March 22, 2022
Reading Time: 26 minute(s)
EP#81 – Mike McNeil – Is Open Source the Future of Endpoint Security?
Open source is a transparency issue. Being able to see what code is running on your computer — as well as what’s being monitored — gives you practically SaaS-level visibility across data, apps, and usage.
In this episode, former open source developer Mike McNeil, CEO at Fleet Device Management, an open source company, talks with me about why open source is so imperative.
Join us as we discuss:
- The business impact of open source
- Why open source grants such necessary visibility
- How the open source community removes friction
- Vulnerability management and automation
- What’s next for Mike and Fleet
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
Mike McNeil (00:00):
And automation helps, right? I mean, you can do a lot of this stuff in your continuous integration pipeline that runs when people are trying to make changes, but there’s inevitably human quality checks that you’re going to want to apply.
You’re listening to The Virtual CISO Podcast, a frank discussion providing the best information security advice, and insights for security, IT, and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.
John Verry (00:37):
Hey there, and welcome to yet another episode of The Virtual CISO Podcast. With you, as always, John Verry, your host. And with me today is Mike McNeil. Hey Mike, how are you today?
Mike McNeil (00:48):
Hey, John. I’m great. How are you?
John Verry (00:50):
Good, good. I’m looking forward to our chat. I appreciate you coming on. I always like to start super simple. Tell us a little bit about who you are and what is it that you do every day?
Mike McNeil (01:02):
Yeah, so I’m originally an open source developer. Now I’m a CEO, and I spend all day figuring out how to do that, usually. So that involves talking to customers, helping support our product development, and figuring out what we need to build next and operate the company.
John Verry (01:20):
Yeah. So I think one of these days I’ll probably really have to have a podcast that focuses on that transition from, “One day I’m a tech guy, to the next day I’m the CEO of a company,” because it’s definitely a little bit of an adjustment, isn’t it?
Mike McNeil (01:33):
John Verry (01:35):
Talking about a bunch of crap you never thought you’d care about, right?
Mike McNeil (01:40):
John Verry (01:41):
All right. We have a tradition here. Before we get down to business, I always ask what’s your drink of choice?
Mike McNeil (01:46):
Ooh, I’m pretty variable. But right now I think I would go for something with matcha and some rum or vodka, something like that.
John Verry (01:56):
Matcha and rum or vodka. Where do you live that you can go to a place and get a drink that sounds that way? Or are you making this in your kitchen? Are you like the mad scientist, drinkologist, mixologist, right? Where do you go, hang out at hip bars as a mixologist?
Mike McNeil (02:11):
It all started when I was four years old in the bathtub. Nah. I usually just tinker, and yeah, there’s some really great Japanese restaurants around that do some stuff like that have been inspiring.
John Verry (02:24):
Well, I’ve never done that, and now I will be out looking for that because I like matcha, right? The only problem with matcha, I have some matcha here at the office, and the only problem I have with the matcha is that it’s hard to get it to froth right. They sell these little bamboo mixers and stuff of that nature. But no matter what I do, I always end up with like a thick green film at the bottom of the cup. Yeah, yeah.
Mike McNeil (02:47):
That’s the best part.
John Verry (02:50):
Exactly. So yeah, I’m going to have to go for that now. And it’s funny, though. They do it with a vodka instead of doing it with a sake?
Mike McNeil (02:55):
I’ve seen it with both.
John Verry (02:57):
All right. Yeah. Because when my kids were young, we always used to do the hibachi steakhouse places. And of course, I would have to go sake if you were going to a Japanese steakhouse, right? It would be an appropriate task for anything else. So I actually do enjoy a good sake if you get one.
John Verry (03:15):
All right. So let’s get down to business. To frame this conversation, it’s an interesting conversation for me because at one point, open source was this conversation that you had all the time with people, and you debated open source and all that kind of fun stuff. So it’s definitely an old concept, right? It goes all the way back to, I think, Netscape Navigator was probably one of the first major open source projects, and it gets a lot less attention than it used to. So I know you are a former open source developer and you are an open source company. Why is open source, from your perspective, so important?
Mike McNeil (03:48):
So in the world of device management, in particular, you’ve got pretty much all the same things you normally have with open source. You want to be able to see the code, as someone using it. You want to be able to modify it, even, fork it, potentially, so you’re not locked in. But especially with code that monitors our computers, it’s really nice to think that, “Hey, we can actually see …” Much like if you use Signal for text messaging, right? The idea that anybody along the chain can take a look and see what code is actually running on their computer and what’s being monitored about them is pretty valuable.
John Verry (04:25):
So from your perspective, it’s a transparency issue. In the security world, we obviously want to definitively understand the information that we’re getting and be able to validate its authenticity and that it was appropriately captured. That’s the value prop?
Mike McNeil (04:42):
I think that’s the visceral emotional value prop for me that gets me excited in the morning. I think it gets a lot of our customers and users excited. But at the end of the day, from a business perspective, it’s really that freedom and flexibility of knowing what’s in the code and being able to change it.
John Verry (04:58):
And now you’re black magic, right? What you live and work with every day is Osquery. What is Osquery, and what does it do?
