You may trust your users, but can you trust their files?

In this Help Net Security podcast recorded at RSA Conference 2019, Aviv Grafi, CEO at Votiro, talks about their Content Disarm and Reconstruction (CDR) technology for protection against cyber threats.


Here’s a transcript of the podcast for your convenience.

We’re here with Aviv Grafi, CEO of Votiro. Hello, how are you?

I’m great. How are you?

Great. Can you tell us a little bit about Votiro?

Sure. Votiro is a cybersecurity company, we’re headquartered in Israel, and our mission is to prevent any inbound document threats out there. No matter what detection and protection measures we put on each and every source of documents, like email or web downloads, hackers can still evade them, and we still suffer from those kinds of weaponized documents, fake invoices, and stuff like that. Our goal and mission is to stop that completely by doing a different thing.

You must be well versed in this FlawedAmmyy malware that has just been released, attacking Excel 4.0 macros. Is that right?

Yeah, exactly. Actually, that’s one of the wonderful examples that we saw in the last year that those kinds of protection, like sandboxes, antimalware and all those kinds of protection, try to detect all the bad stuff, but we’re failing in actually predicting what the hacker will finally do. Definitely, that malware is something that caught the industry unprepared. This is one of the things that we thought about in Votiro. This is a great example, because what we do is take those documents, for example those Excel spreadsheets, and instead of trying to look for the bad stuff, whether there is a bad image, bad link or embedded object, we know what the good stuff is.

We know that the formulas are OK, the pivot tables are fine, the graphs and everything. And then we reconstruct a safe version of that Excel spreadsheet. There’s no need for those legacy and very dangerous features that might be in those files. This is actually one of the great examples where hackers can think ahead of us, but we need to do something different to solve that.

You talk a lot about Content Disarm and Reconstruction technology. Can you talk about what that technology is and how your users are using it?

As I explained, one of the things that all those defense systems are actually doing is trying to detect, trying to look for the known malicious behavior, known malicious signatures, known malicious elements, hashes; some of them, like antimalware, use signatures, and sandboxes use known malicious behavior. Machine learning, that’s great technology, it’s actually trying to learn from the past and predict the future, but we know that this is not sustainable. Our idea is instead of trying to look for the bad stuff, we know what the good stuff is.

For example, in PDF, like I explained, we take the text, take the images, bookmarks, everything that is really related to the user experience, and we know that this is the good content. This is actually what we need. By taking this out, generating a safe version of that document, we know that everything that might be nasty, might be malicious, maybe the hackers will use it in the future, will be kept outside the organization. This is the basic idea behind the content disarm and reconstruction.

When we actually pioneered that approach a few years back, it was very difficult to explain why we need it. But in the last couple of years it became even easier to explain, because all those detection systems actually failed. We need to have a different approach.

What you’re saying is interesting because your use cases can be outside of security, right? You have use cases within HR, you have use cases within insurance, anybody who’s receiving a document in their email could be at risk of getting attacked in this sort of way, correct?

Right. Actually, you’ve mentioned a very interesting use case, you’ve mentioned the HR. A recruitment department in companies today, their job is to screen hundreds of resumes a day, and the source of those resumes is from the outside. We cannot really trust who sent us those resumes.

On the one hand, they need to do the job to screen those resumes. On the other hand, the CISOs actually tell them: “think twice before you open a document, think twice before you actually copy something”. That poses a challenge to the organization – how to be secure but not compromise on productivity. In this challenge we are sure that the business should win. We need to allow the organization to work. For example, for the recruitment companies what we do is, we allow them to receive resumes in a safe version of those resumes, making sure we don’t need them to think twice before they open any document coming from the outside. Allow them to work seamlessly.

Can you talk a little bit about threat factors that you’re seeing? I know a lot of these documents or a lot of this malware can be delivered through phishing campaigns. Are you seeing that in the market? How is that manifesting itself?

One of the things that we see more and more is that phishing campaigns have become more and more sophisticated. One of the phishing campaigns that was actually discovered a month ago was someone who was sending an email from Bank of America. That hacker did a great job actually building a genuine-looking attack, saying that this is an email from Bank of America to a recipient, with an attachment (an Excel spreadsheet) weaponized with a malicious macro. Actually, the email address it was sent from is a legitimate email address of Bank of America.

That hacker built a LinkedIn avatar with the name of a Bank of America employee. It looks and feels exactly like a real Bank of America email. On top of that, those phishing attacks where we were used to getting some suspicious or dodgy links in emails are not there anymore. They’re moving those attacks into the document because no one actually scans those documents. We see that the email is legit, we trust the attachment, we open the attachment, that’s it, we’re infected. We see that the attack has gone from the email body to the attachments.

Aviv, before you head back into the RSA fray, do you have anything to leave us with?

Yes. For our audience that thinks of security every day, you should think about how you can allow your users and your colleagues to be productive. Security is not about putting up fences. You need to think about how to let people work without compromising on security.

Aviv Grafi from Votiro. Thank you so much.

Thank you very much.
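The Excel reconstruction Grafi describes above (keep the formulas and sheets, rebuild a version of the file without the "legacy and very dangerous features") is what a CDR pass looks like at the container level. The following is an added example for readers of this page; it is not Votiro's code and not something from the interview. Modern Office files (.xlsx/.xlsm/.docx/.pptx) are ZIP archives of XML parts glued together by relationship files and a content-types manifest, so a minimal CDR-style rebuild can be written against the Python standard library (3.8 or newer): allow-list the parts that carry user content, drop the VBA project, the Excel 4.0 (XLM) macro sheets, OLE/ActiveX embeddings and external links, remove the relationship and content-type entries that pointed at them, fix up the workbook's sheet list and any Auto_Open defined name, and write a brand-new archive. The blocked part paths and relationship-type suffixes are the ones used in the OOXML/OPC specifications, but the list is an editorial choice here, not a complete one; the sample workbook is constructed inline and deliberately stripped down (no shared strings, styles or docProps), so it exercises the scrub logic rather than opening cleanly in Excel.

```python
"""CDR-style rebuild of an OOXML package (xlsx/docx/pptx are ZIP archives of XML parts). Added
illustration, not Votiro's code: keep the parts that carry user content; drop VBA, Excel 4.0 (XLM)
macro sheets, OLE/ActiveX objects and external links; scrub the relationships and content types
that pointed at them; write a brand-new archive. Requires Python 3.8+ (xml_declaration, walrus)."""
import io, posixpath, re, zipfile, xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
SML_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
ET.register_namespace("r", R_NS)
BLOCKED_PART_RE = re.compile(  # parts that carry code or foreign objects rather than the user's content
    r"^(?:xl|word|ppt)/vbaProject\.bin$|^xl/(?:macrosheets|externalLinks)/"
    r"|^(?:xl|word|ppt)/(?:embeddings|activeX)/|oleObject\d*\.bin$")
BLOCKED_REL_TYPES = ("/vbaProject", "/xlMacrosheet", "/externalLink", "/oleObject", "/control", "/package")
MACRO_FREE = {"application/vnd.ms-excel.sheet.macroEnabled.main+xml":  # macro-enabled main part -> plain flavour
              "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"}

def _resolve(rels, target):  # a relationship Target is relative to the directory of the part owning the .rels
    base = posixpath.dirname(rels.replace("_rels/", "", 1))  # 'xl/_rels/workbook.xml.rels' -> 'xl'
    return target[1:] if target.startswith("/") else posixpath.normpath(posixpath.join(base, target))

def _xml(root, default_ns):
    ET.register_namespace("", default_ns)  # serialize with xmlns="..." rather than ns0: prefixes
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def _scrub_rels(rels, data, surviving):
    """Drop relationships with a blocked type, or whose internal target no longer exists."""
    root = ET.fromstring(data)
    for rel in list(root):
        internal = rel.get("TargetMode", "Internal") == "Internal"
        if rel.get("Type", "").endswith(BLOCKED_REL_TYPES) or (
                internal and _resolve(rels, rel.get("Target", "")) not in surviving):
            root.remove(rel)
    return _xml(root, REL_NS)

def _scrub_workbook(data, rels_data):
    """Remove <sheet>s whose relationship did not survive (the XLM sheet) and defined names such as
    _xlnm.Auto_Open that still point at one of them."""
    root, live, gone = ET.fromstring(data), {r.get("Id") for r in ET.fromstring(rels_data)}, []
    for sheet in list(root.iter(f"{{{SML_NS}}}sheet")):
        if sheet.get(f"{{{R_NS}}}id") not in live:
            gone.append(sheet.get("name"))
            root.find(f"{{{SML_NS}}}sheets").remove(sheet)
    for dn in list(root.iter(f"{{{SML_NS}}}definedName")):
        if (dn.text or "").split("!")[0].strip("'") in gone:
            root.find(f"{{{SML_NS}}}definedNames").remove(dn)
    return _xml(root, SML_NS)

def _scrub_content_types(data, surviving):
    """Drop <Override>s for parts that no longer exist; downgrade the macro-enabled main type."""
    root = ET.fromstring(data)
    for el in list(root.iter(f"{{{CT_NS}}}Override")):
        if el.get("PartName", "").lstrip("/") not in surviving:
            root.remove(el)
        else:
            el.set("ContentType", MACRO_FREE.get(el.get("ContentType"), el.get("ContentType")))
    return _xml(root, CT_NS)

def disarm(package):
    """Rebuild an OOXML package from its allow-listed parts; returns (clean_bytes, kept_parts, removed_parts)."""
    with zipfile.ZipFile(io.BytesIO(package)) as src:
        names = src.namelist()
        parts = {n: src.read(n) for n in names if not BLOCKED_PART_RE.search(n)}
    for name in [n for n in parts if n.endswith(".rels")]:
        parts[name] = _scrub_rels(name, parts[name], parts)
    if "xl/workbook.xml" in parts and "xl/_rels/workbook.xml.rels" in parts:
        parts["xl/workbook.xml"] = _scrub_workbook(parts["xl/workbook.xml"], parts["xl/_rels/workbook.xml.rels"])
    if "[Content_Types].xml" in parts:
        parts["[Content_Types].xml"] = _scrub_content_types(parts["[Content_Types].xml"], parts)
    out = io.BytesIO()  # brand-new archive: nothing from the original ZIP container is reused
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name, body in parts.items():
            dst.writestr(name, body)
    return out.getvalue(), parts, [n for n in names if n not in parts]

def build_sample_xlsm():
    """Constructed, stripped-down .xlsm (not a file from the page): a data sheet, a hidden XLM macro sheet
    wired to Auto_Open, and a fake VBA project blob. Real files carry more parts; the scrub is the same."""
    rel = lambda i, t, tgt: f'<Relationship Id="rId{i}" Type="{R_NS}/{t}" Target="{tgt}"/>'
    ovr = lambda p, ct: f'<Override PartName="{p}" ContentType="application/vnd.{ct}"/>'
    grid = lambda tag, cell: f'<{tag} xmlns="{SML_NS}"><sheetData><row r="1"><c r="A1">{cell}</c></row></sheetData></{tag}>'
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{CT_NS}">' + ovr("/xl/workbook.xml", "ms-excel.sheet.macroEnabled.main+xml")
            + ovr("/xl/worksheets/sheet1.xml", "openxmlformats-officedocument.spreadsheetml.worksheet+xml")
            + ovr("/xl/macrosheets/sheet1.xml", "ms-excel.macrosheet+xml") + "</Types>",
        "xl/_rels/workbook.xml.rels": f'<Relationships xmlns="{REL_NS}">{rel(1, "worksheet", "worksheets/sheet1.xml")}'
            f'{rel(2, "xlMacrosheet", "macrosheets/sheet1.xml")}{rel(3, "vbaProject", "vbaProject.bin")}</Relationships>',
        "xl/workbook.xml": f'<workbook xmlns="{SML_NS}" xmlns:r="{R_NS}"><sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
            '<sheet name="Macro1" sheetId="2" state="hidden" r:id="rId2"/></sheets><definedNames>'
            '<definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName></definedNames></workbook>',
        "xl/worksheets/sheet1.xml": grid("worksheet", "<v>4711</v>"),
        "xl/macrosheets/sheet1.xml": grid("macrosheet", '<f>ALERT("XLM macro ran")</f>'),
        "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(24),  # OLE2 magic plus padding
    }
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as z:
        for name, body in parts.items():
            z.writestr(name, body if isinstance(body, bytes) else body.encode())
    return buf.getvalue()
```

Calling `disarm(build_sample_xlsm())` returns a rebuilt archive whose only sheet is Sheet1, whose workbook relationships no longer mention the macro sheet or the VBA project, and whose main content type has been downgraded from `macroEnabled` to the plain spreadsheet type (rename the output to .xlsx to match). Two caveats a practitioner would want: this is the "disarm" half of CDR, filtering a container by an allow-list of part kinds, while a full product also re-renders the content it keeps (cell values, images, text) into fresh parts so that nothing inside an allowed part, such as a malformed image or a dangerous formula, is carried over byte-for-byte; and a real deployment would validate the result against the OOXML schema or round-trip it through an Office-native library rather than trust hand-edited XML.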