Debunking cybersecurity jargon part two – what is a deep content inspection engine?



Given the prevalence of jargon and technical terms within the cybersecurity sector, we have launched a series of blog posts that look to debunk some of those terms and explain what they are in more detail.

We have already looked at Adaptive Redaction, a technology that Clearswift brought to the sector. Now we turn our attention to Content Filtering and Inspection and ask:

What is a Deep Content Inspection Engine?

Every product in the Content Filtering market has some form of Content Inspection Engine.

Its purpose is to understand the structure of a transfer and what content is contained within it. It checks that the content does not include PCI, PII or other such sensitive data that might violate the rules defined by the organization. It also checks for harmful files such as executables that can be hidden within zip files and contain a potentially damaging virus.

Transport protocols such as SMTP and HTTP, and file formats, are often abused. Sometimes this is accidental, but mostly it is a deliberate attempt to avoid detection or to impact mail servers or clients through buffer overruns. In April 2020, there was a case where hackers used SMTP to exploit a vulnerability in Apple’s iOS mail client in an attempt to hijack VIP phones.

Clearswift developed its filtering technology with both security and performance in mind. If it spots potential violations, files are flagged for inspection or configured to pass through policy. The inspection process takes place on traffic coming in and out of the organization and it can handle multiple protocols.

The content scanning is a multi-stage process. For each file it:

• Identifies the file type by file signature
• Verifies the file structure conformity (checking to see if data is piggybacking onto other files)
• Extracts content that violates rules in zipped or compressed files, document body, headers, footers, or embedded objects
• Strips metadata from documents and image files
• Records what it removed

By default, Clearswift’s Content Inspection Engine iterates down to 50 levels. The level of structural verification and content inspection it performs is far greater than other products on the market, hence the name Deep Content Inspection Engine.
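The first stages of the process above (signature-based identification, structural conformity and recursive decomposition with a depth limit) can be sketched as follows. This is an added example, not Clearswift's code: the function names, the 10 MiB member cap and the zip-only container handling are assumptions, and `max_depth=50` mirrors the default stated above.

```python
import io
import zipfile
# Public magic numbers; type comes from content, never from the file name.
SIGNATURES = [(b"PK\x03\x04", "zip"), (b"MZ", "executable"), (b"%PDF-", "pdf")]
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # assumed cap against decompression bombs

def identify(data):
    return next((k for magic, k in SIGNATURES if data.startswith(magic)), "unknown")

def trailing_bytes(data):
    """Bytes after the zip end-of-central-directory record; -1 if none found."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0 or len(data) < eocd + 22:
        return -1
    comment_len = int.from_bytes(data[eocd + 20:eocd + 22], "little")
    return len(data) - (eocd + 22 + comment_len)

def inspect(name, data, depth=0, max_depth=50, findings=None):
    """Return (path, depth, reason) tuples for content needing a policy decision."""
    findings = [] if findings is None else findings
    kind = identify(data)
    if kind == "executable":
        findings.append((name, depth, "executable content"))
    elif kind == "zip" and depth >= max_depth:  # fail closed at the limit
        findings.append((name, depth, "nesting limit reached"))
    elif kind == "zip":
        if trailing_bytes(data) != 0:  # piggybacked data after the archive
            findings.append((name, depth, "data outside archive structure"))
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    path = f"{name}/{info.filename}"
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append((path, depth + 1, "member too large"))
                    else:
                        inspect(path, zf.read(info), depth + 1, max_depth, findings)
        except zipfile.BadZipFile:
            findings.append((name, depth, "unreadable archive"))
    return findings

def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()
# Constructed samples: an "MZ" stub named like a PDF, two archive levels down.
INNER = make_zip({"invoice.pdf": b"MZ constructed stub, not a real program"})
OUTER = make_zip({"notes.txt": b"hello", "inner.zip": INNER})
```

Calling `inspect("mail.zip", OUTER)` reports the disguised stub with its full path and depth; reaching the nesting limit is itself recorded as a finding, so content that was too deep to scan is not passed silently.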

Game-changing Technology

The Clearswift Deep Content Inspection Engine was the first product to perform the automatic redaction and sanitization of content. As well as decomposing file formats, the Deep Content Inspection Engine modifies the content to remove the threat – whether that’s sensitive data or malicious code – and rebuilds the file in its original format. Other products perform a similar task but generate an alternative or read-only file format which typically breaks workflows, bears no resemblance to the original file, or just takes time. With automatic Adaptive Redaction there is no delay, and the recipient receives a sanitized, workable copy of the file.

Clearswift also added Optical Character Recognition (OCR) technology so that when the Deep Content Inspection Engine finds images (in attachments or embedded in documents), it scans them for text. If it finds text that breaks policy, the text is redacted, and the file is then rebuilt in its original format and sent on its way.

Steganography can be used to exfiltrate information by concealing valuable intellectual property or hiding malware in plain sight. To prevent this, the Deep Content Inspection Engine also sanitizes image files to ensure that data or malware has not been embedded using steganographic tools.

Keeping Organizations Safe and Secure

The Deep Content Inspection Engine lies at the heart of all Clearswift cybersecurity solutions. It filters and closely inspects content as it enters or leaves the organization, keeping it safe from threats and preventing unwanted data breaches. To find out more, why not ask us for a demo?


*** This is a Security Bloggers Network syndicated blog from Clearswift Blog authored by Rachel.Woodford. Read the original post at: https://www.clearswift.com/blog/2020/05/14/what-is-a-deep-content-inspection-engine
