YARA-as-a-Service (YaaS): Real-Time Serverless Malware Detection

BSidesLV 2017

Presented by: Austin Byers
Date: Tuesday July 25, 2017
Time: 19:30 - 19:55
Location: Breaking Ground

Defending against malware remains one of the most pressing tasks for any security team, but modern
malware is sophisticated enough to evade detection based on a file hash or metadata. YARA rules
offer an expressive language for describing entire families of malware, but there isn't an easy way
to integrate them into an organization's environment.

This will be the official public launch of YARA-as-a-Service (YaaS), a newly developed open-source
serverless AWS pipeline where any file uploaded to an S3 bucket is immediately scanned with a
configurable set of YARA rules. An alert will fire as soon as any match is found, giving an incident
response team the ability to quickly contain the threat before it spreads.

The serverless design leads to strong security, automatic scalability, and very low cost. The YARA
ruleset can be updated at any time, triggering a re-analysis of the entire bucket and alerting if
any new matches are found. YaaS is fully managed with Terraform configuration files; its
entire infrastructure can be deployed in minutes with a single command.
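To make the two paths in that description concrete, here is an added Python sketch that is not the YaaS project's own code: a parser for a small subset of YARA rule syntax (text and hex strings with `nocase`, and `any of them` / `all of them` conditions), a scanner that applies the parsed rules to file bytes, and an event handler that behaves like the pipeline's Lambda function: an S3 `ObjectCreated` record scans only the uploaded key, while a ruleset-update event rescans every object in the bucket. The in-memory bucket, the sample rules, the sample files and the `ruleset-updated` event shape are all constructed for the example; a real deployment would use `yara-python` for full rule support and `boto3` to read from S3.

```python
"""Added example, not YaaS code: a miniature model of the S3 -> YARA -> alert pipeline."""
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

# Subset of YARA syntax handled here (assumption: enough for the demo, not full YARA).
RULE_RE = re.compile(r"rule\s+(\w+)\s*\{(.*?)\n\}", re.S)
STR_RE = re.compile(
    r'^\s*(\$\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|\{([0-9A-Fa-f\s]+)\})\s*(nocase)?\s*$', re.M)
COND_RE = re.compile(r"condition:\s*(any|all)\s+of\s+them")


@dataclass
class Rule:
    name: str
    strings: dict        # identifier -> (pattern bytes, nocase flag)
    require_all: bool    # True for "all of them", False for "any of them"


def parse_rules(source: str) -> list:
    """Parse the supported subset; anything else raises so a broken ruleset
    fails at deploy time instead of silently matching nothing."""
    rules = []
    for name, body in RULE_RE.findall(source):
        strings = {}
        for m in STR_RE.finditer(body):
            ident, text, hexs, nocase = m.groups()
            if hexs is not None:
                pattern = bytes.fromhex("".join(hexs.split()))
            else:
                # Resolve YARA text escapes such as \" \\ \n \xNN into raw bytes.
                pattern = text.encode("latin-1").decode("unicode_escape").encode("latin-1")
            strings[ident] = (pattern, nocase is not None)
        cond = COND_RE.search(body)
        if not strings or cond is None:
            raise ValueError(f"rule {name}: only string patterns with any/all of them are supported")
        rules.append(Rule(name, strings, cond.group(1) == "all"))
    return rules


def scan(rules: list, data: bytes) -> list:
    """Return the names of the rules whose condition holds for these bytes."""
    lowered = data.lower()
    matched = []
    for rule in rules:
        hits = 0
        for pattern, nocase in rule.strings.values():
            haystack, needle = (lowered, pattern.lower()) if nocase else (data, pattern)
            if needle in haystack:
                hits += 1
        satisfied = hits == len(rule.strings) if rule.require_all else hits > 0
        if satisfied:
            matched.append(rule.name)
    return matched


class Bucket:
    """Stand-in for an S3 bucket (constructed for the example)."""
    def __init__(self, name: str, objects: dict):
        self.name, self.objects = name, objects

    def get(self, key: str) -> bytes:
        return self.objects[key]

    def list_keys(self) -> list:
        return sorted(self.objects)


def s3_put_event(bucket_name: str, key: str) -> dict:
    """Minimal S3 ObjectCreated notification, as Lambda would receive it."""
    return {"Records": [{"eventName": "ObjectCreated:Put",
                         "s3": {"bucket": {"name": bucket_name}, "object": {"key": key}}}]}


def handle_event(event: dict, bucket: Bucket, rules: list) -> list:
    """Dispatch like the pipeline's Lambda: scan one new object, or rescan the
    whole bucket after a ruleset update. Returns one alert per matching object."""
    if event.get("source") == "ruleset-updated":      # assumed event shape for the example
        keys = bucket.list_keys()
    else:
        # S3 URL-encodes object keys in event records, so decode before fetching.
        keys = [unquote_plus(rec["s3"]["object"]["key"]) for rec in event.get("Records", [])
                if rec.get("eventName", "").startswith("ObjectCreated")]
    alerts = []
    for key in keys:
        matches = scan(rules, bucket.get(key))
        if matches:
            alerts.append({"bucket": bucket.name, "key": key, "matched_rules": matches})
    return alerts


# Constructed sample ruleset and bucket contents (not real malware indicators).
SAMPLE_RULES = r'''
rule suspicious_dropper
{
    strings:
        $mz  = { 4D 5A }
        $cmd = "cmd.exe /c" nocase
        $url = "http://example.invalid/payload"
    condition:
        all of them
}

rule any_powershell_encoded
{
    strings:
        $enc  = "-EncodedCommand" nocase
        $enc2 = "-enc "
    condition:
        any of them
}
'''

SAMPLE_BUCKET = Bucket("quarantine", {
    "uploads/installer.exe": b"MZ\x90\x00 ... cmd.exe /C start http://example.invalid/payload",
    "uploads/notes.txt": b"meeting notes, nothing interesting here",
    "uploads/run.ps1": b"powershell -EncodedCommand SQBFAFgA",
})

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print(handle_event(s3_put_event("quarantine", "uploads/installer.exe"), SAMPLE_BUCKET, rules))
    print(handle_event({"source": "ruleset-updated"}, SAMPLE_BUCKET, rules))
```

The upload path produces a single alert for `uploads/installer.exe`; the rescan path walks every key and additionally flags `uploads/run.ps1`, which is the behaviour the abstract describes for a ruleset change. Raising on unsupported syntax in `parse_rules` is deliberate: a rule that compiles to nothing is a silent detection gap, which is worse than a failed deploy.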

This talk will review the flexibility and popularity of YARA rules, explain the YaaS architecture
and its integration with StreamAlert, and present a full live demo
(starting from only an empty AWS account).

Austin Byers

I joined Airbnb in 2016 as a software engineer on the security team. Since then, I've been working on Airbnb's encryption services and incident response tools, including Cipher and the open-source StreamAlert project, respectively. Prior to my professional work, I was the University of Chicago's first graduate student to study computer security. My research focused on building a foundation for client-side web transparency by automatically classifying JavaScript changes according to the scope of their impact (comparing ASTs). My interests include cryptography, machine learning, data analysis and visualization, distributed systems, Python, and of course security. Also music (singing bass, playing trumpet or piano), hiking, and cats!
