Slide 1

@benjammingh for QueryCon 2018

Slide 2

Who's this clown?
• Security Engineer at Stripe.
• Infrastructure security at Etsy.
• Now has a commit in osquery, be afraid.
• Once wore Mike Arpaia's pants to work, because he left them in the office. [2]

[2] https://twitter.com/skullmandible/status/411281851131523072

Slide 3

What have the organisers unleashed?!
• A lot of Genesis / Phil Collins references.
• Some talk of osquery, probably.
• Endpoint visibility

And you may ask yourself, "Well... how did I get here?"

Slide 4

Actually Mac visibility

Slide 5

Enter BigMac
2012 Facebook talk of Big Mac: "Checks most basic persistence options"

Slide 6

No content

Slide 7

ENHANCE! Huh? This looks familiar...

Slide 8

Meanwhile, back at stately Wayne Manor

Slide 9

Etsy security team
• Roll on early 2013
• Etsy looking to make our own version
• Standard development practices apply

Slide 10

No content

Slide 11

is born
• Python based (system python)
• modular
• persistent datastore (sqlite)
• logs to disk, which then goes to splunk

Slide 12

Scroll forward to December 2013

Slide 13

Which then got released publicly (and /ever so slightly/ nerfed) as MIDAS, to rave reviews on HackerNews

Also, after looking at the code, it's barely useful. — [deleted] 22 points 4 years ago

Slide 14

Mike -> Facebook
Zane -> Signal Sciences

Slide 15

2014
• Rich Smith adds a proper build system...
• "Stealth mode" of no binaries on disk, by using pyinstaller (yes I know they're still on disk)
• I became the overprotective maintainer of it.

Slide 16

Etsy security ❤ Facebook security

Slide 17

Mike Arpaia

Slide 18

No content

Slide 19

• "640K ought to be because of architectural limitation of the IBM XT"
• "Facebook has a whole floor of analysts, we have none, so Python is better than SQL for us."
• "I want to be alerted when someone compromises something, not when I go looking for it."
• "We already have something that works, let's just keep maintaining that."

Slide 20

So what happened?

Slide 21


Slide 22

No content

Slide 23

"I was completely and utterly wrong on every level" — Me

Slide 24

So why are we even listening to you again?

Slide 25

You don't have to always be right, but it's helpful to admit when you're wrong

Slide 26

Don't Get Attached To Your Code

Slide 27

being proud of code you write is different to being beholden to it

Slide 28

and that was the only catharsis that they could find without violence...

Slide 29


Slide 30

Osquery

Slide 31

If leaving me is Etsy

Slide 32

We had osquery

% osqueryi --version
osqueryi version 2.2.3

Slide 33


Slide 34

Doorman
• rad, useful, easy to get going!
• has a backing persistent storage, so queries get hunted down.
• from looking at it, looked a solid architecture and in python

Slide 35

Doorman cont.
• from looking at it, argh my eyes, burning... (okay, it's very functional but not pretty)
• like everything at Stripe, customised forked version
• which you could only access over SSH port forwarding

Slide 36

kolide/fleet
Was just kolide back then, commercial offering

Slide 37

How does fleet work?

Slide 38

No content

Slide 39

No content

Slide 40

logs

Slide 41

{
  "cake": "eccles",
  "coffee": "long black",
  "serialisation": "ASN1"
}

Slide 42

ELK

Slide 43


Slide 44


Slide 45

Fleet at Stripe
• 1000s of endpoints.
• multiple platforms.
• phased roll out thanks to Munki
• lots of exciting interesting queries!

Slide 46

Ben, it's lunch soon, wrap this up! — everyone

Slide 47

Fine, let's Neal Stephenson this slide show! — me

Slide 48

Security and operations and everything in between, be careful with that pride

Slide 49

Just because you own the code, don't let the code own you

Slide 50

Community

Slide 51

Lunch!

Slide 52

• Twidder: @benjammingh
• LinkedIn: lnkdin.me/p/benyeah
• SpeakerDeck: speakerdeck.com/barnbarn
• Stripe: Careers <--- Engineering blog