Instrumenting Dynamic Environments with Source Control, Peer Review, and Decentralized Intelligence Distribution


Osquery configurations often start simple and static, but as the complexity of an osquery deployment grows, so does its dynamism, to the point where a complex server installation is required to group sets of hosts together and target them for analytics and threat hunting.

This talk introduces some lessons learned from Kubernetes, a container orchestration platform, on how to effectively decouple and manage configurations of interrelated components.

We will discuss how to reason about higher-level instrumentation objectives and share components as decentralized, atomically distributable intelligence.

Finally, we will explore the open-source ecosystem and established best practices so that attendees can begin managing and sharing host instrumentation capabilities this way and see immediate improvements to those capabilities.

May 31, 2018
San Francisco, CA