Downloaded 11 times
![What are the capabilities of the security solutions?
Antivirus productvulnerabilitiesfrom the National VulnerabilityDatabase
0
10
20
30
40
50
60
70
2005 2006 2007 2008 2009 2010 2011 2012
NumberofVulnerabilitiesinAntivirusproducts[CVEs]
Year](https://image.slidesharecdn.com/opswat-benny-czarny-inss-2013-130724120941-phpapp02/85/Securing-data-flow-to-and-from-organizations-14-320.jpg)
Uploaded byOPSWAT
Securing data flow to and from organizations
This document discusses securing data workflow between organizations. It introduces OPSWAT, an IT security company, and describes some of their products including secure data transfer solutions. It then asks questions about threats, including that viruses are an NP-complete problem and there are known and unknown threats. Detection rates between antivirus vendors can vary, and using multiple engines in a multiscanning solution provides better protection. Sanitizing data and protecting security systems themselves are also discussed.
More Related Content
Similar to Securing data flow to and from organizations
Securing data flow to and from organizations
- 1. Securing data workflowto and from organizations Benny Czarny CEO OPSWAT,Inc.
- 2. Introduction to OPSWAT Founded 2002 Based in San Francisco Employees, contractors and interns: 115 Over 50 OEM customers Over 500 direct customers 100+ certified technical partners 1000+ certified applications
- 3. OPSWAT Technologies Secure ManageControl Company Development tools OESIS®, AppRemover and Secure Virtual Desktop Secure Data workflow Metascan and Metadefender Automated Testing platform and Cloud Sandboxing Nexperior Device manageability and security GEARS Cloud
- 4. SSL VPN andNAC Some Customers by Vertical Network Compliance and Vulnerability Assessment Support Tools Government Managed Services Antivirus Vendors
- 5. How to securethe data workflow ? What type of threats are we up against ? How many threats are we up against ? What are the capabilities of the security solutions ? Questionsto ask ourselves
- 6. What type ofthreats are we up against? Computer Viruses are an NP-complete problem NP complete problems cannot be solved in an easy to measure time in any known way http://www.dmst.aueb.gr/dds/pubs/jrnl/2002-ieeetit- npvirus/html/npvirus.pdf
- 7. What type ofthreats are we up against? Ways to solve NP complete problems include Approximation: -an "almost" optimal solution. Randomization: allow the algorithm to fail with some small probability. Heuristic: An algorithm that works "reasonably well".
- 8. What type ofthreats are we up against? Known threats Unknown threats
- 9. How many threatsare we up against ?
- 10. How many threatsare we up against? Source: McAfee Source: Av-Test.org Differencesin reporting the total amount of threats
- 11. How many threatsare we up against? Source: McAfee Source: Av-Test.org Differencesin detection rates for new malware
- 12. What are thecapabilities of the security solutions? Measuring the quality of antimalware engines How can we measure the quality of antivirus engines Detection coverage Response time Operating system compatibility Amount of False positives Certification by
- 13. What are thecapabilities of the security solutions? November 2010 February 2011 August 2011 AV Comparatives 97.6 % 95.8 % 92.1 % AV Test 97 % 99 % 96 % Measuring the quality of antimalware engines AMTSO’s mission is to develop and publish standards and best practices for testing of antimalware products
- 14. What are thecapabilities of the security solutions? Antivirus productvulnerabilitiesfrom the National VulnerabilityDatabase 0 10 20 30 40 50 60 70 2005 2006 2007 2008 2009 2010 2011 2012 NumberofVulnerabilitiesinAntivirusproducts[CVEs] Year
- 15. What are thecapabilities of the security solutions ? Antivirus Tested 30 known malware files (Disguised as documents or embedded within documents) Fewest number of engines detecting the threat was 10 (out of 43) Highest number of engines detecting the threat was 30 (out of 43)
- 16. What are thecapabilities of the security solutions ? Sandbox? Tested 30 known malware files (Disguised as documents or embedded within documents) Lowest number of threats detected was 3 Highest number of threats detected was 23
- 17. What are thecapabilities of the security solutions Sandboxing X1% Protection level : 100% Multiscannin g X2% Protection level: Measuring detection coverage
- 18. Conclusion Viruses andvulnerabilities are very hard to detect No current answer about the amount of threats No clear answer about the quality of the security solutions
- 19. Conclusion What can wedo Use many antivirus engines to protect against known and unknown threats using heuristics and sandboxes Sanitize the data to protect against unknown threats Protect the security system
- 20. Use many antimalwareengines This graph shows the time between malware outbreakandAntivirus detection by sixAntivirus engines for 75 outbreaks over three months. No Vendor detects every outbreak. Only by combining six engines in a multiscanningsolution are outbreaks detected quickly. By adding additional engines,zero hour detection rates increase further. Zero hour detection 5 min to 5 days No detection at 5 days
- 21. What are thecapabilities of the security solutions Sandboxing X1% Protection level : 100% Multiscannin g X2% Protection level: Measuring detection coverage
- 22. Sanitize the datato protect against unknown threats Sanitize the data in a well defined process 1. User Authentication 2. Input Policy Based on User Privileges 3. File Type Policy 4. Scan by Many Antivirus engines 5. Embedded Object and Macro Removal via File Type Conversion 6. File and Media Signature Verification 7. Notification to the user data is ready 8. File and Media Deletion Keep a healthy tradeoff between security and usability
- 23. Protect the securitysystem Execute sensitive tasks in an isolated virtualized environments Revert your system on an ongoing basis Check the memory integrity and the disk integrity of your system Patch the system and its components Constantly review the security architecture
- 24.
