2. Introduction to OPSWAT
Founded 2002
Based in San Francisco
Employees, contractors and interns: 115
Over 50 OEM customers
Over 500 direct customers
100+ certified technical partners
1000+ certified applications
3. OPSWAT Technologies
Secure Manage Control
Company Development tools
OESIS®, AppRemover and Secure Virtual Desktop
Secure Data workflow
Metascan and Metadefender
Automated Testing platform and Cloud Sandboxing
Nexperior
Device manageability and security
GEARS Cloud
4. SSL VPN and NAC
Some Customers by Vertical
Network
Compliance and
Vulnerability
Assessment
Support Tools Government
Managed
Services
Antivirus Vendors
5. How to secure the data workflow ?
What type of threats are we up against ?
How many threats are we up against ?
What are the capabilities of the security solutions ?
Questionsto ask ourselves
6. What type of threats are we up against?
Computer Viruses are an NP-complete problem
NP complete problems cannot be solved in an easy to
measure time in any known way
http://www.dmst.aueb.gr/dds/pubs/jrnl/2002-ieeetit-
npvirus/html/npvirus.pdf
7. What type of threats are we up against?
Ways to solve NP complete problems include
Approximation: -an "almost" optimal solution.
Randomization: allow the algorithm to fail with some small probability.
Heuristic: An algorithm that works "reasonably well".
8. What type of threats are we up against?
Known threats
Unknown threats
10. How many threats are we up against?
Source: McAfee
Source: Av-Test.org
Differencesin reporting the total amount of threats
11. How many threats are we up against?
Source: McAfee
Source: Av-Test.org
Differencesin detection rates for new malware
12. What are the capabilities of the security solutions?
Measuring the quality of antimalware engines
How can we measure the quality of antivirus engines
Detection coverage
Response time
Operating system compatibility
Amount of False positives
Certification by
13. What are the capabilities of the security solutions?
November 2010 February 2011 August 2011
AV Comparatives 97.6 % 95.8 % 92.1 %
AV Test 97 % 99 % 96 %
Measuring the quality of antimalware engines
AMTSO’s mission is to develop and
publish standards and best practices for
testing of antimalware products
14. What are the capabilities of the security solutions?
Antivirus productvulnerabilitiesfrom the National VulnerabilityDatabase
0
10
20
30
40
50
60
70
2005 2006 2007 2008 2009 2010 2011 2012
NumberofVulnerabilitiesinAntivirusproducts[CVEs]
Year
15. What are the capabilities of the security solutions ?
Antivirus
Tested 30 known malware files (Disguised as documents
or embedded within documents)
Fewest number of engines detecting the threat was 10 (out of 43)
Highest number of engines detecting the threat was 30 (out of 43)
16. What are the capabilities of the security solutions ?
Sandbox?
Tested 30 known malware files (Disguised as documents
or embedded within documents)
Lowest number of threats detected was 3
Highest number of threats detected was 23
17. What are the capabilities of the security solutions
Sandboxing
X1%
Protection level :
100%
Multiscannin
g
X2%
Protection
level:
Measuring detection coverage
18. Conclusion
Viruses and vulnerabilities are very hard to detect
No current answer about the amount of threats
No clear answer about the quality of the security
solutions
19. Conclusion
What can we do
Use many antivirus engines to protect against known and
unknown threats using heuristics and sandboxes
Sanitize the data to protect against unknown threats
Protect the security system
20. Use many antimalware engines
This graph shows the time between
malware outbreakandAntivirus detection
by sixAntivirus engines for 75 outbreaks
over three months.
No Vendor detects every outbreak.
Only by combining six engines in a
multiscanningsolution are outbreaks
detected quickly.
By adding additional engines,zero hour
detection rates increase further.
Zero hour detection
5 min to 5 days
No detection at 5 days
21. What are the capabilities of the security solutions
Sandboxing
X1%
Protection level :
100%
Multiscannin
g
X2%
Protection
level:
Measuring detection coverage
22. Sanitize the data to protect against unknown threats
Sanitize the data in a well defined process
1. User Authentication
2. Input Policy Based on User Privileges
3. File Type Policy
4. Scan by Many Antivirus engines
5. Embedded Object and Macro Removal via File Type Conversion
6. File and Media Signature Verification
7. Notification to the user data is ready
8. File and Media Deletion
Keep a healthy tradeoff between security and usability
23. Protect the security system
Execute sensitive tasks in an isolated virtualized
environments
Revert your system on an ongoing basis
Check the memory integrity and the disk integrity of your
system
Patch the system and its components
Constantly review the security architecture
Hello Everybody my name is Benny Czarny CEO of OPSWAT the Manufacture of Thank west coast labs you for the opportunity to sponser West coast OESIS – Managability technology Metascan - Multiscanning technologies On demand desktop isolation technology AppRemover – technology to Uninstall Security applications I am sure that many if not all What I am going to talk about is trying to quantify multiscanning measurements
Before we begin lets quickly discuss Why Mutliscanning What is the trade off Lets try to simplify whyWhen you are trying to protect yourselves against any threat It does not have to be a virus What type of threat you are trying what is the capability of our solution For example you protect against Data loss – by implementing back up If you are trying to protect against an army –How many soldiers are planning to attack How many soldiers do we have , how they are equipped , How many threats we are against ?What is the capability of an antivirus to detect a threat
So what is the total number of threats ?Here are numbers I pulled from you from 2 different resources Mcafee and av-test.org There are many more resources such as Virus encyclopedias of multiple vendors This was simple to findSimple google image amount of malware IT is very clear to see that over a course of a year and a halfMfafee and AV-test did not reprt the same numberSYes I know that some would argue
Even more Total numbers of new threats is also inconclusiveHow can you check who detects 100% when you do not know what is 100%
Now lets see what is the capability of our antimalware engines We have antimalware engines How can you measure the quality of antimalware engines ?Detection coverageResponse time Operating system compatibility Amount of False positiveCompanies such as ICSA Labs AV comparatives west coast Labs AV test Virus Builtin came with their own metrics , and keep publish their research and testing results
In this example I outlined here for you how 2 different companies publish reports of quality of antimalware reports different numbers Each company has a different criteria's to measure the quality of the engines and different rating system I’d like to mention that the organization AMTSO ( founded at 2008 by Richard develop testing standards for antimalware ) We still see inconsistent numbers
Taken from the National Vulnerability DatabaseNumber of CVS found with a search of ‘antivirus’ – results were from various Antivirus products
The assumption that antiviurs engines are events that are not mutually exclusive So if we have the global amount of threats an antivirus can detect we should expect :Threats detected only by Antiviurs A Threats Detected only by Antivirus B Threats detected by Antivirus A and Antivirus B
The conclusion is obvious When you do not know what you are up against , When you can’t really measure the quality of the tools you are working with Multiscanining is a trivial choice
The conclusion is obvious When you do not know what you are up against , When you can’t really measure the quality of the tools you are working with Multiscanining is a trivial choice
Green is zero hour detectionYellow is 2 min to 5 daysRed is more than 5 days
The assumption that antiviurs engines are events that are not mutually exclusive So if we have the global amount of threats an antivirus can detect we should expect :Threats detected only by Antiviurs A Threats Detected only by Antivirus B Threats detected by Antivirus A and Antivirus B