Originally published in the online magazine The Marker.
In an era where hackers conceal malicious code within pixels and metadata, OPSWAT utilizes Deep CDR™ Technology that deconstructs every file to its raw elements and rebuilds a completely clean version. Noam Gavish, a cybersecurity architect, explains the rationale behind the technology and how, together with the platform's other layers, it forms a multi-layered defense system.
At one of Israel’s security organizations, the internal cybersecurity team began shifting uneasily in their seats due to a threat from an unexpected direction. Their concern wasn’t about infiltration — the common cyber threat — but rather about what might leak out, unnoticed. They feared that sensitive information — such as code names, locations, and identities — could be hidden inside seemingly innocent files: Word documents, image metadata, or even within the pixels themselves. DLP systems failed to detect it, experts didn’t know what to look for, and the situation felt like an invisible threat with no solution. That gap was bridged by OPSWAT’s Deep CDR™ Technology that breaks down the file to its essential components and rebuilds it from the necessary objects only.
“The idea is simple and based on the assumption that every file is suspicious, under the Zero Trust approach,” says Noam Gavish, a cybersecurity architect at OPSWAT. “The Deep CDR™ Technology system breaks down each file, retains only the elements necessary for its functionality, and rebuilds it — identical to the original, but completely clean. The end user’s ability to use the file remains the same, and the system allows tailoring the module's behavior based on file type and the specific channel. We don’t try to determine whether something in the file is good or bad. If it’s not essential — it doesn’t go in.”
To illustrate the point, Gavish mentions the anthrax attacks of September 2001, a week after 9/11, in which letters containing anthrax spores were mailed to several US media outlets and two senators, killing 5 people and infecting 17. "Applied to our technology: if a customer receives a letter in the mail, our system rewrites the letter word for word on a fresh page, without the suspicious white powder someone may have sprinkled inside."
So rather than checking whether a file is dangerous, you assume it is and simply don't let it in?
"Exactly. Anything unnecessary, even if we can't explain why, doesn't get through. There is no need to determine whether it is malicious. If it isn't needed, it stays out," Gavish stresses. "The goal isn't detection but minimizing the attack surface. Even if a threat is invisible, it gets no opportunity. This rests on a deep psychological insight: people fear what they don't understand, and we treat files the same way. It's a survival mechanism."
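The principle Gavish describes, keeping only the elements a file needs to function and rebuilding it from those, can be shown on a format small enough to handle by hand. The following is an added example written for this article; it is not OPSWAT code and makes no claim about how Deep CDR™ Technology is implemented. It treats a PNG image as a list of chunks, keeps only the four chunk types a decoder needs to render the picture (IHDR, PLTE, IDAT, IEND), discards everything else (text and private chunks, and any bytes trailing the IEND chunk), and recomputes every CRC instead of trusting the stored ones. The sample image, its comment text and the private chunk type `prVt` are constructed for the demonstration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Allowlist, not a denylist: only chunks the decoder needs to render the image are rebuilt.
ESSENTIAL_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}


def build_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: big-endian length, type, data, CRC over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_chunks(blob: bytes) -> list[tuple[bytes, bytes]]:
    """Deconstruct a PNG into (type, data) pairs, refusing anything structurally malformed."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos < len(blob):
        if pos + 8 > len(blob):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(blob):
            raise ValueError(f"truncated chunk {ctype!r}")
        data = blob[start:end]
        if ctype == b"IHDR" and len(data) != 13:
            raise ValueError("IHDR must be exactly 13 bytes")
        chunks.append((ctype, data))
        pos = end + 4  # skip the stored CRC: it is never trusted, always recomputed on rebuild
        if ctype == b"IEND":
            break  # anything after IEND is not part of the image and is dropped
    if not chunks or chunks[0][0] != b"IHDR" or chunks[-1][0] != b"IEND":
        raise ValueError("PNG must start with IHDR and end with IEND")
    return chunks


def sanitize_png(blob: bytes) -> tuple[bytes, list[bytes]]:
    """Rebuild the PNG from essential chunks only; returns (clean_png, dropped_chunk_types)."""
    kept, dropped = [], []
    for ctype, data in parse_chunks(blob):
        if ctype in ESSENTIAL_CHUNKS:
            kept.append(build_chunk(ctype, data))
        else:
            dropped.append(ctype)  # no judgement about the chunk: it is simply not needed
    return PNG_SIGNATURE + b"".join(kept), dropped


def make_sample_png() -> bytes:
    """Constructed 1x1 red PNG carrying a text comment, a private chunk and trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB, no interlace
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte 0 + one red pixel
    text = b"Comment\x00constructed metadata that the viewer never needs"
    private = b"constructed private chunk payload"          # 'prVt' is a made-up ancillary type
    return (PNG_SIGNATURE + build_chunk(b"IHDR", ihdr) + build_chunk(b"tEXt", text)
            + build_chunk(b"IDAT", idat) + build_chunk(b"prVt", private)
            + build_chunk(b"IEND", b"") + b"constructed trailing bytes after IEND")


if __name__ == "__main__":
    clean, dropped = sanitize_png(make_sample_png())
    print("dropped chunk types:", [t.decode() for t in dropped])
    print("rebuilt chunk order:", [t.decode() for t, _ in parse_chunks(clean)])
```

The rebuilt file renders the same pixel as the original, but the comment, the private chunk and the trailing bytes are gone without the code ever deciding whether they were malicious. The same allowlist-and-rebuild shape applies to richer formats, where the "essential" set is larger and the parser correspondingly harder to get right.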
Balancing Cybersecurity with Information Availability
The technology Gavish describes — Content Disarm and Reconstruction, or CDR — is not new to the market, but OPSWAT has enhanced it to handle highly complex files, including archives, media files, and documents with active macros. This expanded capability earned it the name Deep CDR™ Technology.
Still, Gavish emphasizes that Deep CDR™ Technology is just one component in a complete platform designed to protect organizations — especially critical infrastructure — across all information exchange channels. This begins with email systems, extends to USB devices connected to endpoints, and includes internal system interfaces. Every file, from any source, undergoes a multi-layered security scan.
This becomes more important as the attack surface expands, especially with supply chain attacks, in which hackers target a third party to get into the enterprise. Hackers also look for an organization's weak points. The human resources department, for example, receives dozens of résumés every day, usually as PDFs or images, each opened on a full operating system behind it. HR teams are often the biggest recipients of Office files, yet tend to have the lowest cybersecurity awareness. Another weak point: removable media, which may carry malware.
“We don’t rely only on Deep CDR™ Technology because no single module can address all challenges,” Gavish explains. “Before a file reaches CDR, it goes through multiple antivirus engines — over 30, depending on the package. Then it passes through Deep CDR™ Technology, and next to OPSWAT’s Sandbox system, which decodes the file, analyzes the code, and determines what it does — or would do — with specific input.”
The organizing principle is not to rely on a single detection mechanism, but on layered security: If antivirus misses something, Deep CDR™ Technology rebuilds the file. If Deep CDR™ Technology removes nothing suspicious or further clarity is needed, Sandbox analyzes its behavior. Only if nothing is deemed suspicious is the file allowed into the organization.
To demonstrate the power of OPSWAT as a comprehensive platform, Gavish compares the company’s security architecture to medieval castles — which used layered defenses to wear down attackers. “In cybersecurity, it’s all about layers. Like a castle: first a moat, then an iron gate, archers, and boiling oil poured from above. Deep CDR™ Technology isn’t magic — it’s another brick in the wall. And a castle without walls isn’t a castle.”
So it is both a combination of technologies and a set of processes?
“Yes, because Deep CDR™ Technology is good for some things, Sandbox for others — together they provide full coverage. Alone, they can’t handle every scenario. For example, we combine Deep CDR™ Technology with antivirus scans and Sandbox to detect sophisticated attacks that each layer alone might miss. We’re not just offering a point security solution — but a multi-layered platform. We’ve built a circular security platform, not isolated barriers: multi-engine scanning, behavioral analysis, and the core — Deep CDR™ Technology that rebuilds each file cleanly, without asking questions.”
The platform currently supports 190 file types, including DOC, PDF, ZIP, images, audio, video and more, twice the industry standard. It also allows the security level to be tailored to the file's path, configuration and destination.
"The coverage spans the entire threat landscape, but each threat has its own nature," says Gavish. "We also don't want to block data flows or slow down operations. The idea is not to seal off the world but to reintroduce it in a clean form, balancing security and usability. It's like drinking from a stream that may be contaminated: you use a water purification tablet, but give up the minerals in the process. If the tablet were smarter, it would purify the water and preserve the minerals. That is our goal: delivering data in its original structure with the hidden malicious content removed, always tailored to your needs."
Securing Every Organizational Entry Point
Founded in 2002 with the vision of protecting critical infrastructure from cyber threats, OPSWAT today serves about 2,000 customers in more than 80 countries. The company has offices in North America, Europe (including the UK, Germany, Hungary, Switzerland, Romania, France and Spain), Asia (India, Japan, Taiwan, Vietnam, Singapore and the UAE) and elsewhere.
In Israel, OPSWAT provides cybersecurity solutions to hundreds of leading organizations.
Gavish himself has been immersed in cybersecurity since 2007, moving between offense and defense. He started in the defense industry and later held "red team" and "blue team" roles at cyber companies. OPSWAT is known for protecting critical infrastructure (water, electricity, transportation and defense), but in fact its cybersecurity platform suits any organization.
"I'd suggest broadening the definition of 'critical infrastructure.' Every organization has something critical. If a newspaper can't print because malware shut down its presses, that's a disaster; for them, the press is critical infrastructure. If a health insurer leaks sensitive customer data, it's devastating; in that case, the data is critical infrastructure. If hackers compromise an elevator controller (a very real scenario), the controller becomes critical. Any point of contact with data, inbound or outbound, is a potential risk, and we are prepared to protect it. I always say: when protecting critical systems, don't think only about the internet; think about every possible gateway. Sometimes it isn't a server or a port but a back door on the 30th floor. In a world where you can be attacked through a single email or a seemingly innocent file, only those who think from every angle are truly prepared. That is what OPSWAT's systems were built for: protecting endpoints, email servers, kiosks that connect external devices, and even one-way file transfer systems (data diodes). In a world where even a simple image file can contain embedded attack code, breaking it down and rebuilding it clean is entirely reasonable, not paranoid."
Keeping up with the times, how much do you use AI?
"AI has become a fashionable buzzword, but OPSWAT doesn't use AI for show; it uses it where it genuinely helps. 99% of antivirus engines that claim to use AI are using ML (machine learning). That said, AI is very good at building new attack techniques, which is why layered defense is essential. We cannot rely on known signatures alone."
Still, even layered security isn't airtight. In cybersecurity, there is no such thing as 100% protection.
"Exactly, and at OPSWAT we understand that. That's why our approach neutralizes threats regardless of whether they have been detected, are known, or are listed in any database. The cat-and-mouse game between attackers and defenders never ends, so we don't try to win it with a single tool. We build walls, gates and bridges, and we deploy archers. There is no 100% success, but there is a platform you can trust."
