Benny Czarny, CEO at OPSWAT, presents at an OPSWAT Cyber Security Seminar in DC on February 9th. This presentation covers the benefits of multi-scanning and how organizations can receive protection from both known and unknown threats through leveraging OPSWAT's technology.
Preventing Known and Unknown Threats
1. Preventing Known and Unknown Threats
Benny Czarny
CEO & Founder
OPSWAT
benny@opswat.com
February 9, 2016
2. Preventing Known and Unknown Threats
Agenda
How much malware is out there
How to measure the quality of anti-malware products
The value of multi-scanning
Threat prevention
3. How much malware is out there?
Known threats
Unknown threats
Targeted attack
Outbreak
5. How much malware is out there?
How many known threats are we up against?
[Chart: Differences in Reporting the Total Amount of Threats, 2010-2015; series: AV-Test, McAfee; y-axis 0 to 600,000,000 threats]
6. How much malware is out there?
How many new known threats are we up against?
[Chart: Differences in Detection Rates for New Malware, 2010-2015; series: AV-Test, McAfee; y-axis 0 to 200,000,000 new threats]
7. How much malware is out there?
Why are different measurements being used?
Different detection logic
Different engines
Different data sources
Different market share
Different honeypots
10. How to Measure the Quality of Anti-malware Products
Detection coverage
Response time for an outbreak
Amount of False Positives
Product quality and stability
Product Vulnerabilities
Operating system compatibility
Other metrics
11. How to Measure the Quality of Anti-malware Products
Comparing AV-Test to AV-Comparatives
Engine Name     AV-Comparatives Performance Rating   AV-Test Performance Rating
Avira           90%                                  100%
AVG             85%                                  70%
Avast           83%                                  80%
Panda           80%                                  90%
McAfee          80%                                  80%
Threat Track    80%                                  40%
Trend Micro     78%                                  90%
Sources:
1. AV-Test
2. AV-Comparatives
12. How to Measure the Quality of Anti-malware Products
Measuring the quality of anti-malware engines – from AV-Comparatives
AV Name Mar 2013 Sep 2013 Mar 2014 Sep 2014 Mar 2015 Sep 2015
Avira 99.6% 99.7% 99.2% 99.9% 99.9% 99.8%
F-Secure 99.5% 99.7% 99.6% 99.6% 99.8% 99.7%
Bitdefender 99.3% 99.5% 99.5% 99.6% 99.7% 99.8%
Kaspersky 99.2% 99.0% 99.8% 99.7% 99.9% 99.5%
Fortinet 98.6% 98.2% 99.6% 97.9% 99.6% 98.8%
Trend Micro 98.4% 98.3% 99.0% 99.5% 95.1% 95.5%
AVG 98.4% N/A 97.5% 98.4% 98.1% 93.4%
McAfee 98.0% 98.2% 99.3% 99.8% 99.7% 97.5%
Sophos 98.0% 96.5% 98.3% 98.2% 98.1% 97.2%
Avast 97.8% 97.1% 97.7% 98.6% 99.4% 99.2%
ESET 97.5% 97.1% 98.8% 98.7% 98.6% 99.2%
AhnLab 92.0% 90.6% 89.0% 93.7% N/A N/A
Microsoft 92.0% 90.1% 90.0% 90.2% 86.3% 91.4%
13. How to Measure the Quality of Anti-malware Products
Individual Engine Vulnerabilities
[Chart: Engine Vulnerabilities Over Last 4 Years (2012-2015); y-axis 0 to 14 vulnerabilities]
Source: National Vulnerability Database
14. How to Measure the Quality of Anti-malware Products
Conclusions
Do not know exactly how much malware is out there
No accurate/standard measure on quality of anti-malware engines
Quality of anti-malware engines changes from year to year
Anti-malware engines suffer from vulnerabilities
Well known vendors miss over 10% of known threats
15. How to Measure the Quality of Anti-malware Products
The value of a single anti-malware solution
Advantages
Detect both known and unknown threats
Some engines detect over 80% of known threats
Disadvantages
Single point of failure
Vulnerabilities
Misdetection
Detection of outbreaks may be slower/delayed
17. The Value of Multi-scanning
Multi-scanning
Advantages
Improved malware detection
Decreased detection time for a new outbreak
Flexible patching for anti-malware engine vulnerabilities
Disadvantages
More false positives
Decreased performance
Higher costs
More vulnerabilities
18. The Value of Multi-scanning
Advantage 1 - Improved malware detection
Antivirus 1 detection rate: X1%
Antivirus 2 detection rate: X2%
Whole sample set: 100%
Combined detection rate: P(A ∪ B) = P(A) + P(B) - P(A ∩ B)
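The inclusion-exclusion formula on this slide is easy to check on concrete verdicts, and doing so also exposes the caveat that matters when you size a multi-scanning deployment: engines that share signature sources overlap heavily, so the real gain is smaller than the "independent misses" estimate, while the false-positive rate of the combined verdict only ever goes up. The script below is an added illustration, not OPSWAT or MetaDefender code; the sample corpus, the engine names (engine_a, engine_b, engine_c) and their verdicts are constructed for the demonstration.

```python
"""Combined detection of several anti-malware engines via inclusion-exclusion.

Added illustration; not code from OPSWAT or any vendor. The corpus and the
per-engine verdicts below are constructed so the arithmetic can be followed
by hand (exact fractions are used to avoid float noise).
"""
from fractions import Fraction
from itertools import combinations

# Constructed corpus: 6 malicious samples (m1..m6) and 4 clean files (c1..c4).
MALICIOUS = {"m1", "m2", "m3", "m4", "m5", "m6"}
CLEAN = {"c1", "c2", "c3", "c4"}

# Constructed verdicts: the set of samples each hypothetical engine flags.
# engine_a and engine_b overlap strongly (shared sources); engine_c is
# weaker alone but catches samples the other two miss.
VERDICTS = {
    "engine_a": {"m1", "m2", "m3", "m4", "c1"},
    "engine_b": {"m1", "m2", "m3", "c2"},
    "engine_c": {"m3", "m5"},
}


def rate(flagged, population):
    """Fraction of `population` that appears in `flagged`."""
    return Fraction(len(flagged & population), len(population))


def detection_rate(engine):
    """P(engine flags a malicious sample) = true-positive rate."""
    return rate(VERDICTS[engine], MALICIOUS)


def false_positive_rate(engine):
    """P(engine flags a clean file)."""
    return rate(VERDICTS[engine], CLEAN)


def combined(engines):
    """Multi-scanning verdict: a sample is flagged if ANY engine flags it.

    Returns (detection rate, false-positive rate) of the union verdict.
    """
    flagged = set().union(*(VERDICTS[e] for e in engines))
    return rate(flagged, MALICIOUS), rate(flagged, CLEAN)


def inclusion_exclusion(a, b):
    """The slide's formula over the malicious set:
    P(A ∪ B) = P(A) + P(B) - P(A ∩ B)."""
    p_a = detection_rate(a)
    p_b = detection_rate(b)
    p_ab = rate(VERDICTS[a] & VERDICTS[b], MALICIOUS)
    return p_a + p_b - p_ab


def independence_estimate(engines):
    """Detection rate IF engine misses were independent: 1 - Π(1 - P(E)).

    Engines share samples and signature feeds, so this is an upper bound
    that usually overstates the benefit; compare it with combined().
    """
    miss = Fraction(1)
    for e in engines:
        miss *= 1 - detection_rate(e)
    return 1 - miss


def best_pair():
    """Pair of engines whose union detects the most; a reminder that engine
    diversity, not individual rank, drives the multi-scanning gain."""
    return max(combinations(sorted(VERDICTS), 2), key=lambda p: combined(p)[0])


if __name__ == "__main__":
    for e in sorted(VERDICTS):
        print(f"{e}: detection {detection_rate(e)}  FP {false_positive_rate(e)}")
    pair = ("engine_a", "engine_b")
    det, fp = combined(pair)
    print(f"a∪b: detection {det} (formula {inclusion_exclusion(*pair)}),"
          f" FP {fp}, independence estimate {independence_estimate(pair)}")
    det, fp = combined(list(VERDICTS))
    print(f"all three: detection {det}, FP {fp},"
          f" independence estimate {independence_estimate(list(VERDICTS))}")
    print("best pair:", best_pair())
```

With these constructed verdicts engine_a alone detects 2/3 and engine_b 1/2, but because they flag the same three samples their union is still 2/3, well below the 5/6 that independent misses would predict; adding the weaker engine_c lifts the union to 5/6 because it covers a sample the others miss. The false-positive rate of the union is the sum of the engines' distinct false positives, which is the cost side of the slide's trade-off.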
19. The Value of Multi-scanning
Advantage 2 – Decreased detection time for an outbreak
https://www.metadefender.com/#!/results/file/5268027b71414692b64649318619e33f/history
20. The Value of Multi-scanning
Advantage 2 – Decreased detection time for an outbreak
*Simulated time
22. The Value of Multi-scanning
Disadvantage 2 – decreased performance
23. The Value of Multi-scanning
Disadvantage 2 – decreased performance reality
24. The Value of Multi-scanning
Disadvantage 3 – more costly
Hardware requirements
Additional IT training
Licensing cost
Bandwidth consumption
Other costs
25. The Value of Multi-scanning
Reduce the risk of malware that is targeting specific engines
[Chart: Engine Vulnerabilities Over Last 4 Years (2012-2015) for Avira, Kaspersky, Avast, Windows Defender, ESET, Bitdefender, Trend Micro; y-axis 0 to 14 vulnerabilities]
Source: National Vulnerability Database
26. The Value of Multi-scanning
Multi-scanning
Advantages
Improved malware detection
Decreased detection time for a new outbreak
Flexible patching for anti-malware engine vulnerabilities
Disadvantages
More false positives
Decreased performance
Higher costs
More vulnerabilities
27. The Value of Multi-scanning
Known Threats Unknown Threats
28. The value of multi-scanning
Known Threats Unknown Threats
When we look at the threat landscape we see known threats to the industry and unknown threats.
Two examples: advanced threats or targeted attacks.
For example, Stuxnet started as a targeted attack and now it is a known threat.
An outbreak sometimes starts as unknown to the industry and ends up as
So how much known threat is out there?
Look at two reputable sources with a research team:
AV-Test
McAfee
Both publish their research online and share data.
When we examined the rate of accumulation we are still getting very different results.