Cloud-Scale Endpoint Interrogation

on 27 Nov 2017

Until just a few days ago, I had never heard of OSQuery – and perhaps this is the first time you’ve heard it referenced. Now, I know that it’s impossible to keep track of everything in cyber security, but you’d think that an open source, Facebook-developed, container-ready toolkit for endpoint visibility, testing, and telemetry collection – including for cyber security, would have crossed my desk at some point. Oh, well. Duh, me.

I was introduced to OSQuery last week by Ganesh Pai and Milan Shah from Waltham-based cyber start-up Uptycs. During a technical review, we covered a range of different capabilities in their cloud-ready endpoint security solution. It was during that discussion that they explained to me the power of OSQuery, and how the open source toolkit was used as the basis for their solution. After the meeting, I went off and did some homework. Here’s what I learned:

Just a few short years ago, endpoint security meant exactly that – signature, behavioral, and learning-based protection for PCs, laptops, servers, mobile devices, and even IoT devices. The most common marketing differentiators for endpoint security tended to focus (and still focus) on ease of deployment, speed of query response, accuracy of variant detection, integration with SOC hunt tools, and so on.

But the hybrid cloud must support virtualized, dynamic endpoint computing, including the provisioning, use, and retirement of containers on a lifecycle more rapid and agile than most security tools can keep up with. The open source toolkit OSQuery was introduced to deal with this challenge – namely to provide structured, queryable insight and visibility in such environments, and to perform continuous monitoring for resource leakage alongside configuration audit and software asset inventory.
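To make the "continuous monitoring" idea concrete, here is an added example of an OSQuery scheduled query pack, written for this article and not taken from Uptycs or the osquery project. It assumes osquery's standard pack format and its Linux tables; the query names, intervals and the 1000-descriptor threshold are constructed for illustration. Each query is re-run on its interval and, by default, only rows that appear or disappear between runs are logged, which is what turns a one-off SQL query into monitoring for inventory drift, configuration changes and leaking resources.

```json
{
  "platform": "linux",
  "queries": {
    "software_inventory_deb": {
      "query": "SELECT name, version, source FROM deb_packages;",
      "interval": 86400,
      "description": "Software asset inventory: the differential log records every package installed or removed since the last run."
    },
    "container_inventory": {
      "query": "SELECT id, name, image, state, created FROM docker_containers;",
      "interval": 600,
      "description": "Container churn: containers provisioned or retired between runs show up as added/removed rows."
    },
    "listening_ports_audit": {
      "query": "SELECT p.pid, p.name, p.path, lp.address, lp.port, lp.protocol FROM listening_ports lp JOIN processes p USING (pid) WHERE lp.port != 0 AND lp.address != '127.0.0.1';",
      "interval": 300,
      "description": "Configuration audit: processes bound to a non-loopback port; a new row means a new network-exposed service."
    },
    "extra_uid_zero_accounts": {
      "query": "SELECT username, uid, shell FROM users WHERE uid = 0 AND username != 'root';",
      "interval": 3600,
      "description": "Configuration audit: any account other than root that carries uid 0."
    },
    "process_fd_pressure": {
      "query": "SELECT p.pid, p.name, COUNT(*) AS open_fds FROM processes p JOIN process_open_files f USING (pid) GROUP BY p.pid HAVING open_fds > 1000;",
      "interval": 600,
      "snapshot": true,
      "description": "Resource leakage: processes holding more than 1000 open file descriptors (constructed threshold); snapshot mode logs the full result each run so the count can be trended."
    }
  }
}
```

Any of these queries can also be typed interactively into osqueryi to inspect a single host, which is the "dynamic interface for performing queries" referred to later in this article.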

“Endpoint security buyers are experiencing solution fatigue,” Ganesh explained to me during our meeting. “Our approach has been to build upon a universal open source agent that supports virtually every computing platform including Mac OSX, CoreOS, Windows, FreeBSD, and Linux, and that allows for improved endpoint and container visibility by security and IT analysts through a dynamic interface for performing queries.”

Specific cyber security capabilities supported in the Uptycs platform include endpoint detection and response, incident investigation, file integrity monitoring, and support for audit and compliance. The solution is also deployed in the context of a novel data collection and aggregation infrastructure fashioned after the Akamai Query System. (The principals have backgrounds with Akamai, and Andy Ellis, Akamai CISO, serves on the Technical Advisory Board.)

“Our Endpoint Detection Network is a CDN-like system pioneered at Akamai that allows our solution to scale,” Ganesh said. “We deploy our agents in a distributed manner across hybrid cloud, and then we collect the data into an SQL accessible storage similar to the type of top-level aggregators that Akamai Query uses to keep track of their hundreds of thousands of servers. We believe that the modern hybrid cloud requires this level of scale for proper protection.”

I hope this all sounds exciting to you – and I sincerely hope that you will decide to reach out and contact the Uptycs team for more information and a demo. But I must warn you: OSQuery and Uptycs are non-trivial technologies to understand. I’ve spent a lifetime in front of Unix CLIs, and I had trouble keeping up. So, this is turbo-charged stuff that will require that you eat your Wheaties before the meeting. But I think it’s well worth the time.

Let us all know how you make out.