Sessions

Monitoring Millions of Workloads in AWS on the Cheap: How Netflix uses Osquery

• Nabil Schear - Netflix - Staff Security Engineer

​

Netflix operates one of the largest AWS deployments in the world to power our streaming service, studio, and other business operations.  This complex deployment spans thousands of microservice and data processing applications running on a mix of EC2 instances and containers running on the Titus platform.  Since 2019, we’ve used Osquery to help us understand our large environment, respond to security incidents, and unlock cost savings.  In this talk, we’ll explain how we deployed Osquery while minimizing the burden of operating it on a large scale.  This will include how we re-used existing Netflix systems to avoid standing up new infrastructure, tuned our query packs, and provided parity between monitoring EC2 and containers.  We’ll discuss some of the trade-offs we made in this minimal design and how those choices have aged over time (spoilers: some came back to bite us!).  We’ll wrap up with some examples of the breadth of different challenges that we’ve been able to solve using Osquery and how we’re thinking about it in the future.

Security Visibility is Key

• Andrew Mease - Comcast - Sr. Principal Security Engineer

Let's talk about visibility in our environment and how osquery has helped the Comcast security team solve some key issues in recent months by enhancing that visibility. Hopefully when I’m done you will agree that visibility is key and you’ll be able to see if osquery can help you improve as well no matter what your current posture might be.

Using Endpoint Telemetry to Quantify Your Security Operations Risk

• Steve Shedlock - SEIC - Incident Response Team Lead

Threat actors quantify the time and expense required to attack your organization. Security Operations teams ought to be able to do the same through threat modeling and appropriate controls. This session will explain how SEI quantified the value of its security operations thanks to osquery-powered visibility. The SEI team uses osquery at scale to assess what threats they have faced in the past, are facing, and are likely to face in the future. Osquery also plays an important role in helping the SEI team to develop controls for those threats.

​

Ew, don't touch me with that laptop! Using osquery to implement zero-trust controls

• Uma Unni - Stripe - Software Engineer

​

Your application developers work with your company's most valuable intellectual property and have access to your most sensitive systems. What's the expectation of how their laptops are configured, and how can you ensure that your developers' machines are securely configured before they access critical resources. In this session, Uma Unni will explain how Stripe uses osquery to validate the secure configurations on developers' machines in real time before granting them access to sensitive resources.

The Scientific Method For Picking Apart A Detection

• Raja Jasper - Financial Institution - Sr. Manager Incident Response Team

​

As organizations mature they begin to look at enhancing their detection space. In this presentation we will compare and contrast traditional alerting practices vs behavior threat detections. We'll discuss the use of the scientific method when building detections. Cybersecurity detection engineers occasionally love to build without thinking about the downstream impacts that can occur. We love to dig through new data sources as they are introduced but are not always sure about what we want to build. Using a sound repeatable process allows a team to base their work on hypotheses. Which means having a goal and then going back to the log/data source to see if the right data is presented, which will then lead to an effective detection.

​

​

Vulnerability Management at Scale With Osquery

• Zach Wasserman - Fleet - Co-Founder & CTO

​

Consolidating agents has long been a promise of osquery. This talk shows how osquery data can enable vulnerability detection when combined with public data from NIST’s NVD and OVAL repositories. Osquery becomes a more fully-featured replacement for the traditional vulnerability scanner!

​

​

Visible by Default with a Short TTL - A strategy for maintaining visibility and forcing attackers to get loud

• Ben Pruce - HashiCorp - Manager, Threat Detection and Response

​

The foundation of a successful Threat Detection and Response program, on-prem or in the cloud,  starts with attaining good visibility across your workloads. While many of the control plane activities of cloud providers can be configured via native delivery mechanisms, (Cloudtrail → S3 etc..) there is still a need to solve for host visibility. But even after collecting infrastructure layers of log data how do we simplify the detection process to improve our chances of catching malicious activity? After all, the most skilled attackers, given enough time,  will look no different than your sysadmins on a host, so we need a strategy to force attackers to get loud and make mistakes trying to move fast. In this talk I will present an approach for maintaining visibility by default for all your host builds, collecting your data in a simple, scalable pattern for long term storage, and a strategy in your infra process to force attackers to move fast and risk making mistakes.

​

Container Security with eBPF/osquery

• Christopher Stanley - Aerospace Company

​

And more to come....