How osquery can lift your security team's game

Peering into an organization's IT infrastructure in real time is essential for security analysts searching for malicious activity. One tool that does just that, and that is gaining popularity among DevSecOps practitioners, is osquery.

Osquery (pronounced OS-kwery) was developed by Facebook to make low-level operating system monitoring on endpoints and servers easier for its security team. Facebook made the tool an open-source project in 2014.

Osquery lets you collect operating system information, such as network, memory, service, process activity, and configurations on a scheduled basis, or you can query in real-time with the widely used Structured Query Language (SQL).

An osquery agent needs to be deployed on your organization's endpoints and servers, and some back-end modifications are required. But once that's done, you can run SQL queries against your endpoints.

Fernando Montenegro, a senior analyst with 451 Research, sums up the value to security teams:

"Conceptually, it's very simple, but it's very powerful because it takes care of all the plumbing you need to connect to the agent and do authentication."
Fernando Montenegro

Here's how osquery can benefit your security team.


A cloud-native security tool

Osquery was born out of the need for a security solution that addressed the demands of companies with cloud-native environments. Most of their servers were running on Linux in public and private clouds, and most of their developers were on Macs.

The existing commercial security market was aimed at—and still mostly is—Windows and traditional enterprise infrastructure, said Doug Wilson, director of security for Uptycs, which makes an osquery-based security platform.

"Most security companies that now offer Mac and Linux are doing it in a checkbox fashion and have only a tiny fraction of the resources devoted to these new operating systems, compared to the vast engineering teams they have working on Windows products."
Doug Wilson

Since osquery was designed for companies with newer types of infrastructure, and because it offers an array of benefits those companies find enticing, it is being embraced by businesses that work at scale, including Lyft, Netflix, Etsy, Salesforce, and others.

Cross-platform support

An especially attractive aspect of osquery is that it works across platforms. "You can provide one primary interface via SQL for system-level information for multiple operating systems," said Alexander Hoole, head of software security research at Micro Focus. That means you can use an SQL query fashioned for osquery to collect data from Linux, macOS, and Windows.

Osquery was originally created for macOS and Linux, with Windows support added later, and that has created complications for Windows users. "There are still a lot of things that are easier on Mac and Linux than they are on Windows," 451's Montenegro said.

Some of the tables osquery exposes to SQL are tied to features of a particular operating system, which makes queries against them operating system-specific, too. Take, for example, a query written to find kernel-loadable modules. "You are only going to be able to find out the kernel modules loaded on a Linux box because the notion of a kernel-loadable module doesn't exist in macOS," Hoole explained.

Customization comes easy

Osquery fans also like the tool's breadth of functionality and ease of customization. "If a developer wants to add new functionality that is not easily added to the osquery core code, they can write and test an extension, and deploy that new functionality alongside osquery in a fraction of the time it would take to get a feature added into a traditional security product," Uptycs' Wilson said.

"Although osquery will never do everything that a security team needs, it gets about 80% of what you need for endpoint insight in one package."
—Doug Wilson

What's more, there's the added benefit that SQL can be used instead of dozens of esoteric system commands with different syntaxes, command switches, and types of output. "Instead of having to learn a custom API or custom interface, you can just write SQL queries against tables to retrieve information about systems," Micro Focus' Hoole said.

For instance, a query could be written to flag servers with a root login within a certain time frame. You can use access to that kind of user session data to see where and when specific logins are occurring within your organization's infrastructure. This is important when performing an audit of a system or investigating a breach.

You can also write queries for discovering primary disks that are unencrypted on a system or processes running without a binary on disk. The encryption query could reveal information that should be encrypted and isn't, an important consideration for compliance. The process query could reveal a system breach, as attackers often run a malicious process after destroying its binary on disk.
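The three queries described above, written out as osquery SQL. This is an added example, not code from the article or from the osquery project; it uses the osquery tables `last`, `mounts`, `disk_encryption`, `processes` and `users`, and assumes the `mounts.device_alias` to `disk_encryption.name` join matches device naming on the host being queried.

```sql
-- 1. Root logins in the last 24 hours.
--    The `last` table reads the system's login records; type 7 is a
--    USER_PROCESS entry, i.e. an actual interactive login rather than a
--    reboot or shutdown marker. `time` is a Unix epoch integer.
SELECT username,
       tty,
       host,
       datetime(time, 'unixepoch') AS login_at
FROM last
WHERE username = 'root'
  AND type = 7
  AND time > (strftime('%s', 'now') - 86400)
ORDER BY time DESC;

-- 2. Primary disk mounted at / that is not encrypted.
--    `disk_encryption.encrypted` is 1 when the volume is encrypted and
--    0 otherwise; joining through `mounts` ties that flag to the root
--    filesystem. The join key is an assumption: check that the device
--    names in both tables match on your platform before scheduling this.
SELECT m.path,
       m.device,
       d.name      AS volume,
       d.type      AS encryption_type,
       d.encrypted
FROM mounts m
JOIN disk_encryption d ON d.name = m.device_alias
WHERE m.path = '/'
  AND d.encrypted = 0;

-- 3. Running processes whose executable no longer exists on disk.
--    `processes.on_disk` is 1 when the path exists, 0 when it does not,
--    and -1 when osquery could not tell; only a definite 0 is reported
--    so kernel threads and unreadable paths do not produce noise.
SELECT p.pid,
       p.parent,
       p.name,
       p.path,
       p.cmdline,
       u.username
FROM processes p
LEFT JOIN users u ON u.uid = p.uid
WHERE p.on_disk = 0
ORDER BY p.pid;
```

Any of these can be run interactively in osqueryi or placed in a scheduled query pack so the results are logged and forwarded to a SIEM; a non-empty result from query 3 is worth treating as an incident response trigger rather than a compliance finding.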

Less friction a factor

Osquery can also give security teams a deep, rich set of endpoint data that they can process for security purposes. For example, you can use osquery to see what's happening on endpoints by logging multiple types of events.

That information, in turn, could be forwarded to a SIEM or other correlation system for analysis. "If security teams didn't have osquery, they would have to find a way to manually go into each endpoint and gather data, or buy a third-party tool to do that for them," 451's Montenegro said.

Osquery is also a "polite" tool. "It is less invasive on the endpoint than many security technologies, so there is often less friction to deploying it," Uptycs' Wilson said.

In addition to being a cross-platform tool, osquery works across virtual platforms, too. "It can be easily deployed across the large majority of modern environments, and retrieve rich data across this entire spectrum," Wilson said. You can answer questions that drive compliance and vulnerability management, the foundation and starting point of many security programs.

"In turn this allows security teams to address a wide variety of concerns with the same tool."
—Doug Wilson

At the same time, more mature security organizations can conduct some parts of incident response investigations and hunting operations without having to install a bunch of different software, Wilson added.

Count on continuous improvement

The osquery community is continuing to improve the technology by making it work better with Windows and by working on ways to keep the osquery agent from becoming a resource hog.

And while some endpoint security providers may see osquery as a threat to their livelihood, it doesn't have to be that way. "It can be an opportunity for vendors to use osquery within their own tools and agents," Montenegro said. "We're starting to see some of that bubbling up through endpoint security vendors now."

Organizations comfortable with DevOps and automation, though, will benefit the most from osquery. "In some cases, they may be able to make osquery a big part of their endpoint security architecture," Montenegro said.
