Defending against malware remains one of the most pressing tasks for any
security team, but modern
malware is sophisticated enough to evade detection based on a file hash or
metadata. YARA rules
offer an expressive language for describing entire families of malware, but
there isn't an easy way
to integrate them into an organization's environment.
This will be the official public launch of YARA-as-a-Service (YaaS), a newly
developed open-source
serverless AWS pipeline where any file uploaded to an S3 bucket is immediately
scanned with a
configurable set of YARA rules. An alert will fire as soon as any match is
found, giving an incident
response team the ability to quickly contain the threat before it spreads.
The serverless design leads to strong security, automatic scalability, and
very low cost. The YARA
ruleset can be updated at any time, triggering a re-analysis of the entire
bucket and alerting if
any new matches are found. YaaS is fully managed with Terraform configuration
files; its
entire infrastructure can be deployed in minutes with a single command.
This talk will review the flexibility and popularity of YARA rules, explain
the YaaS architecture
and its integration with StreamAlert, and present a full live demo
(starting from only an empty AWS account).