Hi! A startup is looking at implementing security ...
# general
Hi! A startup is looking at implementing security monitoring (baseline/settings, endpoint protection) for their windows+macos machines. Is anyone doing this solely using OSS products? e.g. I see that Kolide Fleet + Wazuh is an option, but curious how others are using osquery for this purpose.
There are folks doing that with open source. I know a bit about the Fleet installs. I'm less familiar with other OSS products.
@seph I loved the Kolide approach, but I missed vulnerability scanning.
Thanks! Not everything is going to be right thing for everyone.
Well it worked very well, just so you know. 🙂 I suppose vulnerability detection can be easily implemented on your SaaS backend since you can extract any installed apps & os, just need to import the NVD.
For broader ecosystem things.... there are both commercial and OSS offerings, as well as rolling your own. As always, I think the trade offs are in your time.
Glad it worked well!
Yeah, I proposed osquery/fleet/wazuh, but they don’t have that time to invest in it, so looking at commercial offerings now. Not having an MDM also makes it harder.
I think we have some blog posts somewhere, but I think there's more bang per buck in fixing basic security issues than in tracking NVD. But it's obviously a lot of belt and suspenders.
FYI, Uptycs is a commercial osquery fleet manager that does vulnerability scanning with osquery.
Not cheap, but appears to be very good (I have not used it personally)
So the next major version of Security Onion (code named Hybrid Hunter) includes full integration of Zeek / Suricata / Kolide Fleet + Launcher / Wazuh / Elastic Stack / TheHive / Sigma (through Playbook) - 100% open source - Beta 3 dropped today. https://blog.securityonion.net/2020/06/security-onion-hybrid-hunter-140-beta-3.html