Facebook Debuts Open Source Detection Tool for Windows

Facebook finished porting its SQL-powered detection tool, osquery, to Windows this week.

Facebook successfully ported its SQL-powered detection tool, osquery, to Windows this week, giving administrators a free and open source way to monitor the hosts on their networks and diagnose problems.

The framework, which exposes an operating system's state as a relational database, lets users write SQL queries to detect intrusions and other kinds of malicious activity across the machines they manage.

Facebook debuted the open source tool in 2014 as cross-platform, but for the last two years it was only supported on Ubuntu, CentOS, and Mac OS X operating systems. Facebook isn’t the biggest Windows shop, but the company confirmed in March that because so many users were asking for it, it was building a version of the tool for Windows 10.

The tool presents operating-system state, such as running processes, loaded kernel modules and open network connections, as SQL tables, so a question about a host becomes a query and the answer comes back as rows. Nick Anderson, a security engineer at Facebook who announced the news on Tuesday, said the security team regularly uses the framework to inventory the browser extensions installed on its corporate network, which makes it easier to single out and remove malicious ones.
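To make the "system state as tables" idea concrete, here are three queries of the kind described above, written for osquery's interactive shell, `osqueryi`. They are an added example, not code from the article, from Facebook or from the osquery project; they assume the table and column names of osquery's documented schema (`users`, `chrome_extensions`, `processes`, `process_open_sockets`, `listening_ports`) and a host on which those tables are implemented. The filter on `update_url` and the choice of `127.0.0.1`/`::1` as "uninteresting" remote addresses are the example's own assumptions, not rules from the page.

```sql
-- Added example (not from the article or the osquery project).
-- Run each statement in `osqueryi`; the same text can be scheduled in osqueryd.

-- 1. Browser extensions per user, the use case Facebook describes.
--    chrome_extensions is keyed by uid, so it is joined to users to tell
--    osquery which profile directories to read.
SELECT u.username,
       e.name,
       e.identifier,
       e.version,
       e.update_url,
       e.path
FROM users AS u
JOIN chrome_extensions AS e USING (uid)
-- Assumption for this example: anything not updated from the Chrome Web Store
-- is worth a second look (side-loaded or enterprise-pushed extensions).
WHERE e.update_url NOT LIKE 'https://clients2.google.com/%'
ORDER BY u.username, e.name;

-- 2. Open network connections tied back to the process and binary that owns
--    them, so an unexpected talker stands out.
SELECT p.pid,
       p.name,
       p.path,
       s.local_port,
       s.remote_address,
       s.remote_port
FROM processes AS p
JOIN process_open_sockets AS s USING (pid)
WHERE s.protocol = 6                      -- TCP (IPPROTO_TCP)
  AND s.remote_port != 0                  -- drop unconnected/listening sockets
  AND s.remote_address NOT IN ('127.0.0.1', '::1')  -- assumption: ignore loopback
ORDER BY p.name, s.remote_address;

-- 3. Services listening on all interfaces, joined to their owning process.
SELECT l.port,
       l.protocol,
       l.address,
       p.pid,
       p.name,
       p.path
FROM listening_ports AS l
JOIN processes AS p USING (pid)
WHERE l.address IN ('0.0.0.0', '::')
ORDER BY l.port;
```

Run interactively, each query returns a snapshot. Scheduled in `osqueryd`, the same statements produce differential logs, which is where the detection value lies: a new extension row or a new listening port shows up as an "added" record rather than as one line among hundreds.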

“As adoption for osquery grew, a strong and active community emerged in support of a more open approach to security,” Anderson wrote. “We saw the long-held misconception of ‘security by obscurity’ fall away as people started sharing tooling and experiences with other members of the community.”

Mike Arpaia, a former Facebook engineer who worked on osquery’s development team, announced initial plans for the Windows version of osquery in March and promised it would have cross-platform support, a monitoring daemon, and an active development process. Arpaia left Facebook this summer and co-founded Kolide, a Boston-based startup that uses osquery to help companies better monitor their infrastructure.

Developers from the computer security firm Trail of Bits, who worked with Facebook on the port, said that bringing osquery to Windows wasn’t without its troubles.

Functionality for some tables had to be recreated, bugs had to be fixed, and substitutions had to be made for platform-specific components, Artem Dinaburg, one of the developers, wrote on Tuesday. To keep it useful for intrusion detection, the team had to re-engineer tables that are integral to osquery’s core, such as those that read running processes, on top of Windows APIs. And because osqueryd is a long-running background daemon, the developers had to add Windows service support, along with a management script, so the daemon can be installed, started and stopped like any other Windows service.

Dinaburg points out that, like the Unix version, osquery for Windows supports TLS remote endpoints with certificate validation. That means administrators can use existing osquery fleet-management tools such as Doorman, which lets users centrally manage the configurations that enrolled nodes retrieve, with the Windows version as well.

Now that the tool runs on all major desktop operating systems, it should be much easier for network administrators to monitor their systems, Dan Guido, Trail of Bits’ CEO, said Tuesday.

“Since osquery is cross platform, network administrators will be able to monitor complex operating system states across their entire infrastructure,” Dinaburg wrote. “For those already running an osquery deployment, they’ll be able to seamlessly integrate their Windows machines, allowing for far greater efficiency in their work.”

Both Trail of Bits and Facebook are hoping that organizations running Windows rather than Mac OS X or Linux will look into osquery, extend its code base and use it to secure their systems.

Discussion

  • Mark on

    Sounds awesome! Who comes up with these ideas? Took me a good 5 minutes to get my head around using SQL to query for system events. Nevertheless, very cool.
