In the pantheon of semi-obscure open source tools, osquery is one that deserves a closer look from most security professionals. It’s easy to see why this old Facebook tool, originally built to query operating system data, has flown under the radar. Initially, it was used to improve the usability of Facebook across different platforms, but a few individuals, mainly on the west coast of the U.S., saw a hidden superpower in osquery that could upend the way security is managed. Because osquery lets you query nearly all of an operating system’s data like a database, with rich, standardized telemetry, it effectively creates an insanely powerful EDR tool: one that gives you broad visibility into exactly what is going on with an OS and lets you ask questions about your security posture. It essentially lets a team with the right know-how perform outsized threat hunting, detect and remediate faster, implement YARA rules and more.
These superpowers created a small but very dedicated user base who were either active users or intrigued by what osquery could do.
But for all of osquery’s might, there was a catch that prevented wider adoption. The open source version of osquery required knowledge of SQL and wasn’t necessarily that easy to implement as part of a security stack. Also, in an increasingly cloud-native world, the open source version was at first limited to endpoints and was difficult to scale to cloud use. There’s now a version from Uptycs that doesn’t require knowledge of SQL, and it is a very powerful tool for securing laptops and other endpoints, Linux servers and more. However, we now live in a cloud-first and cloud-native world. So is osquery still relevant?
Is Osquery the Future of Cloud Security?
Something that will become almost immediately apparent to any adept user of osquery is that it is almost infinitely scalable and flexible. That flexibility means that osquery is free to break out of its traditional domain of laptop endpoints, on-premises Linux servers and data centers and to secure the cloud. At the end of the day, osquery is just a way to query data points in an operating system. With some tinkering, it can be used in cloud environments like AWS, Azure or GCP, in container environments like Kubernetes or even, in theory, with identity providers or SaaS tools.
This flexibility effectively means that this open source tool can be used by organizations to monitor everything from developer laptops to the identity authenticator devs use to sign in to services. It can get structured telemetry from SaaS apps and container instances where code is built and tested and from cloud services where the code is ultimately deployed and run. This can all be done from a single platform using a single tool.
Take a moment to think about how radical a departure this is for the security community. We’re used to buying single-use tools for each environment, each operating in its own silo with its own data model and its own set of rules. We then try to assimilate them into a stack and use an aggregator like a SIEM to pull all of the information together into a single source of truth. If a vendor of one of those products branches into another space, say an EDR vendor that moves into cloud workloads, it’s usually done with a bolt-on acquisition of another company or technology that is often poorly integrated and implemented, and the data is often difficult to access or piece together into a unified picture. Not surprisingly, this way of doing things has led to gaps in visibility, alert fatigue and frustration. This presents obvious challenges when today’s high-growth companies are relying on a complex innovation supply chain to produce the code that powers their technology.
The Future Looks Cloudy
The transition to the cloud is only accelerating, but with the industry’s attention focused on addressing the cloud threats that have been dominating the news, traditional endpoints are getting left behind. No matter how streamlined your cloud security platform is, if it doesn’t include endpoints like developer laptops or on-premises Linux servers, you are giving up crucial visibility into your innovation life cycle. With reduced visibility comes risk.
For many security leaders, osquery flies under the radar, or in some cases is not even on the map, as a solution to these problems. But it shouldn’t be. The ability of osquery to ingest and structure data so that it’s almost infinitely queryable is a superpower that can enable security teams to secure their entire ecosystem and future-proof their security stack. No matter what environments or operating systems your organization uses, osquery can help your security teams quickly and efficiently find the answers to almost any security, posture or configuration question. If you’re worried about the posture of endpoints, osquery can answer those questions. But it can also answer questions about lateral movement in container pods or misconfigurations in AWS.
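As an added illustration that is not part of the original article, here are four of those posture questions phrased in osquery’s SQL against its built-in tables (listening_ports, processes, users and yara are standard osquery tables; the YARA rule file path is an assumption):

```sql
-- Posture question 1: which processes are listening on non-loopback addresses,
-- and which binary and command line back each socket?
SELECT p.pid, p.name, p.path, p.cmdline, lp.address, lp.port, lp.protocol
FROM listening_ports AS lp
JOIN processes AS p USING (pid)
WHERE lp.port != 0
  AND lp.address NOT IN ('127.0.0.1', '::1');

-- Posture question 2: running processes whose executable no longer exists on
-- disk (on_disk = 0 on Linux), worth reviewing during threat hunting.
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE on_disk = 0;

-- Posture question 3: local accounts that can still log in interactively,
-- plus any account other than root that carries uid 0.
SELECT username, uid, gid, shell, directory
FROM users
WHERE shell NOT IN ('/usr/sbin/nologin', '/sbin/nologin', '/bin/false')
   OR (uid = 0 AND username != 'root');

-- Posture question 4: apply YARA rules to files under a directory through the
-- yara table. The sigfile path is assumed; point it at your own rule file.
SELECT path, matches, count, tags
FROM yara
WHERE path LIKE '/tmp/%'
  AND sigfile = '/etc/osquery/yara/example_rules.yar'
  AND count > 0;
```

Each statement runs as-is in the interactive osqueryi shell, or as a scheduled query in an osquery pack to turn the one-off check into recurring telemetry.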
Osquery is an open source tool that has the power to transform how we secure the cloud and makes a strong case for itself as one of the most powerful and flexible security solutions ever created.