Osquery has become a popular tool for endpoint-based security analytics. The user community is thriving and vibrant, as reflected in the GitHub security showcase and the activity on the osquery Slack channel. Many organizations, large and small, use it for a wide variety of use cases, and there are anecdotal references to organizations such as Facebook, Google and others running it at very large scale to get security visibility.
While there are no published accounts of the actual number of osquery-based endpoints in production, it is arguably one of the most widely deployed universal agents out there. Its universality and appeal stem from its open source roots, its portability across Linux, Windows and macOS, its standardized SQL interface for accessing telemetry, and its low overhead on the host. The lightweight osquery agent can act as a sensor that runs scheduled queries and streams the resulting telemetry for real-time analytics, or as an agent that answers ad-hoc questions on demand. All of these characteristics have made it a foundational tool for visibility across many IT organizations.
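As an added illustration (not from the original post, and not Uptycs' or the osquery project's own configuration), the osqueryd configuration below shows the "sensor" mode described above: each entry in the schedule is an SQL query that osqueryd runs at a fixed interval and whose results it writes to the configured logger. The first query is differential, so only rows added or removed since the last run are logged, which is what keeps a scheduled sensor cheap; the second sets "snapshot": true and logs the full result each time. The query names, the one-hour and one-day intervals, and the choice of the filesystem logger are assumptions for the example. The same SQL can be typed interactively into osqueryi for the ad-hoc mode.

```json
{
  "options": {
    "logger_plugin": "filesystem",
    "schedule_splay_percent": 10
  },
  "schedule": {
    "listening_ports_differential": {
      "query": "SELECT p.name, p.path, p.cmdline, lp.port, lp.protocol, lp.address FROM listening_ports AS lp JOIN processes AS p ON p.pid = lp.pid WHERE lp.port != 0;",
      "interval": 3600
    },
    "os_version_snapshot": {
      "query": "SELECT name, version, build, platform FROM os_version;",
      "interval": 86400,
      "snapshot": true
    }
  }
}
```

With the filesystem logger, differential results arrive as one JSON line per changed row carrying an "action" of "added" or "removed", while snapshot results arrive as a single JSON record containing the whole result set. A collector that aggregates telemetry at scale has to handle both shapes, which is one concrete instance of the data pipeline work discussed below.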
Since its debut a few years ago, osquery has seen widespread deployment and many organizations have contributed back to its code base, yet relatively little has been written about its operational use cases, and especially about osquery deployments at scale. At any meaningful scale, one will encounter the challenges of deploying and managing the agent, aggregating the data, and applying analytics on the aggregated data. Many organizations have tackled and solved these challenges to varying degrees. While the analytics provide the ultimate value in improving and strengthening an organization's security posture, the data pipeline and engineering challenges of operationalizing osquery agents and aggregating the telemetry at scale are equally important. We at Uptycs have had the fortune of collaborating with multiple large organizations on their journey of deploying osquery at very large scale and helping them reap the benefits of advanced security analytics from those deployments.
After learning from our own challenges of operationalizing osquery, and hearing from our customers and many in the community about their large-scale security operations, we at Uptycs saw an urgent need for a gathering where people could share their experience.
The osquery@scale conference was born to address this need. The team at Uptycs is excited to host the very first osquery@scale conference in San Francisco on January 22 and 23 at Dogpatch WineWorks, and I'm thrilled to share that we have had resoundingly positive feedback and confirmed participation from some of the very best security operations teams.