Using Multiple Antivirus Engine Scanning to Protect Critical Infrastructure

Tony Berning, Senior Product Manager, [email protected]

8 April 2014


Tony Berning, Senior Product Manager at OPSWAT, gave a talk on Securing Critical Infrastructure, using multiple anti-malware engines and other methods, to an audience of academic researchers, operators of power plants and other workers in critical infrastructure. The presentation introduced the basics of multi-scanning and the benefits of utilizing multiple anti-malware engines to scan files. The presentation also covered topics related to defining and setting appropriate security policies for various user groups and outlining common security architectures.


Page 1

Using Multiple Antivirus Engine Scanning to Protect Critical Infrastructure

Tony Berning, Senior Product Manager, [email protected]

8 April 2014

Page 2

Agenda

Introduction to Multi-scanning

Factors Shaping Portable Media Security Policies

Balancing Security Requirements with Business Needs

Common Network Architectures

Defining Acceptable Media and Content

Ways to Supplement Multi-Scanning in Data Security Workflows

Additional Resources

Page 3

Overview of Multi-Scanning

Too much malware, insufficient detection

Page 4

The Problem

Amount of Malware Exponentially Increasing

Over 220,000 new malware variants appear every day (AV-TEST)

“Cyber attacks on America’s critical infrastructure increased 17-fold between 2009 and 2011.”

http://www.csmonitor.com/Commentary/Opinion/2012/0808/Help-wanted-Geek-squads-for-US-cybersecurity

The rapid growth in the amount of malware continues to accelerate

No AV vendor can keep up with the number of new malware variants

Page 5

The Problem

Factors affecting each antivirus product’s detection rate

Heuristics and other detection code

Size and coverage of the signature database

Update frequency of the signature database

Location of the AV vendor’s malware research lab(s)

Page 6

Why use multiple antivirus engines?

Increase malware zero hour detection rates [via heuristics]

Decrease malware detection time after an outbreak [via new signatures]

Increase resiliency to antivirus engines’ vulnerabilities

Page 7

Combining Scan Results from Multiple Engines

Every engine misses something

No single antivirus is perfect; however, each product has its own strengths and weaknesses and is better at detecting some threats than others.

[Diagram: detection rate of AV1 and detection rate of AV2, each compared against 100%]

Page 8

Results from using multiple antivirus engines

This graph shows the time between malware outbreak and AV detection by six AV engines for 75 outbreaks.

No single engine detected every outbreak!

Only by combining multiple engines in a multi-scanning solution were all outbreaks detected quickly.

By adding additional engines, zero hour detection rates increase even further.
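To make the claims on slides 7 and 8 concrete, here is an added example (not from the talk) that computes detection delay, coverage and zero-hour detection rate for single engines and for their combination, and then adds engines one at a time to show the marginal gain; the engine names and the hours-to-detection figures are constructed.

```python
from typing import Dict, List, Optional, Sequence, Tuple

Hours = Optional[float]  # hours from outbreak to detection; None = never detected

# Constructed sample data (not from the talk): six outbreaks, three engines.
OUTBREAKS: List[Dict[str, Hours]] = [
    {"AV1": 0.0,  "AV2": 6.0,  "AV3": None},
    {"AV1": None, "AV2": 0.0,  "AV3": 12.0},
    {"AV1": 2.0,  "AV2": None, "AV3": 0.0},
    {"AV1": 0.0,  "AV2": 0.0,  "AV3": 3.0},
    {"AV1": 24.0, "AV2": 1.0,  "AV3": None},
    {"AV1": None, "AV2": None, "AV3": 0.0},
]
ENGINES = ["AV1", "AV2", "AV3"]


def combined_delay(outbreak: Dict[str, Hours], engines: Sequence[str]) -> Hours:
    """A multi-scanner flags a sample as soon as any of its engines does,
    so the combined delay is the minimum over the engines that detect it."""
    delays = [outbreak[e] for e in engines if outbreak[e] is not None]
    return min(delays) if delays else None


def coverage(outbreaks: List[Dict[str, Hours]], engines: Sequence[str]) -> float:
    """Fraction of outbreaks the engine set eventually detects."""
    return sum(combined_delay(o, engines) is not None for o in outbreaks) / len(outbreaks)


def zero_hour_rate(outbreaks: List[Dict[str, Hours]], engines: Sequence[str]) -> float:
    """Fraction of outbreaks caught at hour 0, i.e. with no signature lag."""
    return sum(combined_delay(o, engines) == 0.0 for o in outbreaks) / len(outbreaks)


def greedy_engine_order(outbreaks, engines) -> List[Tuple[Tuple[str, ...], float]]:
    """Add engines one at a time, each step taking the engine that raises the
    zero-hour rate (then coverage) most; shows the marginal value of each engine."""
    chosen: List[str] = []
    remaining = list(engines)
    steps = []
    while remaining:
        best = max(remaining, key=lambda e: (zero_hour_rate(outbreaks, chosen + [e]),
                                             coverage(outbreaks, chosen + [e])))
        chosen.append(best)
        remaining.remove(best)
        steps.append((tuple(chosen), zero_hour_rate(outbreaks, chosen)))
    return steps


if __name__ == "__main__":
    for e in ENGINES:
        print(e, "coverage", coverage(OUTBREAKS, [e]), "zero-hour", zero_hour_rate(OUTBREAKS, [e]))
    for engines, rate in greedy_engine_order(OUTBREAKS, ENGINES):
        print("+".join(engines), "zero-hour rate", round(rate, 2))
```

On the constructed data every single engine misses two outbreaks, while the three together detect all six and catch five of them at hour 0.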

Page 9

Geographic Distribution of AV vendors

Note: Many vendors have centers in multiple locations

Page 10

Defining Secure?

Factors Shaping Portable Media Security Policies

Page 11

Contributing Factors

Regulatory Bodies

Industry Working Groups

Internal Security Groups

Page 12

Contributing Factors

Regulatory Bodies

Data security requirements are set by many different groups:

NIST

Nuclear Regulatory Commission

Etc.

Many aspects are regulated:

Types of media allowed

Virus scanning requirements

Logging

Authentication

Page 13

Contributing Factors

Industry Working Groups

Data security working groups to discuss implementations:

What works

What doesn’t

Best practices

Implementation details

Page 14

Contributing Factors

Internal Security Groups

Multiple groups may have experts with ideas on how to implement security solutions:

IT

Security officers

Page 15

The Right Balance

Security Requirements vs Business Needs

Page 16

Security Requirements vs Business Needs

Cost Considerations

Implementation Costs:

Security solutions

Consulting costs

Infrastructure costs

Costs to Productivity:

Additional time to follow security procedures

Training time and cost

Potential downtime if systems fail

Page 17

Security Requirements vs Business Needs

Potential Cost Savings

Remediation Costs:

System downtime

Productivity costs

Removal costs

Impact to Reputation:

Lawsuits

Information Loss:

Classified information

Sensitive corporate data

Page 18

Security Requirements vs Business Needs

Laptop as secure paperweight

Page 19

Security Requirements vs Business Needs

Laptop as a secure productivity tool

Page 20

How it’s Done

Common Security Architectures

Page 21

Common Security Architectures

Standalone Systems with no Network Connectivity

In this deployment option, portable media scanning kiosks have no network connection. Virus definition updates are downloaded from a system connected to the Internet and copied to physical media to be transferred to each kiosk.

Pros:

No network connection required

Cons:

Updating virus definitions requires physically bringing media (USB drive/DVD/CD) to each kiosk and applying the update on each one

Page 22

Common Security Architectures

Standalone Systems with Management Station

In this deployment option, a Management Station is installed on a dedicated system that has a network connection to each kiosk. The kiosks have a network connection only to the Management Station. Virus definition updates are downloaded on the system with the Management Station, and updates are applied to the kiosks via the Management Station.

Pros:

Easier to deploy than standalone systems with no network connectivity

Cons:

Requires network connectivity between each kiosk and the Management Station

Definition updates need to be transferred over the network

Requires an additional system for the Management Station

Page 23

Common Security Architectures

Distributed Systems (Metascan Server Offline)

In a distributed system, kiosks have only a client installed. The scanning server is installed on a dedicated system. In this deployment option, the server does not have access to the Internet, and the kiosks have a network connection to the scanning server only. Virus definition updates are downloaded on a system with a connection to the Internet and manually transferred and applied to the scanning server.

Pros:

Only requires deploying virus definition updates to a single scanning server

The server can be higher powered to allow for higher scan throughput

Cons:

Requires network connectivity between each kiosk and the scanning server

All files being scanned will be transferred over the network

Page 24

Common Security Architectures

Distributed Systems (Metascan Server Online)

In a distributed system, kiosks have only a client installed. The scanning server is installed on a dedicated system. In this deployment option, the scanning server has access to the Internet, and the kiosks have network connectivity to the scanning server only. Because of the Internet connectivity, virus definitions update automatically on the scanning server.

Pros:

Virus definition updates are applied automatically to the scanning server

The server can be higher powered to allow for higher scan throughput

Cons:

Requires network connectivity between each kiosk and the scanning server

All files being scanned will be transferred over the network

Requires an Internet connection for the scanning server

Page 25

What’s Allowed

Defining Acceptable Media Types and Files

Page 26

Defining Acceptable Media Types and Files

Types of Portable Media

Many types of media:

USB Flash Drives

USB Hard Drives

CD/DVDs

SD Cards

Mobile Phones

Etc.

Characteristics are more important:

Read/Write

Encrypted

Multiple Partitions

Page 27

Defining Acceptable Media Types and Files

Types of Files

General classes of files:

Office Documents

Archives

Executables

Text

Characteristics are more important:

Encrypted

Embedded Objects

Digitally Signed

Page 28

Defining Acceptable Media Types and Files

Methods of Control

Blacklisting/Whitelisting

Specific types of files

Specific types of sources

Specific sources (based on serial number, etc.)

Page 29

Data Security Workflows

How to Supplement Multi-Scanning

Page 30

Supplementing Multi-Scanning

Why Scanning with Multiple Antivirus Engines Sometimes Isn’t Enough

Zero Day Attacks

Embedded Objects

[Diagram: a host file containing data, a new header, and virus code]

Page 31

Supplementing Multi-Scanning

Ways to Supplement

User Authentication: set different policies for different users

Source Blacklisting/Whitelisting

File Type Filtering

File Type Conversion: remove embedded objects from files not detected by antivirus engines

Digital Signatures: validate that all executables are digitally signed by a trusted source

Digitally sign all files after scanning to verify they have not been changed after scanning

Periodic Re-scanning

Dynamic Analysis: sandbox solutions such as FireEye, Bluecoat, ThreatTrack and others

Human inspection and reverse engineering
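The controls from slides 28 and 31 combined into one kiosk decision routine, as an added example that is not part of the talk or of any OPSWAT product. The user groups, policies, media serial numbers, signer names and engine verdicts are constructed, and an HMAC under a kiosk-held key stands in for the post-scan digital signature.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Policy:
    allowed_types: FrozenSet[str]                # file type whitelist (slide 28)
    require_signed_exe: bool = True              # slide 31: executables must be signed
    blocked_media: FrozenSet[str] = frozenset()  # blacklisted media serial numbers

# Constructed per-user-group policies (slide 31: different policies for different users).
POLICIES: Dict[str, Policy] = {
    "operator": Policy(frozenset({"pdf", "txt", "docx"})),
    "engineer": Policy(frozenset({"pdf", "txt", "docx", "exe"}),
                       blocked_media=frozenset({"SN-BAD"})),
}
TRUSTED_SIGNERS = {"Plant Vendor Co."}  # constructed trusted code-signing identity

@dataclass
class ScannedFile:
    name: str
    data: bytes
    media_serial: str
    signer: Optional[str] = None                             # None = not digitally signed
    verdicts: Dict[str, bool] = field(default_factory=dict)  # engine name -> detected?

def decide(f: ScannedFile, user_group: str) -> Tuple[str, str]:
    """Apply the controls in order; the first failing control blocks the file."""
    p = POLICIES[user_group]
    ext = f.name.rsplit(".", 1)[-1].lower() if "." in f.name else ""
    if f.media_serial in p.blocked_media:
        return "block", "media source blacklisted"
    if ext not in p.allowed_types:
        return "block", f"file type '{ext}' not allowed for {user_group}"
    hits = sorted(e for e, detected in f.verdicts.items() if detected)
    if hits:  # multi-scanning: a hit from any engine blocks the file
        return "block", "detected by " + ", ".join(hits)
    if ext == "exe" and p.require_signed_exe and f.signer not in TRUSTED_SIGNERS:
        return "block", "executable not signed by a trusted source"
    return "allow", "clean"

# Post-scan integrity tag (slide 31: sign files after scanning). An HMAC under a key
# held only by the kiosk stands in for a real signature and fails if the file changes.
KIOSK_KEY = os.urandom(32)

def seal(data: bytes) -> str:
    return hmac.new(KIOSK_KEY, data, hashlib.sha256).hexdigest()

def still_sealed(data: bytes, tag: str) -> bool:
    return hmac.compare_digest(seal(data), tag)
```

A file that passes `decide` is sealed once, and the tag is checked again before the file leaves the kiosk or at each periodic re-scan.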

Page 32

Supplementing Multi-Scanning

Example

Page 33

Further Resources

My contact information: Tony Berning, [email protected]

White Paper: “Protecting Critical Infrastructure from Threats”

Demo Metascan Server and Metadefender installations available at https://my.opswat.com (requires creation of a free OPSWAT Portal account)

For further questions on Metascan or Metadefender contact [email protected]