An Open Source Triple Feature
Categories: Blog, Modeling, Open Source. Posted by Hack_secure, May 29, 2017.
Editor’s note: The following three experts shared their industry insight at OpenSec2017.
Jen Andre, founder and CEO of Komand.
At Komand, Jen helps security teams focus on efficient incident response and decision making by automating manual tasks and providing a space to share that automation and know-how with the wider security community. Prior to founding Komand, Jen co-founded Threat Stack and worked at Mandiant and Symantec. She is very involved in the cybersecurity space, authoring multiple articles and speaking at conferences around the country.
What got you interested in the cybersecurity space?
Hanging out with computer hackers in the '90s and early 2000s.
What advice do you have for people moving up or into the cybersecurity space?
Find some great, friendly mentors, stay curious, and question the status quo.
What are some product or solutions spaces you are watching or excited to see grow?
Machine learning effectively applied to cybersecurity (promised, but yet to be delivered), productivity improvements for SecOps teams (in workflows, deployment of security stack), and better policy and technical deterrents to cyber-related crime.
Brian Carrier, VP of Digital Forensics at Basis Technology in Cambridge, MA.
In this role, Brian builds incident response software, open source software, and custom software to enhance digital investigations. He is the primary developer of the open source projects The Sleuth Kit, Autopsy 1 and 2, mac-robber, and TCTUTILs. Additionally, Brian chairs the annual Open Source Digital Forensics Conference (OSDFCon), which examines the latest open source tools and techniques.
How did you start in Cybersecurity? What initially pulled you in?
I was an intern in the mid-'90s when the company got its first internet connection. I got involved with setting up their Linux-based firewall. I then got interested in forensics when the first open source tools started to be released in 2000ish (The Coroner’s Toolkit) and started to expand on them because I wanted to learn more. I was working at @stake at the time and we needed incident response tools for our work, so we built them and released them as open source. I’ve been maintaining and involved with The Sleuth Kit and Autopsy ever since.
What are some products or solution spaces you’re watching and excited to see grow?
I focus a lot of my time on easy-to-use products that help companies do their own basic incident response and forensics. The basic idea is that as companies gain security maturity, they need to be able to respond to incidents, but most won’t have forensics experts on staff.
Many companies will respond to a SIEM alert by looking at antivirus logs. If the antivirus is happy, then they are happy and that is all they can do. We want to enable companies to go a bit deeper and help them analyze additional data, which is why we’ve been building our Cyber Triage product.
I think this is a growing space because more companies need to do basic investigations, but don’t have the skills or resources to do it.
What do you think makes open source different?
I like open source because it allows for a community to be built around the software. We organize an annual Open Source Digital Forensics (OSDFCon) conference each year (http://www.osdfcon.org) that attracts over 400 people and it’s great to see the developers and users all get together. They are both passionate about the software and what it can do.
From a digital forensics perspective, there is also the benefit of the software being reviewable when entering digital evidence into a court trial. Anyone can verify how it works and you do not need to rely on a software vendor to testify.
Jason Meller, Co-founder and CEO at Kolide.
At Kolide, Jason and his team are harnessing the power of Osquery to solve cybersecurity issues using accurate, timely, and queryable data. Prior to founding Kolide, Jason started as a member of GE’s elite computer incident response team, before moving to the Mandiant corporation and then FireEye following Mandiant’s acquisition.
How are you related to Osquery and what do you think is so powerful about it?
My co-founder Mark Arpaia created Osquery while he was at Facebook. I started Kolide because I am a fan of Osquery. It just so happened that we were able to recruit him onto the team. From my perspective, Osquery is just really exciting. It’s the first open source solution that really resonates with people who want to pull accurate and timely data from their endpoints. I think the fact that it is open source, and that there is so much community support behind it, is exciting for many reasons. The first is that the existing proprietary software vendors have their own agents, which are these closed source, black box things. The future of host instrumentation is going to become a commodity. There are finite things you can pull from a host that are going to be interesting. Eventually, someone will produce an agent that will pull all of those things as performantly as possible. I think that solution will be an open source one. I think Osquery is in the best position to do that. As far as building a business, we believe that this thing is going to be a commodity, so the value is in what we do with that data, what insight and value we are deriving from the data that Osquery collects. That’s what Kolide is all about – making a big bet on Osquery. We really want to grow that community. We think it is an awesome piece of technology, and that the future of the business isn’t necessarily the collection of the data, but what value you can get from it, which provides insight and lets you make competent security decisions, DevOps decisions – or any decision where you need accurate and timely data from the host.
Why do you think Osquery is so popular on GitHub?
We kind of talk about the number of stars it has in relation to other security projects, but I think at the end of the day it’s because it’s so useful that it actually transcends the very narrow use case of cybersecurity. It basically allows you to ask any question you can conceive of to the endpoint and get an accurate answer as quickly as possible. The raw utility of that goes far beyond security. Getting good, accurate information as quickly as possible is an amazing capability to have to solve security problems, but it also solves a lot of other problems. One thing that I was really surprised about when we started Kolide was the number of people that cared about the security aspect, but also used Kolide to get basic data about what’s going on on the Macs that their employees use: the configuration, is the firewall enabled, is it running these rules, etc. These are very basic things that are hard to collect, because no one is really focusing on Mac and Linux from an agent perspective. Osquery treats those as first class citizens.
What will people learn by attending your talk at OpenSec?
I’m going to be talking a lot about Osquery itself. We’re not going to make this a commercial pitch for the product. We want people to get excited about Osquery. If you have never used Osquery before, and want to figure out what it is all about, how to install it, and ways that it can solve some problems out of the box, you should attend the talk. We are going to walk you through every important facet of Osquery, and give you the materials you need to consider it seriously for your own use cases at your organization. If you are looking for a nice primer for dealing with Osquery, this is the talk you want to attend. You will get a lot of perspective. We know a lot of the sharp edges, and things to avoid that the documentation doesn’t necessarily state explicitly. It should be a fun talk for people who are psyched about Osquery, but also about using open source solutions to deal with security issues surrounding endpoints at small or large organizations.
Originally posted at hacksecure.org/