Late last week cybersecurity company Red Canary published an article revealing a new strain of macOS malware they discovered. Looking at data provided by Malwarebytes they determined that this new malware, which they dubbed “Silver Sparrow,” had already infected nearly 30,000 macOS endpoints around the world.
The following is adapted from Ryan Mack’s talk “Containers and osquery,” presented at osquery@scale ‘21. Ryan’s full presentation is available at the end of this piece.
We need as much visibility as possible into everything going on in our containers to effectively detect security problems in container-based environments. We also need to apply the unique properties of containers to create high-fidelity detection rules.
Osquery can meet both of these needs.
With the shift toward cloud computing, many organizations have at least some footprint in the cloud. Thus it becomes important to secure both your on-prem and cloud infrastructure.
Cloudquery, which runs as an extension of osquery, simplifies the visualization and monitoring of all your cloud resources. It creates a seamless integration of cloud telemetry with the rest of your osquery-powered telemetry.
Osquery has made a tremendous positive impact in the fields of operating system observability and security analytics. It is widely used for fleet management, incident response, real-time monitoring, and for numerous other cases. While osquery became a de facto standard for IT and security teams in many organizations, Kubernetes (K8s) was emerging as a popular platform for containerized application orchestration and deployment.
Osquery has grown in popularity because of its broad applicability in enterprise environments. What’s next for the open source project?
Organizations should transition EC2 instances to use Instance Metadata Service Version 2 (IMDSv2) because IMDSv1 is susceptible to server-side request forgery (SSRF) attacks. Uptycs customers should be cautious about enabling the curl table in osquery. Uptycs has updated our version of osquery to work with IMDSv2, and we’ve implemented a rule to help customers identify EC2 instances using the vulnerable metadata service.