
Preventing Known and Unknown Threats

Benny Czarny, CEO at OPSWAT, presents at an OPSWAT Cyber Security Seminar in DC on February 9th. This presentation covers the benefits of multi-scanning and how organizations can receive protection from both known and unknown threats through leveraging OPSWAT's technology.


  1. Preventing Known and Unknown Threats. Benny Czarny, CEO & Founder, OPSWAT, benny@opswat.com. February 9, 2016
  2. Preventing Known and Unknown Threats: Agenda
     • How much malware is out there
     • How to measure the quality of anti-malware products
     • The value of multi-scanning
     • Threat prevention
  3. How much malware is out there? Known threats, unknown threats, targeted attack, outbreak
  4. How much malware is out there?
  5. How much malware is out there? How many known threats are we up against?
     [Chart: Differences in Reporting the Total Amount of Threats, 2010 to 2015, AV-Test vs. McAfee; y-axis 0 to 600,000,000]
  6. How much malware is out there? How many new known threats are we up against?
     [Chart: Differences in Detection Rates for New Malware, 2010 to 2015, AV-Test vs. McAfee; y-axis 0 to 200,000,000]
  7. How much malware is out there? Why are different measurements being used?
     • Different detection logic
     • Different engines
     • Different data sources
     • Different market share
     • Different honeypots
  8. How much malware is out there? The power of crowdsourcing
  9. How much malware is out there?
  10. How to Measure the Quality of Anti-malware Products
      • Detection coverage
      • Response time for an outbreak
      • Amount of false positives
      • Product quality and stability
      • Product vulnerabilities
      • Operating system compatibility
      • Other metrics
  11. How to Measure the Quality of Anti-malware Products: Comparing AV-Test to AV-Comparatives
      Engine Name    AV-Comparatives Performance Rating    AV-Test Performance Rating
      Avira          90%                                   100%
      AVG            85%                                   70%
      Avast          83%                                   80%
      Panda          80%                                   90%
      McAfee         80%                                   80%
      Threat Track   80%                                   40%
      Trend Micro    78%                                   90%
      Sources: 1. AV-Test 2. AV-Comparatives
  12. How to Measure the Quality of Anti-malware Products: Measuring the quality of anti-malware engines (from AV-Comparatives)
      AV Name       Mar 2013   Sep 2013   Mar 2014   Sep 2014   Mar 2015   Sep 2015
      Avira         99.6%      99.7%      99.2%      99.9%      99.9%      99.8%
      F-Secure      99.5%      99.7%      99.6%      99.6%      99.8%      99.7%
      Bitdefender   99.3%      99.5%      99.5%      99.6%      99.7%      99.8%
      Kaspersky     99.2%      99.0%      99.8%      99.7%      99.9%      99.5%
      Fortinet      98.6%      98.2%      99.6%      97.9%      99.6%      98.8%
      Trend Micro   98.4%      98.3%      99.0%      99.5%      95.1%      95.5%
      AVG           98.4%      N/A        97.5%      98.4%      98.1%      93.4%
      McAfee        98.0%      98.2%      99.3%      99.8%      99.7%      97.5%
      Sophos        98.0%      96.5%      98.3%      98.2%      98.1%      97.2%
      Avast         97.8%      97.1%      97.7%      98.6%      99.4%      99.2%
      ESET          97.5%      97.1%      98.8%      98.7%      98.6%      99.2%
      AhnLab        92.0%      90.6%      89.0%      93.7%      N/A        N/A
      Microsoft     92.0%      90.1%      90.0%      90.2%      86.3%      91.4%
  13. How to Measure the Quality of Anti-malware Products: Individual Engine Vulnerabilities
      [Chart: Engine Vulnerabilities Over Last 4 Years, 2012 to 2015; y-axis 0 to 14. Source: National Vulnerability Database]
  14. How to Measure the Quality of Anti-malware Products: Conclusions
      • Do not know exactly how much malware is out there
      • No accurate/standard measure on quality of anti-malware engines
      • Quality of anti-malware engines changes from year to year
      • Anti-malware engines suffer from vulnerabilities
      • Well known vendors miss over 10% of known threats
  15. How to Measure the Quality of Anti-malware Products: The value of a single anti-malware solution
      Advantages:
      • Detect both known and unknown threats
      • Some engines detect over 80% of known threats
      Disadvantages:
      • Single point of failure
      • Vulnerabilities
      • Misdetection
      • Detection of outbreaks may be slower/delayed
  16. The Value of Multi-scanning
  17. The Value of Multi-scanning: Multi-scanning
      Advantages:
      • Improved malware detection
      • Decreased detection time for a new outbreak
      • Flexible patching for anti-malware engine vulnerabilities
      Disadvantages:
      • More false positives
      • Decreased performance
      • Higher costs
      • More vulnerabilities
  18. The Value of Multi-scanning: Advantage 1 – Improved malware detection
      [Venn diagram] Antivirus 1 with X1% detection rate and Antivirus 2 with X2% detection rate against the full threat set (100%). Combined detection rate: P(A ∪ B) = P(A) + P(B) − P(A ∩ B)
  19. The Value of Multi-scanning: Advantage 2 – Decreased detection time for an outbreak
      https://www.metadefender.com/#!/results/file/5268027b71414692b64649318619e33f/history
  20. The Value of Multi-scanning: Advantage 2 – Decreased detection time for an outbreak
      *Simulated time
  21. The Value of Multi-scanning: Disadvantage 1 – more false positives
      Antivirus 1, 8 false positives:
      • Azarus package: Trojan.Generic.6304836
      • Buchdruck package: Gen:Variant.Zbot.29
      • Intrapact package: Gen:Trojan.Heur.VP2.fm0@a5Koffgi
      • Shellex package: Gen:Variant.Kazy.17493
      • Skriptum package: Exploit.CVE-2011-0977.Gen
      • Virtualization package: Gen:Trojan.Heur.KT.4.bq8@aqLITyf
      • WinnerTw package: Gen:Variant.Kazy.18603
      • WoodMahjongg package: Gen:Variant.Kazy.14979
      Antivirus 2, 10 false positives:
      • AbsoluteBlue package: Win32:Malware-gen
      • DateCalc package: Win32:Trojan-gen
      • DB2EXE package: Win32:Malware-gen
      • Fiman package: Win32:Malware-gen
      • FTPcontrol package: Win32:Malware-gen
      • Joshua package: Win32:Malware-gen
      • Sardu package: Win32:Dropper-FRU
      • Shannel package: Win32:Fasec
      • ShellPicture package: Win32:Malware-gen
      • xComposer package: Win:32:SMorph
      Combined, 14 false positives:
      • AbsoluteBlue package: Win32:Malware-gen
      • Azarus package: Trojan.Generic.6304836
      • Buchdruck package: Gen:Variant.Zbot.29
      • DateCalc package: Win32:Trojan-gen
      • DB2EXE package: Win32:Malware-gen
      • Fiman package: Win32:Malware-gen
      • FTPcontrol package: Win32:Malware-gen
      • Intrapact package: Gen:Trojan.Heur.VP2.fm0@a5Koffgi
      • Joshua package: Win32:Malware-gen
      • ShellPicture package: Win32:Malware-gen
      • Virtualization package: Gen:Trojan.Heur.KT.4.bq8@aqLITyf
      • WinnerTw package: Gen:Variant.Kazy.18603
      • WoodMahjongg package: Gen:Variant.Kazy.14979
      • xComposer package: Win:32:SMorph
      Source: www.av-comparatives.org
  22. The Value of Multi-scanning: Disadvantage 2 – decreased performance
  23. The Value of Multi-scanning: Disadvantage 2 – decreased performance (reality)
  24. The Value of Multi-scanning: Disadvantage 3 – more costly
      • Hardware requirements
      • Additional IT training
      • Licensing cost
      • Bandwidth consumption
      • Other costs
  25. The Value of Multi-scanning: Reduce the risk of malware that is targeting specific engines
      [Chart: Engine Vulnerabilities Over Last 4 Years, 2012 to 2015, per engine: Avira, Kaspersky, Avast, Windows Defender, ESET, Bitdefender, Trend Micro; y-axis 0 to 14. Source: National Vulnerability Database]
  26. The Value of Multi-scanning: Multi-scanning
      Advantages:
      • Improved malware detection
      • Decreased detection time for a new outbreak
      • Flexible patching for anti-malware engine vulnerabilities
      Disadvantages:
      • More false positives
      • Decreased performance
      • Higher costs
      • More vulnerabilities
  27. The Value of Multi-scanning: Known Threats, Unknown Threats
  28. The Value of Multi-scanning: Known Threats, Unknown Threats
  29. Threat prevention: Data sanitization
      Flow: file may be harmful → data sanitization → different file, harmless
  30. Threat prevention: Data sanitization
      Flow: file may be harmful → reconstruct file (converting format, removing elements) → different file, harmless
  31. Q & A. Benny Czarny, Benny@opswat.com
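Slides 18 and 21 make one point each: the union of two engines' detections is P(A ∪ B) = P(A) + P(B) − P(A ∩ B), and the union of their false positives grows the same way. The following added example (not code from the deck or from OPSWAT) applies both to a constructed corpus of twenty labelled samples and three hypothetical engines, `engine_a`, `engine_b` and `engine_c`, whose verdicts are invented for the illustration. It also contrasts the measured union with the estimate you get by assuming the engines miss independently, which is the number people tend to quote and which overstates the gain when engines share signatures and feeds.

```python
"""Combined detection and false-positive rates for multi-scanning.

Added example, not from the OPSWAT deck. Applies the slide's identity
P(A U B) = P(A) + P(B) - P(A n B) to engine verdicts over a labelled corpus.
All sample ids, engine names and verdicts below are constructed.
"""
from itertools import combinations

# Constructed ground truth: ten malicious and ten clean samples.
MALICIOUS = {f"m{i:02d}" for i in range(1, 11)}
CLEAN = {f"c{i:02d}" for i in range(1, 11)}

# Constructed verdicts: the set of sample ids each hypothetical engine flags.
# Every engine detects 8/10 malicious samples, but they miss different ones,
# and each also flags one or two clean files.
DETECTIONS = {
    "engine_a": {f"m{i:02d}" for i in range(1, 9)} | {"c01"},
    "engine_b": {f"m{i:02d}" for i in range(1, 8)} | {"m09", "c02", "c03"},
    "engine_c": {f"m{i:02d}" for i in range(3, 11)} | {"c01"},
}


def rates(engines):
    """Detection and false-positive rate when a file is blocked if ANY engine flags it."""
    flagged = set().union(*(DETECTIONS[e] for e in engines))
    detection = len(flagged & MALICIOUS) / len(MALICIOUS)
    false_positive = len(flagged & CLEAN) / len(CLEAN)
    return detection, false_positive


def overlap(engine_a, engine_b):
    """P(A n B) on the malicious set: the share of threats both engines catch."""
    both = DETECTIONS[engine_a] & DETECTIONS[engine_b] & MALICIOUS
    return len(both) / len(MALICIOUS)


def union_exact(p_a, p_b, p_both):
    """The slide's formula: P(A U B) = P(A) + P(B) - P(A n B)."""
    return p_a + p_b - p_both


def union_independent(p_a, p_b):
    """Optimistic estimate that assumes the engines miss independently, so
    P(A n B) = P(A) * P(B). Real engines share feeds and signatures, so their
    misses are correlated and this figure overstates the gain."""
    return p_a + p_b - p_a * p_b


def rank_combinations(k):
    """Rank every k-engine set by detection rate (desc), then false positives (asc).
    The false-positive rate only ever grows with more engines: it is a union too."""
    ranked = []
    for combo in combinations(sorted(DETECTIONS), k):
        detection, false_positive = rates(combo)
        ranked.append((combo, detection, false_positive))
    ranked.sort(key=lambda row: (-row[1], row[2]))
    return ranked


if __name__ == "__main__":
    p_a, _ = rates(["engine_a"])
    p_b, _ = rates(["engine_b"])
    both = overlap("engine_a", "engine_b")
    print(f"engine_a alone: {p_a:.0%}, engine_b alone: {p_b:.0%}")
    print(f"independence estimate for a+b: {union_independent(p_a, p_b):.0%}")
    print(f"measured a+b (overlap {both:.0%}): {union_exact(p_a, p_b, both):.0%}")
    for combo, det, fp in rank_combinations(2):
        print(f"{'+'.join(combo)}: detection {det:.0%}, false positives {fp:.0%}")
```

Two engines at 80% each give 96% under the independence assumption but only 90% once the measured 70% overlap is used, and the pair that maximises detection is not the pair with the fewest false positives, which is the trade-off slides 17 and 26 list. Ranking real engines this way needs per-sample verdicts over a labelled corpus, not the summary percentages from slide 12.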
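Slides 29 and 30 describe data sanitization as reconstructing a file by converting its format or removing elements, so that what reaches the user is a different, harmless file rather than a scan verdict. The following added example (not OPSWAT's code and not a description of its product) shows the element-removal step on one file type, SVG: the drawing is kept, while `script` and `foreignObject` elements, `on*` event-handler attributes and script-scheme `href` values are stripped. The sample SVG, the `sanitize_svg` function and its report format are constructed for this illustration.

```python
"""Element-removal data sanitization for SVG images.

Added example, not OPSWAT's code. Keeps the image content of an SVG and drops
the parts that can carry active content, producing a different, harmless file.
The sample SVG at the bottom is constructed.
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Registering prefixes keeps the output looking like ordinary SVG (no ns0:).
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that carry script or embed a foreign document; removed with their subtree.
DROP_ELEMENTS = {"script", "foreignObject"}
# Link schemes that turn an href into code execution.
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


def local_name(qualified):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return qualified.rsplit("}", 1)[-1]


def unsafe_attribute(name, value):
    """True for on* event handlers and href/src values using a script scheme."""
    name = local_name(name).lower()
    if name.startswith("on"):
        return True
    if name in {"href", "src"}:
        return value.strip().lower().startswith(SCRIPT_SCHEMES)
    return False


def strip_elements(parent, report):
    """Remove DROP_ELEMENTS below parent; recurse only into children that stay."""
    for child in list(parent):  # list(): never mutate while iterating
        if local_name(child.tag) in DROP_ELEMENTS:
            parent.remove(child)
            report["elements_removed"] += 1
        else:
            strip_elements(child, report)


def sanitize_svg(svg_text):
    """Return (sanitized SVG text, report of what was removed).

    stdlib ElementTree does not fetch external entities, but for untrusted input
    in production parse with defusedxml to block entity-expansion attacks.
    """
    root = ET.fromstring(svg_text)
    report = {"elements_removed": 0, "attributes_removed": 0}
    strip_elements(root, report)
    for element in root.iter():  # includes the root <svg> itself (onload lives there)
        for name, value in list(element.attrib.items()):
            if unsafe_attribute(name, value):
                del element.attrib[name]
                report["attributes_removed"] += 1
    return ET.tostring(root, encoding="unicode"), report


# Constructed sample: one visible circle plus five pieces of active content.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100"
     onload="run()">
  <script>run()</script>
  <circle cx="50" cy="50" r="40" fill="red" onclick="run()"/>
  <a xlink:href="javascript:run()"><text x="10" y="20">link</text></a>
  <foreignObject width="10" height="10"><div>embedded</div></foreignObject>
</svg>"""

if __name__ == "__main__":
    cleaned, report = sanitize_svg(SAMPLE_SVG)
    print(report)
    print(cleaned)
```

The output is re-serialized from the parsed tree rather than patched as text, which is what makes this a reconstruction in the sense of slide 30: anything the parser did not understand, including malformed markup a browser might still execute, does not survive the round trip. Whether to go further (dropping external `href` targets, `data:` URIs or the `a` element entirely) is a policy choice that trades fidelity for assurance, the same trade-off the slides frame as "different file, harmless".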
