Late last week, Chris Sanders (@chrissanders88), a former FireEye colleague, posted an interesting “lunchtime poll”:
See the full Twitter thread here.
While this is a great thought exercise, "Security Twitter" (myself included) couldn't help interjecting practical, real-world considerations into the conversation. After following some of the discussion, I felt there were a few takeaways worth discussing later, which I shared in the thread:

I'd like to continue that discussion of those points now. All of this reflects my current biases, so your experience may diverge a little, or greatly.
At Uptycs, we see the first debate, build or buy, all the time. It's often why customers (from security teams of one up to 20 or more) come to us: they started with osquery because it is open source and easy to try on a laptop, where it quickly shows how flexible and functional it is. As a result, many people perceive it as a "low cost" solution to their problems and dig in on trying to build something with it.
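To make that "initial trial on a laptop" concrete, here is the kind of ad hoc query that usually sells people on osquery. This is an added example, not code from the original post or from the Uptycs product; it uses only the standard osquery tables `processes`, `listening_ports` and `users`, and the filter on loopback addresses is an assumption about what a first-time user would want to see.

```sql
-- Added example (not from the original post): list every externally
-- reachable listening socket on the host, joined to the owning process
-- and the user it runs as. Run it in `osqueryi`, or non-interactively with
--   osqueryi --json "SELECT ..."
-- Tables and columns are standard osquery schema; the loopback exclusion
-- is an assumption about what a first trial would care about.
SELECT
  p.pid,
  p.name,
  p.path,
  u.username,
  lp.port,
  lp.protocol,   -- integer: 6 = TCP, 17 = UDP
  lp.address
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
LEFT JOIN users AS u ON u.uid = p.uid
WHERE lp.port != 0
  AND lp.address NOT IN ('127.0.0.1', '::1')
ORDER BY lp.port;
```

The point is not the query itself but how little it took to get here: no agent deployment, no pipeline, no storage, just SQL over live host state. That is exactly the experience that makes "build" look cheap before any of the fleet-scale work has started.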
Don't get me wrong: in many ways, feature for feature, osquery-based solutions are often far cheaper than aggregating several commercial solutions that do similar things. But "building" can carry a hidden resource cost that offsets the money saved. The team that tried out osquery works with it enough to see how immensely powerful it can be when deployed