Uptycs provides a SaaS and on-prem osquery-powered security analytics platform for security engineers, site reliability engineers, incident response teams and IT professionals to secure and monitor their endpoint fleets (MacOS, Windows) and server workloads (Linux, containers). The Uptycs Security Analytics Platform leverages the open-source Facebook osquery agent as a universal agent and combines it with novel methods to provide security analytics using a purpose-built data processing pipeline optimized for security.

One can think of this data processing pipeline as the “Trifecta” of scalable security, combing the very best elements of a world-class security solution. To implement the Trifecta of Security @ Scale, the Uptycs Security Analytics Platform data processing pipeline is decomposed into Collect, Aggregate, and Analyze stages.Screen Shot 2019-09-03 at 11.07.36 AM
of data at scale that provides the right context is key to any analytics solution. To that end, Uptycs leverages osquery as a universal open source agent. It converts the OS runtime and configured state into a series of virtualized tables that can be queried using SQL. Osquery is among the top rated open source projects in the security showcase on GitHub. It also allows for ad-hoc investigation and capture of OS-based behavioral telemetry as relational tables. This lays a clean and solid foundation for collecting contextual data for multiple use cases, making it an ideal universal open source agent.

Trifecta_CollectWith deep OS and security engineering expertise, Uptycs is dedicated to making osquery enterprise-grade by hardening the implementation and adding the necessary features. Some of the key contributions from Uptycs include submitting 15 new tables for Docker-container visibility, support for AWS introspection, enhancing secure TLS transport, and leveraging HTTP2.0 for efficient management and data aggregation. Uptycs has additionally hardened the implementation to ensure that it can capture the system behavior and transport captured events in real time. With the hardening and enterprise-grade capabilities, osquery-powered telemetry collection is the first component of the Uptycs Security @ Scale trifecta.

Aggregation is a key requirement for any streaming analytics solution. While osquery provides rich contextual telemetry for multiple security use cases, by default, it does not generate telemetry unless configured and, when it does generate telemetry, you have to implement a scalable mechanism to transmit the telemetry back to the analytics platform. An interesting trait of osquery is that its control and data planes can be implemented over HTTP/TLS. In other words, osquery can be configured to behave like a web browser and, as a result, its connectivity and behavior are firewall friendly. Leveraging osquery TLS/HTTP connectivity, Uptycs has built a scale-out backend for EDR, modeled after Content Delivery Networks (CDNs) and aptly called an Endpoint Detection Network (EDN).

Trifecta_AggregateUptycs EDN aggregation scales similar to how web-scale companies securely deliver content, email and other services over the Internet using standards-based protocols like HTTP/TLS/DNS. These aggregation techniques along with IP from Uptycs allow users to issue ad-hoc queries to get better visibility and understanding of their vulnerability posture. By aggregating the data using streaming and applying in-stream processing analytics provided by Uptycs, security teams are able to generate high-fidelity alerts with rich context to speed up investigations for SOC and CSIRT functions. HTTP/TLS-based aggregation support is the second component of the Uptycs Security @ Scale trifecta. 

Analysis at scale entails having instant access to information and the ability to do rapid correlation and provide high-fidelity analytics. Uptycs has standardized its platform on SQL to leverage the proven ability and ubiquity of SQL. From the source (osquery) to the sink (data lake), everything in the pipeline is structured. Leveraging the structured nature of the data processing pipeline, Uptycs has developed a purpose-built security analytics platform. Following TLS-based aggregation at scale, the platform decouples ingestion and analytics to apply its IP to massively compress the data and simultaneously format it for rapid analytics and ad-hoc querying using SQL. Decoupling the ingestion, compression and storage of massive amounts of structured telemetry using time-based indexing allows Uptycs to provide flight recorder analytics at unprecedented scale. The analytics on the platform is then performed via a specialized distributed SQL-engine to provide aggregate SQL and historical data analytics. In other words, Uptycs has built a specialized osquery data lake.  The SQL-powered osquery data lake for high-fidelity security analytics is the third component of the Uptycs Security @ Scale trifecta. 

Trifecta_AnalyzeSummary Uptycs provides an osquery-powered security analytics platform that is built for scale and visibility. Its capabilities are built on proven techniques in real-time decision analytics and SQL-powered aggregate analytics. The solution is offered as SaaS for any organization and is deployable on-prem for large enterprises. Security and IT professionals embrace and appreciate the correlation and standardization around SQL. The ability to go into production at scale from one to over 10,000 assets in matter of hours is unprecedented and meets the mandate of demanding workloads, especially in the cloud. The three key foundational components of the Uptycs data processing pipeline, Collect, Aggregate, and Analyze, are the Trifecta of Security @ Scale.

Trifecta of Security @ Scale

Screen Shot 2019-09-03 at 11.07.36 AM

Screen Shot 2019-09-03 at 11.16.04 AM