My advice is to not compare osquery to EDR or XDR ...
# macost
theopolis
09/26/2020, 3:21 PM
My advice is to not compare osquery to EDR or XDR solutions. Osquery is just a small tool, it has a lot of features, but it is not an EDR.
➕ 4
👍 1
m
MaxosxOsquery
09/26/2020, 7:06 PMThanks for the advice. But ppl are assuming that osquery can do everything.. So thought of getting some suggestions from this group.. Now I'm clear
f
fritz
09/27/2020, 3:25 PMA hammer can do a lot given context and intent; it can frame a house, pry open a door, or smash a person's head in.
I think the questions that need to be asked when approaching osquery cannot begin with something akin to:
"What can a hammer do compared to a wrench?"
but rather:
"I am trying to accomplish a specific task (eg. pull rusty nails out of a board), is it possible to do this with a hammer?"
For example, if you ask something like:
"Can osquery detect when a file in a specific directory has been modified?", you will receive much more productive responses.
Broad comparative or open-ended questions, necessitating exhaustive hypotheticals, accompanied by complex feature matrices and Venn diagrams are unlikely to be answered to any satisfying extent.
t
theopolis
09/27/2020, 4:03 PM
But fritz, specifically osquery is not a product, it does not have concepts like user management, multi-host aggregation, visualization, etc. So I think it's fair to say osquery is not an EDR but rather a component of an EDR.
I think it is fair to ask questions like "compare and contrast these EDR solutions" outside the context of osquery.
s
seph
09/27/2020, 4:43 PM
TBH I think you’re both right.
seph
09/27/2020, 4:44 PM
Sticking with fritz’s analogy… I think it’s reasonable to talk about how one might do X with a hammer.
And it’s reasonable to compare contractors.
But it’s hard to say “How does this hammer compare to what that contractor can do?”
f
fritz
09/27/2020, 7:56 PM@theopolis that is a fair point, osquery in and of itself is definitely not a 'product' and distancing it from that classification does alleviate some of the lure of comparing it to other full-fledged products.
m
MaxosxOsquery
09/28/2020, 8:04 AM@fritz thats a gr8 analogy .. I have seen some companies has both EDR and osquery and they end-up doing the same task using both the tools . it would be nice to identify the osquery capabilities that is missing in the EDR and make use of it effectively ... example use cases like "Identify Malicious browser extension", " Apps that has bypassed defence like xprotect, codesign, LSQuarantine ", Apps with bundle malicious packs, vulnerable apps for the hosts, Identify the origin of the file downloaded etc...
d
Derek W
09/28/2020, 4:28 PMIn my experience typically EDR combines some sort of cloud-based data aggregation and analyzing product that also pulls in some form(s) of basic threat intelligence and cross-references the data from the EDR sensors with those data
Derek W
09/28/2020, 4:29 PMThese data that are pulled could come from anything clientside, even a copy of osquery baked into the EDR
Derek W
09/28/2020, 4:30 PMAnd without this cloud product (which is often very very expensive) the EDR simply does not work at all, whereas osquery sensors can operate standalone
Derek W
09/28/2020, 4:31 PMEDRs in my experience also like to use kernel extensions to hook into process or system level events which can have huge stability or performance concerns; in macOS 11 Big Sur kexts go away so a lot of EDRs may lose a lot of functionality
Derek W
09/28/2020, 4:31 PMOSQ is user space so ❤️
7 Views