Securing data flow to and from organizations
Presented by Benny Czarny, OPSWAT CEO, at INSS Workshop 2013
  • Hello everybody, my name is Benny Czarny, CEO of OPSWAT, the manufacturer of OESIS (manageability technology), Metascan (multiscanning technologies), on-demand desktop isolation technology and AppRemover (technology to uninstall security applications). Thank you, West Coast Labs, for the opportunity to sponsor. I am sure that many if not all What I am going to talk about is trying to quantify multiscanning measurements.
  • Before we begin, let's quickly discuss why multiscanning and what the trade-off is. Let's try to simplify why. When you are trying to protect yourselves against any threat (it does not have to be a virus): what type of threat are you trying to protect against, and what is the capability of our solution? For example, you protect against data loss by implementing backup. If you are trying to protect against an army: how many soldiers are planning to attack, how many soldiers do we have, how are they equipped, how many threats are we up against? What is the capability of an antivirus to detect a threat?
  • http://www.cknow.com/cms/vtutor/number-of-viruses.html
  • So what is the total number of threats? Here are numbers I pulled for you from two different resources, McAfee and av-test.org. There are many more resources, such as the virus encyclopedias of multiple vendors. This was simple to find: a simple Google image search for amount of malware. It is very clear to see that over the course of a year and a half McAfee and AV-Test did not report the same numbers. Yes, I know that some would argue
  • Even more, the total number of new threats is also inconclusive. How can you check who detects 100% when you do not know what 100% is?
  • Now let's see what the capability of our antimalware engines is. We have antimalware engines. How can you measure the quality of antimalware engines? Detection coverage, response time, operating system compatibility, amount of false positives. Companies such as ICSA Labs, AV-Comparatives, West Coast Labs, AV-Test and Virus Bulletin came with their own metrics, and keep publishing their research and testing results.
  • In this example I outlined here for you how two different companies publishing reports on the quality of antimalware report different numbers. Each company has different criteria to measure the quality of the engines and a different rating system. I'd like to mention the organization AMTSO (founded in 2008 by Richard, to develop testing standards for antimalware). We still see inconsistent numbers.
  • Taken from the National Vulnerability Database: number of CVEs found with a search for 'antivirus'; results were from various antivirus products.
  • The assumption is that antivirus engines are events that are not mutually exclusive. So if we have the global amount of threats an antivirus can detect, we should expect: threats detected only by Antivirus A, threats detected only by Antivirus B, threats detected by both Antivirus A and Antivirus B.
  • The conclusion is obvious: when you do not know what you are up against, when you can't really measure the quality of the tools you are working with, multiscanning is a trivial choice.
  • Green is zero-hour detection; yellow is 2 min to 5 days; red is more than 5 days.

Presentation Transcript

  • Securing data workflow to and from organizations. Benny Czarny, CEO, OPSWAT, Inc.
  • Introduction to OPSWAT  Founded 2002  Based in San Francisco  Employees, contractors and interns: 115  Over 50 OEM customers  Over 500 direct customers  100+ certified technical partners  1000+ certified applications
  • OPSWAT Technologies Secure Manage Control Company Development tools  OESIS®, AppRemover and Secure Virtual Desktop  Secure Data workflow  Metascan and Metadefender  Automated Testing platform and Cloud Sandboxing  Nexperior  Device manageability and security  GEARS Cloud
  • SSL VPN and NAC Some Customers by Vertical Network Compliance and Vulnerability Assessment Support Tools Government Managed Services Antivirus Vendors
  • Questions to ask ourselves: How to secure the data workflow? What type of threats are we up against? How many threats are we up against? What are the capabilities of the security solutions?
  • What type of threats are we up against?  Computer Viruses are an NP-complete problem  NP complete problems cannot be solved in an easy to measure time in any known way http://www.dmst.aueb.gr/dds/pubs/jrnl/2002-ieeetit- npvirus/html/npvirus.pdf
  • What type of threats are we up against?  Ways to solve NP complete problems include  Approximation: -an "almost" optimal solution.  Randomization: allow the algorithm to fail with some small probability.  Heuristic: An algorithm that works "reasonably well".
  • What type of threats are we up against?  Known threats  Unknown threats
  • How many threats are we up against ?
  • How many threats are we up against? Differences in reporting the total amount of threats. Source: McAfee; Source: Av-Test.org
  • How many threats are we up against? Differences in detection rates for new malware. Source: McAfee; Source: Av-Test.org
  • What are the capabilities of the security solutions? Measuring the quality of antimalware engines How can we measure the quality of antivirus engines  Detection coverage  Response time  Operating system compatibility  Amount of False positives  Certification by
  • What are the capabilities of the security solutions? Measuring the quality of antimalware engines. Results reported by two testers for the same engine: AV Comparatives: November 2010 97.6%, February 2011 95.8%, August 2011 92.1%; AV Test: November 2010 97%, February 2011 99%, August 2011 96%. AMTSO's mission is to develop and publish standards and best practices for testing of antimalware products.
  • What are the capabilities of the security solutions? Antivirus product vulnerabilities from the National Vulnerability Database [chart: Number of Vulnerabilities in Antivirus products (CVEs) per Year, 2005 to 2012; y-axis 0 to 70].
  • What are the capabilities of the security solutions ? Antivirus  Tested 30 known malware files (Disguised as documents or embedded within documents)  Fewest number of engines detecting the threat was 10 (out of 43)  Highest number of engines detecting the threat was 30 (out of 43)
  • What are the capabilities of the security solutions ? Sandbox?  Tested 30 known malware files (Disguised as documents or embedded within documents)  Lowest number of threats detected was 3  Highest number of threats detected was 23
  • What are the capabilities of the security solutions? Measuring detection coverage: Sandboxing, protection level X1%; Multiscanning, protection level X2%; 100%.
  • Conclusion  Viruses and vulnerabilities are very hard to detect  No current answer about the amount of threats  No clear answer about the quality of the security solutions
  • Conclusion What can we do  Use many antivirus engines to protect against known and unknown threats using heuristics and sandboxes  Sanitize the data to protect against unknown threats  Protect the security system
  • Use many antimalware engines. This graph shows the time between malware outbreak and antivirus detection by six antivirus engines for 75 outbreaks over three months. No vendor detects every outbreak. Only by combining six engines in a multiscanning solution are outbreaks detected quickly. By adding additional engines, zero-hour detection rates increase further. Legend: zero-hour detection; 5 min to 5 days; no detection at 5 days.
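The two claims above (detections by different engines are not mutually exclusive events, so the union of engines covers more than any one of them, and combining engines raises the zero-hour rate) reduce to set arithmetic over per-engine detection times. The following is an added example written for this page, not OPSWAT's or any tester's code; the six-outbreak detection timings are constructed to illustrate the arithmetic and are not measured data.

```python
"""Added example: what multiscanning buys, in numbers.

Illustrative code for this page, not OPSWAT's or a tester's code. The deck
argues that engine detections are not mutually exclusive (only A, only B,
both) and that combining engines raises zero-hour detection. The outbreak
timings below are constructed, not measured.
"""

FIVE_DAYS_H = 5 * 24  # the deck's "no detection at 5 days" cut-off, in hours

# Constructed: hours after each of six outbreaks at which an engine first
# detected the sample; None means still undetected in the observation window.
DETECTION_HOURS = {
    "engine_A": [0, 3, None, 48, 0, None],
    "engine_B": [0, None, 0, None, 200, 6],
    "engine_C": [12, 0, None, 0, None, None],
}


def bucket(hours):
    """Map a time-to-detection onto the deck's three legend classes."""
    if hours is None or hours > FIVE_DAYS_H:
        return "none_at_5_days"
    if hours == 0:
        return "zero_hour"
    return "5min_to_5days"


def detected_set(engine):
    """Indices of outbreaks the engine detected within five days."""
    return {i for i, h in enumerate(DETECTION_HOURS[engine])
            if bucket(h) != "none_at_5_days"}


def partition(engine_a, engine_b):
    """The slide's three non-exclusive regions: only A, only B, both."""
    a, b = detected_set(engine_a), detected_set(engine_b)
    return a - b, b - a, a & b


def combined_hours(engines):
    """Earliest detection per outbreak across the engine set (the union)."""
    columns = zip(*(DETECTION_HOURS[e] for e in engines))
    out = []
    for times in columns:
        known = [t for t in times if t is not None]
        out.append(min(known) if known else None)
    return out


def rates(hours_list):
    """Fraction of outbreaks in each bucket for one engine or a combination."""
    n = len(hours_list)
    counts = {"zero_hour": 0, "5min_to_5days": 0, "none_at_5_days": 0}
    for h in hours_list:
        counts[bucket(h)] += 1
    return {k: v / n for k, v in counts.items()}


if __name__ == "__main__":
    for e in DETECTION_HOURS:
        print(e, rates(DETECTION_HOURS[e]))
    print("A only / B only / both:", partition("engine_A", "engine_B"))
    print("A+B+C:", rates(combined_hours(list(DETECTION_HOURS))))
```

With the constructed data, engine A alone reaches zero-hour detection on 2 of 6 outbreaks and misses 2 entirely, while the three engines combined reach zero-hour detection on 5 of 6 and miss none, which is the shape of the argument the slide makes with 75 real outbreaks. Note that `partition` only counts coverage inside the five-day window, so an engine that signatures a sample on day 9 contributes nothing, matching the red legend class.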
  • Sanitize the data to protect against unknown threats Sanitize the data in a well defined process 1. User Authentication 2. Input Policy Based on User Privileges 3. File Type Policy 4. Scan by Many Antivirus engines 5. Embedded Object and Macro Removal via File Type Conversion 6. File and Media Signature Verification 7. Notification to the user data is ready 8. File and Media Deletion Keep a healthy tradeoff between security and usability
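The eight-step process above is a policy pipeline: each step either rejects the file or hands it on, and the original is never kept after the decision. The following is an added example written for this page, not Metascan or Metadefender code. It implements steps 2, 3, 4, 6 and 8 over an in-memory staging store; authentication (step 1), conversion-based object and macro removal (step 5) and user notification (step 7) are left to the surrounding system. The magic-byte table, the role policy and the engine signature lists are constructed placeholders, not real engine signatures.

```python
"""Added example: a minimal data-sanitization pipeline for this page.

Not Metascan/Metadefender code. Steps 2, 3, 4, 6 and 8 of the deck's
process are implemented; steps 1, 5 and 7 are assumed to be handled
elsewhere. Policy values and engine signatures are constructed.
"""
import hashlib

# Step 3: decide the type from the leading bytes, never from the file name.
MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",                          # also docx/xlsx containers
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",    # legacy doc/xls, may carry macros
    b"MZ": "exe",
}

# Step 2: hypothetical input policy, the types a role may submit.
INPUT_POLICY = {
    "contractor": {"pdf", "png"},
    "employee": {"pdf", "png", "zip"},
}

# Step 4: constructed signature sets standing in for independent engines.
ENGINES = {
    "engine_1": [b"CONSTRUCTED-SIG-1"],
    "engine_2": [b"CONSTRUCTED-SIG-1", b"/Launch"],   # also flags PDF launch actions
    "engine_3": [b"/JavaScript"],
}


def identify(data):
    """Return the detected type, or 'unknown' when no magic bytes match."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def multiscan(data):
    """Names of engines that flagged the content; a union, so one hit is enough."""
    return sorted(name for name, sigs in ENGINES.items()
                  if any(sig in data for sig in sigs))


def sanitize(role, key, staging):
    """Process staging[key] for a user of `role` and return a decision dict.

    The staged original is deleted whatever the outcome (step 8); on
    acceptance the dict carries the SHA-256 the receiver checks (step 6).
    """
    data = staging.pop(key)
    kind = identify(data)
    if kind not in INPUT_POLICY.get(role, set()):
        return {"accepted": False, "stage": "file_type_policy", "type": kind}
    hits = multiscan(data)
    if hits:
        return {"accepted": False, "stage": "multiscan", "type": kind, "flagged_by": hits}
    return {"accepted": True, "stage": "released", "type": kind,
            "sha256": hashlib.sha256(data).hexdigest(), "data": data}


def verify(data, expected_sha256):
    """Step 6 on the receiving side: the released bytes match the recorded hash."""
    return hashlib.sha256(data).hexdigest() == expected_sha256


# Constructed inputs (not real malware): a plain PDF, a PDF carrying a launch
# action, and an executable submitted under a document name.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
LAUNCH_PDF = b"%PDF-1.4\n1 0 obj << /S /Launch /F (constructed) >> endobj\n%%EOF\n"
RENAMED_EXE = b"MZ\x90\x00" + b"\x00" * 16

if __name__ == "__main__":
    staging = {"a": CLEAN_PDF, "b": LAUNCH_PDF, "c": RENAMED_EXE}
    for k in list(staging):
        print(k, sanitize("employee", k, staging))
    print("staging empty:", not staging)
```

Two design points follow the slide's trade-off remark. The type check runs before the scan, so a file that the policy would reject anyway never costs a multi-engine pass, and the role-based allow-list is the usability knob: widening a role's set admits more formats at the price of more parser surface exposed. In the constructed data only `engine_2` knows the launch-action pattern, so a single-engine deployment using `engine_1` or `engine_3` would release that PDF, which is the coverage gap multiscanning is meant to close.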
  • Protect the security system  Execute sensitive tasks in isolated virtualized environments  Revert your system on an ongoing basis  Check the memory integrity and the disk integrity of your system  Patch the system and its components  Constantly review the security architecture
  • Questions
  • References Av-test.com Av-comparatives.com www.metascan-online.com Amtso Software system defect content prediction from development process and product characteristics - Harris institute McAfee