OPSWAT CEO Benny Czarny discusses the data security challenge. How can organizations determine whether data is helpful or harmful? How can they create good security policies based on this information? And how can this be accomplished while making sure all users can still access the tools and information they need to do their jobs?
3. Agenda
• The data security challenge
• The data sources configuration challenge
• The user permission challenge
• Secure data workflow
• Q&A
4. The Data Security Challenge
Type of threats
Known threats
Threats that already exist and are known by the security community
Key loggers
Rootkits
Backdoors
“In the wild”
Unknown threats
Zero Day – spread because they are not detected by any security system
Targeted attacks – designed to attack a specific organization
5. The Data Security Challenge
Different data types represent different risks
Documents – embedded objects and macros
Executables – viruses posing as other applications
Image files – buffer overflows
Archive files – archive bombs
[File type icons shown: .m4a .png .docx .exe .xls .mp4 .mp3 .pdf .txt]
6. The Data Source Configuration Challenge
Threats can come from any source where data enters
Email
Web Traffic
Managed File Transfer
File Uploads
Portable Media
USB Drives
CD/DVDs
SD Cards
Mobile Phones
7. The Data Source Configuration Challenge
Many different management consoles
8. The Data Source Configuration Challenge
Many steps required to secure all types of sources
Sourcing resources with the expertise to administer systems
Initial setup
Maintenance
Adding users
Changing users
Moving users between teams
Changing organization security policies
Auditing
9. The User Permission Challenge
Different users have different needs and present different risks
Should the front desk or accounting have access to executables?
Should the whole IT team have access to executables?
Should the sales team have access to presentations and Word documents?
How can a guest user deposit data to the organization?
11. Secure Data Workflow
Protecting against known threats
Known threats
Scan with as many security engines as you can
[Diagram: overlapping detection rates of two anti-malware engines; labels shown: Anti-malware 2, Detection Rate, 100%]
12. Secure Data Workflow
Protecting Against Unknown Threats
Anti-malware heuristics are effective at detecting unknown threats:
This graph shows the time between malware outbreak and AV detection by six AV engines for 75 outbreaks.
It emphasizes that the heuristic algorithms of the different engines differ, and together they are effective at detecting unknown threats.
13. Secure Data Workflow
Protecting Against Unknown Threats
Data sanitization
Convert files from their original format to a temporary format and back to sterilize the data and prevent unknown threats
14. Secure Data Workflow
Protecting Against Unknown Threats
Micro Workflow Elements
Blacklisting/whitelisting
File type filtering
Data sanitization
Remove embedded objects and macros from document files
Convert images to another format
Digital signatures
Validate that all executables are digitally signed by a trusted source
Digitally sign all files after scanning to verify they have not been changed after scanning
Static analysis
Scanning with multiple antivirus engines
Checking PE headers
Periodic re-scanning
Dynamic analysis
Sandbox solutions such as FireEye, Bluecoat, ThreatTrack, others
15. Secure Data Workflow
Addressing the user permission challenge
Create multiple groups and assign different data security policies for
each group
IT
Can receive executable files
Every executable needs to be scanned by 20 anti-malware engines
Accounting
Can’t receive executable files
Every document needs to be sanitized and scanned by 20 anti-malware engines
16. Secure Data Workflow
Addressing the data source configuration challenge
1) Connect every data source to a centralized solution
2) Create security policies from this solution
3) Manage security policies from this solution
18. Thank you!
Benny Czarny
CEO and Founder
OPSWAT
www.opswat.com
Editor's Notes
Hello Everybody, my name is Benny Czarny and I am the CEO of OPSWAT, manufacturer of Metascan, Metadefender, OESIS and GEARS.
Thank you to the ITpro EXPO 2014 team for the opportunity to sponsor the event together with NextIT, and to Toshio-san for the effort put into making this presentation happen.
Today, I am going to talk about the challenges we face in protecting data flowing to and from organizations, and about ways and concepts to solve these challenges.
To elaborate on what I am talking about, I put together a diagram to help identify the challenges.
In this diagram you see a common data workflow.
So let's go left to right and start with the data: we have the challenge of detecting what is good data and what is bad data.
Then we go to the data entry points; first, there are many of them, and they need to be configured and set up.
And finally we need to connect the users to the data; here we confront challenges related to creating different data security policies for different user types.
So what I will cover in this presentation is:
The data security challenge: what the challenges are in determining whether a file or data is good or bad for my organization, and some inspiration on how to create a good security policy.
The data sources configuration challenge: what the challenges are in configuring multiple data sources
The user permission challenge: what the challenges are in connecting data to users according to their roles, and some inspiration on how to create a good security policy.
Then I'll talk about how to create an effective secure data workflow policy, and address any questions you may have.
So let's start with the data security challenge.
When we try to create a data security policy, one way to look at it is to create a policy for known threats and a policy for unknown threats.
Known threats are threats that are known to the industry. There are many of them, millions, and they are still very difficult to detect effectively. Here we can differentiate between:
Known threats to a specific security solution
Known threats shared among security vendors, e.g. “in the wild”
Unknown threats: these can be extremely difficult, as they are unknown because they are either:
Still hidden and spreading, e.g. a 0-day attack
Specifically targeted at your organization, so you can trust only your own security solutions to detect it and should not
Another thing we need to consider when creating a data security policy is the type of data, as different data types bring different threats.
Different file types introduce different risks. For example:
Documents may contain embedded objects or macro scripts
Executables are one of the riskiest file formats; we may want to detect them and perhaps prevent them completely
Image files introduce buffer overflows and other risks
And archives have their own issues, such as archive bombs and other risks related to archives
When we go ahead and enforce the data security policy and the user security policy, we will most likely face another challenge,
which is how to enforce them effectively across many systems.
Files can be attached to e-mail
Employees can download files from the Internet
Files can be uploaded through a Managed File Transfer server or other file upload systems
Files can also be brought in on guest devices or on physical media that employees or guests are bringing into a facility
How can we effectively configure different policies across multiple sources so that a given user gets the same data security policy, whether the source is an Exchange server, a proxy, or USB security?
What you see here are the multiple management consoles we need to configure in order to effectively track and manage security policies.
To do it right, how many security certifications will we need our staff to pass?
Some of the difficulties in correctly configuring all of these sources are that there are many steps in setting up the correct policies, which means there are many potential points of failure.
Some of these steps are
Initial setup of the system
Ongoing maintenance of the system, including adding and removing users and moving users between teams
Changing configuration to match changes in the organization’s security policy
Regular audits of the system to review exceptions and ensure compliance
Creating a user permission policy is another big challenge, as it differs between organizations, and here we need to ask ourselves:
What is the function of the user, and what is the best security policy we can give these users without compromising their productivity?
Should the front desk or accounting have access to executables?
Should the whole IT team have access to executables or security patches?
How can we balance security and productivity? How can we still enable productivity while we are managing security?
So let's talk about effective ways to create a secure data workflow.
To address the risk of known threats, the best approach is to scan files with as many different security engines as possible.
This is a simple diagram that shows how using multiple anti-malware engines increases the overall detection rate, even when there is a large overlap between the engines.
In this test we tested 75 outbreaks against 6 different anti-malware applications, and the detection ended up decent.
Another way to prevent unknown threats is data sanitization, where
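The combined-coverage argument above, as an added example that is not part of the presentation or of any OPSWAT product: a short Python script over a constructed table of per-engine detection delays (hours from outbreak to detection, None when an engine never caught the sample) that computes each engine's detection rate, the union across engines, the coverage gained as engines are added, and the time to first detection across engines, which is what the graph on the next slide plots. The data, function names and engine count are assumptions, not the 75-outbreak test data behind the slide.

```python
"""Combined detection across several anti-malware engines (illustrative)."""
from statistics import median

# Constructed data: hours from outbreak to first detection, one row per
# outbreak, one column per engine (A..D). None means that engine never
# detected the sample. Overlap between engines is deliberate.
DELAYS = [
    (2, None, 5, None),
    (None, 1, None, None),
    (None, None, None, 8),
    (3, 3, None, 1),
    (None, None, None, None),   # missed by every engine
    (4, None, 2, None),
]


def engine_rates(delays):
    """Per-engine share of outbreaks that the engine eventually detected."""
    n_engines = len(delays[0])
    return [sum(row[j] is not None for row in delays) / len(delays)
            for j in range(n_engines)]


def combined_rate(delays):
    """Share of outbreaks caught by at least one engine (the union)."""
    return sum(any(d is not None for d in row) for row in delays) / len(delays)


def marginal_gain(delays):
    """Union coverage as engines are added one at a time, in column order.
    Each extra engine adds only what the earlier ones missed."""
    gains = []
    for k in range(1, len(delays[0]) + 1):
        caught = sum(any(d is not None for d in row[:k]) for row in delays)
        gains.append(caught / len(delays))
    return gains


def time_to_first_detection(delays):
    """Per outbreak, the earliest detection across all engines (None if missed).
    This is the quantity the 'outbreak to detection' graph reports."""
    return [min((d for d in row if d is not None), default=None) for row in delays]


def median_first_detection(delays):
    """Median hours to first detection over the outbreaks that were caught."""
    hits = [t for t in time_to_first_detection(delays) if t is not None]
    return median(hits) if hits else None


if __name__ == "__main__":
    for name, rate in zip("ABCD", engine_rates(DELAYS)):
        print(f"engine {name}: {rate:.0%}")
    print(f"union of all engines: {combined_rate(DELAYS):.0%}")
    print(f"coverage as engines are added: {marginal_gain(DELAYS)}")
    print(f"median hours to first detection: {median_first_detection(DELAYS)}")
```

Even though every engine here catches only a third to a half of the samples, the union catches five of six, and the per-engine delays mean the earliest detection is usually much sooner than any single engine's. The one row missed by all engines is why the slides go on to add sanitization, signatures and sandboxing rather than relying on scanning alone.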
The most comprehensive approach is to combine multiple protection methods into a single data security policy, which greatly reduces the likelihood that any threat will make it past all of the different protection methods.
Some of the different layers that can be used are the following
Blacklist known threats and whitelist known trusted files
Filter files based on their type to eliminate any file types that are too risky to allow into the organization
Use data sanitization to remove embedded objects from files that are otherwise not detected by antivirus engines
Validate all digital signatures, and optionally digitally sign files so that they can be verified as clean when they are checked later
Use static analysis to examine files, including scanning with multiple antivirus engines
Periodically rescan files that were previously identified as clean, so that any threats identified after the initial scan can be remediated
Use dynamic analysis tools, such as sandboxes, that use different methods to identify threats
To address the user permission challenge, it is best to create multiple user groups and then assign the appropriate security policy to each group.
For example:
Anyone in the IT group is allowed to bring in executables, however those executables are required to be scanned by 20 different anti-malware engines
Anyone in Accounting, on the other hand, would not be allowed to bring in executables, and any documents they bring in must be sanitized and scanned by 20 different anti-malware engines
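The group policies just described, as an added Python example that is not OPSWAT code: a small gateway that classifies content by its leading bytes rather than by extension, blocks executables for Accounting, runs a stand-in sanitize step on documents, requires 20 clean engine verdicts before delivery, and seals the delivered bytes with an HMAC so a later consumer can check they are unchanged since scanning (the "digitally sign after scanning" element from the workflow slide). The engines are constructed hash blocklists, the sanitizer only strips a macro marker, and the key, names and sample bytes are assumptions.

```python
"""Group-based data security policy evaluator (illustrative, not OPSWAT code)."""
import hashlib
import hmac
from dataclasses import dataclass

# Leading-byte signatures used to classify content. Constructed subset; a real
# gateway needs a much larger table plus container and PE header parsing.
MAGIC = (
    (b"MZ", "executable"),         # Windows PE
    (b"%PDF", "document"),
    (b"PK\x03\x04", "document"),   # OOXML (.docx/.xlsx) is a ZIP container
    (b"\x89PNG", "image"),
)


def detect_type(data: bytes) -> str:
    """Classify by content, never by the extension the sender chose."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


@dataclass(frozen=True)
class GroupPolicy:
    blocked: frozenset      # file types this group may never receive
    min_engines: int        # engines that must all return 'clean'
    sanitize: frozenset     # file types sanitized before delivery


# Policies from the slide: IT may receive executables, Accounting may not and
# has every document sanitized; both require 20 clean engine verdicts.
POLICIES = {
    "it": GroupPolicy(frozenset(), 20, frozenset()),
    "accounting": GroupPolicy(frozenset({"executable"}), 20, frozenset({"document"})),
}


def make_engine(bad_hashes):
    """Constructed stand-in for an anti-malware engine: a SHA-256 blocklist."""
    return lambda data: hashlib.sha256(data).hexdigest() not in bad_hashes  # True = clean


KNOWN_BAD = hashlib.sha256(b"MZ\x90\x00evil").hexdigest()   # constructed sample
# Twenty engines; only half of them know the sample, mirroring uneven coverage.
ENGINES = [make_engine({KNOWN_BAD} if i % 2 == 0 else set()) for i in range(20)]


def sanitize(data: bytes) -> bytes:
    """Stand-in for 'convert to a temporary format and back': drops everything
    from the macro marker onward so embedded active content does not survive."""
    idx = data.find(b"vbaProject.bin")
    return data if idx < 0 else data[:idx]


GATEWAY_KEY = b"constructed-gateway-signing-key"   # assumption; keep such keys in an HSM/KMS


def seal(data: bytes) -> str:
    """Tag the scanned bytes so consumers can prove they are unchanged since scanning."""
    return hmac.new(GATEWAY_KEY, data, hashlib.sha256).hexdigest()


def verify_seal(data: bytes, tag: str) -> bool:
    return hmac.compare_digest(seal(data), tag)


def admit(group: str, data: bytes, engines=ENGINES) -> dict:
    """Apply the group's policy and return the decision; on success the
    delivered bytes (possibly sanitized) and their seal are included."""
    policy = POLICIES[group]
    kind = detect_type(data)
    if kind in policy.blocked:
        return {"allowed": False, "type": kind, "reason": "type blocked for group"}
    if len(engines) < policy.min_engines:
        return {"allowed": False, "type": kind, "reason": "not enough engines"}
    if kind in policy.sanitize:
        data = sanitize(data)
    verdicts = [engine(data) for engine in engines[:policy.min_engines]]
    if not all(verdicts):
        return {"allowed": False, "type": kind,
                "reason": f"{verdicts.count(False)} engine(s) flagged content"}
    return {"allowed": True, "type": kind, "data": data, "seal": seal(data)}
```

A renamed executable ("invoice.pdf.exe") is still caught because classification reads the bytes, and a document that reaches Accounting arrives without its macro payload regardless of whether any engine recognised it. The seal is what lets a downstream file server accept a previously scanned file without rescanning, and reject it the moment a single byte differs.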
The data source configuration challenge is best addressed by managing data security policies from a central location.
By making sure that all data entering an organization, whether through e-mail, a web proxy, or by physical media, is handled by the appropriate security policy, the number of potential points of failure is greatly reduced.
All management and definition of the security policies can then be handled from a single location, so there is less chance that inconsistencies introduce vulnerabilities.
This is never perfect, though.
To come back to the diagram we covered earlier in the presentation, having a centralized solution like Metadefender, where multi-layer security policies can be centrally defined and managed, helps organizations to protect themselves against potential threats, regardless of the source of the file and who is both bringing the file into and using the file within the organization.
This is the vision of OPSWAT. Today we cover elements of this secure data workflow, covering kiosk, proxy and email, either via Metascan and Metadefender or via a technology partner.
We are the leader in the space, and Next IT represents us in Japan for deployment opportunities.
Thank you for your time. If you would like to find out more about designing secure data workflows and how OPSWAT can help you protect your organization from threats you can visit our website, at www.opswat.com.