CDR: What Is It, & Why It Is the Ultimate Solution for Known & Unknown Threats
Thank you so much. Can you hear me? Okay. Yeah, that's great. Thank you. Looks like we're a small crowd. By the way for the ones in the back. If you guys want to kind of learn more about CDR really welcome you to come closer. It's pretty cozy here. I know I think it's a it's a bigger event. So I really welcome you don't have
to I'm not I I promise I'm not gonna I'm not gonna leave the stage. So first I want to say thank you to GovWare for the opportunity to go and be one of the sponsor of the events. So thank you so much. It's my first time to Singapore. This is great. And so I'm going to talk about CDR, though before we talk about CDR., let me introduce myself.
My name is Benny Czarny. That was the first computer I programed on. That x811k great great machine. So I founded the company called OPSWAT. We focus on critical infrastructure protection and initially I founded the company in 2004. It was
a bootstrap. and I was the VPR India was the VP sales. I was also the VP of coffee making. And then the company grew and and became bigger now VPs, regional VPs, SVPs, C-levels and so on. So I have more time to
spend my family do some sports and also here visit Singapore. A company grew so we are a global company protecting critical infrastructure. Critical infrastructure is everything that Homeland Security defines as critical infrastructure, which is banking water, manufacturing... everything that is defined as critical pretty much way of life. And for that we have built a platform a full
platform with 21 products. And what's unique that since 2011 we've building CDR that is powering each one of the platform. and and in 2014 there was an interesting attack called the BlackEnergy. Anybody remember what was the attack? BlackEnergy attack? There is some cool video in the background, anybody remember? BlackEnergy. What is what is all about? It was actually pretty trendy now it was in Ukraine.
There was a cybersecurity attack on Ukraine... 6,000 people were disconnected from power. Anybody know this? What kind of what happened there? How the attack happened? Anybody remember? Yes. it was anybody remember? It was an Excel file. Excel file with with a macro that ends up creating a disruption.
So... and that was and that I was checking in my head and say “Hey, it's like CDR could have prevent that. So hey, what's what's happening with that?” and since then we’ve been marketing CDR. We've been I was I'm personally and writing in the midst of writing a CDR book and I really want to share in these 28 minutes that is left for us is about CDR and to a point that the agenda is going to talk about First I'm going to talk about a different malware detection and prevention technologies After that, I'm going to talk about what is CDR.
And then I'm going to talk about what is Deep CDR. And after that I'm going to talk about several tips that each one of you can leave here how to select the right CDR vendor for your organization Okay. Anybody here know CDR before we begin? Anybody raise your hands... anybody knows CDR? What is CDR or anybody knows? Antivirus, raise your hand anybody know what is antivirus? Okay, sandbox, anybody knows? What is a... okay. So I'm going to talk about malware and vulnerability. So
I'm going to talk about focus on two different technologies... one is antivirus, and then second is sandbox. So first from... This is a AV Test.
AV Test is a German company over one billion malware is out there... way more. And then vulnerability is obviously hundreds of thousands. So we'll talk about big big, kind of big big numbers here of a malware and vulnerabilities.
So whenever we talk about antivirus there is I think a big confusion in the market about antivirus efficacy. And the two ways at least two ways to operate your antivirus that you know. One is the real-time way the real-time... whenever you install an antivirus on the machine, the real-time protection way, there is one way pretty much protecting a device and another one another way to operate your antivirus is either via API or command line to scan a file statistically so on on this operation the antivirus will need to pretty much needs to protect the device and assessing what's happening on device on a ongoing basis and scanning a file. It's all about looking at the file and predicting, “Is that good or bad?” before you execute that.
What is good for real-time protection is to actively protect your devices phones, whatever you install it on. However the static file scanning, it's used for other things: for your email scanning whenever you see email flowing in; USB scanning; file scanning whenever you have that drive scanning, USB scanning. Right, so it's two different ways to operate and why it's important to understand. It's very very important to understand these two ways to operate an antivirus because whenever we check the real-time protection. so what you see on this chart right now is AV Comparative... AV Comparative is a German another German
vendor and what they do is every month they check and test many on different antiviruses and write reports about their efficacy preventing malware. So in this report of AV tested I took from September 2021. You can see on this column the offline detection and here the online detection. And what you see here, it's like you see the numbers are changing. So you can see that there is a big gap between the offline detection and the online detection. Anybody knows
why? Why there's a big gap between those? And again, this is the real-time protection. This is whenever you install the antivirus to protect the device. Anybody knows why there's a big difference? Hint. I already talked about it before. A lot of malware right more than a billion malware.
