
Perks of Sigma and YARA rules in an EDR

Sigma and YARA are two rule formats for detecting threats: Sigma describes malicious behavior as seen in log events, YARA describes malicious files (binaries or other content). What are the advantages of these formats, and how are these rules integrated into HarfangLab's EDR?

Sigma: definition

Sigma is an open, vendor-neutral detection rule format, widely adopted by the security community. A Sigma rule is a YAML document that describes a suspicious pattern in log events (process creation, network connection, registry changes…) in terms of the log source and the field values to look for, so that the same rule can be converted to the query language of different SIEMs and EDRs. It enables detection rules to be written to identify malicious behavior rather than a specific file.
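As an added illustration (not code from HarfangLab or from the Sigma project), the following Python block holds a hypothetical Sigma rule as a dictionary that mirrors its YAML form and evaluates it against a few constructed process-creation events; the rule, the sample events and the `approved_orchestrator.exe` exclusion are all assumptions made for the example:

```python
"""Evaluate a Sigma-style rule against constructed process-creation events.

Added example: a hand-written illustration of Sigma matching semantics,
not HarfangLab code and not the reference sigma-cli / pySigma tooling.
The rule is kept as a Python dict mirroring the YAML layout (shown in the
comment) so the example runs without a YAML parser.
"""

# Equivalent Sigma YAML for the hypothetical rule used here:
#
#   title: Encoded PowerShell Command Line
#   logsource:
#     category: process_creation
#     product: windows
#   detection:
#     selection:
#       Image|endswith: '\powershell.exe'
#       CommandLine|contains:
#         - ' -enc '
#         - ' -EncodedCommand '
#     filter:
#       ParentImage|endswith: '\approved_orchestrator.exe'
#     condition: selection and not filter
#   level: high

RULE = {
    "title": "Encoded PowerShell Command Line",
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": [" -enc ", " -EncodedCommand "],
        },
        # The filter plays the role of a whitelist: it carves an approved
        # parent process (hypothetical name) out of the selection.
        "filter": {"ParentImage|endswith": "\\approved_orchestrator.exe"},
        "condition": "selection and not filter",
    },
}

# Constructed sample events (not real telemetry). Field names follow the
# Sysmon-style process_creation schema that Sigma rules commonly use.
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"id": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAA=",
     "ParentImage": r"C:\Program Files\Vendor\approved_orchestrator.exe"},
    {"id": 3, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

# Sigma string comparisons are case-insensitive; a list of values is an OR.
_MODIFIERS = {
    "": lambda value, expected: value == expected,
    "contains": lambda value, expected: expected in value,
    "startswith": lambda value, expected: value.startswith(expected),
    "endswith": lambda value, expected: value.endswith(expected),
}


def field_matches(event: dict, key: str, expected) -> bool:
    """Apply one 'Field|modifier: value(s)' line of a selection to an event."""
    field, _, modifier = key.partition("|")
    if modifier not in _MODIFIERS:
        raise ValueError(f"unsupported modifier: {modifier!r}")
    value = str(event.get(field, "")).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    return any(_MODIFIERS[modifier](value, str(c).lower()) for c in candidates)


def selection_matches(event: dict, selection: dict) -> bool:
    """All fields of one selection map must match (implicit AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def evaluate(rule: dict, event: dict) -> bool:
    """Evaluate conditions of the form 'X' or 'X and not Y [and not Z]'."""
    detection = rule["detection"]
    names = [n.strip() for n in detection["condition"].split(" and not ")]
    if not selection_matches(event, detection[names[0]]):
        return False
    return not any(selection_matches(event, detection[n]) for n in names[1:])


def matching_ids(rule: dict, events: list) -> list:
    """Return the ids of the events the rule fires on."""
    return [e["id"] for e in events if evaluate(rule, e)]


if __name__ == "__main__":
    print("alerts:", matching_ids(RULE, EVENTS))  # alerts: [1]
```

The `filter` map is the Sigma-native way to express a whitelist: `condition: selection and not filter` keeps the detection logic and the exclusion in the same rule, so a customized rule remains readable and portable to any other tool that consumes Sigma. Event 2 shows the cost of that exclusion: an encoded command line launched by the approved parent is not reported, which is exactly what an analyst has to weigh when adding a whitelist entry.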

YARA: definition

YARA is a tool and rule language that enables analysts and researchers to identify and classify malicious files. A YARA rule describes a malware family as a set of textual or binary patterns (strings, byte sequences with wildcards) together with a boolean condition over those patterns. It is an open format, also widely used in the cyber community.
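The following block, added here as an illustration and not HarfangLab's or the YARA project's code, shows what a YARA rule's strings and condition actually do: it mirrors a hypothetical rule (a plain text string, a `nocase` string, a hex pattern with `??` wildcards and a header check) in plain Python and runs it over constructed byte buffers. The rule, the buffers and their contents are assumptions made for the example; real deployments compile rules with yara or yara-python.

```python
"""Illustrate YARA matching semantics on constructed byte buffers.

Added example, not HarfangLab code and not the yara / yara-python library:
it re-implements just the subset of YARA needed for one hypothetical rule
(text strings, a hex pattern with wildcards, a condition over them) so that
the logic can be followed without installing YARA.
"""
import re

# The hypothetical YARA rule this example mirrors:
#
#   rule Example_Downloader_Stub
#   {
#       meta:
#           description = "Illustrative rule written for this example"
#       strings:
#           $dos_text = "This program cannot be run in DOS mode"
#           $url      = "http://" nocase
#           $stub     = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04 }
#       condition:
#           uint16(0) == 0x5A4D and $dos_text and ($url or $stub)
#   }


def hex_pattern(pattern: str) -> re.Pattern:
    """Turn a YARA hex string such as '{ 68 ?? E8 }' into a bytes regex.

    Only whole-byte wildcards ('??') are supported here; YARA also allows
    nibble wildcards and jumps, which are left out to keep the example short.
    """
    parts = []
    for token in pattern.strip("{} ").split():
        if token == "??":
            parts.append(b".")
        elif len(token) == 2 and "?" not in token:
            parts.append(re.escape(bytes([int(token, 16)])))
        else:
            raise ValueError(f"unsupported hex token: {token!r}")
    return re.compile(b"".join(parts), re.DOTALL)


STRINGS = {
    "$dos_text": re.compile(re.escape(b"This program cannot be run in DOS mode")),
    "$url": re.compile(re.escape(b"http://"), re.IGNORECASE),  # 'nocase'
    "$stub": hex_pattern("{ 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04 }"),
}


def scan(data: bytes) -> dict:
    """Return the match offsets of every string and the rule's verdict."""
    offsets = {name: [m.start() for m in rx.finditer(data)]
               for name, rx in STRINGS.items()}
    # uint16(0) reads two little-endian bytes at offset 0; 'MZ' == 0x5A4D.
    # On a buffer shorter than two bytes the read is undefined in YARA, so
    # the condition is treated as false.
    header_ok = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    matched = header_ok and bool(offsets["$dos_text"]) and (
        bool(offsets["$url"]) or bool(offsets["$stub"]))
    return {"matched": matched, "offsets": offsets}


def build_pe_like_sample() -> bytes:
    """Constructed buffer (not a real executable) that satisfies the rule."""
    dos_header = b"MZ" + b"\x90" * 62                   # 64-byte DOS header
    dos_stub = b"This program cannot be run in DOS mode.\r\n$"
    code = (b"\x68\x10\x20\x40\x00"                     # push 0x00402010
            + b"\xe8\x00\x01\x00\x00"                   # call +0x100
            + b"\x83\xc4\x04")                          # add esp, 4
    return dos_header + dos_stub + b"\x00" * 16 + code + b"\x00" * 32


# Constructed benign inputs: a text file that mentions a URL but is not a
# PE image, and a PE-like buffer with no URL and no call stub.
BENIGN_TEXT = b"Meeting notes: see http://intranet.example/agenda\n"
BENIGN_PE_LIKE = (b"MZ" + b"\x90" * 62
                  + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 64)


if __name__ == "__main__":
    for label, blob in [("sample", build_pe_like_sample()),
                        ("text", BENIGN_TEXT), ("pe-like", BENIGN_PE_LIKE)]:
        print(label, scan(blob)["matched"])
```

Only the `matched` verdict raises an alert, but the per-string offsets are what an analyst looks at when qualifying a rule: `$url` fires on an ordinary text document here, and it is the condition tying it to the `MZ` header and the DOS stub that keeps the rule from being a false-positive generator.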
 

Why analysts prefer Sigma and YARA rules

HarfangLab’s EDR is based on the Sigma and YARA standard formats, among others, because they offer several advantages: 

  • The formats are already familiar to most cybersecurity experts, so there is little to learn;  
  • Analysts who do not yet know Sigma and YARA can train on them and reuse these skills with many other security tools;  
  • Sigma and YARA make it easier to connect the EDR with the existing security stack;  
  • These rules are accessible and customizable, and because the formats are public they are simple to read, understand and use. 

These rules can come from: 

  • public sources, accessible via public repositories such as GitHub,   
  • external sources, such as public organizations dedicated to cybersecurity, 
  • the CTI team of the security solution vendor,  
  • internal sources, such as an organization’s own cyber-attack watch center… 

“The choice of standard Yara and Sigma formats, and the ability to modify these rules to customize them, are real assets for our teams, who also appreciate the whitelist system.” 
Cybersecurity Manager – Industrial Group 

 
And for HarfangLab EDR, where do these Sigma and YARA rules come from? 

Sigma and YARA: open source rules vs. rules written by a CTI team

Public repositories contain thousands of rules that a security solution could load, but an analyst’s job is not simply to monitor public repositories and pull in every rule they contain.  

This is why HarfangLab EDR relies on more than 2,000 rules designed by its Cyber Threat Intelligence (CTI) team rather than on the thousands of rules found in public repositories. Why? In the interest of quality. 

Although public rules can serve as a starting point, the HarfangLab teams don’t simply push rules en masse into the various detection engines.  

Rules are maintained over the long term, so that they live and evolve with the threat context.   

A complete process of writing, qualification, testing (in particular to limit false positives) and lifecycle monitoring of Sigma and YARA rules therefore guides the work of our CTI teams.  

Among other things, it is this continuous R&D work on detection rules that contributes to the value of EDR, beyond the tool itself!   

In fact, users can see the relevance of our rules for themselves through “out-of-the-box” tests: different solutions are installed and their detection performance is evaluated before any customization layer (rules, IOCs, exception handling, etc.) is applied. Customization, by adding rules and setting up whitelists, then refines detection further, and this customization is made easier by the availability of standard formats.  

These rules can be displayed and modified directly in the EDR console, to help analysts understand alerts and manage the lifecycle of existing rules. 

Displayed rules: an advantage for attackers?

“HarfangLab EDR gives access to its detection rules, and displays Sigma and YARA rules to enable analysts to understand what triggered an alert.  

Contrary to popular belief, displaying these rules doesn’t make attackers’ work any easier, just as hiding them doesn’t protect against attempts to bypass protection tools. In fact, there are two types of attack: cybercrime and advanced attacks or APTs. 

In the case of cybercrime, attackers are not really trying to be discreet, and generally the only way to stay under the radar is to disable any security tools present on the workstation. 
For advanced attacks, attackers prepare their actions more meticulously, and whether or not a tool displays these rules will make little difference to them. 
All in all, the fact that a tool is transparent when it comes to rules is therefore a real advantage for users, but it would be wrong to think that this amounts to leaving the door open to attackers.” 

Emeric Boit, Lead CTI – HarfangLab

To go a step further, let’s take a look at some of the benefits of Sigma rules for optimizing IT protection.  

Why focus on Sigma rules?  
As we have seen, Sigma rules identify malicious behavior, while YARA rules focus on binaries. A SIEM collects events describing actions in an Information System (not files), which is why Sigma rules are the ones that travel naturally between an EDR and a SIEM.

Managing Sigma rules between an EDR and a SIEM 

A SIEM generally offers a longer data retention period than an EDR, which makes it possible to hunt retrospectively by reusing the Sigma rules coming from the EDR; these can complement the rules already in the SIEM.  

Since a SIEM also retrieves logs from other sources (firewalls, routers, mail servers…), analysts can correlate them and push investigations further. 

Finally, a SIEM performs detection in retrospect, whereas an EDR can take blocking or remediation actions in real time. For this reason, it may be more valuable to put certain rules directly into the EDR.  
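To make the EDR-to-SIEM reuse concrete, here is an added example (not HarfangLab code, and not the sigma-cli / pySigma backends that do this in practice) that converts a hypothetical Sigma-style rule into a simplified Splunk-style search with a long lookback window, the kind of query used to hunt over the SIEM's retention period. The rule, the index name and the field mapping are assumptions made for the example:

```python
"""Convert a Sigma-style rule into a SIEM search for retrospective hunting.

Added example, not HarfangLab code and not the sigma-cli / pySigma backends
that do this in production: a hand-written converter that emits a simplified
Splunk-style search string. The rule dict, the index name and the field map
are assumptions made for the example; a real conversion must also follow the
target SIEM's own escaping rules and field names.
"""

# Hypothetical rule, the same shape as a rule an EDR would run on the agent.
RULE = {
    "title": "Encoded PowerShell Command Line",
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": [" -enc ", " -EncodedCommand "],
        },
        "filter": {"ParentImage|endswith": "\\approved_orchestrator.exe"},
        "condition": "selection and not filter",
    },
}

# Hypothetical mapping from the rule's Sysmon-style field names to the names
# the SIEM indexes the same events under; identity when a field is absent.
FIELD_MAP = {
    "Image": "process_path",
    "CommandLine": "process_cmdline",
    "ParentImage": "parent_process_path",
}


def _quote(value: str) -> str:
    """Quote a value for the search string, doubling backslashes and quotes.

    Illustrative escaping only: check the rules of the SIEM you target.
    """
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _field_clause(key: str, expected, field_map: dict) -> str:
    """Translate one 'Field|modifier' entry; a list of values becomes an OR."""
    field, _, modifier = key.partition("|")
    name = field_map.get(field, field)
    wildcard = {"": "{}", "contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}
    if modifier not in wildcard:
        raise ValueError(f"unsupported modifier: {modifier!r}")
    values = expected if isinstance(expected, list) else [expected]
    clauses = [f"{name}={_quote(wildcard[modifier].format(v))}" for v in values]
    return clauses[0] if len(clauses) == 1 else "(" + " OR ".join(clauses) + ")"


def _selection_clause(selection: dict, field_map: dict) -> str:
    """Fields inside one selection are ANDed."""
    clauses = [_field_clause(k, v, field_map) for k, v in selection.items()]
    return clauses[0] if len(clauses) == 1 else "(" + " AND ".join(clauses) + ")"


def to_search(rule: dict, index: str = "endpoint", earliest: str = "-90d",
              field_map: dict = None) -> str:
    """Build 'index=... earliest=... <selection> NOT <filter>...' for
    conditions of the form 'X' or 'X and not Y [and not Z]'."""
    field_map = field_map or {}
    detection = rule["detection"]
    names = [n.strip() for n in detection["condition"].split(" and not ")]
    search = _selection_clause(detection[names[0]], field_map)
    for name in names[1:]:
        search += " NOT " + _selection_clause(detection[name], field_map)
    return f"index={index} earliest={earliest} {search}"


if __name__ == "__main__":
    print(to_search(RULE, field_map=FIELD_MAP))
```

The field mapping is where most of the real work lies: the agent evaluates the rule against its own telemetry schema, whereas the SIEM may have indexed the same process events under different field names, and a rule converted without that mapping silently matches nothing. The `earliest` window is what the EDR cannot offer: the same `selection and not filter` logic is replayed over months of retained events instead of being applied to live telemetry.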

And since we know how precious time is when dealing with threats, detection is carried out directly at the level of the agent deployed on the workstation. 

Why does HarfangLab EDR integrate Sigma and YARA rules directly into agents? 

Integrating Sigma and YARA rules directly into agents guarantees blocking as close as possible to the threat. 

Indeed, as we have seen, a SIEM processes data in retrospect, whereas an EDR can apply blocking measures or actions in time (preventing a driver from loading, a process from launching…), which is not the role of a SIEM.  

Finally, by placing rules in agents, an EDR can operate autonomously: if it is disconnected from the network, it remains operational, unlike a SIEM, which loses visibility of the Information System when the network is cut (no data comes back).   

As agents are placed directly on endpoints, even in the event of a network outage, the EDR continues to see what’s going on. 


Want to know more about how our EDR works?