Transcript Document

OPSWAT Presentation
for XXX
Month Date, Year
OPSWAT & ____________
Agenda
• Overview of OPSWAT
• Multi-scanning with Metascan
• Controlling Data Workflow with Metadefender
• Questions
OPSWAT at a Glance
Company
• Established 2002
• Private, profitable and growing
• Head office in San Francisco, California
Products
• Multi-scanning – Metascan® and Metadefender®
• Security Application Manageability – OESIS® & AppRemover
• Secure Virtual Desktop Isolation Technology
• GEARS – Network Manageability
Customers
• Governments, CERTs, Finance, Utilities, [esp. Nuclear], Military
• OEMs – SSL VPN, NAC Management services, Support Tools
Customer Verticals
• Network Compliance and Vulnerability Assessment
• Support Tools
• SSL VPN and NAC
• Government
• Managed Services
• Higher Ed and Corporations
Metascan
Scan Files with Multiple Antivirus Engines
Why Multi-scanning?
Too much malware, insufficient detection
The Reality
Insufficient detection by any one AV product
Metascan
Multiple engine malware scanning technology
Over 220,000 new malware variants appear every day
The rapid growth in the amount of malware continues to accelerate
No AV vendor can keep up with the number of new malware variants
http://www.av-test.org/en/statistics/malware/
“Cyber attacks on America’s critical infrastructure increased 17-fold between 2009 and 2011.”
http://www.csmonitor.com/Commentary/Opinion/2012/0808/Help-wanted-Geek-squads-for-US-cybersecurity
Measuring Antivirus Capabilities
Much variation between different anti-malware engines
Detection Rate vs. False Positives for 19 Engines
[Chart: Detection Rate (axis 91.00% to 100.00%) and False Positives (axis 0 to 40) for engines 1 to 19]
Source: AV Comparatives, September 2012
Illustrating The Decreased Outbreak Detection Time
This graph shows the time between malware outbreak and AV detection by six AV engines for 75 outbreaks.
No vendor detects every outbreak.
Only by combining six engines in a multiscanning solution are outbreaks detected quickly.
By adding additional engines, zero hour detection rates increase further.
[Graph legend: Zero hour detection; 5 min to 5 days; No detection at 5 days]
Geographic Distribution of Antivirus Engines
Performance by the numbers
The scan time is much shorter than the sum of the individual scans
[Chart: Presumed Scan Time; series: 1 engine, 3 engines, 8 engines; file types: PDF, EXE, JPG, OTHER]
What is Metascan?
Multi-scanning engine
A server application with a local and network programming interface that allows customers to incorporate multiple anti-malware engine scanning technologies into their security architecture
• Supports 0 to 30 anti-malware engines [and growing!]
• Simultaneously scans files with all engines
• Scan directories, files, archives, buffers, and boot sector
• Automatic online definition updates or manual offline updates
Metascan vs Traditional Antivirus Engines
• Metascan integrates multiple engines that are optimized to work together on the same system
• Metascan does not provide Real Time Protection (RTP) like many traditional antivirus engines; all scanning is done on demand
What is Metascan?
Multi-scanning engine
• Flexible and scalable API driven solution
• Many programming interfaces:
  • C++
  • Java
  • PHP
  • C#/ASP.NET
  • RESTful (Web API)/HTTP
  • CLI (command line interface)
  • ICAP
• Analyzes files locally on a single server or remotely from Windows or Linux systems
Metascan
Who uses Metascan?
• Analysts who research threats in binaries
  • CERTs (Computer Emergency Response/Readiness Teams)
  • Government agencies
  • Federal and State Law enforcement agencies
  • Computer forensic analysts
• IT security managers who seek to control data flow
  • Files from public facing sharing/upload sites
  • Data moving across internal security domains
  • Detect infected attachments
• Independent software vendors seeking to identify threats in their binaries
  • False positives
  • Accidental infections
Metascan Features
Engine Definition updates
• Manual (Offline) Updates – ZIP file
  • Download the package (.zip) from an Internet connected system
  • Transfer the file to a system in the offline network and use the Metascan Management Console or the Metascan Management Station to “push” to multiple servers
Metascan
Standard packages
In addition to our standard offerings, the engines listed below may be added to create custom packages
Metadefender
Securing Data Flows into/out of Organizations
Why Metadefender?
Peripheral media cannot be trusted
Why Metadefender?
Peripheral media is an easy attack vector
• Surveys show that 10% to 25% of malware is spread via USB (Sources: ESET & Panda)
• Autorun viruses are easy to create
• Instructions to create a virus are easily found online
• The US Department of Defense banned peripherals entirely in 2008 after an outbreak of the SillyFDC worm, which was spread by removable media
Why Metadefender?
Metadefender use cases
• USBs are the most effective way to deliver malware into a company
  • USBs bypass network security and deliver malware directly to the endpoint
  • Contractors and visiting vendors accidentally bring in malware on USB
  • Software updates and upgrades brought into secure networks on DVDs have contained malware
  • Banks and other financial institutions are attacked with USBs dropped in parking lots that employees pick up and insert in their work computers. (human curiosity?)