You can't expect to have a database with a billion malware on a device to a point that antivirus will be effective or efficient to go the to see a big gap between them. now whenever you look at the same report that I took for you for March 2022. What you see is the numbers completely. different. A great antivirus became a terrible antivirus
and a terrible antivirus became a great antivirus. So you can see that the quality of the antivirus efficacy on real time is changing Let's look at the false positive. False positive is another issue of antiviruses. Anybody here ever got a false positive. Anybody got it's annoying. It's again,
we need to live with that. It's like we live with some diseases. So if you look at comparison then The real-time protection protect devices. The malware prevention. We're talking about moving between the form 87 to 99% to 40 to 92.3 whenever you disconnect an antivirus from the internet. This is very
important protecting critical infrastructure. Okay, whenever we look at the supported file types... Any false positive? Yes vulnerability. I'm not going to talk about too much about don't have enough time to talk about vulnerability. So it does detect some vulnerabilities. The analysis performances is millisecond however the prevention quality is keep changing and you need to remember that so a great antivirus today could be a terrible tomorrow. So we said that two ways right to test to operate in antivirus one is real time. And another one is it's kind of fine.
So we didn't find a public a third party testing that tests that. So we build MetaDefender Cloud. If you end up after this presentation, you can go and visit www.MetaDefender.com And what what you see there, you take a file and you can scan it with like 40 different antivirus engines.
You can also CDR files there. It's all for free. And we operate this website is a free website so we can millions of files every day many of them are malware. and we test. the efficacy of static scanning of each one of these antiviruses. We take the top 10,000 files 10,000 files by the
way, and we keep showing the statistics on the website. So we check that the top 10,000 malware that we see that most common 10,000 malware and we run it by different antiviruses. So in this report, you see 37 antiviruses. So you see the best results we
get is 76.32% on these specific day, by the way, it is changing. The worst performer talking about 6.2% Which means the the efficacy of static scanning is significantly lower than the real-time protection.
Now, let's look at false positive rate very similar to real-time also false positive sometimes. Some antiviruses are really terrible some antiviruses are yes, we should expect. False positive very similar to the real-time protection as well. The performance analysis were talking about milliseconds. So it is slightly slower than the real-time protection whenever they can the device is operating, tho we are talking about milliseconds, depends on the file, depends on the antivirus.
So, let's see what we have here. So if we have on this table that we have so we have again. Let's compare the file scanning to the realtor and protection so we can see that the difference is data flow or something is very obvious here. Is that The protection level of file scanning is significantly lower than the real-time protection.
Okay, let's go to sandboxes. So like 10 years ago sandboxes became a big deal, right? So send boxes. And what is the sandbox? Anybody know sandbox take a file. Let it run explode in its own virtual environment. And then you monitor this virtual environment and trying to predict. Is that going to be a malware or not, right? So And we have by the way, we have a Sandbox as well.
One of the Technologies. We need to analyze malware too so we have a Sandbox. I'm not going to go and start promoting our products however what I'm talking about is simply CDR technology.
So and we compare Vendor A to Vendor B in our lab. I'm not going to tell you which one is ours though. We and it's so sandboxes. Is very much depends on the file types that you do and again, it is a predicting and it's very effective for file flows.
So you can put sandbox on your email flow on other flows. Though again. We see some really nice results not nicer than static scanning, though not 100%.
Whenever we look at false positive rates, typically we see it higher than an antiviruses and here we see three different vendors that we looked at sandbox comparison. So we see sandboxes slightly higher false positives. however, whenever we go to Performance This comes the big issue. We're talking about not milliseconds.
