Since the very first release back in 2014, osquery has offered strong support for Ubuntu and CentOS. This ushered in instant value for teams responsible for securing cloud-based Linux workloads.
And even though it's not exactly a turnkey tool, osquery is highly extensible and exposes a great deal of data. This has led to many clever use cases and extensions supporting the cloud-native security needs of organizations that were early adopters of osquery. One of my favorite examples is Airbnb's StreamAlert: a serverless, real-time data analysis framework that can leverage osquery to better secure environments at cloud scale and complexity.
As fellow early adopters, we recognized this and wanted to create a forum where participants can share their stories of innovation. That's when osquery@scale was conceived and finally brought into production in 2020. Since then we've been graced with several presentations that represent the best of cloud security tooling.
Cloud Incident Response
Incident response in the cloud borrows some, but not all, of the controls of traditional IR. And although familiar techniques are in play, the cloud IR tooling is largely different. Used to looking through account-level events? Now you're combing CloudTrail logs. Browsing NetFlow records? Better get familiar with VPC Flow Logs.
This presentation, "Making Incident Response in the Cloud Less Painful," orients the audience around a cloud IR scenario in which native AWS security tools would be used during the investigation. Ryan Nolette, co-author of AWS Detective, SANS Instructor, and Lead Nacho Historian, then demonstrates how osquery can be used to expedite that very same IR scenario.
Not only is Ryan able to successfully triage the event on his host, he’s able to expand the scope beyond a single asset and immediately triage his entire environment for associated IOCs.
Video 1: Making incident response in the cloud less painful with osquery
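The "triage on one host, then expand to the whole environment" step above comes down to running the same osquery SQL against many endpoints. The two queries below are an added example, not code from Ryan's talk or from the osquery project: the first checks whether any running process was launched from a binary matching a known-bad SHA-256, the second checks for an open socket to a suspected command-and-control address. The hash and the IP are constructed placeholders, and the table and column names (processes, hash, process_open_sockets) are the standard osquery schema.

```sql
-- Added example (not from the talk or the osquery project): two osquery
-- queries a responder can run interactively on one host with osqueryi, or
-- distribute to every enrolled host as a scheduled or live query.
-- The SHA-256 and the IP address below are constructed placeholders.

-- 1. Running processes whose on-disk binary matches an IOC hash.
--    The hash table is joined on path so osquery only hashes the binaries
--    that are actually executing, rather than walking the filesystem.
SELECT p.pid, p.name, p.path, p.cmdline, h.sha256
FROM processes AS p
JOIN hash AS h ON h.path = p.path
WHERE h.sha256 IN (
  '0000000000000000000000000000000000000000000000000000000000000000'  -- placeholder IOC
);

-- 2. Processes holding a socket to a suspected C2 address (203.0.113.10 is a
--    documentation-range placeholder, not a real indicator).
SELECT p.pid, p.name, p.path, s.remote_address, s.remote_port, s.state
FROM process_open_sockets AS s
JOIN processes AS p ON p.pid = s.pid
WHERE s.remote_address = '203.0.113.10';
```

Run against a single host, these answer "is this box affected?"; pushed out through a fleet manager as a query pack, the identical SQL answers "where else is it?", which is the scope expansion the talk describes. Because osquery returns results as plain rows, the output can be shipped to the same log pipeline (StreamAlert, a SIEM) that already ingests CloudTrail and VPC Flow Logs, so host-level findings land next to the account-level evidence.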
This workflow might ring a bell: developers building on their local IDEs, pushing through a CI/CD pipeline into a containerized workload running in Kubernetes clusters.
For Ethos and their VP of Security, Ody Lupescu, that’s the norm. As such, they developed a growing need to improve container observability and empower developer productivity.
This presentation showcases how osquery plays a hand in supporting their Security, DevOps, IT, and developer teams in two key ways:
Tracing containers/workloads from developer workstations to staging to production and everywhere else in the environment
Troubleshooting performance issues on local developer workstations, and alleviating pain points around the development pipeline
Video 2: Understanding events: How we're building end-to-end contextual observability with osquery
osquery@scale: Risk Reduction for Modern Defenders
The third annual osquery@scale is just around the corner, and with last year's releases of kubequery and cloudquery, we're excited about the potential for even more osquery engineering marvels of cloud security.
It’s going to be a packed two days, so regardless of where you are on your osquery journey there will be something for both security practitioners and leadership. As an added bonus, this year’s event will feature even more workshops and networking opportunities. So, mark your calendars for September 14th and 15th and meet us in San Francisco on the water at The Exploratorium.
Tickets are still available. Hope to see you there.