  • Advanced attacks mail infected USBs to employees as gifts
What is Metadefender?
Metadefender allows customers to define data security policies for their users to prevent the introduction of malware to a corporate network through portable media
• Define multiple policies for different users or groups of users
• Process files to determine if they are a threat
• Take the appropriate actions on both allowed and blocked files
• Optionally include Multi-scanning by Metascan
Metadefender
Features
• Multi-Step Process to Secure Network
  • User Authentication
  • File Type Filtering
  • Scanning with Metascan
  • Scan look up by SHA256 hash value
  • File Type Conversions
    • Including embedded object removal
• Enhanced Post-Processing
• Metadefender System Restore after each session to ensure system integrity
Metadefender and Metascan
The Metascan multi-scanning server can be integrated as part of the Metadefender security workflow
• Metascan can be installed on the same system as Metadefender or can be on its own dedicated system
• Multiple Metadefender systems can use a single Metascan for multi-scanning
Metadefender
Who uses Metadefender?
• Highly Secure facilities that host outside visitors/contractors
  • Government Agencies
  • Power Plants / Nuclear Facilities
• IT security managers who seek to control physical media
  • Banks
  • Investment companies
• Any company concerned about physical media-based malware infections
How Metadefender is commonly used
Data workflow controls
• Create a process (workflow) to control data coming into and out of your organization.
• Example:
  • Scan the contents of peripherals using multiple AV engines
    • Require visitors to put all content onto a provided USB – then scan the content for malware with multiple AV engines
  • Convert selected data types
    • Convert files to jpeg or png to eliminate threats in original file
  • Block selected file types
Metadefender
Delivery
Metadefender is delivered in two formats:
• Software to deploy on any system that meets Metadefender’s requirements
• Kiosk with Metadefender pre-installed and configured
Metadefender Deployment Options
Choosing the best for your security needs
Product Deployment Options
Standalone Systems with no Network connectivity
In this deployment option, Metadefender kiosks have both the
Metascan server and the Metadefender client installed and have no
network connection. Virus definition updates are downloaded from a
system connected to the Internet and copied to physical media to
be transferred to each Metadefender kiosk.
Pros
No network connection required
Cons
Updating virus definitions requires physically bringing media (USB
drive/DVD/CD) to each kiosk and applying the update on each one
Product Deployment Options
Standalone Systems with Metascan Management Station
In this deployment option, a Metascan Management Station is installed on a
dedicated system that has a network connection to each Metadefender kiosk.
The Metadefender kiosks have both the Metascan server and the Metadefender
client installed and have a network connection to the Metascan Management
Station only. Virus definition updates are downloaded on the system with the
Metascan Management Station installed, and updates are applied to the
Metadefender kiosks via the Metascan Management Station.
Pros
Easier to deploy than standalone systems with no network connectivity
Cons
Requires network connectivity between each kiosk and the Metascan
Management Station
Definition updates need to be transferred over the network
Requires an additional system for the Metascan Management Station
Product Deployment Options
Distributed Systems (Metascan Server Offline)
In a distributed system, Metadefender kiosks have only the Metadefender
client installed. The Metascan server is installed on a dedicated system.
In this deployment option, the Metascan server does not have access to the
Internet, and Metadefender kiosks have a network connection to the Metascan
server only. Virus definition updates are downloaded on a system with a
connection to the Internet and manually transferred and applied to the
Metascan server.
Pros
Only requires deploying virus definition updates to a single Metascan
server
The Metascan server can be higher powered to allow for higher scan
throughput
Cons
Requires network connectivity between each kiosk and the Metascan server
All files being scanned will be transferred over the network
Product Deployment Options
Distributed Systems (Metascan Server Online)
In a distributed system, Metadefender kiosks have only the Metadefender
client installed. The Metascan server is installed on a dedicated system.
In this deployment option, the Metascan server has access to the Internet,
and Metadefender kiosks have a network connection to the Metascan server
only. Because of Internet connectivity, virus definitions automatically
update on the Metascan server.
Pros
Virus definition updates are applied automatically to the Metascan server
The Metascan server can be higher powered to allow for higher scan
throughput
Cons
Requires network connectivity between each kiosk and the Metascan server
All files being scanned will be transferred over the network
Requires Internet connection for the Metascan server
Support
• OPSWAT provides three levels of support
  • Basic Support - Free
  • Premium Support – 18% of license cost
  • Platinum Support – 25% of license cost
Support
Premium Support
• What is covered by Premium support?
  • Phone support, 9 am to 6 pm PST Monday – Friday
  • Support Account Manager
  • Quarterly Conference call reviews
• For details of what is covered by each level of support see the Support page on the OPSWAT website
Support
Platinum Support
• What is covered by Platinum support?
  • (Everything in Premium support)
  • 24/7 Phone support
  • Quarterly Meetings with Engineering and Product Management
  • Prioritized enhancement requests
• For details of what is covered by each level of support see the Support page on the OPSWAT website
Questions?