78 seconds to 300 seconds to run an executable or another file type to make a decision or to predict whether it's going to be good or not. So file types different sandboxes support the different file type. So if you if you're selecting sandbox To protect your data flow too. Another thing you want to go and check. What are the file types that these specific sandbox support? Okay, so let's compare what we have now. So you can see that the antimalware file scan you see six to 76 and I see a higher rate. However, the big big big deal that
we have here is that the file type supported for sandboxes is limited where in antivirus theoretically, it's not . It is, tho theoretically it's not. And the speed is way way slower talking about order of magnitude slower than an antivirus technology. So clearly we see a very big flaw in the industry. Right, there's so much and I'm not not blaming because you see there's so much marketing budget in the event just just behind us. and the big flaw in the industry is about that all of these Technologies are based on detection.
Even the best antivirus you get AI it's all based on detection. You see a file see a behavior and then you need to make a decision whether it's good or bad and based on that getting action. And the another is that you see all of the evidence here is that this is not perfect. This sometimes slow. Sometimes fast depends. This is also sometimes depending on specific file types.
And that's getting our whole industry to a whole thing about okay detection response prevention. Okay detection. Oh and then and then to some extent. The industry is going all these detection is not going to work. So
I'm gonna do it again and again and again. That is why you have all incident response and a whole industry around that and pretty much the market is used to to all of that. So what is CDR? CDR taking the exact same concept of let's assess that and assume it's all bad. And taking a file. Regenerating the file to a new file, discard the file it you suspect it's going to be bad and use the new file.
So again, why do we even make a decision whenever you can really regenerate the file? Assume everything is bad. Trust no file. Assume everything is a virus you're going to regenerate if you have if you can truly trust you can regenerate the file in the secure way. Why should be a malware in the first first place? Okay. So another way to go and illustrate is okay you go camping. You get some water you you are not sure whether it is bacteria there the viruses in the water so you can distillerize the water and you can get get the Steam and after that purify the water and then the drink the water purify the water. That's one way to look at kind of
the concept and anybody here knows who is Dory the Sheep. Dolly the Sheep anybody knows who is Dolly the sheep? Okay. So so you see you have a sheep you want to eat the Sheep. I'm hoping nobody is vegetarian and they want to eat the Sheep you so you take a DNA or you don't have either the viruses they were not so you take a DNA sample the regenerate the sheep in a secure and safe environment and you grow the sheep and then you take this sheep and pet it or eat it or whatever you want to do. and It's another way to another concept to go and look and think about CDR.
so also whenever you look at CDR, I've seen by the way. We work in 81 countries. I've seen all kinds of description to CDR. Some of them are politically correct. Some of them are not politically correct. And you can see by the way we ask our Channel Partners who are very strong with Channel Partners. We ask them to help us to with this translation. You can see it in in Korean in Arabic
in German in Japanese in Vietnamese. So all kinds of kind of ways to go and describe that I hope you can find. And by the way if you guys taking pictures, I'll be very happy to share with you the slides and after that you can get the business card for me or Malcolm here with the country is a VP of APAC is here at the first first row. And so what is good for CDR? It's good for file-based malware, for known malware and by the way we should not take known malware for granted. We can prove to you today. Go to MetaDefender Cloud. There are tons of known malware other that not even known antivirus is not detect his malware.
File based, unknown malware. So we have a targeted attack on anything coming to you very effective. File based known vulnerability, known vulnerability in a file based means that you can get take to take like a JPEG with a buffer overflow and hack with that your IoT device or your computer bunch of vulnerabilities around that. Okay. or file-based unkown vulnerability so we have government based.
So if you have running a governmental operation and you have afraid that another foreign government is going to be sitting on a huge database on filed on file based unknown vulnerability going to attack your critical infrastructure. extremely effective. extremely effective.
What's not good for? It's definitely not good to analyze malware because you can't analyze malware if you regenerate the file... it discards the file. You assume it's bad you regenerating a regenerating a file. You cannot assume to go and use that. It's not good for executables. I'm not aware about the way.
To regenerate an executable using CDR. and it's someone saying “Hey, why can't you kind of do that?” Many executables are encrypted. So it's literally very hard to regenerate that.
