
Turn on the lights

Mike McNeil
February 04, 2021


Learn how to tap into what your employer sees using Postman + osquery, an open source API for asking questions about devices like laptops, servers, and Docker containers.

> Note from Mike:
> To try out the "Is it any good?" demo for yourself, head over to:
> https://fleetdm.com


Transcript

  1. Postman Galaxy, 2021
    Turn on the lights ✨
    Mike McNeil

  2. Nothing to hide

  3. Your servers.

  4. Your work laptop.

  5. Your smartphone.

  6. What can your employer see?
    Nothing to hide
    • Vulnerable packages, exfiltrated Google docs
    • Installed apps, running processes
    • Screen lock status, hours spent online
    • Files on your desktop? 🤷
    • Browser history? 🤷
    • Every keystroke? 🤷

  7. Keyloggers
    c. 2001

  8. Keyloggers
    c. 2001
    • Run an .exe to generate an agent.
    • Trick someone into installing the agent on their device.
    • Every 30m, receive an email with everything they've typed.
    • Everything.

  9. Keyloggers
    c. 2001
    • So easy to get someone to run an .exe file.

  10. Keyloggers
    c. 2001
    • Uh oh.

  11. 20 years later
    Not much has changed

  12. Device management agents
    c. 2021
    • Run software to generate agents.
    • Install the agents on all your servers and employee devices.
    • Every 30m, IT/Sec receives an email with everything you've typed..?
    • What are these agents doing?
    • How do we know?
    • Aren't we supposed to be pursuing "Zero Trust"?

  13. Transparency

  14. Transparency
    How do we get there?
    • Start with the agent

  15. Building a better agent
    Priorities
    • Ubiquitous
    • Lightweight 🐾
    • Open 🖨

  17. Zach Wasserman
    CTO

  18. Zach Wasserman
    Co-creator

  21. osquery
    One agent to rule them all
    • Lightweight 🐾
    • Open 🖨
    • Ubiquitous

  22. osquery (cont.)
    Key innovation: SQL
    • 50 years of maturity
    • SQLite (query planner + SQL parser)
    • Virtual tables that describe devices
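The point of slide 22 is that osquery turns device state into SQL tables, so "what can IT/Sec see?" becomes a readable query rather than opaque agent behaviour. The following is an added illustration of that model, not code from the talk or from the osquery or Fleet projects: it builds an in-memory SQLite database whose tables use a simplified subset of the real osquery `processes`, `listening_ports` and `users` schemas, fills them with constructed sample rows (assumed, not collected from a real host), and runs the kind of question a fleet operator would ask, namely which user-owned processes accept connections on a non-loopback address.

```python
"""
Added example (not from the talk, osquery or Fleet): device state as SQL
tables, queried with plain SQLite the way an osquery operator would.

Assumptions: table and column names are a simplified subset of the real
osquery `processes`, `listening_ports` and `users` tables; all rows below
are constructed sample data, not collected from a real device.
"""
import sqlite3

# Constructed sample rows standing in for what an agent would collect.
SAMPLE_USERS = [
    # uid, username
    (0, "root"),
    (501, "mike"),
]
SAMPLE_PROCESSES = [
    # pid, name, path, uid
    (1,   "launchd", "/sbin/launchd",            0),
    (412, "sshd",    "/usr/sbin/sshd",           0),
    (733, "node",    "/Users/mike/dev/app/node", 501),
    (790, "python3", "/usr/local/bin/python3",   501),
    (801, "Slack",   "/Applications/Slack.app/Contents/MacOS/Slack", 501),
]
SAMPLE_LISTENING_PORTS = [
    # pid, port, protocol (6 = TCP), address
    (412, 22,   6, "0.0.0.0"),    # sshd, system-owned
    (733, 3000, 6, "0.0.0.0"),    # dev server reachable from the network
    (790, 8000, 6, "127.0.0.1"),  # loopback only
]


def build_device_db() -> sqlite3.Connection:
    """Create an in-memory database whose tables mimic osquery's schema."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE processes (pid INTEGER PRIMARY KEY, name TEXT,
                                path TEXT, uid INTEGER);
        CREATE TABLE listening_ports (pid INTEGER, port INTEGER,
                                      protocol INTEGER, address TEXT);
    """)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO processes VALUES (?, ?, ?, ?)", SAMPLE_PROCESSES)
    conn.executemany("INSERT INTO listening_ports VALUES (?, ?, ?, ?)",
                     SAMPLE_LISTENING_PORTS)
    return conn


# The question, written once as SQL: user-owned processes (uid != 0) that
# listen on something other than loopback. Because the query is plain text,
# the people being monitored can read exactly what is being asked.
EXPOSED_LISTENERS_SQL = """
SELECT p.pid, p.name, p.path, u.username, lp.port, lp.address
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
JOIN users AS u ON u.uid = p.uid
WHERE lp.address != '127.0.0.1'
  AND p.uid != 0
ORDER BY lp.port
"""


def exposed_user_listeners(conn: sqlite3.Connection) -> list:
    """Run the query and return one plain dict per exposed listener."""
    return [dict(row) for row in conn.execute(EXPOSED_LISTENERS_SQL)]


if __name__ == "__main__":
    db = build_device_db()
    for row in exposed_user_listeners(db):
        print(f"pid={row['pid']} {row['name']} ({row['username']}) "
              f"listening on {row['address']}:{row['port']}")
```

On the sample data the query returns only the `node` process owned by `mike` on port 3000: `sshd` is excluded because it runs as root, and `python3` because it binds to loopback. The same shape of query is what a Fleet operator would schedule across hosts; the difference from the 2001 keylogger is that the question itself is inspectable.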

  23. Beyond the agent

  24. Beyond the agent
    What else do we need?
    • Manageability
    • Interoperability
    • Trust Certainty

  27. Open source

  28. Mike McNeil
    Creator & BDFL

  29. Open core

  30. Any log destination

  32. Interoperability

  33. "I use Fleet to manage thousands of hosts, develop better queries, and get the most out of osquery logs."
    - Brendan Shaklovitz

  34. Roadmap
    H1 2021
    • Teams (RBAC)
    • Auto-updates
    • Vulnerability management
    • Baseline queries available out of the box
    • Shareable compliance reporting & goal tracking
    • Query performance monitoring

  35. Roadmap (cont.)
    H1 2021
    • More flexible config (startup flags, etc)
    • Search
    • Deep links
    • Activity feed
    • Easier, faster deployments

  36. Roadmap (cont.)
    H1 2021
    • Fleet Device API (chromebooks, etc)
    • Standard library (Fleet's recommended queries)
    • Tickets (ServiceNow GRC, JIRA)
    • gRPC

  37. Roadmap (cont.)
    H2 2021
    • Custom osquery extension deployment ("R"»»"EDR")
    • Fleet Desktop (turn on self-remediation, scope & audit transparency)

  38. Is it any good?

  39. Read more: fleetdm.com
    Twitter: @fleetctl
    Contribute: fleetdm/fleet