Osquery has become a popular tool for endpoint-based security analytics. The user community is thriving and vibrant, as reflected in the GitHub security showcase and the activity on the osquery Slack channel. Many organizations, large and small, use it for a wide variety of use cases, and there are anecdotal references to organizations such as Facebook and Google using it at very large scale for security visibility.
While there are no published accounts of the actual number of osquery-based endpoints in production, it is arguably one of the most widely deployed universal agents. Its universality and appeal stem from its open source roots, its portability across Linux, Windows and macOS, its standardized SQL interface for accessing telemetry, and its performant behavior. The lightweight osquery agent can act as a sensor that streams telemetry for real-time analytics, or as an agent that interprets ad-hoc questions and returns responses. These characteristics have made it foundational tooling for visibility across many IT organizations.
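The two modes described above, the scheduled "sensor" mode and the ad-hoc query mode, use the same SQL. The configuration below is an added illustration and is not from the original post or from Uptycs; the query names, intervals and the choice of the filesystem logger are assumptions made for the example. The first entry is a differential query, so only rows that appear or disappear between runs are logged, which is what makes scheduled queries cheap enough to stream from a fleet; the second uses `"snapshot": true` to log the full result every run. Typing either SELECT statement into `osqueryi` returns the same rows interactively, which is the ad-hoc mode.

```json
{
  "options": {
    "logger_plugin": "filesystem",
    "schedule_splay_percent": 10
  },
  "schedule": {
    "listening_ports_diff": {
      "query": "SELECT p.pid, p.name, p.path, l.port, l.protocol, l.address FROM listening_ports l JOIN processes p USING (pid) WHERE l.port != 0;",
      "interval": 300,
      "description": "Example differential query (hypothetical name): logs listening sockets that appear or disappear, joined to the owning process"
    },
    "logged_in_users_snapshot": {
      "query": "SELECT type, user, host, tty, time FROM logged_in_users;",
      "interval": 600,
      "snapshot": true,
      "description": "Example snapshot query (hypothetical name): logs the full login table every 10 minutes rather than only changes"
    }
  }
}
```

The `schedule_splay_percent` option spreads query execution across endpoints so a large fleet does not run the same query at the same instant, one of the practical details that matters once the agent count grows.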
Since its debut a few years ago, osquery has seen widespread deployment and many organizations contribute back to its code base, yet relatively little has been written about the operational use cases of osquery, and especially about osquery deployments at scale. At any meaningful scale, one encounters the challenges of deploying and managing the agent, aggregating the data, and applying analytics to the aggregated data. Many organizations have tackled and solved these challenges to varying degrees. While the analytics provide the ultimate (Read more...)
This is a Security Bloggers Network syndicated blog from Uptycs Blog authored by Ganesh Pai. Read the original post at: https://www.uptycs.com/blog/announcing-the-osqueryscale-conference