August 13, 2024

Last Updated on August 13, 2024

Cybersecurity resembles an endless game of cops and robbers. As new digital technologies emerge, both legitimate organizations and cybercriminals seek to leverage them. When businesses get better at blocking one class of attacks, hackers switch to a new attack vector.

For example, as more companies deployed firewalls, cybercriminals moved from network-based attacks to exploiting unpatched vulnerabilities in commercial software. As firms got better at patch management, hackers began intensifying their social engineering attacks—many of which rely on malicious links or documents.

Can organizations break the “cops and robbers” cycle by thwarting more social engineering attacks and disarming more weaponized documents? This article shares Votiro’s novel approach, called content disarm and reconstruction (CDR), which filters out malware by rebuilding the known valid document content.


Maintaining the security/productivity balance

Why do users open so many malicious documents? These are probably the two biggest reasons:

  • Users need to open documents to do their jobs.
  • Hackers keep coming up with new and improved social engineering attacks, including weaponizing new document types (e.g., QR codes).

Aviv Grafi, founder and innovator at Votiro, relates: “Right before I started Votiro, I was doing security audits. After three or four days of interviews, I would present a report, and also demonstrate how I could hack the client.”

Aviv’s go-to technique was to send a weaponized resume to the client’s HR department. The recipient was usually someone who needed to open and peruse maybe hundreds of resumes per week.

“How can we tell them, ‘Think twice, maybe that’s a malicious actor?’” wonders Aviv.

Security and productivity need to balance out. But the more conventional file-scanning automation you impose to weed out phishing attacks, the more it impacts user productivity.

Patching is another balancing act: patching too soon risks causing downtime, while delaying patching increases the risk of hackers finding exploitable vulnerabilities in your attack surface.


How CDR works

How can organizations reduce the risks associated with social engineering attacks without diverting users from their core activities? CDR does this by flipping how malicious documents are filtered and passed along to recipients—to focus on the valid content rather than the malware.

For example, if an HR employee is about to receive a resume in PDF format, CDR technology first extracts the relevant content elements, such as text, formatting, images, and markup, and reconstitutes them within a known-safe PDF template. That way HR sees all the applicant’s pertinent information with no perceptible delay, and any malware that may have been present gets left behind.

Whether a document contains malware in the first place doesn’t necessarily impact what CDR does or what the user sees. All digital documents an organization receives are regenerated and 100% safe.

This zero-trust, cloud-based, API-supported approach to threat prevention removes all possible malware, known or unknown. Votiro’s CDR technology currently can rebuild over 180 file formats constituting 99%-plus of today’s business documents, and integrates with Teams, Slack, Dropbox, Box, and other internal and external repositories.

“It resolves the cops and robbers problem because we’re not trying to chase the bad thing,” Aviv explains. “We know what the good things are in the document, so we can regenerate a safe version.”


Reconstructing documents versus files

There is a fine line between documents and files. The distinction is somewhat arbitrary but still worth explaining:

  • CDR focuses on documents, which contain content intended to be rendered for processing by humans.
  • CDR does not process files with binary encoding intended for machine consumption, such as executables (.EXE) and dynamic link libraries (.DLL).
  • CDR treats human-readable text formats such as JSON and XML as text files.

Many Votiro customers configure their CDR solution to block the transfer of executable files through email, Teams, Slack, and other channels. Another option is to configure how CDR handles executables in alignment with existing security tools or policy.
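To make the rebuild-from-content idea in “How CDR works” and the document/file distinction above concrete, here is an added example in Python. It is not Votiro’s code, file format or API: the XML-encoded “.tdoc” resume format, the allow-list of content elements, and the extension-based channel policy (block executables, re-encode JSON/XML/text as plain text, rebuild documents) are all assumptions; a real CDR engine identifies the format from the file’s contents, not its name. The point to notice is that nothing is “removed” from the incoming file: the output starts as an empty known-safe template, only allow-listed content is copied into it, and anything that fails to parse is blocked rather than passed through.

```python
"""Toy content disarm and reconstruction (CDR) pass.

Constructed example: the ".tdoc" format, the allow-list and the channel
policy are hypothetical and are not Votiro's format, API or code.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Content elements the rebuilt document may carry, and which attributes may
# survive on each. Everything not listed (script, embed, object, event-handler
# attributes, URLs, ...) is never copied. A real product would also re-encode
# image bytes into a fresh image; here only the alt text counts as content.
ALLOWED = {
    "h1": set(), "p": set(), "b": set(), "i": set(),
    "table": set(), "tr": set(), "td": set(),
    "img": {"alt"},
}

# Hypothetical channel policy following the document/file distinction.
BLOCKED_EXTENSIONS = {".exe", ".dll"}                # machine-consumed binaries
TEXT_EXTENSIONS = {".txt", ".csv", ".json", ".xml"}  # human-readable text
DOCUMENT_EXTENSIONS = {".tdoc"}                      # documents: rebuild


def rebuild(src: ET.Element, dst: ET.Element) -> None:
    """Copy allow-listed content from src into the fresh, empty element dst."""
    dst.text = src.text
    last = None  # most recent element copied into dst, used to re-attach tail text
    for child in src:
        tag = child.tag.lower()
        if tag not in ALLOWED:
            # Drop the element and its whole subtree, but keep the visible text
            # that followed it so the surrounding sentence still reads correctly.
            if child.tail:
                if last is None:
                    dst.text = (dst.text or "") + child.tail
                else:
                    last.tail = (last.tail or "") + child.tail
            continue
        attrs = {k: v for k, v in child.attrib.items() if k in ALLOWED[tag]}
        clean = ET.SubElement(dst, tag, attrs)
        clean.tail = child.tail
        rebuild(child, clean)
        last = clean


def disarm_document(data: bytes) -> str:
    """Parse an incoming .tdoc and return a copy regenerated on a fresh template."""
    # Fail closed: malformed input raises ET.ParseError and is blocked by route().
    # For untrusted XML in production, use a hardened parser such as defusedxml.
    root = ET.fromstring(data)
    if root.tag != "doc":
        raise ValueError("not a .tdoc document")
    template = ET.Element("doc", {"version": "1"})  # nothing copied from the source root
    rebuild(root, template)
    return ET.tostring(template, encoding="unicode")


def route(filename: str, data: bytes) -> tuple[str, str | None]:
    """Decide what the channel does with a file: ("block"|"text"|"rebuilt", content)."""
    ext = PurePosixPath(filename).suffix.lower()  # simplification: real CDR sniffs content
    if ext in BLOCKED_EXTENSIONS:
        return ("block", None)
    try:
        if ext in TEXT_EXTENSIONS:
            return ("text", data.decode("utf-8"))  # strict decode: non-text bytes are blocked
        if ext in DOCUMENT_EXTENSIONS:
            return ("rebuilt", disarm_document(data))
    except (UnicodeDecodeError, ET.ParseError, ValueError):
        return ("block", None)
    return ("block", None)  # unknown type: fail closed


def summarize(xml_text: str) -> dict:
    """Inventory of a rebuilt document: element names, attribute names, visible text."""
    root = ET.fromstring(xml_text)
    return {
        "tags": [el.tag for el in root.iter()],
        "attributes": sorted({k for el in root.iter() for k in el.attrib}),
        "text": "".join(root.itertext()),
    }


# Constructed sample: a resume carrying script, an embedded object and event handlers.
WEAPONIZED_RESUME = b"""<doc version="1">
  <h1 onload="run()">Jane Doe</h1>
  <p>Experienced <b>analyst</b> with <i>five</i> years in finance.</p>
  <script>alert(1)</script>
  <p>Contact: jane@example.com <embed src="cid:2"/> via email.</p>
  <img src="cid:1" alt="headshot" onerror="run()"/>
</doc>"""

if __name__ == "__main__":
    samples = [("resume.tdoc", WEAPONIZED_RESUME), ("setup.exe", b"MZ..."),
               ("config.json", b'{"a": 1}'), ("broken.tdoc", b"<doc><p>unterminated")]
    for name, payload in samples:
        action, content = route(name, payload)
        print(f"{name}: {action}")
        if action == "rebuilt":
            print(content)
```

Running the script prints the action taken per sample file and the regenerated resume, in which the script element, the embedded object and the event-handler attributes are simply absent while every piece of applicant text survives.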


How Votiro handles password protected and encrypted content

Encrypted and password-protected documents present similar issues for both traditional and CDR anti-malware approaches. The automation requires a decryption key to view or deconstruct an encrypted document. Otherwise, it is blind to the contents.

Votiro solves this problem with a self-service workflow. When the software encounters a password-protected email, archive, or other document, it asks the user for the password. If they have it, Votiro can reconstruct the encrypted document and share it like any other document.

While the user’s productivity is still impacted, the time lost is much less than with traditional approaches, which often require a help desk call.


How Votiro uses AI to process macros in documents

The Votiro solution works from vendor-supplied file format information. It doesn’t require AI or machine learning to perform CDR, because it is already an “expert system.”

However, AI is very useful to help Votiro distinguish between safe and malicious macros in spreadsheets and other documents. The “better safe than sorry” approach has been to strip all macros out of documents. But what about macros that users need for financial processing? Removing these macros would make a document effectively useless and greatly harm productivity.

AI and machine learning can, however, help train the software to analyze macro code and differentiate legitimate from dangerous macros. In simplified terms, this involves identifying, at run time, actions that are flagged as potentially risky, such as interacting with storage or the network. Macros that strictly manipulate data within a worksheet are deemed most likely safe.
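An added example in Python (not Votiro’s classifier, which the text describes as dynamic and ML-assisted) of the simplest form of this triage: a static scan of macro source that records which capabilities a macro references and calls it worksheet-only if it references none. The category names, the pattern lists and the three sample macros are constructed for the example. String-building constructs count as risky on their own, because a static scan cannot see what such code assembles at run time; that blind spot is exactly the gap the dynamic analysis in the text closes.

```python
"""Static capability scan for spreadsheet macros (constructed example)."""
import re

# Capability categories and the (case-insensitive) VBA constructs that reveal them.
# Worksheet data manipulation (Range, Cells, Formula, ...) is deliberately absent:
# a macro that references nothing below is treated as worksheet-only.
CAPABILITY_PATTERNS = {
    "autorun":     [r"\bAuto_Open\b", r"\bWorkbook_Open\b", r"\bDocument_Open\b"],
    "filesystem":  [r"\bFileSystemObject\b",
                    r"\bOpen\b.*\bFor\s+(?:Output|Append|Binary)\b",
                    r"\bKill\b", r"\bSaveAs\b", r"\bMkDir\b"],
    "network":     [r"\bXMLHTTP\b", r"\bWinHttp", r"\bURLDownloadToFile\b",
                    r"\bInternetOpen"],
    "process":     [r"\bShell\b", r"\bCreateObject\b", r"\bGetObject\b"],
    # String building a static scan cannot see through; risky on its own.
    "obfuscation": [r"\bChr[BW]?\s*\(", r"\bStrReverse\s*\(", r"\bXor\b"],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
            for cat, pats in CAPABILITY_PATTERNS.items()}


def _is_comment(line: str) -> bool:
    """Full-line VBA comments start with an apostrophe or Rem and never execute."""
    s = line.strip().lower()
    return s.startswith("'") or s.startswith("rem ")


def scan_macro(source: str) -> dict:
    """Return {"findings": {category: [line numbers]}, "verdict": "worksheet-only"|"risky"}."""
    findings = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        if _is_comment(line):  # trailing comments are not stripped; that errs on the risky side
            continue
        for cat, regexes in COMPILED.items():
            if any(r.search(line) for r in regexes):
                findings.setdefault(cat, []).append(lineno)
    verdict = "risky" if findings else "worksheet-only"
    return {"findings": findings, "verdict": verdict}


# Constructed sample macros.
SAFE_TOTALS = """\
Sub Totals()
    Dim r As Long
    For r = 2 To 20
        Cells(r, 5).Value = Cells(r, 3).Value * Cells(r, 4).Value
    Next r
    Range("E21").Formula = "=SUM(E2:E20)"
End Sub
"""

RISKY_AUTORUN = """\
Sub Auto_Open()
    ' constructed sample: touches storage and the network when the workbook opens
    Open "notes.txt" For Output As #1
    Print #1, Range("A1").Value
    Close #1
    Set http = CreateObject("MSXML2.XMLHTTP")
End Sub
"""

OBFUSCATED = """\
Sub Build()
    Dim s As String
    s = Chr(88) & Chr(77) & Chr(76)
    Range("B2").Value = StrReverse(s)
End Sub
"""

if __name__ == "__main__":
    for name, macro in [("Totals", SAFE_TOTALS), ("Auto_Open", RISKY_AUTORUN),
                        ("Build", OBFUSCATED)]:
        result = scan_macro(macro)
        print(f"{name}: {result['verdict']} {result['findings']}")
```

The third sample writes only to a worksheet cell, yet it is still flagged: the value it writes is assembled from character codes, so a static scan cannot tell what it is, and the safe default is to treat the macro as needing dynamic analysis or removal rather than as worksheet-only.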

By taking more of the burden of identifying malicious documents off both users and IT/security teams, Votiro’s CDR technology boosts productivity while providing a more effective defense against file-based attacks. The solution is quick to deploy and begins delivering value immediately.


What’s next?

For more guidance on this topic, listen to Episode 141 of The Virtual CISO Podcast with guest Aviv Grafi, founder and innovator at Votiro.