Using CrowdStrike to Eradicate Malware with Cloud Storage Security

AWS-managed storage services such as Amazon Simple Storage Service (Amazon S3) and Amazon Elastic Block Store (Amazon EBS) are often the data store of choice for applications and data ingestion workflows.  

According to the AWS Shared Responsibility Model, the organization using the storage service is responsible for data security. This responsibility includes ensuring data cleanliness through malware scanning, which is also mandated in frameworks such as SOC 2, HIPAA, ISO 27001, and PCI DSS. 

One way to reduce risk and work toward data security is to use Antivirus for Amazon S3 (AVS3) by Cloud Storage Security (CSS), which leverages the power of the unified, cloud-native CrowdStrike Falcon^® security platform to identify ransomware, viruses, trojans, and worms, protecting businesses from advanced attacks.

Through an original equipment manufacturer (OEM) partnership with CrowdStrike, CSS provides customers with the CrowdStrike File Analyzer Software Development Kit (SDK) scanning engine, which uses market-leading machine learning technology and CrowdStrike’s massive corpus of malware samples to scan for malicious code. CrowdStrike’s File Analyzer SDK is a proven component of the CrowdStrike Falcon platform, which is powered by the CrowdStrike Security Cloud and world-class artificial intelligence (AI). The OEM partnership between CrowdStrike and CSS is, in part, what makes AVS3 stand out from other solutions and a do-it-yourself development.

In this article, we discuss the advantages of using CrowdStrike within AVS3 to detect problem files and keep customers, partners, and employees safe.

Catch Threats Other Engines Miss

Machine learning (ML) is a subset of AI and refers to the process of teaching algorithms to learn patterns from existing data to predict answers on new data. This technology can analyze file behavior, identify patterns, and use these insights to improve detection of novel and unidentified malware. ML is able to quickly analyze large volumes of historical and dynamic intelligence, enabling teams to operationalize data from various sources in near real-time. This approach differs from signature-based detection, which uses known digital indicators of malware to identify suspicious behavior; instead, indicators of compromise, often maintained in a database, can be used to more accurately identify a breach. 

CrowdStrike Falcon is a leading enterprise threat protection platform, leveraging advanced artificial intelligence and machine learning. It’s ML models are trained on CrowdStrike's unparalleled intelligence and security expertise to identify both known and zero-day malware, delivering hyper-accurate detections. Powered by world-class AI, the CrowdStrike File Analyzer SDK delivers best-in-class protection capabilities to detect the most advanced threats while minimizing false positives.  

Figure 1: CrowdStrike File Analyzer Engine Technical Specifications

How the Integration Works

AVS3 is an AWS Fargate, container-based solution that is deployed directly from AWS Marketplace into the customer’s own AWS infrastructure so data never leaves the customer’s environment. It’s a highly scalable solution that scans multiple files simultaneously and offers multiple scanning models, all of which will be able to use the CrowdStrike File Analyzer engine. Scanning models include:

• Event – scan new objects in near real time when they are dropped into storage
• Retro – scan existing objects on demand or via schedule
• API – scan objects before they are written from within or outside of AWS via API

Figure 2: High-level architecture depicting CrowdStrike File Analyzer antimalware engine integration

CrowdStrike within AVS3 ensures protection against malware with industry-trusted antivirus and threat protection, providing security assurance and additional intelligence. The CrowdStrike File Analyzer capabilities, powered by advanced AI/ML capabilities, automatically help prevent threats in real time with accuracy and speed.

When a scan is initiated, the CrowdStrike File Analyzer SDK scans and tags the files as clean, infected, or problem. Once the scan completes, real-time scan result notifications are sent to an Amazon Simple Notification Service (Amazon SNS) notification topic and listed in the CSS console. Notifications are also easily integrated into the user’s SecOps process for incident response.

Figure 3: Problem Files report in CSS Console

Infected or problem files are quarantined. If it’s determined that the file flagged as potentially malicious is a false positive, it can be moved back into the source bucket. If it is not a false positive, it can be deleted or detonated. Optionally, users can subscribe to an AWS Lambda function that is triggered by clean scan results to copy or move clean files from a staging bucket to a destination bucket.

Figure 4: Event Scanning depicting CrowdStrike File Analyzer integration and quarantine using two bucket document flow

Existing AVS3 users who want to leverage the CrowdStrike File Analyzer SDK engine will need to go to “Scan Settings” under “Configuration” in the main menu of the CSS console. In the drop-down menu labeled “Engine,” select “CrowdStrike.”

Figure 5: Selecting the CrowdStrike File Analyzer scanning engine in the CSS console

New users will need to sign up for a free trial of Antivirus for Amazon S3 via AWS Marketplace (learn how to subscribe here). From there, follow the How to Deploy section of CSS Help Docs to get set up and running in as little as 15 minutes. Then select the CrowdStrike engine. 

The CSS and CrowdStrike OEM partnership eliminates the complexity associated with deploying and managing malicious code scanning for any application or data ingestion workflow using AWS storage services. Now, any organization can benefit from CrowdStrike’s advanced malware prevention, advanced AI/ML capabilities, and exceptional performance within their own AWS environment.

Cloud Storage Security is an AWS Public Sector Partner with AWS Security Competency, an AWS Qualified Software offering, and an AWS Authority to Operate designation. Antivirus for Amazon S3 is available in AWS Marketplace – scan 500 GB in 30 days for free with a fully featured trial.