Securing data flow to and from organizations


Presented by Benny Czarny, OPSWAT CEO, at INSS Workshop 2013


Securing data workflow to and from organizations

Benny Czarny, CEO, OPSWAT, Inc.

Introduction to OPSWAT

Founded 2002

Based in San Francisco

Employees, contractors and interns: 115

Over 50 OEM customers

Over 500 direct customers

100+ certified technical partners

1000+ certified applications

OPSWAT Technologies: Secure, Manage, Control

Company Development tools

OESIS®, AppRemover and Secure Virtual Desktop

Secure Data workflow

Metascan and Metadefender

Automated Testing platform and Cloud Sandboxing

Nexperior

Device manageability and security

GEARS Cloud

SSL VPN and NAC

Some Customers by Vertical

Network Compliance and Vulnerability Assessment

Support Tools

Government

Managed Services

Antivirus Vendors

How to secure the data workflow?

What type of threats are we up against?

How many threats are we up against?

What are the capabilities of the security solutions?

Questions to ask ourselves

What type of threats are we up against?

Reliably detecting computer viruses is an NP-complete problem

No known method solves an NP-complete problem in an easily bounded (polynomial) amount of time

http://www.dmst.aueb.gr/dds/pubs/jrnl/2002-ieeetit-npvirus/html/npvirus.pdf

What type of threats are we up against?

Ways to approach NP-complete problems include:

Approximation: an "almost" optimal solution.

Randomization: allow the algorithm to fail with some small probability.

Heuristic: an algorithm that works "reasonably well".

What type of threats are we up against?

Known threats

Unknown threats

How many threats are we up against?

How many threats are we up against?

(Charts: total number of threats as reported by McAfee and by Av-Test.org.)

Differences in reporting the total amount of threats

How many threats are we up against?

(Charts: detection rates for new malware as reported by McAfee and by Av-Test.org.)

Differences in detection rates for new malware

What are the capabilities of the security solutions? Measuring the quality of antimalware engines

How can we measure the quality of antivirus engines?

Detection coverage

Response time

Operating system compatibility

Amount of false positives

Certification by

What are the capabilities of the security solutions?

Detection rates reported by two test labs:

                  November 2010   February 2011   August 2011
AV Comparatives   97.6 %          95.8 %          92.1 %
AV Test           97 %            99 %            96 %

Measuring the quality of antimalware engines

AMTSO’s mission is to develop and publish standards and best practices for testing of antimalware products

What are the capabilities of the security solutions? Antivirus product vulnerabilities from the National Vulnerability Database

(Chart: number of vulnerabilities in antivirus products [CVEs] per year, 2005 to 2012; y axis from 0 to 70.)

What are the capabilities of the security solutions? Antivirus

Tested 30 known malware files (disguised as documents or embedded within documents)

Fewest number of engines detecting a threat: 10 (out of 43)

Highest number of engines detecting a threat: 30 (out of 43)

What are the capabilities of the security solutions? Sandbox?

Tested 30 known malware files (disguised as documents or embedded within documents)

Lowest number of threats detected: 3

Highest number of threats detected: 23

What are the capabilities of the security solutions? Measuring detection coverage

(Diagram: protection level of sandboxing, X1%, and of multiscanning, X2%, each shown against a 100% bar.)

Conclusion

Viruses and vulnerabilities are very hard to detect

No current answer about the amount of threats

No clear answer about the quality of the security solutions

Conclusion: What can we do?

Use many antivirus engines to protect against known and unknown threats using heuristics and sandboxes

Sanitize the data to protect against unknown threats

Protect the security system

Use many antimalware engines

This graph shows the time between malware outbreak and Antivirus detection by six Antivirus engines for 75 outbreaks over three months.

No Vendor detects every outbreak.

Only by combining six engines in a multiscanning solution are outbreaks detected quickly.

By adding additional engines, zero hour detection rates increase further.

(Graph legend: zero hour detection; 5 min to 5 days; no detection at 5 days.)
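As an added example (not from the deck, and not OPSWAT's code), the Python below computes the same three bands used on the graph, zero hour, 5 min to 5 days, and no detection at 5 days, for each engine on its own and for all engines combined. The engine names and the outbreak timings are constructed, not the 75 outbreaks the slide refers to; what it shows is the mechanism behind the slide's claim: multiscanning catches an outbreak as soon as the first engine does, so the combined zero-hour rate is never lower than the best single engine.

```python
from datetime import datetime, timedelta

# Hypothetical engine names; constructed sample data, not the deck's 75 outbreaks.
ENGINES = ["engine-1", "engine-2", "engine-3"]

T0 = datetime(2013, 3, 1, 9, 0)
OUTBREAKS = {
    # "seen": first sighting of the sample; "detected": when each engine first
    # flagged it (None = not detected within the observation window).
    "outbreak-1": {"seen": T0,
                   "detected": {"engine-1": T0 + timedelta(minutes=2),
                                "engine-2": T0 + timedelta(hours=6),
                                "engine-3": None}},
    "outbreak-2": {"seen": T0 + timedelta(days=1),
                   "detected": {"engine-1": None,
                                "engine-2": T0 + timedelta(days=1, minutes=4),
                                "engine-3": T0 + timedelta(days=3)}},
    "outbreak-3": {"seen": T0 + timedelta(days=2),
                   "detected": {"engine-1": T0 + timedelta(days=2, hours=20),
                                "engine-2": T0 + timedelta(days=9),
                                "engine-3": T0 + timedelta(days=2, hours=1)}},
    "outbreak-4": {"seen": T0 + timedelta(days=3),
                   "detected": {"engine-1": None,
                                "engine-2": None,
                                "engine-3": T0 + timedelta(days=10)}},
}

ZERO_HOUR = timedelta(minutes=5)   # the deck's "zero hour" band: detected within 5 minutes
WINDOW = timedelta(days=5)         # the deck's cut-off: still undetected at 5 days
BANDS = ("zero hour", "5 min to 5 days", "no detection at 5 days")


def bucket(delay):
    """Map a detection delay (or None) onto the three bands used on the slide."""
    if delay is None or delay > WINDOW:
        return BANDS[2]
    if delay <= ZERO_HOUR:
        return BANDS[0]
    return BANDS[1]


def engine_delay(outbreak, engine):
    """Delay between first sighting and this engine's detection; None if never detected."""
    t = outbreak["detected"].get(engine)
    return None if t is None else t - outbreak["seen"]


def combined_delay(outbreak, engines):
    """Multiscanning: the outbreak is caught as soon as ANY of the engines detects it."""
    delays = [d for d in (engine_delay(outbreak, e) for e in engines) if d is not None]
    return min(delays) if delays else None


def coverage(outbreaks, engines):
    """Count outbreaks per band for each engine alone and for the combined set."""
    report = {}
    for e in engines:
        report[e] = dict.fromkeys(BANDS, 0)
        for o in outbreaks.values():
            report[e][bucket(engine_delay(o, e))] += 1
    report["combined"] = dict.fromkeys(BANDS, 0)
    for o in outbreaks.values():
        report["combined"][bucket(combined_delay(o, engines))] += 1
    return report


def zero_hour_rate(report, key):
    """Fraction of outbreaks detected at zero hour for one engine or for 'combined'."""
    counts = report[key]
    return counts[BANDS[0]] / sum(counts.values())


if __name__ == "__main__":
    rep = coverage(OUTBREAKS, ENGINES)
    for key, counts in rep.items():
        print(f"{key:10s} {counts}  zero-hour rate {zero_hour_rate(rep, key):.0%}")
```

Adding a fourth engine to the `ENGINES` list can only move outbreaks into earlier bands, which is the slide's point about additional engines; the same code also makes the limit visible: an outbreak that no engine detects within five days (outbreak-4 here) stays undetected no matter how many engines are combined, which is where the sanitization step on the following slides comes in.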


Sanitize the data to protect against unknown threats

Sanitize the data in a well defined process

1. User Authentication

2. Input Policy Based on User Privileges

3. File Type Policy

4. Scan by Many Antivirus Engines

5. Embedded Object and Macro Removal via File Type Conversion

6. File and Media Signature Verification

7. Notification to the User That Data Is Ready

8. File and Media Deletion

Keep a healthy tradeoff between security and usability
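The middle of that process, steps 3 to 6, as an added Python example (not OPSWAT's code, and not how Metadefender implements it). It checks the real content type from magic bytes against the claimed extension and an allow list, blocks on the union of several scan engines' verdicts, rebuilds an OOXML container without its macro and embedded-object parts, and records a SHA-256 digest of the output for verification. The engine names and verdict logic, the allow list, the part-name markers and the sample documents are all constructed; dropping parts from the container is a simplified stand-in for the file type conversion the slide names.

```python
import hashlib
import io
import zipfile

# Magic bytes used to establish the real content type, independent of the extension.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "ooxml",       # docx/xlsx/pptx/docm are ZIP containers
    b"\xd0\xcf\x11\xe0": "ole2",  # legacy binary Office formats
    b"MZ": "exe",
}
# What each extension claims to be.
EXTENSION_TYPE = {"pdf": "pdf", "docx": "ooxml", "docm": "ooxml", "xlsx": "ooxml",
                  "doc": "ole2", "xls": "ole2", "exe": "exe"}
# Hypothetical input policy for one user group (step 2/3): documents only, no executables.
ALLOWED_TYPES = {"pdf", "ooxml"}
# OOXML parts that carry macros or embedded objects (constructed list); dropped in step 5.
UNSAFE_PART_MARKERS = ("vbaProject.bin", "/embeddings/", "/activeX/")


def sniff_type(data):
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def file_type_policy(filename, data):
    """Step 3: content must match the claimed extension and be on the allow list."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual, claimed = sniff_type(data), EXTENSION_TYPE.get(ext, "unknown")
    if actual != claimed:
        return None, f"content is {actual} but extension .{ext} claims {claimed}"
    if actual not in ALLOWED_TYPES:
        return None, f"type {actual} is not allowed for this user"
    return actual, "ok"


# Step 4: constructed stand-in engines; a deployment calls vendor scanners here.
def engine_a(data): return b"EICAR-STANDARD" in data
def engine_b(data): return b"MALWARE-SAMPLE" in data
def engine_c(data): return data.startswith(b"MZ")
ENGINES = [("engine-a", engine_a), ("engine-b", engine_b), ("engine-c", engine_c)]


def multiscan(data, engines):
    """Block on ANY engine's verdict: the union of detections is what multiscanning buys."""
    return [name for name, scan in engines if scan(data)]


def strip_unsafe_parts(data):
    """Step 5 stand-in: rebuild the OOXML container without macro/embedded-object parts."""
    out, removed = io.BytesIO(), []
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if any(marker in name for marker in UNSAFE_PART_MARKERS):
                removed.append(name)
                continue
            dst.writestr(name, src.read(name))
    return out.getvalue(), removed


def output_parts(data):
    """List the parts left in a sanitized OOXML output (used to check the result)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


def sanitize(filename, data, engines=ENGINES):
    """Run steps 3 to 6 of the workflow on one file and return the decision record."""
    ftype, reason = file_type_policy(filename, data)
    if ftype is None:
        return {"status": "rejected", "reason": reason}
    hits = multiscan(data, engines)
    if hits:
        return {"status": "rejected", "reason": "detected by " + ", ".join(hits)}
    removed = []
    if ftype == "ooxml":
        data, removed = strip_unsafe_parts(data)
    # Step 6: record the digest of the sanitized output so the recipient can verify it.
    return {"status": "ready", "removed": removed,
            "sha256": hashlib.sha256(data).hexdigest(), "output": data}


def build_docm(with_macro=True):
    """Constructed sample: a minimal macro-enabled Word container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document>quarterly report</document>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00constructed-macro-blob")
    return buf.getvalue()


if __name__ == "__main__":
    print(sanitize("invoice.pdf", b"MZ\x90\x00 executable disguised as a document"))
    print(sanitize("notes.pdf", b"%PDF-1.4 EICAR-STANDARD test body"))
    result = sanitize("report.docm", build_docm())
    print(result["status"], result["removed"], result["sha256"][:16])
```

The order follows the slide: the type check runs first so that an executable renamed to `.pdf` (the "disguised as documents" case from the antivirus test) is rejected before any engine sees it, scanning comes before the rebuild, and the digest is taken over the output that is actually delivered, not over the input.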

Protect the security system

Execute sensitive tasks in isolated virtualized environments

Revert your system on an ongoing basis

Check the memory integrity and the disk integrity of your system

Patch the system and its components

Constantly review the security architecture

Questions

References

Av-test.com

Av-comparatives.com

www.metascan-online.com

Amtso

Software system defect content prediction from development process and product characteristics - Harris Institute

McAfee
