Using Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
DESCRIPTION
Tony Berning, Senior Product Manager at OPSWAT, gave a talk on Securing Critical Infrastructure, using multiple anti-malware engines and other methods, to an audience of academic researchers, operators of power plants and other workers in critical infrastructure. The presentation introduced the basics of multi-scanning and the benefits of utilizing multiple anti-malware engines to scan files. The presentation also covered topics related to defining and setting appropriate security policies for various user groups and outlining common security architectures.
TRANSCRIPT
[Page 1]
Using Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
Tony Berning, Senior Product Manager, [email protected]
8 April 2014
[Page 2]
Agenda
Introduction to Multi-scanning
Factors Shaping Portable Media Security Policies
Balancing Security Requirements with Business Needs
Common Network Architectures
Defining Acceptable Media and Content
Ways to Supplement Multi-Scanning in Data Security Workflows
Additional Resources
[Page 3]
Overview of Multi-Scanning: Too much malware, insufficient detection
[Page 4]
The Problem: Amount of Malware Exponentially Increasing
Over 220,000 new malware variants appear every day (AV-TEST)
“Cyber attacks on America’s critical infrastructure increased 17-fold between 2009 and 2011.”
http://www.csmonitor.com/Commentary/Opinion/2012/0808/Help-wanted-Geek-squads-for-US-cybersecurity
The rapid growth in the amount of malware continues to accelerate
No AV vendor can keep up with the number of new malware variants
[Page 5]
The Problem: Factors affecting each antivirus product’s detection rate
Heuristics and other detection code
Size and coverage of the signature database
Update frequency of the signature database
Location of the AV vendor’s malware research lab(s)
[Page 6]
Why use multiple antivirus engines?
Increase malware zero hour detection rates [via heuristics]
Decrease malware detection time after an outbreak [via new signatures]
Increase resiliency to antivirus engines’ vulnerabilities
[Page 7]
Combining Scan Results from Multiple Engines: Every engine misses something
No single antivirus is perfect; each product has its own strengths and weaknesses and is more efficient at detecting some threats than others.
[Figure: AV1 detection rate vs. AV2 detection rate]
[Page 8]
Results from using multiple antivirus engines
This graph shows the time between malware outbreak and AV detection by six AV engines for 75 outbreaks.
No single engine detected every outbreak!
Only by combining multiple engines in a multi-scanning solution were all outbreaks detected quickly.
By adding additional engines, zero hour detection rates increase even further.
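The combination the two slides above describe, as an added example that is not part of the OPSWAT deck: per-engine detection times are merged by taking the earliest detection across the engine set, so the combined detection rate and zero-hour rate can only go up as engines are added. The six engines and five outbreaks are constructed sample data (the deck's graph covers 75 real outbreaks).

```python
# Added example, not from the OPSWAT deck: how a multi-scanning setup combines
# per-engine results. Detection times below are constructed sample data.
from typing import Dict, List, Optional

# Hours from outbreak to first detection per engine; None = never detected.
# Six engines (A-F) over five constructed outbreaks (the deck's figure has 75).
OUTBREAKS: List[Dict[str, Optional[float]]] = [
    {"A": 0.0, "B": 6.0, "C": None, "D": 12.0, "E": 2.0, "F": None},
    {"A": None, "B": 0.0, "C": 4.0, "D": None, "E": 9.0, "F": 1.0},
    {"A": 3.0, "B": None, "C": 0.0, "D": 0.0, "E": None, "F": 30.0},
    {"A": None, "B": 20.0, "C": None, "D": 0.0, "E": 0.0, "F": 5.0},
    {"A": 8.0, "B": 0.0, "C": 0.0, "D": None, "E": 0.0, "F": None},
]
ALL_ENGINES = ["A", "B", "C", "D", "E", "F"]


def combined_detection_time(outbreak: Dict[str, Optional[float]],
                            engines: List[str]) -> Optional[float]:
    """Earliest detection across the engine set; None if every engine missed."""
    times = [outbreak[e] for e in engines if outbreak[e] is not None]
    return min(times) if times else None


def detection_rate(engines: List[str]) -> float:
    """Fraction of outbreaks caught (at any time) by at least one engine in the set."""
    hits = sum(1 for o in OUTBREAKS if combined_detection_time(o, engines) is not None)
    return hits / len(OUTBREAKS)


def zero_hour_rate(engines: List[str]) -> float:
    """Fraction of outbreaks caught at hour 0 by at least one engine in the set."""
    hits = sum(1 for o in OUTBREAKS if combined_detection_time(o, engines) == 0.0)
    return hits / len(OUTBREAKS)


if __name__ == "__main__":
    for e in ALL_ENGINES:
        print(f"engine {e}: detection {detection_rate([e]):.0%}, "
              f"zero-hour {zero_hour_rate([e]):.0%}")
    # Adding engines one at a time: the zero-hour rate climbs toward 100%.
    for n in range(1, len(ALL_ENGINES) + 1):
        subset = ALL_ENGINES[:n]
        print(f"{''.join(subset)}: detection {detection_rate(subset):.0%}, "
              f"zero-hour {zero_hour_rate(subset):.0%}")
```

In this sample no single engine catches all five outbreaks, two engines already catch all of them eventually, and four are needed before every outbreak is caught at hour zero.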
[Page 9]
Geographic Distribution of AV Vendors (Note: many vendors have centers in multiple locations)
[Page 10]
Defining Secure? Factors Shaping Portable Media Security Policies
[Page 11]
Contributing Factors
Regulatory Bodies
Industry Working Groups
Internal Security Groups
[Page 12]
Contributing Factors: Regulatory Bodies
Data security requirements are set by many different groups:
NIST
Nuclear Regulatory Commission
Etc.
Many aspects are regulated:
Types of media allowed
Virus scanning requirements
Logging
Authentication
[Page 13]
Contributing Factors: Industry Working Groups
Data security working groups to discuss implementations:
What works
What doesn’t
Best Practices
Implementation Details
[Page 14]
Contributing Factors: Internal Security Groups
Multiple groups may have experts with ideas on how to implement security solutions:
IT
Security officers
[Page 15]
The Right Balance: Security Requirements vs. Business Needs
[Page 16]
Security Requirements vs. Business Needs: Cost Considerations
Implementation Costs:
Security Solutions
Consulting Costs
Infrastructure Costs
Costs to Productivity:
Additional time to follow security procedures
Training time and cost
Potential downtime if systems fail
[Page 17]
Security Requirements vs. Business Needs: Potential Cost Savings
Remediation Costs:
System Downtime
Productivity Costs
Removal Costs
Impact to Reputation:
Lawsuits
Information Loss:
Classified Information
Sensitive Corporate Data
[Page 18]
Security Requirements vs. Business Needs: Laptop as a secure paperweight
[Page 19]
Security Requirements vs. Business Needs: Laptop as a secure productivity tool
[Page 20]
How it’s Done: Common Security Architectures
[Page 21]
Common Security Architectures
Standalone Systems with no Network connectivity
In this deployment option, portable media scanning kiosks have no network connection. Virus definition updates are downloaded from a system connected to the Internet and copied to physical media to be transferred to each kiosk.
Pros:
No network connection required
Cons:
Updating virus definitions requires physically bringing media (USB drive/DVD/CD) to each kiosk and applying the update on each one
[Page 22]
Common Security Architectures
Standalone Systems with Management Station
In this deployment option, a Management Station is installed on a dedicated system that has a network connection to each kiosk. The kiosks have a network connection only to the Management Station. Virus definition updates are downloaded on the system with the Management Station and are applied to the kiosks via the Management Station.
Pros:
Easier to deploy than standalone systems with no network connectivity
Cons:
Requires network connectivity between each kiosk and the Management Station
Definition updates need to be transferred over the network
Requires an additional system for the Management Station
[Page 23]
Common Security Architectures
Distributed Systems (Metascan Server Offline)
In a distributed system, kiosks have only a client installed. The scanning server is installed on a dedicated system. In this deployment option, the server does not have access to the Internet, and the kiosks have network connection to the scanning server only. Virus definition updates are downloaded on a system with connection to the Internet and manually transferred and applied to the scanning server.
Pros:
Only requires deploying virus definition updates to a single scanning server
The server can be higher powered to allow for higher scan throughput
Cons:
Requires network connectivity between each kiosk and the scanning server
All files being scanned will be transferred over the network
[Page 24]
Common Security Architectures
Distributed Systems (Metascan Server Online)
In a distributed system, kiosks have only a client installed. The scanning server is installed on a dedicated system. In this deployment option, the scanning server has access to the Internet, and the kiosks have network connectivity to the scanning server only. Because of Internet connectivity, virus definitions automatically update on the scanning server.
Pros:
Virus definition updates are applied automatically to the scanning server
The server can be higher powered to allow for higher scan throughput
Cons:
Requires network connectivity between each kiosk and the scanning server
All files being scanned will be transferred over the network
Requires an Internet connection for the scanning server
[Page 25]
What’s Allowed: Defining Acceptable Media Types and Files
[Page 26]
Defining Acceptable Media Types and Files: Types of Portable Media
Many types of media:
USB Flash Drives
USB Hard Drives
CD/DVDs
SD Cards
Mobile Phones
Etc.
Characteristics are more important:
Read/Write
Encrypted
Multiple Partitions
[Page 27]
Defining Acceptable Media Types and Files: Types of Files
General classes of files:
Office Documents
Archives
Executables
Text
Characteristics are more important:
Encrypted
Embedded Objects
Digitally Signed
[Page 28]
Defining Acceptable Media Types and Files: Methods of Control
Blacklisting/Whitelisting:
Specific types of files
Specific types of sources
Specific sources (based on serial number, etc.)
[Page 29]
Data Security Workflows: How to Supplement Multi-Scanning
[Page 30]
Supplementing Multi-Scanning: Why Scanning with Multiple Antivirus Engines Sometimes Isn’t Enough
Zero Day Attacks
Embedded Objects
[Figure: embedded object diagram; labels: Host File, Data, New Header, Virus Code]
[Page 31]
Supplementing Multi-Scanning: Ways to Supplement
User Authentication: Set different policies for different users
Source Blacklisting/Whitelisting
File Type Filtering
File Type Conversion: Remove embedded objects from files not detected by antivirus engines
Digital Signatures: Validate all executables are digitally signed by a trusted source
Digitally sign all files after scanning to verify they have not been changed after scanning
Periodic Re-scanning
Dynamic analysis: Sandbox solutions such as FireEye, Bluecoat, ThreatTrack, others
Human inspection and reverse engineering
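Several of the supplements listed above (per-user policies, file type filtering, blocking encrypted or embedded content, trusted-signer checks, and marking a file after scanning) combined into one small policy layer, as an added example that is not OPSWAT code. The user groups, trusted signer and file metadata are constructed, and the post-scan marker uses an HMAC in place of the digital signature the slide mentions.

```python
# Added example, not OPSWAT code: per-user-group policy on top of multi-engine
# verdicts, plus a keyed tag proving a file is unchanged since scanning.
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class FileInfo:                         # constructed metadata a scanner would extract
    ftype: str                          # "office", "archive", "executable", "text"
    data: bytes
    encrypted: bool = False             # engines cannot inspect ciphertext
    embedded_objects: bool = False      # e.g. objects embedded in an Office file
    signer: Optional[str] = None        # publisher that signed an executable
    verdicts: Dict[str, bool] = field(default_factory=dict)  # engine -> flagged?

@dataclass
class Policy:
    allowed_types: Set[str]
    trusted_signers: Set[str]
    allow_encrypted: bool = False
    allow_embedded: bool = False        # False: strip via file type conversion first

POLICIES = {  # hypothetical groups an authenticated user maps to
    "contractor": Policy({"office", "text"}, set()),
    "engineer": Policy({"office", "text", "archive", "executable"}, {"Vendor Co"}),
}

def evaluate(f: FileInfo, group: str) -> str:
    """Return 'allow' or 'deny:<reason>' for a scanned file and user group."""
    p = POLICIES[group]
    if any(f.verdicts.values()):        # one engine flagging it is enough to block
        return "deny:malware"
    if f.ftype not in p.allowed_types:
        return "deny:filetype"
    if f.encrypted and not p.allow_encrypted:
        return "deny:encrypted"
    if f.embedded_objects and not p.allow_embedded:
        return "deny:embedded"
    if f.ftype == "executable" and f.signer not in p.trusted_signers:
        return "deny:unsigned"
    return "allow"

def attest(data: bytes, engines_used: int, key: bytes) -> str:
    """HMAC over content hash and engine count; issue only after an 'allow'."""
    msg = f"{hashlib.sha256(data).hexdigest()}:{engines_used}".encode()
    return hmac.new(key, msg, "sha256").hexdigest()

def verify(data: bytes, engines_used: int, tag: str, key: bytes) -> bool:
    # Fails if the file (or the claimed scan) changed since the tag was issued.
    return hmac.compare_digest(attest(data, engines_used, key), tag)
```

The verify step is what a periodic re-scan or a downstream system can run to decide whether a file still matches what the kiosk released.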
[Page 32]
Supplementing Multi-Scanning: Example
[Page 33]
Further Resources
My contact information: Tony Berning, [email protected]
White Paper: “Protecting Critical Infrastructure from Threats”
Demo Metascan Server and Metadefender installations available at https://my.opswat.com (requires creation of a free OPSWAT Portal account)
For further questions on Metascan or Metadefender contact [email protected]