Tony Berning, Senior Product Manager at OPSWAT, gave a talk on Securing Critical Infrastructure, using multiple anti-malware engines and other methods, to an audience of academic researchers, operators of power plants and other workers in critical infrastructure. The presentation introduced the basics of multi-scanning and the benefits of utilizing multiple anti-malware engines to scan files. The presentation also covered topics related to defining and setting appropriate security policies for various user groups and outlining common security architectures.
Using Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
1. Using Multiple Antivirus Engine Scanning to
Protect Critical Infrastructure
Tony Berning
Senior Product Manager
aberning@opswat.com
8 April 2014
2. Agenda
Introduction to Multi-scanning
Factors Shaping Portable Media Security Policies
Balancing Security Requirements with Business Needs
Common Network Architectures
Defining Acceptable Media and Content
Ways to Supplement Multi-Scanning in Data Security Workflows
Additional Resources
4. The Problem: Amount of Malware Exponentially Increasing
Over 220,000 new malware variants appear every day (AV-TEST)
“Cyber attacks on America’s critical infrastructure increased 17-fold between 2009 and 2011.”
http://www.csmonitor.com/Commentary/Opinion/2012/0808/Help-wanted-Geek-squads-for-US-cybersecurity
The rapid growth in the amount of malware continues to accelerate
No AV vendor can keep up with the number of new malware variants
5. The Problem
Factors affecting each antivirus product’s detection rate
Heuristics and other detection code
Size and coverage of the signature database
Update frequency of the signature database
Location of the AV vendor’s malware research lab(s)
6. Why use multiple antivirus engines?
Increase malware zero hour detection rates [via heuristics]
Decrease malware detection time after an outbreak [via new signatures]
Increase resiliency to antivirus engines’ vulnerabilities
7. Combining Scan Results from Multiple Engines
Every engine misses something
No single antivirus is perfect; however, each product has its own strengths and weaknesses, and is more efficient at detecting some threats than others.
[Figure: detection rate chart comparing individual AV engines (labels “Detection Rate:” and “AV 2”, scale to 100%)]
8. Results from using multiple antivirus engines
This graph shows the time between malware outbreak and AV detection by six AV engines for 75 outbreaks.
No single engine detected every outbreak!
Only by combining multiple engines in a multi-scanning solution were all outbreaks detected quickly.
By adding additional engines, zero hour detection rates increase even further.
11. Contributing Factors
Regulatory Bodies
Industry Working Groups
Internal Security Groups
12. Contributing Factors
Regulatory Bodies
Data security requirements are set by many different groups
NIST
Nuclear Regulatory Commission
Etc
Many aspects are regulated
Types of media allowed
Virus scanning requirements
Logging
Authentication
13. Contributing Factors
Industry Working Groups
Data security working groups to discuss implementations
What works
What doesn’t
Best Practices
Implementation Details
14. Contributing Factors
Internal Security Groups
Multiple groups may have experts with ideas on how to implement security solutions
IT
Security officers
16. Security Requirements vs Business Needs
Cost Considerations
Implementation Costs
Security Solutions
Consulting Costs
Infrastructure Costs
Costs to Productivity
Additional time to follow security procedures
Training time and cost
Potential downtime if systems fail
17. Security Requirements vs Business Needs
Potential Cost Savings
Remediation Costs
System Downtime
Productivity Costs
Removal Costs
Impact to Reputation
Lawsuits
Information Loss
Classified Information
Sensitive Corporate Data
21. Common Security Architectures
Standalone Systems with no Network connectivity
In this deployment option, portable media scanning kiosks have no network connection. Virus definition updates are downloaded from a system connected to the Internet and copied to physical media to be transferred to each kiosk.
Pros
No network connection required
Cons
Updating virus definitions requires physically bringing media (USB drive/DVD/CD) to each kiosk and applying the update on each one
22. Common Security Architectures
Standalone Systems with Management Station
In this deployment option, a Management Station is installed on a dedicated system that has a network connection to each kiosk. The kiosks have a network connection only to the Management Station. Virus definition updates are downloaded on the system with the Management Station and applied to the kiosks via the Management Station.
Pros
Easier to deploy than standalone systems with no network connectivity
Cons
Requires network connectivity between each kiosk and the Management Station
Definition updates need to be transferred over the network
Requires an additional system for the Management Station
23. Common Security Architectures
Distributed Systems (Metascan Server Offline)
In a distributed system, kiosks have only a client installed. The scanning server is installed on a dedicated system. In this deployment option, the server does not have access to the Internet, and the kiosks have a network connection to the scanning server only. Virus definition updates are downloaded on a system with a connection to the Internet and manually transferred and applied to the scanning server.
Pros
Only requires deploying virus definition updates to a single scanning server
The server can be higher powered to allow for higher scan throughput
Cons
Requires network connectivity between each kiosk and the scanning server
All files being scanned will be transferred over the network
24. Common Security Architectures
Distributed Systems (Metascan Server Online)
In a distributed system, kiosks have only a client installed. The scanning server is installed on a dedicated system. In this deployment option, the scanning server has access to the Internet, and the kiosks have network connectivity to the scanning server only. Because of the Internet connectivity, virus definitions update automatically on the scanning server.
Pros
Virus definition updates are applied automatically to the scanning server
The server can be higher powered to allow for higher scan throughput
Cons
Requires network connectivity between each kiosk and the scanning server
All files being scanned will be transferred over the network
Requires Internet connection for the scanning server
26. Defining Acceptable Media Types and Files
Types of Portable Media
Many Types of Media
USB Flash Drives
USB Hard Drives
CD/DVDs
SD Cards
Mobile Phones
Etc
Characteristics that matter more than the media type
Read/Write
Encrypted
Multiple Partitions
27. Defining Acceptable Media Types and Files
Types of Files
General Classes of Files
Office Documents
Archives
Executables
Text
Characteristics that matter more than the file class
Encrypted
Embedded Objects
Digitally Signed
28. Defining Acceptable Media Types and Files
Methods of Control
Blacklisting/Whitelisting
Specific Types of files
Specific types of sources
Specific sources (based on serial number, etc)
30. Supplementing Multi-Scanning
Why Scanning with Multiple Antivirus Engines Sometimes Isn’t Enough
Zero Day Attacks
Embedded Objects
[Diagram: an infected file, with a new header and virus code prepended to the host file’s data]
31. Supplementing Multi-Scanning
Ways to Supplement
User Authentication
Set different policies for different users
Source Blacklisting/Whitelisting
File Type Filtering
File Type Conversion
Remove embedded objects from files not detected by antivirus engines
Digital Signatures
Validate all executables are digitally signed by a trusted source
Digitally sign all files after scanning to verify they have not been changed after
scanning
Periodic Re-scanning
Dynamic analysis
Sandbox solutions such as FireEye, Bluecoat, ThreatTrack, others
Human inspection and reverse engineering
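The two policy ideas above (slide 7: treat a file as infected if any engine flags it; slide 31: per-group file type filtering and sealing files after scanning so later changes are detectable) as an added Python example. This is not OPSWAT or Metascan code; the engine verdicts, group whitelist and signing key are constructed sample data, and an HMAC stands in for the digital signature the slide describes.

```python
import hashlib
import hmac

# Constructed sample verdicts from three engines (not real scanner output).
ENGINE_RESULTS = {
    "report.docx": {"engine_a": "clean", "engine_b": "clean", "engine_c": "clean"},
    "update.exe":  {"engine_a": "clean", "engine_b": "infected", "engine_c": "clean"},
    "tool.exe":    {"engine_a": "clean", "engine_b": "clean", "engine_c": "clean"},
}

# Hypothetical per-user-group whitelist of file types (different policies
# for different users, file type filtering).
GROUP_WHITELIST = {
    "operators": {".docx", ".txt", ".pdf"},
    "engineers": {".docx", ".txt", ".pdf", ".exe"},
}

def combine_verdicts(results):
    """Multi-scan rule: the file is treated as infected if ANY engine flags it."""
    flagged = sorted(e for e, v in results.items() if v != "clean")
    return ("infected" if flagged else "clean"), flagged

def file_extension(filename):
    return "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def allowed_for_group(filename, group):
    return file_extension(filename) in GROUP_WHITELIST.get(group, set())

def seal(content, key):
    """Tag scanned content so a later change is detectable (HMAC in place of
    the digital signature the slide describes)."""
    return hmac.new(key, content, hashlib.sha256).hexdigest()

def seal_is_valid(content, key, tag):
    return hmac.compare_digest(seal(content, key), tag)

def decide(filename, content, group, key):
    """Return (decision, detail): block on any engine hit, then on group
    policy; otherwise allow and seal the content."""
    verdict, flagged = combine_verdicts(ENGINE_RESULTS[filename])
    if verdict == "infected":
        return "blocked", "flagged by " + ", ".join(flagged)
    if not allowed_for_group(filename, group):
        return "blocked", f"{file_extension(filename)} not allowed for {group}"
    return "allowed", seal(content, key)

if __name__ == "__main__":
    key = b"kiosk-signing-key"  # constructed demo key, not a real secret
    for name in ENGINE_RESULTS:
        print(name, decide(name, b"sample bytes", "operators", key))
```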
33. Further Resources
My contact information
Tony Berning
aberning@opswat.com
White Paper: “Protecting Critical Infrastructure from Threats”
Demo Metascan Server and Metadefender installations available at https://my.opswat.com (requires creation of a free OPSWAT Portal account)
For further questions on Metascan or Metadefender contact sales@opswat.com