Linux Server Security at Scale
Customer
This Uptycs customer is a major, multinational financial services company.
Summary
The customer operates a vast fleet of Linux servers across geographically distributed data centers and public cloud providers. Operating at a scale of well over 100,000 servers, they were looking for a comprehensive solution that provides security visibility at scale. After a six-month production pilot with Uptycs, the modules and functionality provided by the Uptycs Security Analytics Platform well exceeded the pilot's success criteria, delivering unprecedented visibility for multiple CSIRT use cases, including intrusion detection, FIM, asset inventory, vulnerability detection and incident investigation.
Challenge
The customer operates a well-established financial transactions Internet site that is highly targeted by attackers. They have faced a multitude of security challenges stemming from the rapid growth and scaling of their Linux infrastructure over the last decade. The Linux server security posture relied on system logs, system auditing and various scripts used to scrape and forward data into a log-aggregation-based SIEM. The SOC and CSIRT teams were limited to the visibility the SIEM could collect. Due to the unstructured nature of log collection, storage and compute costs were high. Also, getting an accurate picture of the asset inventory for basic security hygiene was a complex task. Finally, the impact on the production servers had to be minimal and the solution had to be hybrid-ready (i.e., on-prem and public cloud).
Solution
The customer worked with Uptycs to first establish the endpoint performance and coverage requirements. With deep osquery engineering expertise, Uptycs provided an enterprise-grade osquery agent with a low resource footprint on the production servers, highly performant behavior, and portability across multiple versions of the Linux distribution. Having satisfied the requirements of low production impact and high-visibility telemetry, the customer then worked with Uptycs to deploy the scalable, osquery-powered Uptycs security analytics platform. The Uptycs Core module provided the scale to connect, manage and ingest data from many thousands of Linux server endpoints. The Uptycs Detection and Uptycs FIM modules were configured to provide the foundational blocks for intrusion and malicious activity detection. The Uptycs Flight Recorder and Uptycs Investigation modules provided instant, ad-hoc visibility along with the ability to rewind history and see the state of thousands of servers at any arbitrary point in the past. Uptycs Flight Recorder and its API-first capabilities streamlined SIEM usage and provided valuable context to speed up investigations.
Impact and Results
Nothing speaks like a large enterprise's decision to go into production at scale within six months of a pilot. Uptycs was able to establish immediate value by providing security visibility at scale and empowering the customer's SOC and CSIRT teams to focus on security rather than the associated data aggregation, storage, and analysis.
Key Stats:
- Industry: Financial
- Deployment: Greater than 100,000 Linux Servers
Benefits Summary:
- Security @ Scale
- Performant Solution
- End-to-End Visibility
- Operational Simplicity
Modules:
- Uptycs Core
- Uptycs Detection
- Uptycs Investigation
- Uptycs FIM
- Uptycs Flight Recorder
Why Uptycs:
- Comprehensive: Universal Open Source Agent - Osquery
- Scale: Endpoint Detection Network (EDN)
- Visibility: Streaming Analytics
- Context: Purpose-built Flight Recorder
- Open: API-First Approach
- Standards: SQL-powered Analytics