- 25. References Av-test.com Av-comparatives.com www.metascan-online.com Amtso Software system defectcontent prediction from development process and product characteristics - Harris institute McAfee
Editor's Notes
- #2 Hello Everybody my name is Benny Czarny CEO of OPSWAT the Manufacture of Thank west coast labs you for the opportunity to sponser West coast OESIS – Managability technology Metascan - Multiscanning technologies On demand desktop isolation technology AppRemover – technology to Uninstall Security applications I am sure that many if not all What I am going to talk about is trying to quantify multiscanning measurements
- #6 Before we begin lets quickly discuss Why Mutliscanning What is the trade off Lets try to simplify whyWhen you are trying to protect yourselves against any threat It does not have to be a virus What type of threat you are trying what is the capability of our solution For example you protect against Data loss – by implementing back up If you are trying to protect against an army –How many soldiers are planning to attack How many soldiers do we have , how they are equipped , How many threats we are against ?What is the capability of an antivirus to detect a threat
- #10 http://www.cknow.com/cms/vtutor/number-of-viruses.html
- #11 So what is the total number of threats ?Here are numbers I pulled from you from 2 different resources Mcafee and av-test.org There are many more resources such as Virus encyclopedias of multiple vendors This was simple to findSimple google image amount of malware IT is very clear to see that over a course of a year and a halfMfafee and AV-test did not reprt the same numberSYes I know that some would argue
- #12 Even more Total numbers of new threats is also inconclusiveHow can you check who detects 100% when you do not know what is 100%
- #13 Now lets see what is the capability of our antimalware engines We have antimalware engines How can you measure the quality of antimalware engines ?Detection coverageResponse time Operating system compatibility Amount of False positiveCompanies such as ICSA Labs AV comparatives west coast Labs AV test Virus Builtin came with their own metrics , and keep publish their research and testing results
- #14 In this example I outlined here for you how 2 different companies publish reports of quality of antimalware reports different numbers Each company has a different criteria's to measure the quality of the engines and different rating system I’d like to mention that the organization AMTSO ( founded at 2008 by Richard develop testing standards for antimalware ) We still see inconsistent numbers
- #15 Taken from the National Vulnerability DatabaseNumber of CVS found with a search of ‘antivirus’ – results were from various Antivirus products
- #18 The assumption that antiviurs engines are events that are not mutually exclusive So if we have the global amount of threats an antivirus can detect we should expect :Threats detected only by Antiviurs A Threats Detected only by Antivirus B Threats detected by Antivirus A and Antivirus B
- #19 The conclusion is obvious When you do not know what you are up against , When you can’t really measure the quality of the tools you are working with Multiscanining is a trivial choice
- #20 The conclusion is obvious When you do not know what you are up against , When you can’t really measure the quality of the tools you are working with Multiscanining is a trivial choice
- #21 Green is zero hour detectionYellow is 2 min to 5 daysRed is more than 5 days
- #22 The assumption that antiviurs engines are events that are not mutually exclusive So if we have the global amount of threats an antivirus can detect we should expect :Threats detected only by Antiviurs A Threats Detected only by Antivirus B Threats detected by Antivirus A and Antivirus B