Endpoint Monitoring with Osquery and Kolide Fleet

BSidesLV 2018

Presented by: Felipe Espósito (Pr0teus), Rodrigo Montoro (Sp0oKeR)
Date: Wednesday August 08, 2018
Time: 14:00 - 17:55
Location: Training Ground

Deep down we all know that perimeter defenses aren’t enough to keep the bad guys away from your assets. As soon as an outsider compromises one endpoint, they effectively become an insider. Having a powerful tool to monitor endpoints is key for incident detection and an organization’s overall security posture.

But how should you query and monitor your infrastructure? How should you deal with so many different operating systems and environments? To help meet this challenge, the Facebook Security team created Osquery, which is under active development by Facebook and the open source community. Osquery is actively used by many companies to collect data from hosts and proactively hunt for abnormalities.

Osquery makes it easy to ask targeted or broad questions about a heterogeneous infrastructure. Besides being open source, osquery is multi-platform (Windows, Linux, Mac, and FreeBSD), powerful, and provides countless query possibilities: hundreds of tables with thousands of fields, all exposed through a simple SQL query syntax.

In this training you will learn about osquery internals, how to understand queries, how to deploy an interface to manage it and gain visibility to improve detection and threat hunting, and more.

Rodrigo Montoro

Felipe Espósito
