Tony Berning, Senior Product Manager at OPSWAT, gave a talk on Securing Critical Infrastructure, using multiple anti-malware engines and other methods, to an audience of academic researchers, operators of power plants and other workers in critical infrastructure. The presentation introduced the basics of multi-scanning and the benefits of utilizing multiple anti-malware engines to scan files. The presentation also covered topics related to defining and setting appropriate security policies for various user groups and outlining common security architectures.
Using Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
Tony Berning, Senior Product Manager, [email protected]
8 April 2014
Agenda
Introduction to Multi-scanning
Factors Shaping Portable Media Security Policies
Balancing Security Requirements with Business Needs
Common Network Architectures
Defining Acceptable Media and Content
Ways to Supplement Multi-Scanning in Data Security Workflows
Additional Resources
Overview of Multi-Scanning: Too much malware, insufficient detection
Over 220,000 new malware variants appear every day (AV-TEST)
“Cyber attacks on America’s critical infrastructure increased 17-fold between 2009 and 2011.”
http://www.csmonitor.com/Commentary/Opinion/2012/0808/Help-wanted-Geek-squads-for-US-cybersecurity
The rapid growth in the amount of malware continues to accelerate
No AV vendor can keep up with the number of new malware variants
Amount of Malware Exponentially Increasing
The Problem
The Problem: Factors affecting each antivirus product’s detection rate
Heuristics and other detection code
Size and coverage of the signature database
Update frequency of the signature database
Location of the AV vendor’s malware research lab(s)
Why use multiple antivirus engines?
Increase malware zero hour detection rates [via heuristics]
Decrease malware detection time after an outbreak [via new signatures]
Increase resiliency to antivirus engines’ vulnerabilities
Combining Scan Results from Multiple Engines: Every engine misses something
No single antivirus is perfect; however, each product has its own strengths and weaknesses and is more efficient at detecting some threats than others.
[Chart labels: AV1 Detection Rate, AV2 Detection Rate, 100%]
Results from using multiple antivirus engines
This graph shows the time between malware outbreak and AV detection by six AV engines for 75 outbreaks.
No single engine detected every outbreak!
Only by combining multiple engines in a multi-scanning solution were all outbreaks detected quickly.
By adding additional engines, zero hour detection rates increase even further.
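The two slides above make a quantitative claim: combining engines raises the detection rate and shortens time-to-detect because each engine misses something different. The following script, an added example that is not OPSWAT's code, shows how a multi-scanning front end would aggregate per-engine results under an "any engine flags it" policy and how the zero-hour rate grows as engines are added. The engine names and the per-outbreak detection times are constructed to mirror the shape of the chart, not taken from AV-TEST or from the talk.

```python
"""Combining verdicts and time-to-detect across several anti-malware engines.

Added example (not OPSWAT's code). ENGINES and OUTBREAKS are constructed:
for each outbreak, the hours after the outbreak at which an engine first
detected the sample, or None if that engine never did.
"""
from typing import Dict, List, Optional, Tuple

Hours = Optional[float]  # None = the engine never detected this outbreak

ENGINES: List[str] = ["engine_A", "engine_B", "engine_C",
                      "engine_D", "engine_E", "engine_F"]

# Constructed sample data: OUTBREAKS[outbreak][engine] -> hours to detection
OUTBREAKS: Dict[str, Dict[str, Hours]] = {
    "outbreak_1": {"engine_A": 0,    "engine_B": 6,    "engine_C": None, "engine_D": 12,   "engine_E": 3,    "engine_F": None},
    "outbreak_2": {"engine_A": None, "engine_B": 0,    "engine_C": 4,    "engine_D": None, "engine_E": 8,    "engine_F": 2},
    "outbreak_3": {"engine_A": 2,    "engine_B": None, "engine_C": 1,    "engine_D": 5,    "engine_E": None, "engine_F": 3},
    "outbreak_4": {"engine_A": 10,   "engine_B": 3,    "engine_C": 6,    "engine_D": 0,    "engine_E": 1,    "engine_F": None},
    "outbreak_5": {"engine_A": None, "engine_B": 2,    "engine_C": 8,    "engine_D": None, "engine_E": 4,    "engine_F": 6},
}


def combined_time(per_engine: Dict[str, Hours], engines: List[str]) -> Hours:
    """Multi-scan policy: the sample counts as caught as soon as ANY engine flags it."""
    hits = [per_engine[e] for e in engines if per_engine[e] is not None]
    return min(hits) if hits else None


def _rate_and_mean(times: List[Hours]) -> Tuple[float, Optional[float]]:
    detected = [t for t in times if t is not None]
    rate = len(detected) / len(times)
    mean = sum(detected) / len(detected) if detected else None
    return rate, mean


def single_engine_stats(outbreaks: Dict[str, Dict[str, Hours]], engine: str) -> Tuple[float, Optional[float]]:
    """Detection rate and mean hours-to-detect for one engine on its own."""
    return _rate_and_mean([o[engine] for o in outbreaks.values()])


def multi_scan_stats(outbreaks: Dict[str, Dict[str, Hours]], engines: List[str]) -> Tuple[float, Optional[float]]:
    """Detection rate and mean hours-to-detect when the engines are combined."""
    return _rate_and_mean([combined_time(o, engines) for o in outbreaks.values()])


def zero_hour_rate(outbreaks: Dict[str, Dict[str, Hours]], engines: List[str]) -> float:
    """Fraction of outbreaks flagged at hour 0 by at least one of the given engines."""
    times = [combined_time(o, engines) for o in outbreaks.values()]
    return sum(1 for t in times if t == 0) / len(times)


def zero_hour_curve(outbreaks: Dict[str, Dict[str, Hours]], engines: List[str]) -> List[float]:
    """Zero-hour rate as engines are added one at a time, in the given order."""
    return [zero_hour_rate(outbreaks, engines[:n]) for n in range(1, len(engines) + 1)]


def verdict(engine_results: Dict[str, bool]) -> str:
    """Kiosk decision for one file: block if any engine reports a detection."""
    return "blocked" if any(engine_results.values()) else "allowed"


if __name__ == "__main__":
    for e in ENGINES:
        rate, mean = single_engine_stats(OUTBREAKS, e)
        print(f"{e}: detection rate {rate:.0%}, mean hours to detect {mean}")
    rate, mean = multi_scan_stats(OUTBREAKS, ENGINES)
    print(f"all six combined: detection rate {rate:.0%}, mean hours to detect {mean}")
    print("zero-hour rate as engines are added:", zero_hour_curve(OUTBREAKS, ENGINES))
```

With the constructed data every single engine misses at least one outbreak, the union catches all five, and the zero-hour curve is monotone but flattens once the engines' blind spots overlap, which is the practical argument for choosing engines with different research labs and heuristics rather than simply adding more of the same.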
Geographic Distribution of AV vendors (note: many vendors have centers in multiple locations)
Defining Secure? Factors Shaping Portable Media Security Policies
Contributing Factors
Regulatory Bodies
Industry Working Groups
Internal Security Groups
Contributing Factors: Regulatory Bodies
Data security requirements are set by many different groups:
NIST
Nuclear Regulatory Commission
Etc
Many aspects are regulated:
Types of media allowed
Virus scanning requirements
Logging
Authentication
Contributing Factors: Industry Working Groups
Data security working groups to discuss implementations:
What works
What doesn’t
Best Practices
Implementation Details
Contributing Factors: Internal Security Groups
Multiple groups may have experts with ideas on how to implement security solutions:
IT
Security officers
The Right Balance: Security Requirements vs Business Needs
Security Requirements vs Business Needs: Cost Considerations
Implementation Costs:
Security Solutions
Consulting Costs
Infrastructure Costs
Costs to Productivity:
Additional time to follow security procedures
Training time and cost
Potential downtime if systems fail
Security Requirements vs Business Needs: Potential Cost Savings
Remediation Costs:
System Downtime
Productivity Costs
Removal Costs
Impact to Reputation:
Lawsuits
Information Loss:
Classified Information
Sensitive Corporate Data
Security Requirements vs Business Needs: Laptop as a secure paperweight
Security Requirements vs Business Needs: Laptop as a secure productivity tool
How it’s Done: Common Security Architectures
Common Security Architectures
Standalone Systems with no Network connectivity
In this deployment option, portable media scanning kiosks have no network connection. Virus definition updates are downloaded from a system connected to the Internet and copied to physical media to be transferred to each kiosk.
Pros:
No network connection required
Cons:
Updating virus definitions requires physically bringing media (USB drive/DVD/CD) to each kiosk and applying the update on each one
Common Security Architectures
Standalone Systems with Management Station
In this deployment option, a Management Station is installed on a dedicated system that has a network connection to each kiosk. The kiosks have a network connection only to the Management Station. Virus definition updates are downloaded on the system with the Management Station and applied to the kiosks via the Management Station.
Pros:
Easier to deploy than standalone systems with no network connectivity
Cons:
Requires network connectivity between each kiosk and the Management Station
Definition updates need to be transferred over the network
Requires an additional system for the Management Station
Common Security Architectures
Distributed Systems (Metascan Server Offline)
In a distributed system, kiosks have only a client installed. The scanning server is installed on a dedicated system. In this deployment option, the server does not have access to the Internet, and the kiosks have network connection to the scanning server only. Virus definition updates are downloaded on a system with connection to the Internet and manually transferred and applied to the scanning server.
Pros:
Only requires deploying virus definition updates to a single scanning server
The server can be higher powered to allow for higher scan throughput
Cons:
Requires network connectivity between each kiosk and the scanning server
All files being scanned will be transferred over the network
Common Security Architectures
Distributed Systems (Metascan Server Online)
In a distributed system, kiosks have only a client installed. The scanning server is installed on a dedicated system. In this deployment option, the scanning server has access to the Internet, and the kiosks have network connectivity to the scanning server only. Because of Internet connectivity, virus definitions automatically update on the scanning server.
Pros:
Virus definition updates are applied automatically to the scanning server
The server can be higher powered to allow for higher scan throughput
Cons:
Requires network connectivity between each kiosk and the scanning server
All files being scanned will be transferred over the network
Requires Internet connection for the scanning server
What’s Allowed: Defining Acceptable Media Types and Files
Defining Acceptable Media Types and Files: Types of Portable Media
Many Types of Media
USB Flash Drives
USB Hard Drives
CD/DVDs
SD Cards
Mobile Phones
Etc
More important characteristics:
Read/Write
Encrypted
Multiple Partitions
Defining Acceptable Media Types and Files: Types of Files
General Classes of Files
Office Documents
Archives
Executables
Text
More important characteristics:
Encrypted
Embedded Objects
Digitally Signed
Defining Acceptable Media Types and Files: Methods of Control
Blacklisting/Whitelisting
Specific Types of files
Specific types of sources
Specific sources (based on serial number, etc.)
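The three slides above describe control by file type, file characteristics (embedded objects, archives) and media source, with different policies per user group. The script below is an added example, not OPSWAT's code, of how a kiosk could enforce such a policy: it identifies files by their bytes rather than their extension, denies extension/content mismatches, looks inside ZIP and OOXML containers so that an embedded object is judged by the same rules, and checks the media serial number against an allow-list. The group policies, serial numbers and sample files are constructed for the illustration; the magic-byte signatures are the public headers of the named formats.

```python
"""Content-based allow/deny policy for files arriving on portable media.

Added example, not OPSWAT's code. GROUP_POLICY, SOURCE_ALLOWLIST and the
sample files are constructed; the magic bytes are the public format headers.
"""
import io
import zipfile
from typing import Dict, List, Optional, Set, Tuple

# Public format headers. "MZ" alone is a weak check (any file starting with those
# two bytes matches); a real deployment would also parse the PE header.
MAGIC: List[Tuple[bytes, str]] = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"MZ", "exe"),
    (b"PK\x03\x04", "zip"),   # ZIP container; OOXML office files are ZIPs too
]
# Hypothetical per-user-group allow-lists (different policies for different users)
GROUP_POLICY: Dict[str, Set[str]] = {
    "operator": {"pdf", "png", "txt", "office"},
    "it_admin": {"pdf", "png", "txt", "office", "zip", "exe"},
}
# Hypothetical media allow-list keyed by device serial number
SOURCE_ALLOWLIST: Set[str] = {"constructed-serial-0001", "constructed-serial-0002"}
# What each extension claims to be; a mismatch with the real content is denied
EXT_TO_TYPE: Dict[str, str] = {"pdf": "pdf", "png": "png", "txt": "txt", "exe": "exe",
                               "zip": "zip", "docx": "office", "xlsx": "office"}
MAX_MEMBER_BYTES = 1 << 20  # refuse to expand archive members larger than 1 MiB
MAX_DEPTH = 2               # archives nested deeper than this are denied


def _zip_members(data: bytes) -> Optional[List[Tuple[str, bytes]]]:
    """Expand a ZIP in memory; None if unreadable or if any member is oversized."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = [i for i in zf.infolist() if not i.is_dir()]
            if any(i.file_size > MAX_MEMBER_BYTES for i in infos):
                return None
            return [(i.filename, zf.read(i)) for i in infos]
    except zipfile.BadZipFile:
        return None


def _is_text(data: bytes) -> bool:
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\t\n\r" for ch in text)


def identify(data: bytes) -> str:
    """Classify a file by its bytes, never by its name."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            if kind == "zip":
                members = _zip_members(data)
                if members and any(name == "[Content_Types].xml" for name, _ in members):
                    return "office"
            return kind
    return "txt" if data and _is_text(data) else "unknown"


def check_source(serial: str) -> bool:
    """Source whitelist: only enumerated devices are scanned at all."""
    return serial in SOURCE_ALLOWLIST


def check_file(filename: str, data: bytes, group: str, depth: int = 0) -> Tuple[bool, str]:
    """Return (allowed, reason) for one file under the group's policy."""
    allowed = GROUP_POLICY.get(group, set())
    kind = identify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_TO_TYPE.get(ext)
    if claimed is not None and claimed != kind:
        return False, f"{filename}: content is {kind} but extension claims {claimed}"
    if kind not in allowed:
        return False, f"{filename}: type {kind} not allowed for group {group}"
    if kind in ("zip", "office"):
        # Recurse into containers so embedded objects face the same policy
        if depth >= MAX_DEPTH:
            return False, f"{filename}: archive nested too deep"
        members = _zip_members(data)
        if members is None:
            return False, f"{filename}: unreadable or oversized archive"
        for name, blob in members:
            ok, reason = check_file(name, blob, group, depth + 1)
            if not ok:
                return False, f"{filename} -> {reason}"
    return True, f"{filename}: {kind} allowed"


def _make_zip(members: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


def build_samples() -> Dict[str, bytes]:
    """Constructed sample files; none is a real document or binary."""
    return {
        "pdf": b"%PDF-1.4\n% constructed sample\n%%EOF\n",
        "fake_pe": b"MZ\x90\x00 constructed stand-in for an executable",
        "docx_clean": _make_zip({"[Content_Types].xml": b"<Types/>",
                                 "word/document.xml": b"<w:document/>"}),
        "docx_embedded_exe": _make_zip({"[Content_Types].xml": b"<Types/>",
                                        "word/embeddings/oleObject1.bin": b"MZ\x90\x00 stand-in"}),
    }


if __name__ == "__main__":
    s = build_samples()
    print(check_file("report.pdf", s["fake_pe"], "it_admin"))        # extension mismatch
    print(check_file("memo.docx", s["docx_embedded_exe"], "operator"))  # embedded object denied
```

The policy is deliberately evaluated on content first and on the user group second: the same document is allowed for an IT administrator and denied for an operator when it carries an embedded executable, which is the "different policies for different users" point made later in the talk, and the member-size and nesting-depth limits keep a crafted archive from exhausting the kiosk.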
Data Security Workflows: How to Supplement Multi-Scanning
Supplementing Multi-Scanning: Why Scanning with Multiple Antivirus Engines Sometimes Isn’t Enough
Zero Day Attacks
Embedded Objects
[Diagram labels: Host File, Data, New Header, Virus Code]
Supplementing Multi-Scanning: Ways to Supplement
User Authentication:
Set different policies for different users
Source Blacklisting/Whitelisting
File Type Filtering
File Type Conversion:
Remove embedded objects from files not detected by antivirus engines
Digital Signatures:
Validate all executables are digitally signed by a trusted source
Digitally sign all files after scanning to verify they have not been changed after scanning
Periodic Re-scanning
Dynamic analysis:
Sandbox solutions such as FireEye, Bluecoat, ThreatTrack, others
Human inspection and reverse engineering
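Two items in the list above, signing all files after scanning so that later changes are detected and periodic re-scanning, fit together naturally: the signed record carries the file hash, the verdict, the scan time and the definitions version, so the receiving system can both verify integrity and decide whether the verdict is stale. The script below is an added example, not OPSWAT's code, of that record. It uses an HMAC-SHA256 over a canonical JSON manifest, which assumes the kiosk that signs and the system that verifies share a secret key; a public-key signature (Ed25519, for instance) is the choice when the verifier must not be able to forge records. The key, file bytes and version strings are constructed.

```python
"""Sign a scan result so a file can be verified before use and re-scanned when stale.

Added example, not OPSWAT's code. HMAC-SHA256 with a shared key is assumed;
the demo key, file bytes and definitions-version strings are constructed.
"""
import hashlib
import hmac
import json
from typing import Dict, Tuple

Manifest = Dict[str, object]


def _payload(record: Manifest) -> bytes:
    """Canonical bytes for the MAC: sorted keys, no whitespace, MAC field excluded."""
    body = {k: v for k, v in record.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_scan_result(key: bytes, data: bytes, verdict: str,
                     scanned_at: int, defs_version: str) -> Manifest:
    """Issued by the kiosk immediately after multi-scanning completes."""
    record: Manifest = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "verdict": verdict,
        "scanned_at": scanned_at,
        "defs_version": defs_version,
    }
    record["mac"] = hmac.new(key, _payload(record), hashlib.sha256).hexdigest()
    return record


def verify_scan_result(key: bytes, data: bytes, record: Manifest) -> Tuple[bool, str]:
    """Checked on the destination system before the file is opened."""
    expected = hmac.new(key, _payload(record), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(record.get("mac", ""))):
        return False, "manifest was altered or signed with another key"
    if hashlib.sha256(data).hexdigest() != record["sha256"]:
        return False, "file content changed after scanning"
    if record["verdict"] != "clean":
        return False, f"file was not clean at scan time: {record['verdict']}"
    return True, "ok"


def needs_rescan(record: Manifest, now: int, current_defs_version: str,
                 max_age_seconds: int) -> bool:
    """Periodic re-scanning: a clean verdict ages out or is superseded by newer definitions."""
    stale = now - int(record["scanned_at"]) > max_age_seconds
    outdated = record["defs_version"] != current_defs_version
    return stale or outdated


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-use"
    doc = b"%PDF-1.4\n% constructed document\n%%EOF\n"
    m = sign_scan_result(key, doc, "clean", scanned_at=1_700_000_000, defs_version="defs-2024-01")
    print(verify_scan_result(key, doc, m))                    # (True, 'ok')
    print(verify_scan_result(key, doc + b"extra bytes", m))   # changed after scanning
    print(needs_rescan(m, 1_700_000_000 + 8 * 86400, "defs-2024-01", 7 * 86400))
```

Verification deliberately checks the MAC before anything else, so a record whose verdict field was rewritten from "infected" to "clean" is rejected without the file hash ever being trusted, and the re-scan rule treats a new definitions version as a reason to scan again even when the record is young, which is what makes periodic re-scanning catch samples that no engine knew at first sight.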
Supplementing Multi-Scanning: Example
Further Resources
My contact information: Tony Berning, [email protected]
White Paper: “Protecting Critical Infrastructure from Threats”
Demo Metascan Server and Metadefender installations available at https://my.opswat.com (requires creation of a free OPSWAT Portal account)
For further questions on Metascan or Metadefender contact [email protected]