Cloud Hosting

In the pantheon of semi-obscure open source tools, osquery is one that deserves a closer look from most security professionals. Its easy to see why this old Facebook tool that was originally used to query operating system data has flown under the radar. Initially, it was used to improve the usability of Facebook across different platforms; there were a few individuals, mainly on the west coast of the U.S., who saw a hidden superpower in osquery that could upend the way security is managed. Because osquery lets you query nearly all of an operating systems data like a database with rich, standardized telemetry, it effectively creates an insanely powerful EDR tool. One that gives you broad visibility into exactly what is going on with an OS and ask questions about your security posture. It essentially lets a team with the right know-how perform outsized threat hunting, faster detection and remediation, implement YARA rules and more.

These superpowers created a small but very dedicated user base who were either active users or intrigued by what osquery could do.

But for all of osquerys might, there was a catch that prevented wider adoption. The open source version of osquery required knowledge of SQL and wasnt necessarily that easy to implement as part of a security stack. Also, in an increasingly cloud-native world, the open source version was at first limited to endpoints and was difficult to scale to cloud use. Theres now a version from Uptycs that doesnt require knowledge of SQL, and it is a very powerful tool for securing laptops and other endpoints, Linux servers and more. However, we now live in a cloud-first and cloud-native world. So is osquery still relevant?

Something that will become almost immediately apparent to any adept user of osquery is that it is almost infinitely scalable and flexible. That flexibility means that osquery is free to break out of its traditional domain of laptop endpoints, on-premises Linux servers and data centers and to secure the cloud. At the end of the day, osquery is just a way to query data points in an operating system. With some tinkering, it can be used in cloud environments like AWS, Azure or GCP, in container environments like Kubernetes or even, in theory, with identity providers or SaaS tools.

This flexibility effectively means that this open source tool can be used by organizations to monitor everything from developer laptops to the identity authenticator devs use to sign in to services. It can get structured telemetry from SaaS apps and container instances where code is built and tested and from cloud services where the code is ultimately deployed and run. This can all be done from a single platform using a single tool.

Take a moment to think about how radical of a departure this is for the security community. Were used to buying single-use tools for each environment that each operate in their own silo, and has its own data model and own set of rules. We then try to assimilate them into a stack and use an aggregator like a SIEM to try and pull all of the information together into a single source of truth. If a vendor of one of those products branches into another space, say an EDR vendor that moves into cloud workload, its usually done with a bolt-on acquisition of another company or technology that is often poorly integrated and implemented, and the data is often difficult to access or piece together into a unified picture. Not surprisingly, this way of doing things has led to gaps in visibility, alert fatigue and frustration. This presents obvious challenges when todays high-growth companies are relying on a complex innovation supply chain to produce the code that powers their technology.

The transition to the cloud is only accelerating, but with the industry attention focused on addressing the cloud threats that have been dominating the news, traditional endpoints are getting left behind. No matter how well streamlined your cloud security platform is, if its not including endpoints like developer laptops or on-premises Linux servers, you are giving up crucial visibility into your innovation life cycle. With reduced visibility comes risk.

For many security leaders, osquery flies under the radaror, in some cases, it is not even on the mapas a solution to these problems. But it shouldnt be. The ability of osquery to ingest and structure data so that its almost infinitely queryable is a superpower that can enable security teams to secure their entire ecosystem and future-proof their security stack. No matter what environments or operating systems your organization uses, osquery can help your security teams quickly and efficiently find the questions to almost any security, posture or configuration question. If youre worried about the posture of endpoints, osquery can answer those questions. But it can also answer questions about lateral movement in container pods or misconfigurations in AWS too.

Osquery is an open source tool that has the power to transform how we secure the cloud and makes a strong case for itself as one of the most powerful and flexible security solutions ever created.

Recent Articles By Author

Continue reading here:
Is a 10-Year-Old Facebook Technology the Future of Cloud Security? - Security Boulevard