Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Osquery, He Knows Me

Osquery, He Knows Me

This talk, aimed at everyone, highlights the journey from before Osquery in my time with the Etsy security team, and some of the tooling and problems we faced. The wrong decisions I've made, so you can learn from my foolish hubris. To a number of thousand deployment of Osquery (and fleet and some not so fleet) at Stripe.

Bea Hughes

May 31, 2018

More Decks by Bea Hughes

Other Decks in Technology


  1. Who's this clown? 2 • Security Engineer at Stripe. •

    Infrastructure security at Etsy. • Now has a commit in osquery, be afraid. • Once wore Mike Arpaia's pants to work, because he leC them in the office. 2 h$ps:/ /twi$er.com/skullmandible/status/411281851131523072 @benjammingh for QueryCon 2018 2
  2. What have the organisers unleashed?! • A lot of Genesis

    / Phil Collins references. • Some talk of osquery, probably. • Endpoint visibility And you may ask yourself, "Well... how did I get here?" @benjammingh for QueryCon 2018 3
  3. Enter BigMac 2012 Facebook talk of Big Mac "Checks most

    basic persistence op2ons" @benjammingh for QueryCon 2018 5
  4. Etsy security team • Roll on early 2013 • Etsy

    looking to make our own version • Standard development prac=ces apply @benjammingh for QueryCon 2018 9
  5. <projectname> is born • Python based (system python) • modular

    • persistent datastore (sqlite) • logs to disk, which then goes to splunk @benjammingh for QueryCon 2018 11
  6. Which then got released publicly (and /ever so slightly/ nerfed)

    as MIDAS, to rave reviews on HackerNews Also, a(er looking at the code, it's barely useful. — [deleted] 22 points 4 years ago @benjammingh for QueryCon 2018 13
  7. 2014 • Rich Smith adds a proper build system... •

    "Stealth mode" of no binaries on disk, by using pyinstaller (yes I know they're s@ll on disk) • I became the overprotec@ve maintainer of it. @benjammingh for QueryCon 2018 15
  8. "640K ought to be because of architectural limita6on of the

    IBM XT" • "Facebook has a whole floor of analysts, we have none, so Python is be9er than SQL for us." • "I want to be alerted when someone compromises something, not when I go looking for it." • "We already have something that works, lets just keep maintaining that." @benjammingh for QueryCon 2018 19
  9. "I was completely and u2erly wrong on every level" —

    Me @benjammingh for QueryCon 2018 23
  10. You don't have to always be right, but it's helpful

    to admit when you're wrong @benjammingh for QueryCon 2018 25
  11. being proud of code you write is different to being

    beholden to it @benjammingh for QueryCon 2018 27
  12. and that was the only catharsis that they could find

    without violence... @benjammingh for QueryCon 2018 28
  13. Doorman • rad, useful, easy to get going! • has

    a backing persistent storage, so queries get hunted down. • from looking at it, looked a solid architecture and in python @benjammingh for QueryCon 2018 34
  14. Doorman cont. • from looking at it, argh my eyes,

    burning... (okay, its very func9onal but not pre;y) • like everything at Stripe, customised forked version • which you could only access over SSH port forwarding @benjammingh for QueryCon 2018 35
  15. Fleet at Stripe • 1000s of endpoints. • mul2ple pla4orms.

    • phased roll out thanks to Munki • lots of exci2ng interes2ng queries! @benjammingh for QueryCon 2018 45
  16. Security and opera/ons and everything in between, be careful with

    that pride @benjammingh for QueryCon 2018 48
  17. Just because you own the code, don't let the code

    own you @benjammingh for QueryCon 2018 49
  18. • Twidder: @benjammingh • LinkedIn: lnkdin.me/p/benyeah • SpeakerDeck: speakerdeck.com/barnbarn •

    Stripe: Careers <--- Engineering blog @benjammingh for QueryCon 2018 52