As Uptycs prepares to embark on Osquery@scale 2022 in full force, we took some time with one of our senior sales engineers, Pablo Armas, to see what he is most excited about for the event.
Leveraging the Uptycs Platform to Threat Hunt with osquery
Understanding how others are using the technology. Since it's open source, I would be interested to know if they have modified the tool in any shape or form that might make it more usable. What kind of problems are other people solving currently? Is there a creative spin to it? Just talking about osquery and seeing how other organizations have benefited from that technology is very interesting.
Learning about what enhancements people have made to the tool that we could benefit from. Since it's open source, anyone can change it.
Scalability. The power of getting all that detailed information at scale: companies now have all these assets that are getting spun up and shut down dynamically because of the cloud, and we now have the option of having the same quality of telemetry from everywhere, regardless of them being short-lived. Though they may have a short lifespan, we are still able to capture everything that happens. So scalability is key, and the largest benefit.
There are a lot of people who aren't aware of osquery, so getting the word out there about what's going on and how this technology is being leveraged is huge. In addition to that, seeing what people who are more experienced with osquery are actually doing and accomplishing, and how they are either saving time or money through osquery, would be fantastic. Awareness, and understanding the level of impact others have achieved.
Building more adoption, so we can see it implemented in more creative ways. Of course, being at Uptycs, we would like everyone to use Uptycs for their analytics, but from a pure osquery standpoint I think it would be interesting to see osquery implemented in other form factors as well, to continue covering more and more threat vectors.
SaaSquery, that's exciting. Whenever we get to the point where we can actually perform queries on those specific parts of the infrastructure that we cannot own, that are somewhere else, similar to public cloud but now through an application that is being delivered to us as a service (like Salesforce or Dropbox), being able to query through those applications would be massive because of the adoption SaaS applications have nowadays. So for me, the future is just continuing to shape osquery in a way that it continues to be able to consume data from other threat vectors, like SaaS, identity, and so on.
I think the cool thing specific to osquery is how you can adapt osquery to cover those use cases, SaaS and identity, because the magic of osquery is bringing all this data and normalizing it into a relational database, so you have data that has been structured in a way that you can just throw SQL queries at it. So continuing to do that, following the same lines in other areas that we are not covering yet, like I mentioned SaaS, but who knows what else could be out there that we could continue to use osquery to cover; that's what I think is exciting.
It would mean that you, as an IT security person at your company, can throw a SQL query that says "show me everything within Dropbox that is exposed without a password" and boom, you have visibility. Or "show me anything that has a Social Security number in it" and boom, you can get it.