Attackers never stop innovating. We know that, motivated by the rich prizes that await criminals who can penetrate a business network, threat actors will always look for new solutions and workarounds in their quest to beat enterprise security. It’s why defenders never stand still either, and seamlessly integrating new layers of defense is a key part of staying on top of the cyber security challenge while maintaining business productivity and flexibility. As part of meeting that challenge, we’re pleased to announce that Sasa Software has partnered with SentinelOne to integrate the SentinelOne NextGen AI engine into the Sasa Software GateScanner CDR technology. In this post, we’ll explain what this means and how it works.
What is Content Disarm and Reconstruction?
Content Disarm and Reconstruction (CDR) is designed to provide a safe, hassle-free solution for the prevention of file-based attacks. Instead of relying on signature-based scanning or sandbox behavioral analysis, the technology breaks the file into its components and then re-creates them, omitting all the insecure elements before the file enters the organization.
This approach, championed by Sasa Software, has proven itself to the point where Gartner described the technology as a “Best Practice” in its recent Hype Cycle for Threat-Facing Technologies, noting that “CDR protects against exploits and weaponized content that have not been seen before”.
How SentinelOne Fits Into the Picture
To pre-emptively block malicious files, GateScanner utilizes multiple highly optimized AV engines that detect known threats by signature. However, malware can easily be mutated to bypass these “static” AV engines. Scanning the files with the SentinelOne advanced AI engine as well makes it possible to catch malicious files based on their characteristics, even when they are entirely novel, never-before-seen malware.
By incorporating the SentinelOne Nexus Embedded SDK, Sasa Software GateScanner Content Disarm and Reconstruction technology can now leverage SentinelOne’s predictive models to classify files as benign or malicious based on their characteristics, without using signatures or cloud lookups. Classification is extremely fast (it completes within milliseconds) and reports which characteristics of the analyzed file are indicative of maliciousness. For example, an executable may be classified as malicious due to its high entropy or an unusual binary format.
How SentinelOne Helps With Files That Cannot Be Disarmed
The SentinelOne Nexus SDK is embedded as an additional scanning technology in Sasa Software’s CDR engines, as part of the “Deep Threat Scans” capability.
The combined process begins by scanning the files with multiple highly optimized AV engines, including SentinelOne. Wherever possible, files then continue to the disarm process, which removes threats that none of the scanners detected.
In addition, the SentinelOne Nexus SDK provides a significant new capability for enhancing the security of customers using files that cannot be disarmed, including binaries (PEs) and documents containing active content such as MS-Office Macros and PDF scripts. This is especially crucial for OT network users as they often introduce SCADA updates, control files, and other operational files that cannot be disarmed.
SentinelOne’s AI technology is able to extract features from a given file and predict whether the file is a threat or not, based on a statistical model trained on millions of samples to correlate features of both malicious and benign files.
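As an added illustration (not Sasa Software’s or SentinelOne’s code), the following Python models the pipeline described above: a zip-based Office document is broken into its parts and rebuilt without the VBA container, while a PE binary, which cannot be rebuilt, is routed to a classifier. The classifier here is a constructed stand-in that scores one feature, byte entropy, against a hand-picked threshold; the sample files are constructed as well.

```python
import io
import math
import random
import zipfile
from collections import Counter

# Constructed stand-in for the AI model: one feature and a hand-picked cut-off.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Packed or encrypted payloads approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def disarm_ooxml(data: bytes):
    """Rebuild an Office zip part by part, dropping VBA containers."""
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if "vba" in info.filename.lower():
                removed.append(info.filename)
                continue
            dst.writestr(info.filename, src.read(info.filename))
    return out.getvalue(), removed


def gate(data: bytes) -> dict:
    """Route a file: reconstruct when possible, otherwise classify."""
    if data[:2] == b"MZ":  # PE binary: cannot be rebuilt without breaking it
        ent = shannon_entropy(data)
        verdict = "malicious" if ent > ENTROPY_THRESHOLD else "benign"
        return {"route": "classify", "entropy": round(ent, 2), "verdict": verdict}
    if data[:2] == b"PK":  # zip container: OOXML document
        rebuilt, removed = disarm_ooxml(data)
        return {"route": "disarm", "removed": removed, "output": rebuilt}
    return {"route": "block", "reason": "unsupported type"}


def make_docm() -> bytes:  # constructed sample: minimal macro-enabled document
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00placeholder macro blob")
    return buf.getvalue()


# Constructed samples: a "packed" binary (random bytes) and a zero-padded one.
PACKED_PE = b"MZ" + random.Random(1).randbytes(4096)
PADDED_PE = b"MZ" + b"\x00" * 4096
```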
With this technology, customers can be assured that they are getting the best protection available anywhere, today.
Sasa Software engineers have worked closely with the R&D team at SentinelOne to verify the effectiveness and performance of the solution in detecting highly mutated and previously unknown malware. The Sasa Software GateScanner Content Disarm and Reconstruction technology integrated with the SentinelOne Advanced AI engine is available to all Sasa Software customers across all solutions: Portable (USB) media security, Email, Appliance Security, APIs, and Sasa’s new multi-route Security Dome. Please contact SentinelOne or Sasa Software to learn how you can start using the SentinelOne AI engine today.