Osquery, He Knows Me

Transcript

1. @benjammingh for QueryCon 2018 1

2. Who's this clown? 2 • Security Engineer at Stripe. •

   Infrastructure security at Etsy. • Now has a commit in osquery, be afraid. • Once wore Mike Arpaia's pants to work, because he leC them in the office. 2 h$ps:/ /twi$er.com/skullmandible/status/411281851131523072 @benjammingh for QueryCon 2018 2

3. What have the organisers unleashed?! • A lot of Genesis

   / Phil Collins references. • Some talk of osquery, probably. • Endpoint visibility And you may ask yourself, "Well... how did I get here?" @benjammingh for QueryCon 2018 3

4. Actually Mac visibility @benjammingh for QueryCon 2018 4

5. Enter BigMac 2012 Facebook talk of Big Mac "Checks most

   basic persistence op2ons" @benjammingh for QueryCon 2018 5
6. None

7. ENHANCE! Huh? This looks familiar... @benjammingh for QueryCon 2018 7

8. Meanwhile, back at stately Wayne Manor @benjammingh for QueryCon 2018

   8

9. Etsy security team • Roll on early 2013 • Etsy

   looking to make our own version • Standard development prac=ces apply @benjammingh for QueryCon 2018 9
10. None

11. <projectname> is born • Python based (system python) • modular

    • persistent datastore (sqlite) • logs to disk, which then goes to splunk @benjammingh for QueryCon 2018 11

12. Scroll forward to December 2013 @benjammingh for QueryCon 2018 12

13. Which then got released publicly (and /ever so slightly/ nerfed)

    as MIDAS, to rave reviews on HackerNews Also, a(er looking at the code, it's barely useful. — [deleted] 22 points 4 years ago @benjammingh for QueryCon 2018 13

14. Mike -> Facebook Zane -> Signal Sciences @benjammingh for QueryCon

    2018 14

15. 2014 • Rich Smith adds a proper build system... •

    "Stealth mode" of no binaries on disk, by using pyinstaller (yes I know they're s@ll on disk) • I became the overprotec@ve maintainer of it. @benjammingh for QueryCon 2018 15

16. Etsy security ❤ Facebook security @benjammingh for QueryCon 2018 16

17. Mike Arpaia @benjammingh for QueryCon 2018 17

18. None

19. "640K ought to be because of architectural limita6on of the

    IBM XT" • "Facebook has a whole floor of analysts, we have none, so Python is be9er than SQL for us." • "I want to be alerted when someone compromises something, not when I go looking for it." • "We already have something that works, lets just keep maintaining that." @benjammingh for QueryCon 2018 19

20. So what happened? @benjammingh for QueryCon 2018 20

21. @benjammingh for QueryCon 2018 21

22. None

23. "I was completely and u2erly wrong on every level" —

    Me @benjammingh for QueryCon 2018 23

24. So why are we even listening to you again? @benjammingh

    for QueryCon 2018 24

25. You don't have to always be right, but it's helpful

    to admit when you're wrong @benjammingh for QueryCon 2018 25

26. Don't Get A*ached To Your Code @benjammingh for QueryCon 2018

    26

27. being proud of code you write is different to being

    beholden to it @benjammingh for QueryCon 2018 27

28. and that was the only catharsis that they could find

    without violence... @benjammingh for QueryCon 2018 28

29. @benjammingh for QueryCon 2018 29

30. Osquery @benjammingh for QueryCon 2018 30

31. If leaving me is Etsy @benjammingh for QueryCon 2018 31

32. We had osquery % osqueryi --version osqueryi version 2.2.3 @benjammingh

    for QueryCon 2018 32

33. @benjammingh for QueryCon 2018 33

34. Doorman • rad, useful, easy to get going! • has

    a backing persistent storage, so queries get hunted down. • from looking at it, looked a solid architecture and in python @benjammingh for QueryCon 2018 34

35. Doorman cont. • from looking at it, argh my eyes,

    burning... (okay, its very func9onal but not pre;y) • like everything at Stripe, customised forked version • which you could only access over SSH port forwarding @benjammingh for QueryCon 2018 35

36. kolide/fleet Was just kolide back then, commercial offering @benjammingh for

    QueryCon 2018 36

37. How does fleet work? @benjammingh for QueryCon 2018 37

38. None
39. None

40. logs

41. { "cake": "eccles", "coffee": "long black", "serialisation": "ASN1" } @benjammingh

    for QueryCon 2018 41

42. ELK @benjammingh for QueryCon 2018 42

43. @benjammingh for QueryCon 2018 43

44. @benjammingh for QueryCon 2018 44

45. Fleet at Stripe • 1000s of endpoints. • mul2ple pla4orms.

    • phased roll out thanks to Munki • lots of exci2ng interes2ng queries! @benjammingh for QueryCon 2018 45

46. Ben, it's lunch soon, wrap this up! — everyone @benjammingh

    for QueryCon 2018 46

47. Fine, lets Neal Stephenson this slide show! — me @benjammingh

    for QueryCon 2018 47

48. Security and opera/ons and everything in between, be careful with

    that pride @benjammingh for QueryCon 2018 48

49. Just because you own the code, don't let the code

    own you @benjammingh for QueryCon 2018 49

50. Community @benjammingh for QueryCon 2018 50

51. Lunch! @benjammingh for QueryCon 2018 51

52. • Twidder: @benjammingh • LinkedIn: lnkdin.me/p/benyeah • SpeakerDeck: speakerdeck.com/barnbarn •

    Stripe: Careers <--- Engineering blog @benjammingh for QueryCon 2018 52