And also network based vulnerability so it's not really effective for that. So if you're looking to do that, I think it's important the industry needs that CDR is not going to be it's not gonna help you with it. Let's give you some examples so you can take this example so you can even share you with the link with MetaDefender Cloud. So we have a Sandbox there you can go and analyze those there. So. This is a vulnerability CV 200. You can see the numbers there. And then this is an unknown vulnerability.
It was a zero day for years and then it was discovered and then in order object with HTML protocol. Known malware such as a largest Trojan bot and could have prevented by global CDR implanted in implementation worldwide. You can also see that after that for the ones of you we have links to the specific malware that we analyzed in the cloud. Another one is for stenography. So if somebody is trying to take a malware. Embed it into the image to a point you can decode that so the regenerating format is gonna also regenerate the file and also create a a file format to to do that and we have a lot of kind of those if you want to do some more reading about that.
and we have some online data about that. So let's compare CDR to our technology so we can see that the CDR is again is for dataflow. So I put together here malware prevention for 100% with apostrophe here. So we've been working with Homeland Security.
on several file formats that we are not aware about the way to hack those. It doesn't mean that it's not possible. So I take it with a grain of salt though. We are not aware and the US Department of Homeland Security is not aware about the way to hack those.
and Malware detection is not really effective. Though be aware that the file types support is limited to the specific file formats that you have, right? The false positive is not really available. It's not really kind of applicable here. The vulnerability prevention effective not for all. Or some Network base that's not going to be applicable to.
and then The performance is very similar to the file scanning of an antivirus, okay? And then the prevention quality is constant wherever sandbox and others keep changing. So again, it's not good for everything, tho extremely effective if you know how to use it on specific parts of your network. So I promise we'll talk about deep CDR, right? So what is CDR and what is Deep CDR? anybody knows what's common to this five types? anybody knows what's what's unique about this file types on this one? Archives good Five Points. That's great archive see all archives. So today. Not only zip doc. Excel PowerPoint PDF. They're all archives. Many file
types today. became archives. So a PDF, I think version 4 already became an archive so And what what it created create us? a big challenge here because if you put an image inside a PDF And stick it in the Word document. That's a
big challenge, right? So it may sound easy to some and if you have Engineers here on the any engineer here on the on on in this in the crowd anybody's in anybody here is an engineer. Nobody's an engineer. Anybody can code anybody can code here. Okay, so so it's it's a some would say. Oh, it's a CDR is a recursion recursion means that take the PDF. You'll need to open it up and put the PowerPoint inside and then open it up and open it up and continue doing that recursively up until you pretty much CDR’d the whole document recursively. So recursive CDR is
a Deep CDR. and and why is that important because many malware today are coming and that's really how to do an effective way. CDR is complex by its own thing by its own mean CDR is very hard to do. So doing recursively whenever you have different file formats changing and you need to do the whole thing in a secure way. It's very hard, especially when malware writers such as Embedded the document that we can actually have you an example here and also another CVE a Microsoft CVE that also is a applicable only on a archive files. In this specific .doc file that actually download an HTML
file and all the object extremely complex. However deep CDR is effective here. And for that also, we have some samples for the ones a few interested. There is a
live link you can go to a online that you can see how the file is being scanned. You see in this specific case only nine different antiviruses. Detected this malware as a threat and however, it was a malware and then on the Zero date was actually 0 after the 35. So we talked about CDR we talked about Deep CDR. We talked about different antimalware Technologies. Now I'm going to talk about how to select your CDL vendor, right? So the number one question to ask yourself Does it really work? I've seen so many companies claiming to have CDR technology.
Though, how can you really test that it worked? They're tested you're going to test it yourself. Do you have a lab to test the CDR technology? You see lots of folks saying. Oh we have CDR, it's great though test it really test it. Or if you don't you cannot test it ask to to read the test plan.
