
Turn on the lights

Mike McNeil
February 04, 2021


Learn how to tap into what your employer sees using Postman + osquery, an open source agent that lets you ask questions about devices like laptops, servers, and Docker containers in SQL.

> Note from Mike:
> To try out the "Is it any good?" demo for yourself, head over to:
> https://fleetdm.com


Transcript

  1. Postman Galaxy, 2021 Turn on the lights ✨ Mike McNeil

  2. Nothing to hide

  3. Your servers.

  4. Your work laptop.

  5. Your smartphone.

  6. What can your employer see? Nothing to hide • Vulnerable packages, exfiltrated Google docs • Installed apps, running processes • Screen lock status, hours spent online • Files on your desktop? 🤷 • Browser history? 🤷 • Every keystroke? 🤷
  7. Keyloggers c. 2001

  8. Keyloggers c. 2001 • Run an .exe to generate an agent. • Trick someone into installing the agent on their device. • Every 30m, receive an email with everything they've typed. • Everything.
  9. Keyloggers c. 2001 • So easy to get someone to run an .exe file.
  10. Keyloggers c. 2001 • Uh oh.

  11. 20 years later Not much has changed

  12. Device management agents c. 2021 • Run software to generate agents. • Install the agents on all your servers and employee devices. • Every 30m, IT/Sec receives an email with everything you've typed...? • What are these agents doing? • How do we know? • Aren't we supposed to be pursuing "Zero Trust"?
  13. Transparency

  14. Transparency How do we get there? • Start with the agent
  15. Building a better agent Priorities • Ubiquitous • Lightweight 🐾 • Open 🖨
  17. Zach Wasserman CTO

  18. Zach Wasserman Co-creator

  21. osquery One agent to rule them all • Lightweight 🐾 • Open 🖨 • Ubiquitous
  22. osquery (cont.) Key innovation: SQL • 50 years of maturity • SQLite (query planner + SQL parser) • Virtual tables that describe devices
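The questions from slide 6 ("what can your employer see?") and slide 12 ("what are these agents doing?") are just SQL against osquery's virtual tables. The queries below are an added example, not part of the deck and not Fleet's standard library; table and column names are osquery's, but they are assumed to match the schema of the osquery release installed (the schema changes between versions, so check with `.schema <table>` in osqueryi before relying on a column). `deb_packages` exists only on Debian-family Linux and `screenlock` only on macOS; the other tables are cross-platform.

```sql
-- Running processes, joined to the account that owns each one.
SELECT p.pid, p.name, p.path, u.username
FROM processes AS p
LEFT JOIN users AS u ON u.uid = p.uid
ORDER BY p.pid;

-- Processes bound to a network port: what on this device is actually talking to the outside.
-- lp.protocol is numeric (6 = TCP, 17 = UDP).
SELECT p.name, p.path, lp.port, lp.protocol, lp.address
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
WHERE lp.port != 0
ORDER BY lp.port;

-- Installed packages with versions: the raw input a server like Fleet matches against vulnerability data.
-- Debian-family table shown; use rpm_packages, apps (macOS) or programs (Windows) elsewhere.
SELECT name, version, arch
FROM deb_packages
ORDER BY name;

-- Screen lock policy on the device (macOS-only table).
SELECT enabled, grace_period
FROM screenlock;

-- Transparency in the other direction: the agent reports every scheduled query it runs,
-- how often, and what each one has cost the device so far.
SELECT name, query, interval, executions, last_executed, output_size, wall_time, average_memory
FROM osquery_schedule
ORDER BY wall_time DESC;
```

Run any of these interactively in `osqueryi` on your own laptop to see exactly the data an enrolled agent would report; the last query is the one to start with when the question is not "what can they see?" but "what are they asking?".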
  23. Beyond the agent

  24. Beyond the agent What else do we need? • Manageability • Interoperability • Trust Certainty
  27. Open source

  28. Mike McNeil Creator & BDFL

  29. Open core

  30. Any log destination

  32. Interoperability

  33. "I use Fleet to manage thousands of hosts, develop better queries, and get the most out of osquery logs." - Brendan Shaklovitz
  34. Roadmap H1 2021 • Teams (RBAC) • Auto-updates • Vulnerability management • Baseline queries available out of the box • Shareable compliance reporting & goal tracking • Query performance monitoring
  35. Roadmap (cont.) H1 2021 • More flexible config (startup flags, etc) • Search • Deep links • Activity feed • Easier, faster deployments
  36. Roadmap (cont.) H1 2021 • Fleet Device API (chromebooks, etc) • Standard library (Fleet's recommended queries) • Tickets (ServiceNow GRC, JIRA) • gRPC
  37. Roadmap (cont.) H2 2021 • Custom osquery extension deployment ("R" »» "EDR") • Fleet Desktop (turn on self-remediation, scope & audit transparency)
  38. Is it any good?

  39. Read more: fleetdm.com Twitter: @fleetctl Contribute: fleetdm/fleet