Agenda
Osquery@scale will feature a single-track schedule to allow attendees to join every session. Sessions will be approximately 30 minutes long with time for Q&A. Breakfast, lunch, and free-flowing coffee will be provided for all attendees.

Join security leaders and practitioners from Financial Services, Telco, SaaS, Hi-Tech, and a variety of other industries as they share their experiences of managing risk reduction at scale.

Here is a glance at our schedule:

Wednesday, September 14 (PST)
9:30am - 11:30am: Reserved workshop
11:30am - 1pm: Lunch, networking, and check-in
1pm - 5pm: Speaker sessions
5pm - 6pm: Networking and entertainment
6pm - 9pm: Reception

Thursday, September 15 (PST)
10am - 12:30pm: Speaker sessions
12:30pm - 1:30pm: Lunch
1:30pm - 6pm: Speaker sessions
6pm - 10pm: O@S After Dark

Speakers
Check back often as the agenda and speaking roster will be updated frequently. Here are just a few of the great speakers we already have on board:

- Steve Shedlock - SEIC - Incident Response Team Lead
- Raja Jasper - Financial Institution - Sr. Manager Incident Response Team
- Zach Wasserman - Fleet - Co-Founder & CTO
- Ben Pruce - HashiCorp - Manager, Threat Detection and Response
- Nabil Schear - Netflix - Staff Security Engineer
- Ryan Mack - Uptycs - VP, Head of Infrastructure Engineering
- Christopher Stanley - Aviation and Aerospace - Manager, Security Engineering
- Andrew Mease - Comcast - Sr. Principal Security Engineer
Sessions
Monitoring Millions of Workloads in AWS on the Cheap: How Netflix uses Osquery
- Nabil Schear - Netflix - Staff Security Engineer

Netflix operates one of the largest AWS deployments in the world to power our streaming service, studio, and other business operations. This complex deployment spans thousands of microservice and data processing applications running on a mix of EC2 instances and containers running on the Titus platform. Since 2019, we’ve used Osquery to help us understand our large environment, respond to security incidents, and unlock cost savings. In this talk, we’ll explain how we deployed Osquery while minimizing the burden of operating it on a large scale. This will include how we re-used existing Netflix systems to avoid standing up new infrastructure, tuned our query packs, and provided parity between monitoring EC2 and containers. We’ll discuss some of the trade-offs we made in this minimal design and how those choices have aged over time (spoilers: some came back to bite us!). We’ll wrap up with some examples of the breadth of different challenges that we’ve been able to solve using Osquery and how we’re thinking about it in the future.
Security Visibility is Key
- Andrew Mease - Comcast - Sr. Principal Security Engineer
Let's talk about visibility in our environment and how osquery has helped the Comcast security team solve some key issues in recent months by enhancing that visibility. Hopefully when I’m done you will agree that visibility is key and you’ll be able to see if osquery can help you improve as well no matter what your current posture might be.
Using Endpoint Telemetry to Quantify Your Security Operations Risk
- Steve Shedlock - SEIC - Incident Response Team Lead
Threat actors quantify the time and expense required to attack your organization. Security Operations teams ought to be able to do the same through threat modeling and appropriate controls. This session will explain how SEI quantified the value of its security operations thanks to osquery-powered visibility. The SEI team uses osquery at scale to assess what threats they have faced in the past, are facing, and are likely to face in the future. Osquery also plays an important role in helping the SEI team to develop controls for those threats.

Ew, don't touch me with that laptop! Using osquery to implement zero-trust controls
- Uma Unni - Stripe - Software Engineer

Your application developers work with your company's most valuable intellectual property and have access to your most sensitive systems. What's the expectation of how their laptops are configured, and how can you ensure that your developers' machines are securely configured before they access critical resources? In this session, Uma Unni will explain how Stripe uses osquery to validate the secure configurations on developers' machines in real time before granting them access to sensitive resources.
The Scientific Method For Picking Apart A Detection
- Raja Jasper - Financial Institution - Sr. Manager Incident Response Team

As organizations mature, they begin to look at enhancing their detection space. In this presentation, we will compare and contrast traditional alerting practices vs behavior threat detections. We'll discuss the use of the scientific method when building detections. Cybersecurity detection engineers occasionally love to build without thinking about the downstream impacts that can occur. We love to dig through new data sources as they are introduced but are not always sure about what we want to build. Using a sound, repeatable process allows a team to base their work on hypotheses, which means having a goal and then going back to the log/data source to see if the right data is presented, which will then lead to an effective detection.

Vulnerability Management at Scale With Osquery
- Zach Wasserman - Fleet - Co-Founder & CTO

Consolidating agents has long been a promise of osquery. This talk shows how osquery data can enable vulnerability detection when combined with public data from NIST’s NVD and OVAL repositories. Osquery becomes a more fully-featured replacement for the traditional vulnerability scanner!

Visible by Default with a Short TTL - A strategy for maintaining visibility and forcing attackers to get loud
- Ben Pruce - HashiCorp - Manager, Threat Detection and Response

The foundation of a successful Threat Detection and Response program, on-prem or in the cloud, starts with attaining good visibility across your workloads. While many of the control plane activities of cloud providers can be configured via native delivery mechanisms (CloudTrail → S3, etc.), there is still a need to solve for host visibility. But even after collecting infrastructure layers of log data, how do we simplify the detection process to improve our chances of catching malicious activity? After all, the most skilled attackers, given enough time, will look no different than your sysadmins on a host, so we need a strategy to force attackers to get loud and make mistakes trying to move fast. In this talk I will present an approach for maintaining visibility by default for all your host builds, collecting your data in a simple, scalable pattern for long term storage, and a strategy in your infra process to force attackers to move fast and risk making mistakes.

Container Security with eBPF/osquery
- Christopher Stanley - Aerospace Company

And more to come...
About osquery@scale
osquery@scale is a forum where attendees can network and explore how osquery is powering what’s next in security innovation.
This year's theme is “how can osquery aid in risk reduction?”. Most notably, how does osquery help reduce risk from vulnerabilities and threats? You can expect great educational content based on security best practices that will help manage, scale, and improve osquery-powered risk reduction in your organization.
Attendees can also expect fun networking opportunities in the innovative zero-emission Exploratorium, complete with interactive exhibits that showcase the power of observation. Oh, and great food.
Past Sessions
Matthew Kemelhar and Russ Nolen, Stripe
"Actioning the osquery API at Scale"
Erin Palmer and Abubakar Yousafzai, Comcast
"Linux Efficacy @Scale"
Grant Kahn, Lookout
"How osquery's comprehensive visibility enables customer assurance and risk management at Lookout"
Ryan Nolette, Postman
"I'm not crying, you're crying: Making incident response in the cloud less painful with osquery"
When
Wednesday, September 14 - Thursday, September 15, 2022
Where
The Exploratorium
Pier 15 (Embarcadero @ Green St.)
San Francisco, CA 94111

Accommodations @ Omni San Francisco Hotel. See here for the negotiated room rate. Book by 8/29.