Open Source Security Agents Promise Greater Simplicity, Flexibility

A smattering of security startups are building ecosystems around the open source security agent osquery as a way to allow companies to reduce their reliance on proprietary software and to customize the IT monitoring and security tool to their needs.

On Oct. 17, endpoint management firm Fleet updated its lightweight osquery agent with the capability to execute scripts on managed hosts, allowing the agents to not only monitor systems, but to manage them and respond to incidents as well. Enterprises have seen a proliferation of agents over time, with separate agents to manage antivirus, firewalls, logging, data security, and configuration now common, to name a few.

The result has been complexity creeping into IT management and security operations, says Mike McNeil, co-founder and CEO of Fleet.

"On one hand, you've got people that are buying these giant monolithic things, and then on the other hand, you've got the people that are stringing together a bunch of open source tools, and you end up with these architectural diagrams that are a big — frankly, kind of a big mess," he says. "I think that people are looking for a consistent interface to everything, something that's a little bit more modular."

Many companies are fighting back against the creep of complexity by using osquery as the universal endpoint agent, says Santiago Bassett, founder and CEO of Wazuh. Facebook originally developed osquery for internal use and then open-sourced it in 2014. The osquery agent monitors the operating system's state, saves it in an SQL database, and allows administrators to query the agent to receive information about the system, such as log analysis, compliance state, configuration management, and results of security checks.

"That's the trend, where users are consolidating different agents that have very specific purposes, and now they have [fewer] agents that are more comprehensive, more horizontal, that deliver more capabilities," he says. "I wouldn't be surprised if there are more initiatives to say — this specific capability that everybody is actually using relies on the same source code, which is open source, so let’' all agree on using that same [agent]."

Osquery, the Universal Endpoint Agent?

The idea of using osquery as a universal endpoint monitoring agent is one at least as old as the open source agent itself. Other open source tools, such as Sysdig and OSSec, have some overlap in functionality with osquery but different focuses. Sysdig allows the low-level instrumentation of the kernel, which makes it a popular way to monitor containerized applications in the cloud, while OSSec is focused on host-based intrusion detection (HID) and compliance on Linux and Windows systems.

A variety of companies have based their technology on osquery, which works on Windows, MacOS, and Linux systems. In addition to Fleet, open security platform Wazuh, zero-trust solution provider Kolide, open source Apple device manager Zentral, and cloud and endpoint management firm Uptycs all use osquery or integrate with systems already running the agent.

Security and IT management vendors have differentiated their offerings, but much of that differentiation can be accomplished in how the information provided by osquery is operationalized. The basic functionality of instrumenting the endpoint should not be that point of differentiation, says Wazuh's Santiago.

"Vendors are always going to have some interest in differentiating, of course, from other vendors that say, 'Oh, we add value here, we have value there,' but there are things that are already solved in the industry that we all do," he says. "There's really no way to add value to how I collect logs from a Windows system — I just read those logs."

From Passive Monitoring to Active Response

But companies do not just want visibility and monitoring, which is why Fleet added the ability to execute scripts using the osquery agent. Using the capabilities, which other providers have as well, helps turn the agent into a tool for managing endpoints as well. Companies can now push patches to remote devices and shut down specific features, such as USB ports, to better secure systems and reduce their attack surface area, says Fleet's McNeil.

The goal is not to replace endpoint detection and response, but to give companies the ability to have greater visibility and, if they detect something odd, to do something about it, he says.

"The idea of self remediation — being able to detect malware with Yara and automatically you'll run a script to remove it or isolate the computer on the network — now you can kind of own all those tools and build that yourself any way you want," he says. "So the more we can simplify this and open it up, the better."