Starting, growing, and scaling your host intrusion detection efforts

Presented at LocoMocoSec 2018, April 5, 2018, 11 a.m. (40 minutes).

Osquery is a lightweight host intrusion detection tool that organizations can use to monitor extremely large production environments as well as smaller corporate environments. In this talk, we will discuss how to get started with osquery and how the way that you manage osquery may change as your organization and objectives evolve. Starting small with an initial PoC, it's important to exhibit a full detection pipeline as quickly and simply as possible. Over time, as you instrument more environments at your organization, the tools that are available for device configuration and communication will likely change. With many environments to monitor, we will be able to take advantage of more osquery features that allow us to succinctly and dynamically reason about attack surface based on system state. As we talk through this evolution, we will discuss proven strategies and common pitfalls.


Presenters:

  • Mike Arpaia - Kolide.co
    Mike Arpaia is the CTO and Co-Founder of Kolide and the original creator of osquery, which he created, open-sourced, and widely deployed while working at Facebook. While at Facebook, he then went on to lead the company's intrusion detection efforts, where he was responsible for all infrastructure and network instrumentation. Before his time at Facebook, Mike worked at Etsy, on a custom host intrusion detection product, which he deployed and managed across Etsy's corporate infrastructure. Mike is excited to continue working on open source technologies in the operating system instrumentation and analytics domain, which continues to be a passion area for him.

Links:

Similar Presentations: