Facebook Enhances Osquery Security Analysis Platform

Facebook is adding query packs to the open-source osquery security framework that group together common sets of use cases for data analysis.

Facebook osquery

Facebook is enhancing its open-source osquery security framework with new features that make it easier for users to organize and gain insight from operating system information.

Osquery, which Facebook announced in October 2014, makes OS information look like a standard SQL database that can be queried to gain operational and security insight.

Since the first osquery public release, Facebook added new tables that enable additional capabilities and features, including an extension API and snapshot queries, said Javier Marcos, security engineer at Facebook.

"All of these new features make osquery users more effective at intrusion detection, incident response, vulnerability management, compliance and much more," Marcos told eWEEK.

Facebook is now adding query packs to osquery, grouping together common sets of use cases for data analysis. Among the new query packs is one for security incident response that is based on approaches used within Facebook's own infrastructure.

"Attacks have a lifecycle, and in order to achieve their objectives, attackers will commonly persist on a host via malware, establish a communication channel, move laterally across the network, and identify and steal their desired data," Marcos said. "We use the incident-response query pack to collect data relevant to each of these phases."

For example, for logging persistence, Facebook logs binary metadata and collects files that are registered to run at system boot; for lateral movement, Facebook logs firewall exceptions and logged in users, Marcos explained.

"We send these logs to our SIEM [security information and event management], where additional processing and alerting occurs," Marcos said.

The incident-response query pack can also potentially help organizations identify privilege-escalation attacks. Marcos noted that, in order to escalate privileges, one has to perform actions or commands.

"In addition, one usually escalates privileges in order to perform privileged actions," Marcos said. "Osquery helps you monitor actions taken on a host."

Facebook is also making a Mac OS X-attacks query pack available to help enable Apple users to identify potentially malicious activities. The Facebook OS X query pack is complementary with existing OS X security tools, including the popular Little Snitch application, Marcos said. Little Snitch is a widely deployed tool for OS X that provides network monitoring and blocking capabilities.

"The OS X-attacks query pack contains queries that identify known-bad malware on your computer," Marcos said. "If you're interested in logging, but not blocking network connections, you can also use some of osquery's tables like 'listening_ports' or 'process_open_sockets.'"

In addition to the OS X-attacks and incident-response query packs, Faceook is also releasing query packs for IT compliance and vulnerability management. The IT compliance query pack collects information that can help organizations understand the current status of IT infrastructure, while the vulnerability management pack is about identifying outdated software.

Looking forward, the plan is to continue to expand the osquery packs with even more options to help users identify security risks. Osquery and the query packs are open-source efforts that are freely available from Facebook's osquery project page with full source code available on Github.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.