Turn on the lights

Transcript

1. Postman Galaxy, 2021 Turn on the lights ✨ Mike McNeil

2. Nothing to hide

3. Your servers.

4. Your work laptop.

5. Your smartphone.

6. What can your employer see? Nothing to hide • Vulnerable

   packages, ex fi ltrated Google docs • Installed apps, running processes • Screen lock status, hours spent online • Files on your desktop? 🤷 • Browser history? 🤷 • Every keystroke? 🤷

7. Keyloggers c. 2001

8. Keyloggers c. 2001 • Run an .exe to generate an

   agent. • Trick someone into installing the agent on their device. • Every 30m, receive an email with everything they've typed. • Everything.

9. Keyloggers c. 2001 • So easy to get someone to

   run an .exe fi le.

10. Keyloggers c. 2001 • Uh oh.

11. 20 years later Not much has changed

12. Device management agents c. 2021 • Run software to generate

    agents. • Install the agents on all your servers and employee devices. • Every 30m, IT/Sec receives an email with everything you've typed..? • What are these agents doing? • How do we know? • Aren't we supposed to be pursuing "Zero Trust"?

13. Transparency

14. Transparency How do we get there? • Start with the

    agent

15. Building a better agent Priorities • Ubiquitous • Lightweight 🐾

    • Open 🖨
16. None

17. Zach Wasserman CTO

18. Zach Wasserman Co-creator

19. None
20. None

21. osquery One agent to rule them all • Lightweight 🐾

    • Open 🖨 • Ubiquitous

22. osquery (cont.) Key innovation: SQL • 50 years of maturity

    • SQLite (query planner + SQL parser) • Virtual tables that describe devices

23. Beyond the agent

24. What else do we need? • Manageability • Interoperability •

    Trust Certainty Beyond the agent
25. None
26. None

27. Open source

28. Mike McNeil Creator & BDFL

29. Open core

30. Any log destination

31. None

32. Interoperability

33. - Brendan Shaklovitz "I use Fleet to manage thousands of

    hosts, develop better queries, and get the most out of osquery logs."

34. Roadmap H1 2021 • Teams (RBAC) • Auto-updates • Vulnerability

    management • Baseline queries available out of the box • Shareable compliance reporting & goal tracking • Query performance monitoring

35. Roadmap (cont.) H1 2021 • More fl exible con fi

    g (startup fl ags, etc) • Search • Deep links • Activity feed • Easier, faster deployments

36. • Fleet Device API (chromebooks, etc) • Standard library (Fleet's

    recommended queries) • Tickets (ServiceNow GRC, JIRA) • gRPC Roadmap (cont.) H1 2021

37. • Custom osquery extension deployment ("R"»»"EDR") • Fleet Desktop (turn

    on self-remediation, scope & audit transparency) Roadmap (cont.) H2 2021

38. Is it any good?

39. Read more: fl eetdm.com Twitter: @ fl eetctl Contribute: fl

    eetdm/ fl eet