Tony Berning, Senior Product Manager at OPSWAT, gave a talk on Securing Critical Infrastructure, using multiple anti-malware engines and other methods, to an audience of academic researchers, operators of power plants and other workers in critical infrastructure. The presentation introduced the basics of multi-scanning and the benefits of utilizing multiple anti-malware engines to scan files. The presentation also covered topics related to defining and setting appropriate security policies for various user groups and outlining common security architectures.

1. Using Multiple Antivirus Engine Scanning to
Protect Critical Infrastructure
Tony Berning
Senior Product Manager
aberning@opswat.com
8 April 2014

2. Agenda
 Introduction to Multi-scanning
 Factors Shaping Portable Media Security Policies
 Balancing Security Requirements with Business Needs
 Common Network Architectures
 Defining Acceptable Media and Content
 Ways to Supplement Multi-Scanning in Data Security Workflows
 Additional Resources

3. Overview of Multi-Scanning
Too much malware, insufficient detection

4. Amount of Malware Exponentially Increasing
Over 220,000 new
malware variants appear
every day
(AV-TEST)
“Cyber attacks on
America’s critical
infrastructure
increased 17-fold
between 2009 and
2011.”
http://www.csmonitor.com/Commentary/Opini
on/2012/0808/Help-wanted-Geek-squads-for-
US-cybersecurity
The rapid growth in the amount of malware continues to
accelerate
No AV vendor can keep up with the number of new malware
variants
The Problem

5. The Problem
Factors affecting each antivirus product’s detection rate
 Heuristics and other detection code
 Size and coverage of the signature database
 Update frequency of the signature database
 Location of the AV vendor’s malware research lab(s)

6. Why use multiple antivirus engines ?
 Increase malware zero hour detection rates [via heuristics]
 Decrease malware detection time after an outbreak [via new signatures]
 Increase resiliency to antivirus engines’ vulnerabilities

7. Combining Scan Results from Multiple Engines
Every engine misses something
No single antivirus is perfect, however each product has its own
strengths and weaknesses, and is more efficient at detecting some
threats than others.
100%
AV 2
Detection Rate:
Detection Rate:

8. Results from using multiple antivirus engines
This graph shows the time between
malware outbreak and AV detection by six
AV engines for 75 outbreaks.
No single engine detected every outbreak!
Only by combining multiple engines in a
multi-scanning solution were all outbreaks
detected quickly.
By adding additional engines, zero hour
detection rates increase even further.

9. Geographic Distribution of AV vendors
Note: Many vendors have centers in multiple locations

10. Defining Secure?
Factors Shaping Portable Media Security
Policies

11. Contributing Factors
 Regulatory Bodies
 Industry Working Groups
 Internal Security Groups

12. Contributing Factors
Regulatory Bodies
 Data security requirements are set by many different
groups
 NIST
 Nuclear Regulatory Commission
 Etc
 Many aspects are regulated
 Types of media allowed
 Virus scanning requirements
 Logging
 Authentication

13. Contributing Factors
Industry Working Groups
 Data security working groups to discuss implementations
 What works
 What doesn’t
 Best Practices
 Implementation Details

14. Contributing Factors
Internal Security Groups
 Multiple groups may have experts with ideas on how to
implement security solutions
 IT
 Security officers

15. The Right Balance
Security Requirements vs Business Needs

16. Security Requirements vs Business Needs
Cost Considerations
 Implementation Costs
 Security Solutions
 Consulting Costs
 Infrastructure Costs
 Costs to Productivity
 Additional time to follow security procedures
 Training time and cost
 Potential downtime if systems fail

17. Security Requirements vs Business Needs
Potential Cost Savings
 Remediation Costs
 System Downtime
 Productivity Costs
 Removal Costs
 Impact to Reputation
 Lawsuits
 Information Loss
 Classified Information
 Sensitive Corporate Data

