March 30, 2022

Last Updated on January 14, 2024

Open source software has long ago earned the respect of the developer community. But for business users it’s widely viewed as a bit like “dinner on the hoof”—created by coders for coders. If you don’t speak Python, what value does it have for your company?

When it comes to security software and especially device management, open source advantages like transparency and flexibility might rate a second look.

To share the business and security value propositions for open source device management, Mike McNeil, CEO at Fleet Device Management, joined a recent episode of The Virtual CISO Podcast. The show’s host is Pivot Point Security CISO and Managing Partner, John Verry.

What is osquery?

One of the top open source device management solutions is osquery. It was originally created to reduce the need to write and maintain multiple, operating system specific scripts to gather data about servers and laptops.

By allowing you to interrogate any device it’s installed on using SQL queries—as if the device were a database—osquery standardizes the query process and makes it system-agnostic. You can find out anything from battery health to fan speed to process events on Windows, Linux or MacOS systems (and soon Android and eventually iOS) with the same query.

So, what do you need Fleet for?

You can think of Fleet as a way to really get the most utility from osquery. The primary pain point that Fleet addresses is that osquery can only interrogate one device at a time. There’s no way with the “vanilla” osquery to send a query to multiple devices at the same time and collect all the answers it gets back. Further, osquery doesn’t offer much in the way of a UI to streamline management of a “fleet” of devices.

Enter Fleet. It gives you a query console where you can type and auto-complete your SQL. You can see in the Fleet sidebar all the roughly 400 built-in tables that exist in osquery. So, you can more easily search for and author queries through the UI. You can also save queries in Fleet, as well as share them with other people on your team, manage which queries are scheduled to collect data from which devices, and more.

Top Fleet use cases

Currently there are over 1.65 million endpoints under management with Fleet, many of which are servers. The use cases center around device visibility first and foremost, as well as incident response.

“We’ve found that people are using Fleet for, number one, the idea that they can pop in a quick, live query. It’s the peace of mind of knowing that, “Okay, I’ve got my 20,000 servers and laptops enrolled and I want to find out right away if there’s a Log4j vulnerability on any of these devices.”

The incident response use case involves collecting data with various query possibilities in mind, and then putting the data into Splunk or another tool for historical analysis. Then, if there’s a potential incident, you have a record of interesting data that you can query or alert against. Since Fleet resides on the endpoint, it’s able to gather more and different data versus a remote query tool.

Even just knowing the inventory of installed software, or what USB devices are plugged in, can be highly valuable. The “core” osquery code is read-only. But various extensions open up other possibilities.

Fleet and the osquery developer community are hard at work adding new use cases. One is vulnerability management; that is, the ability to automatically create tickets when new vulnerabilities (CVEs) match devices on your fleet. Another is support for policy enforcement. Say you decide no one can have Zoom installed. With Fleet, you can create a policy that says, “Zoom is not installed.” Then, if that ends up not being true, Fleet can create a ticket and the IT team can take it from there.

What’s next?

To hear the podcast with Mike McNeil from Fleet Device Management end-to-end, click here.

Concerned about the security and legal implications of leveraging free open source software (FOSS)? Check out this blog post: Free Open Source Software (FOSS) Risks