Facebook successfully ported its SQL-powered detection tool, osquery, to Windows this week, giving users a free and open source method to monitor networks and diagnose problems.
The framework, which converts operating systems to relational databases, allows users to write SQL-based queries to detect intrusions and other types of malicious activity across networks.
Facebook debuted the open source tool in 2014 as cross-platform, but for the last two years it was only supported on Ubuntu, CentOS, and Mac OS X operating systems. Facebook isn’t the biggest Windows shop, but the company confirmed in March that because so many users were asking for it, it was building a version of the tool for Windows 10.
The tool reimagines running processes – concepts such as loaded kernel modules and open network connections – as SQL tables to better assist in visualizing data. Nick Anderson, a security engineer at Facebook who announced the news on Tuesday, said the security team regularly uses the framework to gather information on browser extensions used on its corporate network. The tool makes it easier for them to single out and remove malicious extensions.
“As adoption for osquery grew, a strong and active community emerged in support of a more open approach to security,” Anderson wrote, “We saw the long-held misconception of ‘security by obscurity’ fall away as people started sharing tooling and experiences with other members of the community.”
Mike Arpaia, a former Facebook engineer who worked on osquery’s development team announced initial plans for the Windows osquery version in March and promised it would have cross-platform support, a monitoring daemon, and an active development system. Arpaia left Facebook this summer and co-founded Kolide, a Boston-based startup that uses osquery to help companies better monitor their infrastructure.
source: threatpost