeroslav, CEO and co-founder of Sasa Software, told Industrial Cyber in an exclusive interview. “The external, remote location of the CDR engines – either on the cloud or on-premises in the DMZ – makes for high availability of CDR sanitization across multiple geo-locations, delivered through standard, secure communication protocols.”

The CDR technology is independent of and not reliant on malware detection, and as such, it is capable of neutralizing both known, as well as previously unseen (signature-less) malware, such as zero-day and polymorphic malware. It is this independence from the need to detect that gives CDR an undisputed edge over detection-based anti-malware technology, making it an indispensable layer in critical network security.

CDR is an advanced anti-malware technology that excels at blocking content-borne malware, such as malware arriving through email or shared files. It works by applying aggressive deconstruction and reconstruction processes to incoming files: it first applies AV detection, then transforms the file in a way that breaks up any possibly embedded malware. It then reconstitutes the file in strict adherence to the vendor’s format specification, disrupting in the process any remaining, undetected malware.

Yeroslav details that the technology, which is largely preventative in nature, is located outside the network, in the DMZ (demilitarized zone), establishing a virtual ‘content perimeter’ by blocking the entry of malicious code through email and file exchange.

“Rather than attempting to detect signs of an attack that is already underway from within the network – as detection-based EDR/XDR/MDR solutions do – CDR preempts attacks by foiling the first crucial step – the ‘initial access’ phase,” according to Yeroslav. “Customer penetration tests repeatedly show that CDR solutions deliver extremely high protection levels, reaching up to 100 percent prevention rates for known and unknown email and file-based malware – results that are beyond the reach of detection-based AVs,” he disclosed.

Enter Sasa Software, with its GateScanner solution suite

Sasa Software’s primary client base consists of government organizations – at all levels – and hundreds of enterprises from the manufacturing, financial services, healthcare, utilities, and critical infrastructure sectors. Additionally, the Israeli-based vendor has a strong presence in the Singaporean government and is currently forging inroads into maritime, transportation, and energy sectors in the U.S. and Europe.

The GateScanner modules include a secure email gateway (SEG) with Office 365 and Microsoft Exchange integration, USB import stations either stand-alone or through centrally managed networked stations, and web-based secure MFT, with vaults and remote file sharing. It also delivers CDR through API/ICAP, offers an inter-application (API-less) file exchange solution, and provides a secure web download browser plugin. 

These network security modules have been designed to intercept incoming files on every content channel, send them to CDR engines for sanitization, and then return, store, or forward them, as the case may be. This includes firmware and software updates; the aim is to cover all content gateways so that a ‘sterile area’ behind these modules can be secured.

The GateScanner suite of solutions, and especially the USB Kiosk, have become staple security components in critical networks in Israel, where the company is based.

Consisting of core CDR engine technology, the GateScanner suite comes coupled with six application-specific modules, delivering CDR security for a wide range of network scenarios.

The GateScanner Kiosk covers safe import stations for portable media, available both as physical stations and as a PC application, either stand-alone or networked.

The GateScanner Mail gateway offers a full-featured SEG with CDR. This plays a key role because weaponized emails containing zero-days, exploits, and evasive malicious code continually overcome the reactive detection measures of a conventional SEG, leading to the continued rise in data breaches and ransomware incidents.

The GateScanner Security Dome delivers web-based managed file transfer and vaults (large-file and high-volume processing), with Outlook and Chrome plugins for secure file sharing via email and secure web downloads, and API access, all with CDR file sanitization. The range of use cases for the Dome is wide, from a one-off file share to steady, routine third-party partnerships.

GateScanner CDR is also delivered via a REST API for programmatic insertion at any point in the data flow, and includes integrations with remote browser isolation solutions for secure downloads.

Unique GateScanner characteristics 

Detailing how GateScanner is different from other CDR offerings in the market, Yeroslav said that GateScanner has been protecting high-security installations – in a highly targeted country – since 2013, accruing unparalleled experience and expertise that are incorporated into the solution. “While other CDR vendors migrate to the cloud, Sasa Software continues to support on-premises installations, as preferred by many industrial customers. This orientation towards OT was reflected in Sasa Software’s inclusion in Gartner’s ‘Cool Vendor in Cyber Physical Systems’ report of 2020.”

On the technical side, Yeroslav added that GateScanner CDR engine scanning profiles are highly configurable, providing deep granular control, enabling administrators to tailor scanning policies to combinations of users, domains, file types, sources, and destination attributes, and flexibly control the order and intensity of the CDR process components.

GateScanner also provides an integration engine that enables easy integration of third-party tools, such as sandboxes, into the CDR process flow. The GateScanner CDR engines run on Win10 IOT LTSC vendor-hardened appliances, in a dynamic, active-active grid topology that enables ‘on-the-fly’ scalability and supports very high-volume batch processing.

Yeroslav detailed that GateScanner Security Dome is a web-based solution providing secure remote sharing, with CDR file sanitization built in. Dome users can upload files to the Dome’s vaults for sharing with other Dome users, or with external users, via email, and even receive files from them, through a return link in the email. 

“The Dome also supports automated file transfer between designated folders so that technical staff of a third-party support team could regularly place files in a designated folder, which would then be automatically transferred, with sanitization, into a target folder in the OT, for use onsite by technicians,” he added.

Addressing how GateScanner deals with unknown malware, Yeroslav said that CDR disarms unknown malware through its file reconstruction phase, which alters the file in a way that breaks up any contained malicious code. 

Covering GateScanner’s ability to protect against the risk of increasingly complex file formats, Yeroslav said that the solution’s reconstruction process is agnostic to the type of malware or characteristics of the content, such as character encoding. “It produces a new file that contains only the operationally valuable content of the original file while discarding any code that resides in unused sections of the file format – places where malware can easily be hidden.” 
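To make the reconstruction idea described above concrete (parse the file, keep only the operationally valuable content, discard whatever sits in unused parts of the format, and write a new file to specification), here is an added example of a minimal CDR-style rebuild for one format, PNG. It is not Sasa Software's code and does not describe GateScanner's actual algorithm. The chunk allow-list, the private `prVt` chunk name and the one-pixel sample image are all constructed for the demo; a real engine would apply the same pattern per supported format with configurable profiles.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Constructed allow-list for this example: the critical chunks plus a few
# harmless ancillary ones. Anything else (private chunks, text metadata, ...)
# is dropped rather than inspected, which is what makes the rebuild
# independent of what a hidden payload looks like.
ALLOWED_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"sRGB"}


def parse_chunks(data: bytes):
    """Walk the PNG chunk stream. Returns (chunks, trailing_bytes), where
    chunks is a list of (type, payload) up to and including IEND and
    trailing_bytes is whatever follows IEND (a common hiding place).
    Raises ValueError on any structural defect, so the caller fails closed."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header (no IEND reached)")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("truncated chunk payload")
        payload = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in chunk {ctype!r}")
        chunks.append((ctype, payload))
        pos = end + 4
        if ctype == b"IEND":
            return chunks, data[pos:]


def build_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialize one chunk with a freshly computed CRC."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def sanitize_png(data: bytes):
    """Rebuild a PNG from its parsed chunks. Returns (clean_bytes, report).
    The report records what was discarded, which is what an audit trail
    would log for the transfer."""
    chunks, trailing = parse_chunks(data)
    kept, dropped = [], []
    for ctype, payload in chunks:
        if ctype in ALLOWED_CHUNKS:
            kept.append(build_chunk(ctype, payload))
        else:
            dropped.append(ctype.decode("latin-1"))
    report = {"dropped_chunks": dropped, "trailing_bytes": len(trailing)}
    return PNG_SIGNATURE + b"".join(kept), report


def make_sample_png() -> bytes:
    """Constructed 1x1 greyscale PNG carrying an unknown private chunk, a
    text chunk and bytes appended after IEND. Built inline for the demo."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x80")  # filter byte 0 + one grey pixel
    return (PNG_SIGNATURE
            + build_chunk(b"IHDR", ihdr)
            + build_chunk(b"prVt", b"unexpected-private-data")
            + build_chunk(b"IDAT", idat)
            + build_chunk(b"tEXt", b"Comment\x00hello")
            + build_chunk(b"IEND", b"")
            + b"appended-after-IEND")


if __name__ == "__main__":
    clean, report = sanitize_png(make_sample_png())
    print(report)              # {'dropped_chunks': ['prVt', 'tEXt'], 'trailing_bytes': 19}
    print(len(clean), "bytes after rebuild")
```

Failing closed on a bad CRC or a truncated chunk is deliberate: a file that does not parse according to its specification is not rebuilt at all, and the report is what gets written to the audit trail. Nothing in the loop looks at the payload of the dropped chunks, which is the point the passage makes about being agnostic to the malware and to the content's encoding.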

Also, he added that an encrypted file cannot be opened or scanned without a key, and therefore GateScanner prompts users to provide passwords for encrypted files to enable their scanning and disarming.

When it comes to dealing with archival data, GateScanner recursively unpacks archive files down to their lowest level and supports all major types of archives, including ZIP, RAR, CAB, ISO, 7Z, GZ, and GZIP.
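The two paragraphs above (password-protected files cannot be scanned without the key, and archives are unpacked recursively to their lowest level) both describe policy decisions a sanitization engine has to make before any per-file rebuild can run. The following is an added example of that archive-handling layer, written for this page and not taken from GateScanner: it opens a ZIP recursively, enforces a nesting-depth limit and a cumulative decompressed-size budget (the defensive caveat recursive unpacking needs), passes a caller-supplied password through to encrypted members and drops those it cannot open, keeps only members whose type the profile allows, and writes a fresh archive. The depth limit, size budget, allowed suffixes and the nested sample archive are assumptions made for the demo; the per-member sanitizer is a pass-through placeholder where a real engine would rebuild each file.

```python
import io
import zipfile

MAX_DEPTH = 5                        # assumed limit on nested archive depth
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # assumed cumulative decompressed-size budget
ALLOWED_SUFFIXES = (".txt", ".csv", ".pdf")   # constructed profile for the demo


class ArchivePolicyError(Exception):
    """Raised when an archive violates the profile; the caller fails closed."""


def _passthrough_sanitizer(name: str, data: bytes) -> bytes:
    # Placeholder for the per-file rebuild step. A real engine would
    # reconstruct the member here; this demo only applies the type policy.
    return data


def rebuild_zip(data: bytes, password=None, depth=0, budget=None,
                sanitizer=_passthrough_sanitizer):
    """Recursively unpack a ZIP, apply the profile to every member, and
    return (new_zip_bytes, report). `budget` is shared across recursion so
    nested archives cannot each claim a fresh allowance."""
    if depth > MAX_DEPTH:
        raise ArchivePolicyError("archive nesting deeper than MAX_DEPTH")
    if budget is None:
        budget = {"remaining": MAX_TOTAL_BYTES}
    report = {"kept": [], "dropped": [], "nested": []}
    out = io.BytesIO()
    # zipfile.BadZipFile from a corrupt inner archive is left to propagate:
    # a container that does not parse is not rebuilt.
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.is_dir():
                continue
            # Charge the declared size before reading so an oversized archive
            # is refused early. zipfile stops reading at the declared size and
            # verifies the CRC, so a member that lies about its size fails.
            budget["remaining"] -= info.file_size
            if budget["remaining"] < 0:
                raise ArchivePolicyError("decompressed-size budget exceeded")
            try:
                member = src.read(info.filename, pwd=password)
            except RuntimeError:
                # zipfile raises RuntimeError when a member is encrypted and
                # no (or the wrong) password was supplied.
                report["dropped"].append((info.filename, "encrypted: password required"))
                continue
            name = info.filename
            lower = name.lower()
            if lower.endswith(".zip"):
                nested_bytes, nested_report = rebuild_zip(
                    member, password, depth + 1, budget, sanitizer)
                dst.writestr(name, nested_bytes)
                report["nested"].append((name, nested_report))
            elif lower.endswith(ALLOWED_SUFFIXES):
                dst.writestr(name, sanitizer(name, member))
                report["kept"].append(name)
            else:
                report["dropped"].append((name, "type not allowed by profile"))
    return out.getvalue(), report


def list_members(zip_bytes: bytes):
    """Member names of an archive, used to inspect the rebuilt output."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return z.namelist()


def make_sample_archive() -> bytes:
    """Constructed nested ZIP for the demo: an allowed CSV, an executable the
    profile rejects, and an inner ZIP holding a text file and another
    executable. Not a real sample."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("nested/readme.txt", "inner notes")
        z.writestr("nested/tool.exe", b"MZ\x90\x00")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("report.csv", "a,b\n1,2\n")
        z.writestr("installer.exe", b"MZ\x90\x00")
        z.writestr("bundle.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    clean, report = rebuild_zip(make_sample_archive())
    print(report)
    print("outer members:", list_members(clean))
```

Sharing one mutable budget across the recursion is the detail that matters: a limit applied per archive can be multiplied by nesting, whereas a single cumulative counter bounds the total work regardless of depth. The encrypted-member branch is exercised only by real password-protected input, since Python's zipfile cannot write encrypted archives; it mirrors the behaviour described above of refusing to pass on a file that could not be opened for scanning.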

Providing details on vendor support and frequency of updates, as it has a bearing on the operational efficiency of the GateScanner solution, Yeroslav said that “Sasa Software recommends multiple daily updating of OEM AV definitions, which are provided directly from within the GateScanner solution. GateScanner CDR products are updated quarterly. All GateScanner products support audit trails.”

Weaving CDR into industrial environments

Industrial networks, especially those that support critical infrastructure, are high-value targets for attackers. These networks also face unique security challenges stemming from a prevalence of legacy systems, their need to secure physical components, and the growing interconnectivity with other networks, including the Internet.

Yeroslav revealed that network segmentation is a key component of OT security, aiming to isolate the critical production layer from the exposed IT environment. “However, content, in the form of system and firmware updates, as well as technical documentation, must routinely be transferred into the OT in order to maintain operations. Secure MFT solutions provide end-to-end secure data transfers, and diodes ensure one-way data flow, but they cannot ensure that the actual content being transferred is itself safe,” he added.

Protecting the Supply Chain with CDR

In an increasingly toxic global network environment, in which state-backed hackers and cyber-crime syndicates attack societal infrastructure almost daily, it is becoming extremely difficult, if not impossible, to secure a truly trusted content channel, even between long-time partners.

Yeroslav estimates that supply-chain vulnerability is now a given. “Organizations can no longer afford to trust files and emails arriving from the outside – not because of a lack of trust in their supply-chain partners – but because they realize that neither they nor their partner can be sure that the partner hasn’t been breached.”

Consequently, adopting a ‘zero trust’ approach to incoming content seems to be a logical step, Yeroslav pointed out. “CDR is in fact, a ‘zero trust’ implementation of content security. No matter what the source is – all incoming content, on any channel, must be aggressively disinfected to maintain network integrity. Nothing comes without a cost. The process adds a negligible latency and requires careful configuration to closely match risks, and specific use cases, but more and more network security teams are realizing that the CDR layer is no longer an option – it’s an imperative,” he added.

Ultimately, CDR frees the security team from attempting to establish a secure supply chain data channel.

Cybersecurity mandates that seek implementation of CDR

Yeroslav outlined cybersecurity mandates that call for the implementation of CDR across various domains. He began with the NIST SP 800-82 Revision 3 document where under ‘6.2.1.2 Physical Access Controls (PR.AC-2),’ the document said that when it comes to portable devices, ‘organizations should apply a verification process that includes, at a minimum, scanning devices (e.g., laptops, USB storage, etc.) for malicious code prior to allowing the device to be connected to OT devices or networks.’

The same document, under 5.1.2 covering ‘Defense-in-Depth Strategy,’ defined defense-in-depth as ‘a multifaceted strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of the organization. It’s considered a best practice. Many cybersecurity architectures incorporate the principles of defense-in-depth, and the strategy has been integrated into numerous standards and regulatory frameworks.’

Addressing OT-specific guidance and recommendations, it added that a ‘defense-in-depth strategy is particularly useful in OT environments because it can focus attention and defensive mechanisms on critical functions. Additionally, the principles of defense-in-depth are flexible, and organizations may find that they can be applied to a wide range of OT environments, including ICS, SCADA, IoT, IIoT, and hybrid environments.’

Yeroslav added that CDR also plays a defense-in-depth role in handling content with browser isolation solutions.

He noted, though, that “NIST 800-53 Revision 5 recommends ‘scanning storage devices,’ however, prefers wiping them, or blocking them altogether.”
