In the year since we ported osquery to Windows, the operating system instrumentation and endpoint monitoring agent has attracted a great deal of attention in the open-source community and beyond. In fact, it recently received the 2017 O’Reilly Defender Award for best project.

Many large and leading tech firms have deployed osquery to do totally customizable and cost-effective endpoint monitoring. Their choice and subsequent satisfaction fuels others’ curiosity about making the switch.

But deploying new software to your company’s entire fleet is not a decision to be made lightly. That’s why we sought to take the pulse of the osquery community – to help current and potential users know what to expect. This marks the start of a four-part blog series that sheds light on the current state of osquery, its shortcomings and opportunities for improvement. Hopefully, the series will help those of you who are sitting on the fence decide if and how to deploy the platform in your companies.

For our research, we interviewed teams of osquery users at five major tech firms and asked:

- How is osquery deployed and used currently?
- What have been your biggest pain points about using osquery?
- What new features would you most like to see added?

This post will focus on current use of osquery and its benefits.

Market Penetration

How are companies using osquery today? Osquery’s affordability, flexibility, and cross-platform compatibility have quickly established its place in the endpoint monitoring toolkits of top tech firms. Since its debut in October 2014, over 1,000 users from more than 70 companies have engaged with the development community through its Slack channel and GitHub repo. In August, osquery developers at Facebook began offering bi-weekly office hours to discuss issues, new features, and design direction.

Users have increased due to a number of recent developments. Since contributors like Trail of Bits and Facebook have transformed osquery to support more operating systems (Windows and FreeBSD), a broader number of organizations are now able to install osquery on a greater portion of their endpoints. Multiple supplementary tools, such as Doorman, Kolide, and Uptycs, have emerged to help users deploy and manage the technology. Added functionality (e.g. process auditing and file integrity monitoring) has further enhanced its utility for incident response. Each of these developments has spurred more organizations with unique data and infrastructure needs to use osquery, sometimes in favor of competing commercial products.

Current Use

All the companies surveyed leveraged osquery for high performance and flexible monitoring of their fleets. Interviewees expressed particular interest in just-in-time incident response, including initial malware detection and identifying propagation. Many teams used osquery in conjunction with other open source and commercial technologies. Some used collection and aggregation services such as Splunk to mine data collected by osquery. One innovative team built incident alerting with osquery by piping log data into ElasticSearch and auto-generating Jira tickets through ElastAlert upon anomaly detection. Most of the companies interviewed expected to phase out some paid services, especially costly suites (e.g. Carbon Black, Tripwire, Red Cloak), in favor of the current osquery build or upon addition of new features.

Deployment Maturity

Deployment maturity for osquery varied widely. One company reported being at the phase of testing and setting up infrastructure. Other companies had osquery deployed on most or all endpoints in their fleets, including one team who reported plans to roll out to 17,500 machines. Three out of the five companies we interviewed had osquery deployed on production servers. However, one of these companies reported having installed osquery on production machines but rarely querying these endpoints due to concerns about osquery’s reliability and scalability. Runaway queries on production fleets were a major concern for all companies interviewed, though no production performance incidents were reported. Most companies used Chef or Puppet to deploy, configure, and manage osquery installations on their endpoints.