The Power of Osquery for Financial Technology
FinTech security teams are tasked with a big job: defending the ever-evolving attack surface that comes from using technology as a differentiator in the world of investment and consumer banking, cryptocurrency, and more… all while remaining compliant with multiple federal and state regulations.
FinTech organizations are always looking to innovate, and that carries over into their security teams as well. The notable shift to cloud native environments has spurred these security teams towards solutions that provide reliable, flexible, and in-depth coverage as they scale up.
To protect their IT ecosystem, security teams not only implement traditional security controls for on-prem solutions, but they’re also focused on new threats looming in their cloud native infrastructure. In this blog we’re going to dig into what’s become a hidden superpower for FinTech security teams and some real-world examples of how they’re using it. Let’s break down why security teams are turning to osquery as a key security solution.
Osquery: The Differentiator for FinTech Security Teams
So, how are they making cloud native security at scale happen? It all starts with good people and processes, of course. The first technical step for any team is to understand your environment and the assets you are protecting. In this stage you will look to get rich visibility into your assets, giving you that clear foundation to perform best practices like proactively hardening your assets or detecting anomalies across your environment. To achieve that foundation of deep visibility, teams are using the osquery universe to support a strong analytics-centric security program.
For the unfamiliar, osquery is an efficient, scalable agent that collects a vast amount of telemetry from macOS, Linux, Windows, and container workloads. The lightweight agent normalizes data into readily queried SQL tables, making it easy to ask questions of your assets, track compliance configurations, detect anomalies or malicious signatures, and understand in depth the real-time state of your security posture.
Through two extensions developed by Uptycs (kubequery and cloudquery), osquery’s concept of structured security analytics has been extended to support Kubernetes and cloud service providers like Amazon Web Services, Google Cloud Platform, and Azure. When thoughtfully deployed, this tooling supports a unified endpoint and cloud native application protection program to comprehensively cover your asset fleet.
Robust, osquery-powered security analytics can drive support for nearly limitless use cases: proactive (audit and compliance, software asset management), reactive (detection and investigation), and protective (blocking, remediation, governance).
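As an added illustration (not code from this page, from Uptycs, or from any of the teams mentioned), here is a constructed osquery query pack that turns the three use-case groups above into scheduled queries: audit/compliance and software inventory as snapshot queries that return the full result every run, and detections as differential queries whose newly seen rows surface in the "added" set, which is the pattern a detection-as-code workflow versions in git. The table and column names are real osquery tables; the intervals, the per-query platform restrictions, and the listening-port allowlist (22, 443) are assumptions for this example.

```json
{
  "queries": {
    "compliance_unencrypted_volumes": {
      "query": "SELECT name, type, encrypted FROM disk_encryption WHERE encrypted = 0;",
      "interval": 3600,
      "snapshot": true,
      "platform": "darwin",
      "description": "Audit (constructed example): hourly snapshot of every volume that is not encrypted, kept as compliance evidence."
    },
    "compliance_sip_disabled": {
      "query": "SELECT config_flag, enabled FROM sip_config WHERE config_flag = 'sip' AND enabled = 0;",
      "interval": 3600,
      "snapshot": true,
      "platform": "darwin",
      "description": "Audit (constructed example): macOS System Integrity Protection has been turned off on this endpoint."
    },
    "inventory_installed_apps": {
      "query": "SELECT name, bundle_identifier, bundle_short_version AS version, path FROM apps;",
      "interval": 86400,
      "snapshot": false,
      "platform": "darwin",
      "description": "Software asset management (constructed example): daily differential run, so only installed, removed, or upgraded apps are logged as added/removed rows."
    },
    "detect_deleted_binary_running": {
      "query": "SELECT pid, name, path, cmdline, uid FROM processes WHERE on_disk = 0;",
      "interval": 60,
      "description": "Detection (constructed example): a running process whose executable was removed from disk after launch; each new match appears once in the added set."
    },
    "detect_unexpected_listener": {
      "query": "SELECT lp.port, lp.protocol, lp.address, p.name, p.path, p.cmdline FROM listening_ports lp JOIN processes p USING (pid) WHERE lp.port > 0 AND lp.address NOT IN ('127.0.0.1', '::1') AND lp.port NOT IN (22, 443);",
      "interval": 300,
      "description": "Detection (constructed example): a network listener outside the port allowlist; 22 and 443 are placeholder values to replace with the fleet's expected services."
    },
    "detect_privileged_container": {
      "query": "SELECT id, name, image, privileged FROM docker_containers WHERE privileged = 1;",
      "interval": 300,
      "platform": "linux",
      "description": "Detection (constructed example): a container started with --privileged on a production host, which escapes most of the isolation the cluster relies on."
    }
  }
}
```

Load the pack by referencing its path under the `packs` key of the osquery configuration; differential results can then be routed to the team's SIEM or alerting pipeline.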
If you’d like to start learning about the osquery universe from ground-zero, here is where you can get started:
Osquery at Work with FinTech Security Teams
One of the great things about the osquery universe is the support and knowledge sharing in the user community. Uptycs helps usher this along through the annual osquery@scale conference that brings together stories from organizations that are building industry-leading security programs with osquery as a core part of their IT ecosystem.
Here is a look at two past presentations that highlight the benefits of using osquery:
Detections at Stripe
Financial services platform Stripe prioritizes proactive, hands-on security observability across all their deployments, with the goal of automating threat detection and response workflows. This presentation, from Stripe Security Engineer Russ Nolen, digs into their methodology for optimizing osquery to support the following:
● Security observability at scale
● Ability to analyze behavioral changes or anomalies
● Detection-as-code automation
Stripe has generously shared more content about their experiences with osquery and why they feel confident deploying the lightweight osquery agent to critical production servers. You can learn more about the steps taken to ensure low resource utilization here.
DevOps and Container Security at Ethos
Ethos is a fast-growing insurance technology organization dealing with the typical challenges of a cloud native environment. Most productivity endpoints across the organization are macOS, where developers build in their local IDE and then push their code through a CI/CD pipeline that ends in a 100% containerized production workload running in Kubernetes clusters. In order to confidently and securely deliver their applications, this approach calls for strong end-to-end security observability throughout the entire DevOps process.
In the video below, Ethos’s Vice President of Security, Ody Lupescu, talks about using osquery telemetry to analyze DevOps processes and how to improve the experience for engineers working in their local IDE. The second half of the talk covers tracing workloads through the CI/CD pipeline from start to finish, from an engineer’s local IDE all the way to production. Lupescu helps bring to light how osquery can reduce friction for his DevOps teams, as well as bring secure tracking to how every one of their workloads is developed, staged, and deployed.