Oh ask for third party validation or if there is anything or ask the vendor, do you do crowdsourcing? I want to see the log results that's another way to go and do if somebody is hiding that information from you. I would advise not to work with them. So we talked about that that CDR is very much depending on file types. So How many file types are supported and asked to see the performance analysis per file type. So to a
point? What are the supported file types? Anybody knows how many file types are out there? anybody thinks less than 500 raise your hand. more than 500 everybody else is asleep. Okay. So they're more than 5,000 file types, and it's growing growing and growing and growing and each file type is multiple versions. So supported file types, and you also want to check that these supported file types. are effective for your organization because if you are for example you deal with AutoCAD files? Then you want to make sure that AutoCAD AutoCAD is a huge Vector for attacks right away. And you want to see that AutoCAD files are support. Data channels. So CDR is a technology the
end of the day. It's not like a product. It's not CDR is not a product. You need to see what type of data channels are supporting the organization. So for example, do you have an email product? You can over you're not expecting to going to build your own email security product in to take the CDR and bring that to the email so ask do we have an email plugin? do you have integration to the network traffic Does it have API has to review the APIs. Ask your engineers to review the APIs if you want plan to embed it to your data flow. Does it have a removable media integration or storage integration? Another thing you want to go and check is the quality of the construction and that's back by the way easy to go and check doing the POC just install the product and run different file formats.
throughout the system move video files if the vendor support video files or images and try to see the files before in the file after to see the quality changing. We talk about Deep CDR. So we want to see that archives are supported.
And with archives, please be careful though multiple attacks on archives. And so for example, there's an archive bomb anybody knows what is an archive bomb. So put an archive in an archive and by creating an archive bomb, you're literally attacking the CDR or the archiving engines. So you want to make sure that the vendor is not only supporting the archives also supporting.
prevention for attacks that are targeting archive performance So whenever you look at performance. It's very file type specific. So if a vendor is telling you all we support everything is 0.1 milliseconds. Okay, which file type? Ask to see a performance analysis profile attack, that's extremely and also see that the file types that you really care about. Security of the sanitization process so sanitization regenerating a file. It's A it's a process to take a file and create a new file.
And after that take the original file, open it up and many times. It's a malware. And take the files and then regenerated the new file. So it's a very complex system. So you need to ask the vendors show me a design diagram.
Of your CDR engine. How do you protect your CDR engine? Attackers are attacking the CDR. They know the CDR is more and more used. I mean, we're more than 1500 customers and pretty sure that attackers knows that and trying to target and trying to target our CDR. So what is the security?
Another thing you want to ask yourself, “Is this a secure development lifecycle?” Do you really kind of how your engineering work? Is there a static code analysis? How is that being done? Ask to see a report of the static code analysis of the CDR? Nothing wrong with that. Debug mode, so another thing that we found is that and using CDR and implementing CDR in many organizations is We get a lot of initially we had a lot of resistance for CDR deployment. So debug mode enables you to actually run CDR and see exactly what's happening in the CDR like okay opening the archive, getting these, rebuilding that, and ask to see a detailed log file of the CDR. If the vendor is trying to hide that from you be careful. because be careful because again from experience that's that's something to go and ask for. Another thing that you want to go and check is the compliance and the certification of the vendor, specifically Common Criteria that is looking for design of how you radical and others the certification of the vendor that you want to share. Make sure that your your really believing in and very
applicable to your company. and lastly this example of BlackEnergy, you can see that actually 19 engines today actually detects that as a malware or as I mentioned before we see the CDR the malware and disruption to 6,000 households could have been prevented. So I'd like to thank each one of you and I have a minute to go. So maybe any questions that the audience have.
*Audience asking question* Yes. *Audience asking question* Say again? Oh and look at the product in action. Yeah, definitely. You can go to MetaDefender Cloud, I welcome each one of you can take any file you upload.
We limit it only to like 10 different file formats on online very soon, we're going to open up the rest of the file formats. You can also download the whole product on our portal on OPSWAT.com and you can use the product and actually check the CDR. The best is also
you can talk to we have Sales Engineers here. So with pleasure, we'll be able to go and meet after that and you can see. Or again you can do the online MetaDefender Cloud, you can see it also online. We have a live sandbox that we can actually can also analyze malware live with the sandbox. Any other questions?
Okay, so let me summarize... so we talked about malware prevention Technologies. We talk about CDR. What is CDR we compare the folks for the ones of you that interested in the copy of the presentation. Please come here. We'll be able to go and I'll personally make sure that you get a copy. Thank you so much guys and thank you for GovWare for this hospitality.