
Osquery, He Knows Me

This talk, aimed at everyone, follows the journey from before osquery, in my time with the Etsy security team, through some of the tooling and problems we faced and the wrong decisions I've made (so you can learn from my foolish hubris), to a deployment of osquery (and Fleet, and some not so Fleet) across thousands of endpoints at Stripe.

Bea Hughes

May 31, 2018

Transcript

  1. @benjammingh for QueryCon 2018 1

  2. Who's this clown?
    • Security Engineer at Stripe.
    • Infrastructure security at Etsy.
    • Now has a commit in osquery, be afraid.
    • Once wore Mike Arpaia's pants to work, because he left them in the office.
    https://twitter.com/skullmandible/status/411281851131523072

  3. What have the organisers unleashed?!
    • A lot of Genesis / Phil Collins references.
    • Some talk of osquery, probably.
    • Endpoint visibility. And you may ask yourself, "Well... how did I get here?"

  4. Actually Mac visibility

  5. Enter BigMac
    2012 Facebook talk of Big Mac
    "Checks most basic persistence options"

  7. ENHANCE!
    Huh? This looks familiar...

  8. Meanwhile, back at stately Wayne Manor

  9. Etsy security team
    • Roll on early 2013
    • Etsy looking to make our own version
    • Standard development practices apply

  11. is born
    • Python based (system python)
    • modular
    • persistent datastore (sqlite)
    • logs to disk, which then goes to splunk

  12. Scroll forward to December 2013

  13. Which then got released publicly (and /ever so slightly/ nerfed) as MIDAS, to rave reviews on HackerNews
    Also, after looking at the code, it's barely useful.
    — [deleted] 22 points 4 years ago

  14. Mike -> Facebook
    Zane -> Signal Sciences

  15. 2014
    • Rich Smith adds a proper build system...
    • "Stealth mode" of no binaries on disk, by using pyinstaller (yes I know they're still on disk)
    • I became the effective maintainer of it.

  16. Etsy security

    Facebook security

  17. Mike Arpaia

  19. "640K ought to be because of architectural limitation of the IBM XT"
    • "Facebook has a whole floor of analysts, we have none, so Python is better than SQL for us."
    • "I want to be alerted when someone compromises something, not when I go looking for it."
    • "We already have something that works, let's just keep maintaining that."

  20. So what happened?

  23. "I was completely and utterly wrong on every level"
    — Me

  24. So why are we even listening to you again?

  25. You don't have to always be right, but it's helpful to admit when you're wrong

  26. Don't Get Attached To Your Code

  27. being proud of code you write is different to being beholden to it

  28. and that was the only catharsis that they could find without violence...

  30. Osquery

  31. If leaving me is Etsy

  32. We had osquery
    % osqueryi --version
    osqueryi version 2.2.3

  34. Doorman
    • rad, useful, easy to get going!
    • has a backing persistent storage, so queries get hunted down.
    • from looking at it, it looked like a solid architecture, and in Python

  35. Doorman cont.
    • from looking at it, argh my eyes, burning... (okay, it's very functional but not pretty)
    • like everything at Stripe, customised forked version
    • which you could only access over SSH port forwarding

  36. kolide/fleet
    Was just kolide back then, commercial offering

  37. How does fleet work?
  40. logs

  41. {
    "cake": "eccles",
    "coffee": "long black",
    "serialisation": "ASN1"
    }

  42. ELK

  45. Fleet at Stripe
    • 1000s of endpoints.
    • multiple platforms.
    • phased roll-out thanks to Munki.
    • lots of exciting, interesting queries!

  46. Ben, it's lunch soon, wrap this up!
    — everyone

  47. Fine, let's Neal Stephenson this slide show!
    — me

  48. Security and operations and everything in between, be careful with that pride

  49. Just because you own the code, don't let the code own you

  50. Community

  51. Lunch!

  52. • Twidder: @benjammingh
    • LinkedIn: lnkdin.me/p/benyeah
    • SpeakerDeck: speakerdeck.com/barnbarn
    • Stripe: Careers <--- Engineering blog