In 2014, Facebook released osquery, a platform that turns operating system information into a format that can be queried using standard SQL-based statements, an invaluable tool for performing incident response, diagnosing systems operations problems, ensuring baseline security settings, and more. The tool was a boon for server environments running MacOS X or a popular enterprise Linux distribution such as Ubuntu or CentOS.
If you were running a Windows environment, you were out of luck. To gather similar information, you’d have to cobble together a manual solution, or pay for a commercial product, which would be expensive, force reliance on a vendor, and lock your organization into using a proprietary -and potentially buggy- agent. Since most of these services are cloud-based, you’d also risk exposing potentially sensitive data.
We’ve changed that. Facebook commissioned us to port osquery to Windows. Now, the power of osquery is available to Windows users. Now that osquery runs on all three major desktop/server platforms, the open-source community can supplant proprietary, closed, commercial security and monitoring systems with free, community-supported alternatives. We’re excited about the potential this has to disrupt several aspects of the endpoint security market.
First, since osquery is cross platform, network administrators will be able to monitor complex operating system states across their entire infrastructure. For those already running an osquery deployment, they’ll be able to seamlessly integrate their Windows machines, allowing for far greater efficiency in their work.
Next, we envision startups launching without the need to develop agents that collect this rich set of data first. We’re excited to see what they build from there.
Finally, more vulnerable organizations -groups that can’t afford the ‘Apple premium,’ or don’t use Linux- will be able to secure their systems to a degree that wasn’t possible before.