Securing data workflow to and from organizations
Benny Czarny, CEO, OPSWAT, Inc.
Introduction to OPSWAT
Founded 2002
Based in San Francisco
Employees, contractors and interns: 115
Over 50 OEM customers
Over 500 direct customers
100+ certified technical partners
1000+ certified applications
OPSWAT Technologies: Secure, Manage, Control
Company Development tools
OESIS®, AppRemover and Secure Virtual Desktop
Secure Data workflow
Metascan and Metadefender
Automated Testing platform and Cloud Sandboxing
Nexperior
Device manageability and security
GEARS Cloud
SSL VPN and NAC
Some Customers by Vertical
Network Compliance and Vulnerability Assessment
Support Tools
Government
Managed Services
Antivirus Vendors
Questions to ask ourselves
How to secure the data workflow?
What type of threats are we up against?
How many threats are we up against?
What are the capabilities of the security solutions?
What type of threats are we up against?
Detecting computer viruses is an NP-complete problem
There is no known way to solve NP-complete problems in a predictable (polynomial) amount of time
http://www.dmst.aueb.gr/dds/pubs/jrnl/2002-ieeetit-npvirus/html/npvirus.pdf
What type of threats are we up against?
Ways to solve NP-complete problems include:
Approximation: an "almost" optimal solution
Randomization: allow the algorithm to fail with some small probability
Heuristic: an algorithm that works "reasonably well"
What type of threats are we up against?
Known threats
Unknown threats
How many threats are we up against?
[Chart: Differences in reporting the total amount of threats. Sources: McAfee, Av-Test.org]
How many threats are we up against?
[Chart: Differences in detection rates for new malware. Sources: McAfee, Av-Test.org]
What are the capabilities of the security solutions? Measuring the quality of antimalware engines
How can we measure the quality of antivirus engines?
Detection coverage
Response time
Operating system compatibility
Amount of false positives
Certification by
What are the capabilities of the security solutions?
                 November 2010   February 2011   August 2011
AV Comparatives  97.6 %          95.8 %          92.1 %
AV Test          97 %            99 %            96 %
Measuring the quality of antimalware engines
AMTSO’s mission is to develop and publish standards and best practices for testing of antimalware products
What are the capabilities of the security solutions? Antivirus product vulnerabilities from the National Vulnerability Database
[Chart: Number of Vulnerabilities in Antivirus products [CVEs] per Year, 2005 to 2012]
What are the capabilities of the security solutions? Antivirus
Tested 30 known malware files (disguised as documents or embedded within documents)
Fewest number of engines detecting a threat: 10 (out of 43)
Highest number of engines detecting a threat: 30 (out of 43)
What are the capabilities of the security solutions? Sandbox?
Tested 30 known malware files (disguised as documents or embedded within documents)
Lowest number of threats detected: 3
Highest number of threats detected: 23
What are the capabilities of the security solutions? Measuring detection coverage
[Diagram: Sandboxing, protection level X1%; Multiscanning, protection level X2%; 100%]
Conclusion
Viruses and vulnerabilities are very hard to detect
No clear answer about the number of threats
No clear answer about the quality of the security solutions
Conclusion: What can we do?
Use many antivirus engines to protect against known and unknown threats using heuristics and sandboxes
Sanitize the data to protect against unknown threats
Protect the security system
Use many antimalware engines
This graph shows the time between malware outbreak and Antivirus detection by six Antivirus engines for 75 outbreaks over three months.
No Vendor detects every outbreak.
Only by combining six engines in a multiscanning solution are outbreaks detected quickly.
By adding additional engines, zero hour detection rates increase further.
[Chart legend: Zero hour detection; 5 min to 5 days; No detection at 5 days]
Sanitize the data to protect against unknown threats
Sanitize the data in a well defined process
1. User Authentication
2. Input Policy Based on User Privileges
3. File Type Policy
4. Scan by Many Antivirus Engines
5. Embedded Object and Macro Removal via File Type Conversion
6. File and Media Signature Verification
7. Notification to the User That Data Is Ready
8. File and Media Deletion
Keep a healthy tradeoff between security and usability
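Steps 3 to 6 of the sanitization process above, as an added example that is neither OPSWAT's code nor part of the original deck. It assumes in-memory files, simulated engine callables in place of real antivirus engines, a constructed sample .docx, and a simplified "conversion" that rebuilds the Office container without its VBA project and embedded objects.

```python
# Added example, not OPSWAT code: steps 3-6 of the process above, in memory.
# Engine verdicts are simulated callables; the sample .docx is constructed.
import hashlib
import io
import zipfile
ALLOWED_TYPES = {"docx"}  # step 3: file type policy is an allow-list

def policy_check(data: bytes, name: str) -> str:
    # Type comes from magic bytes and container contents, never from the name;
    # reject disallowed types and files whose extension hides their content.
    kind = "unknown"
    if data.startswith(b"PK\x03\x04"):  # Office documents are zip containers
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            kind = "docx" if "word/document.xml" in z.namelist() else "zip"
    if kind not in ALLOWED_TYPES or kind != name.rsplit(".", 1)[-1].lower():
        raise ValueError(f"{name}: content identified as {kind}, rejected")
    return kind

def strip_embedded(data: bytes) -> tuple:
    # Step 5 (simplified): rebuild the container without VBA/embedded objects.
    out, removed = io.BytesIO(), []
    with zipfile.ZipFile(io.BytesIO(data)) as zin, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            low = item.filename.lower()
            if low.endswith("vbaproject.bin") or "/embeddings/" in low:
                removed.append(item.filename)
            else:
                zout.writestr(item, zin.read(item.filename))
    return out.getvalue(), removed

def sanitize(data: bytes, name: str, engines: dict) -> dict:
    policy_check(data, name)                                      # step 3
    hits = [n for n, detect in engines.items() if detect(data)]   # step 4
    if hits:                      # multiscanning: any engine's detection blocks
        return {"status": "blocked", "engines": hits}
    data, removed = strip_embedded(data)                          # step 5
    digest = hashlib.sha256(data).hexdigest()                     # step 6
    return {"status": "clean", "removed": removed, "sha256": digest, "data": data}

# Constructed sample input and simulated engines (not real detections).
ENGINES = {"engine_a": lambda d: b"CONSTRUCTED-MARKER" in d, "engine_b": lambda d: False}

def make_docx(with_macro: bool, marker: bytes = b"") -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + marker)
    return buf.getvalue()
```

The SHA-256 returned in step 6 is what the notification in step 7 would hand to the user, so the delivered file can be verified against it before the original is deleted in step 8.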
Protect the security system
Execute sensitive tasks in isolated virtualized environments
Revert your system on an ongoing basis
Check the memory integrity and the disk integrity of your system
Patch the system and its components
Constantly review the security architecture
Questions
References
Av-test.com
Av-comparatives.com
www.metascan-online.com
AMTSO
Software system defect content prediction from development process and product characteristics - Harris Institute
McAfee