#general
niels

06/17/2020, 5:54 AM
Hi! A startup is looking at implementing security monitoring (baseline/settings, endpoint protection) for their windows+macos machines. Is anyone doing this solely using OSS products? e.g. I see that Kolide Fleet + Wazuh is an option, but curious how others are using osquery for this purpose.
seph

06/17/2020, 12:52 PM
There are folks doing that with open source. I a bit about the fleet installs. I'm less familiar with other OSS products.
niels

06/17/2020, 12:56 PM
@seph I loved the Kolide approach, but I missed vulnerability scanning.
seph

06/17/2020, 12:59 PM
Thanks! Not everything is going to be the right thing for everyone.
niels

06/17/2020, 12:59 PM
Well it worked very well, just so you know. 🙂 I suppose vulnerability detection can be easily implemented on your SaaS backend since you can extract any installed apps & OS, just need to import the NVD.
seph

06/17/2020, 1:00 PM
For broader ecosystem things... there are both commercial and OSS offerings, as well as rolling your own. As always, I think the trade-offs are in your time.
1:00 PM
Glad it worked well!
niels

06/17/2020, 1:01 PM
Yeah, I proposed osquery/fleet/wazuh, but they don't have that time to invest in it, so looking at commercial offerings now. Not having an MDM also makes it harder.
seph

06/17/2020, 1:04 PM
I think we have some blog posts somewhere, but I think there's bang per buck in fixing basic security issues, than tracking NVD. But it's obviously a lot of belt and suspenders.
Jason W

06/17/2020, 3:26 PM
FYI, Uptycs is a commercial osquery fleet manager that does vulnerability scanning with osquery.
3:26 PM
Not cheap, but appears to be very good (I have not used it personally).
defensivedepth

06/17/2020, 7:36 PM
So the next major version of Security Onion (code named Hybrid Hunter) includes full integration of Zeek / Suricata / Kolide Fleet + Launcher / Wazuh / Elastic Stack / TheHive / Sigma (through Playbook) - 100% open source - Beta 3 dropped today. https://blog.securityonion.net/2020/06/security-onion-hybrid-hunter-140-beta-3.html