In this blog post I’ll cover how osquery performs at scale and what it takes to meet enterprise-grade requirements. The observations here highlight capabilities of osquery that should help you plan an enterprise-grade deployment.
As discussed in another blog post, the osquery agent provides a rich and structured source of telemetry. The open-source project is well documented and there are numerous osquery tutorials to get you started. In this blog post I’ll introduce some key topics for consideration in enterprise-wide deployments:
- Osquery HTTP/TLS-based deployment
- Osquery vs other script-based data collection options
Osquery HTTP/TLS-based deployment
There are multiple ways to configure and deploy osquery in production. Some of the more popular approaches are summarized in the table below:
Option 1 is the simplest to implement. However, you then rely on your configuration management tool for the control plane, and configuration management tools do not by default understand how to control osquery: they can place a configuration file on each host, but they have no built-in notion of osquery’s query schedules or agent state. You will also need a separate solution for forwarding the result and status logs to their destination.
Option 2 is more complex than Option 1, because you need to deploy and operate a fleet manager and still ensure that log forwarding is in place.
Option 3 is a more modern approach to osquery control-plane and data-plane management and scales extremely well, because it uses the HTTP/TLS techniques of web-scale deployments: the agent enrolls with, pulls its configuration from, and pushes its logs to a TLS endpoint. This option can also provide deterministic agent performance by shifting complex detection analytics from the endpoint to the backend.
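To make Option 3 concrete, here is an added example (not code from Uptycs or from the osquery project) that models both sides of osquery’s TLS remote API: the flags that switch osqueryd to the TLS config, logger and distributed plugins, and a minimal in-memory backend that handles the enroll, config and log requests the agent sends. The flag names and the JSON request/response shapes follow osquery’s documented TLS plugins; the hostname, certificate path, endpoint paths, enrollment secret, schedule and sample result row are assumptions chosen for the illustration.

```python
"""Minimal model of osquery's TLS remote API (Option 3): enrollment, remote
config (control plane) and remote logging (data plane).

Added example, not Uptycs' or osquery's own code. Request/response shapes
follow osquery's documented TLS plugins; hostnames, paths, the secret and
the sample rows are assumptions."""
import hmac
import json
import secrets
from typing import Dict, List

ENROLL_SECRET = "replace-with-a-real-secret"  # assumed; osqueryd reads it from --enroll_secret_path

# Config served to every enrolled host: the same JSON an on-disk osquery.conf would hold.
FLEET_CONFIG: Dict = {
    "options": {"schedule_splay_percent": 10},
    "schedule": {
        "process_events": {"query": "SELECT * FROM process_events;", "interval": 60},
        "listening_ports": {"query": "SELECT pid, port, address FROM listening_ports;", "interval": 300},
    },
}


def render_flagfile(tls_hostname: str, server_certs: str) -> str:
    """osqueryd flags selecting the TLS plugins. Flag names are osquery's own;
    the endpoint paths and file locations are assumptions."""
    flags = [
        f"--tls_hostname={tls_hostname}",
        f"--tls_server_certs={server_certs}",          # pin the backend CA; do not rely on the system store
        "--enroll_secret_path=/etc/osquery/enroll_secret",
        "--enroll_tls_endpoint=/api/v1/osquery/enroll",
        "--config_plugin=tls",
        "--config_tls_endpoint=/api/v1/osquery/config",
        "--config_refresh=300",                        # seconds between config pulls
        "--logger_plugin=tls",
        "--logger_tls_endpoint=/api/v1/osquery/log",
        "--logger_tls_period=10",                      # seconds between log pushes
        "--disable_distributed=false",
        "--distributed_plugin=tls",
        "--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read",
        "--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write",
    ]
    return "\n".join(flags) + "\n"


class TlsBackend:
    """In-memory stand-in for the fleet backend. A real backend persists node
    keys and forwards logs to a SIEM or data lake; here everything is a dict."""

    def __init__(self, enroll_secret: str = ENROLL_SECRET) -> None:
        self._secret = enroll_secret
        self.nodes: Dict[str, str] = {}   # node_key -> host_identifier
        self.logs: List[dict] = []

    def enroll(self, body: dict) -> dict:
        # osqueryd POSTs {"enroll_secret": ..., "host_identifier": ..., "host_details": {...}}
        presented = body.get("enroll_secret", "")
        if not hmac.compare_digest(presented, self._secret):  # constant-time secret check
            return {"node_invalid": True}
        node_key = secrets.token_hex(16)
        self.nodes[node_key] = body.get("host_identifier", "")
        return {"node_key": node_key, "node_invalid": False}

    def config(self, body: dict) -> dict:
        # Later requests carry only the node_key. An unknown key answers
        # node_invalid, which makes the agent re-enroll: this is how revocation works.
        if body.get("node_key") not in self.nodes:
            return {"node_invalid": True}
        return dict(FLEET_CONFIG, node_invalid=False)

    def log(self, body: dict) -> dict:
        # Body: {"node_key": ..., "log_type": "result" | "status", "data": [...]}
        if body.get("node_key") not in self.nodes:
            return {"node_invalid": True}
        host = self.nodes[body["node_key"]]
        for entry in body.get("data", []):
            self.logs.append({"host": host, "log_type": body.get("log_type"), "entry": entry})
        return {"node_invalid": False}


def simulate_exchange(backend: TlsBackend) -> dict:
    """Walk one agent through enroll -> config -> log, plus the two failure
    paths (wrong secret, stale node_key). Returns every response."""
    bad = backend.enroll({"enroll_secret": "wrong", "host_identifier": "host-a"})
    ok = backend.enroll({"enroll_secret": ENROLL_SECRET, "host_identifier": "host-a"})
    key = ok["node_key"]
    cfg = backend.config({"node_key": key})
    sample_row = {  # constructed differential result row, as the logger plugin would send it
        "name": "listening_ports", "hostIdentifier": "host-a", "action": "added",
        "columns": {"pid": "1203", "port": "4444", "address": "0.0.0.0"},
    }
    logged = backend.log({"node_key": key, "log_type": "result", "data": [sample_row]})
    stale = backend.config({"node_key": "revoked"})
    return {"bad_secret": bad, "config": cfg, "logged": logged, "stale_key": stale}


if __name__ == "__main__":
    print(render_flagfile("fleet.example.internal", "/etc/osquery/fleet-ca.pem"))
    print(json.dumps(simulate_exchange(TlsBackend()), indent=2))
```

The point to take from the model is the control/data split the post describes: the agent only ever needs the secret once, every later call is authenticated by the node_key, and the backend can revoke a host simply by forgetting its key. Because the backend holds all result rows, detection logic runs there rather than in scheduled queries on the endpoint, which is what keeps agent CPU and memory predictable.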
*** This is a Security Bloggers Network syndicated blog from Uptycs Blog authored by Ganesh Pai. Read the original post at: https://www.uptycs.com/blog/performant-osquery-enterprise-grade-osquery-at-scale-considerations