18. Security Requirements vs Business Needs
Laptop as secure paperweight

19. Security Requirements vs Business Needs
Laptop as a secure productivity tool

20. How it’s Done
Common Security Architectures

21. Common Security Architectures
Standalone Systems with no Network connectivity
In this deployment option, portable media scanning kiosks have no network connection.
Virus definition updates are downloaded from a system connected to the Internet and
copied to physical media to be transferred to each kiosk.
Pros
No network connection required
Cons
Updating virus definitions requires physically bringing media (USB drive/DVD/CD) to each
kiosk and applying the update on each one

22. Common Security Architectures
Standalone Systems with Management Station
In this deployment option, a Management Station is installed on a dedicated system that has network
connection to each kiosk. The have network connection only to the Management Station. Virus
definition updates are downloaded on the system with the Management Station and updates are
applied to the kiosks via the Management Station.
Pros
Easier to deploy than standalone systems with no network connectivity
Cons
Requires network connectivity between each kiosk and the Management Station
Definition updates need to be transferred over the network
Requires an additional system for the Management Station

23. Common Security Architectures
Distributed Systems (Metascan Server Offline)
In a distributed system, kiosks have only a client installed. The scanning server is installed on a
dedicated system. In this deployment option, the server does not have access to the Internet, and the
kiosks have network connection to the scanning server only. Virus definition updates are downloaded
on a system with connection to the Internet and manually transferred and applied to the scanning
server.
Pros
Only requires deploying virus definition updates to a single scanning server
The server can be higher powered to allow for higher scan throughput
Cons
Requires network connectivity between each kiosk and the scanning server
All files being scanned will be transferred over the network

24. Common Security Architectures
Distributed Systems (Metascan Server Online)
In a distributed system, kiosks have only a client installed. The scanning server is installed on a
dedicated system. In this deployment option, the scanning server has access to the Internet, and the
kiosks have network connectivity to the scanning server only. Because of Internet connectivity, virus
definitions automatically update on the scanning server.
Pros
Virus definition updates are applied automatically to the scanning server
The server can be higher powered to allow for higher scan throughput
Cons
Requires network connectivity between each kiosk and the scanning server
All files being scanned will be transferred over the network
Requires Internet connection for the scanning server

25. What’s Allowed
Defining Acceptable Media Types and Files

26. Defining Acceptable Media Types and Files
Types of Portable Media
 Many Types of Media
 USB Flash Drives
 USB Hard Drives
 CD/DVDs
 SD Cards
 Mobile Phones
 Etc
 Characteristics more important
 Read/Write
 Encrypted
 Multiple Partitions

27. Defining Acceptable Media Types and Files
Types of Files
 General Classes of Files
 Office Documents
 Archives
 Executables
 Text
 Characteristics more important
 Encrypted
 Embedded Objects
 Digitally Signed

28. Defining Acceptable Media Types and Files
Methods of Control
 Blacklisting/Whitelisting
 Specific Types of files
 Specific types of sources
 Specific sources (based on serial number, etc)

29. Data Security Workflows
How to Supplement Multi-Scanning

30. Supplementing Multi-Scanning
Why Scanning with Multiple Antivirus Engines Sometimes isn’t Enough
 Zero Day Attacks
 Embedded Objects
New Header
Virus
Cod
e
Host
File
Data

31. Supplementing Multi-Scanning
Ways to Supplement
 User Authentication
 Set different policies for different users
 Source Blacklisting/Whitelisting
 File Type Filtering
 File Type Conversion
 Remove embedded objects from files not detected by antivirus engines
 Digital Signatures
 Validate all executables are digitally signed by a trusted source
 Digitally sign all files after scanning to verify they have not been changed after
scanning
 Periodic Re-scanning
 Dynamic analysis
 Sandbox solutions such as FireEye, Bluecoat, ThreatTrack, others
 Human inspection and reverse engineering

32. Supplementing Multi-Scanning
Example

33. Further Resources
 My contact information
 Tony Berning
 aberning@opswat.com
 White Paper: “Protecting Critical Infrastructure from Threats”
 Demo Metascan Server and Metadefender installations available at https://my.opswat.com (requires
creation of a free OPSWAT Portal account)
 For further questions on Metascan or Metadefender contact sales@opswat.com