Multiscanning: Making Sense of the Numbers
Did you know that a false positive can provide threat intelligence? Let me show you a case study. But first a bit of an introduction to what we’ll be discussing.
We are all familiar with a variety of multi-scanning services, but when we talk about multi-scanning most people think of submitting files to a webserver. The files may be suspicious or perhaps the system is used to check new files before they are installed. These are both great uses for a multiscanning system, however this presentation is about the benefits of integrating a multiscanning system into an enterprise network. To be clear, multiscanning does not replace real-time protection on endpoints and servers.
An integrated multiscanning system leverages the strengths of several antimalware vendor’s offerings. This includes technological approaches, geographical diversity, sensor nodes, and time-to-detect. The use of multiple scanning engines can also help in evaluating potential false positives.
Granted, an increase of false positives is one of the legitimate concerns one should have if they are evaluating the real-time use of the technology. Cost is also going to be a consideration. There are costs associated with licensing, and additional resources. Latency is also a concern.
As is the case with any effective security technology there will be pros and cons. It is therefore incumbent on any multiscanning, or other security solution, to demonstrate the ability to impactfully increase the customer’s security posture.
November 7 at 16:40 - 17:00, Stage A
Randy Abrams joined the antivirus community in 1997, long before it was called antimalware. While working at Microsoft, Randy designed and administered the multiscanning system that Microsoft required to stop the release of infected products. Randy administered the systems for seven years, and trained Microsoft employees in the US, Europe and in Asia on multiscanning fundamentals, process design, maintenance, and administration. Microsoft’s multiscanning system now handles in excess of five billion files per month.
While at Microsoft, Randy worked relentlessly to get Microsoft to share critical information that the AV industry required to better protect Microsoft’s customers. After leaving Microsoft in 2005, Randy went to work at ESET as the Director of Technical Education. Following ESET he worked as a Research Director for NSS Labs, and then as a Senior Security Analyst at Webroot. Randy joined OPSWAT as a Senior Security Analyst in June of 2019.
Randy has served on the board of directors of AVAR for almost two decades, has presented at dozens of security conferences throughout the world, and has been quoted hundreds of times in the media.