#general
theresa

06/15/2020, 5:05 PM
I'm currently a master's student looking for an interesting thesis topic to write about. My initial approach was to write about endpoint visibility, because in times of DoH and DoT, solutions that honor the end user's privacy, it becomes a lot more difficult for blue teams to detect suspicious behaviour over the wire. Therefore I would like to focus on the endpoint, and what is possible to detect there. I have heard a lot of good things about osquery; it helps a lot in regards to IT operations. But what would be the main security use cases for osquery to help blue teams detect threats in their environment/network? Can you maybe point me in the right direction, other than https://osquery.io/schema, to help me get an idea of what is possible? Many thanks in advance, cheers, theresa
Haam3r

06/15/2020, 5:09 PM
Hey. Palantir has some really good articles and repos about using osquery for security. Guess you can start from this one: https://medium.com/palantir/osquery-across-the-enterprise-3c3c9d13ec55
5:10 PM
and the github repo that goes together with the article: https://github.com/palantir/osquery-configuration
5:12 PM
And Chris Long also has a nice blog post about it: https://medium.com/@clong/osquery-for-security-b66fffdf2daf
Ryan

06/15/2020, 5:12 PM
I was just about to link to the Palantir GitHub page 😄
Haam3r

06/15/2020, 5:13 PM
Great minds think alike 😛
5:13 PM
And I mean, Palantir's stuff is just pure gold 🙂
theresa

06/15/2020, 5:15 PM
Wow, just wow! Thank you from the bottom of my heart @Haam3r. I did google before, and found a lot of stuff in regards to SysOps/IT Ops, but just not focused on security. Somehow this Palantir stuff must have slipped through. Thanks a lot 🙂
Ryan

06/15/2020, 5:39 PM
Yeah, it’s a good resource because they open-sourced a lot of the config and then wrote the articles to explain why they are collecting those things, with more practical examples of what they’re looking for.
theresa

06/15/2020, 5:51 PM
Cool, thanks for the explanation, @Ryan. Any idea why most tutorials or write-ups focus heavily on threats for macOS?
Ryan

06/15/2020, 5:54 PM
I think it might be to do with Kolide’s work on “user focused security”? https://blog.kolide.com/kolide-user-focused-security-for-teams-that-slack-ec9646a0ce0e
5:54 PM
A much nicer approach to making sure your employees’ devices are secure without all the usual frustrating management software you tend to find at corporations.
theresa

06/15/2020, 5:57 PM
Exactly, I've even seen companies enrolling their company notebooks into MDM solutions (not just phones or tablets, but also notebooks). Usually that's what a proper CMDB is for: to keep track of those devices and their patch level.
Ryan

06/15/2020, 5:57 PM
Yeah
5:58 PM
And these days there are a lot more macOS and Linux machines in the enterprise than there used to be.