Mike McNeil (05:06):
Yeah. So Osquery started at Facebook a few years back, 2016. Mike Arpaia and Zach, my co-founder, created Osquery to solve a problem that they were having, which is they were trying to write and run shell scripts for Mac and PowerShell scripts for Windows and then scripts for Linux to be able to harvest information out of their servers and their laptops. And Osquery is a way to do that in a standardized way. So you don’t have to write a script for Linux and a separate script for Windows. You can just write a SQL query, and then query the devices as if they were a database. And they’ll just respond the same way a database would.
John Verry (05:48):
So back in the day, I coded at one point in my career. It’s been a long time ago. Visual Basic 6.0 is when I got out. That tells you how long ago it was. So it sounds a lot to me like the same idea of ODBC, right? You had this layer of abstraction, so it really wouldn’t matter. You could write code once, and it wouldn’t matter if you weren’t against Oracle or SQL or some other database. Same idea, really. So in other words, I can send the same request and I don’t have to worry about what operating system is running on that endpoint device.
Mike McNeil (06:19):
A hundred percent. And this is even just going one step further and saying, “Instead of it being just data in a B tree somewhere, we’re talking about real physical computers.”
John Verry (06:28):
Yeah. So when you talk about endpoints, what would you define in today’s … And this is an interesting question, right? It’s like, how do you define IoT, and what’s an IoT device? You get very different answers. You’d think we’d get the same answer. So I’ll ask you that question. What would you define these days as being an endpoint?
Mike McNeil (06:45):
So what we can handle with Osquery, I’ll start there, is Mac, Linux, and Windows. So whether it’s a server or a laptop, or really any kind of hardware running one of those operating systems, you can query it. But I would say that it’s fair to say that iOS and Android are still endpoints. They’re just not supported by Osquery today.
John Verry (07:06):
Gotcha. And just out of curiosity, you’re obviously integral to the Osquery world. What’s the likelihood that they’re going to continue adoption onto other … I mean, is that already a planned issue where you’ll be able to do this on other types of endpoints?
Mike McNeil (07:22):
Android is something that a few steps have been taken towards already, and I know there’s some active interest now, and some folks that are working on making it happen. iOS is probably a little further in the future.
John Verry (07:33):
Gotcha. All right. So Osquery is an agent or a piece of software, like a daemon, a process that’s going to run on … So you need to install this on each of these endpoints, right?
Mike McNeil (07:44):
John Verry (07:45):
And then you, through SQL, are going to be able to gather just a crap-load of information, almost as if you were sitting on the device as an admin, correct?
Mike McNeil (07:54):
Totally. Everything from battery health to fan speed to process events, eBPF, which is just another way to monitor. It’s an alternative to the audit framework for monitoring what’s going on, on a device.
John Verry (08:07):
Gotcha. So you started a company called FleetDM, and like I was reading, or no, I actually saw you on a TV program or internet program. I don’t know what you call them these days. I sound like an old man suddenly. I was watching the internet thing and I saw on TV program.
Mike McNeil (08:26):
[crosstalk 00:08:26] Yeah.
John Verry (08:30):
Yeah. You weren’t on Netflix. I knew that. You weren’t on Netflix. So you made a comment that I found shocking, and know how long ago this was, but you said something like in the last like year and a half or two years, you’ve gotten to a point where you’ve got 1.65 million devices that you’re actually under management with FleetDM. I find that shocking and amazing, and be jealous. You’re a good CEO. Congratulations. It’s probably why you’ve done very well with some funding, and there’s a lot of people excited about working with you guys.
John Verry (09:04):
But to get to that level of success is amazing in that short period of time. So what are the specific, whether it’s verticals, whether it’s use cases, that are driving it? Is it around just visibility? Is it around incident detection, incident response, some combination of both? Are people saying, “Hey, I’m not going to use SentinelOne or Carbon Black. I’m going to use Osquery”? How did you get that big that fast?
Mike McNeil (09:27):
So a few companies are saying that, which is brave and exciting for the future of open source security. Most folks are still using their Carbon Black or their endpoint detection response tool, their EDR. And it’s both incident response and visibility. It’s more visibility right now. And I would say a lot of that device count is actually servers. So we’re not necessarily saying there’s 1.65 million laptops enrolled, right? Because that would be even more exciting, but some of those are laptops, some of them are servers, and a lot of them are servers. We can’t say exactly what kind of Linux device we’re looking at, but when we see a Linux device in anonymous statistics, we tend to assume it’s probably a server, statistically speaking.
John Verry (10:13):
Gotcha. Obviously, you give them this dashboard that helps them manage and peruse, view, surf the data. From that, what can you infer about why they’re using this? Are they using it more like traditional network visibility where they’re just wanting to understand where the devices are, or are they using it more like patch configuration management? Can you tell when they’re using it for some type of incident response? Can you see them run certain types of processes that give you some sense of what they’re actually using it for? Do you know what the use case is? I mean, you know these agents are sitting somewhere. What are they doing with it all the time?
Mike McNeil (10:54):
Yeah. Well, all this to alleviate anyone listening who’s worried about what we can see. So this is a self-managed solution, right? So we collect anonymous usage analytics, which you can turn off, but we don’t have that kind of SaaS level visibility into how people are using the tool, and the user interface is open source. Literally, all of the code is source available. So in terms of what we can see about a user journey through the app, we get a lot of what we learn from talking to people and just hearing what they tell us. But what we’ve found that people are using Fleet for, number one, is this idea that they can pop into a quick live query. So the peace of mind and knowing that, “Okay, I’ve got my 20,000 servers enrolled and I want to find out where is Log4j on any of these servers in these laptops. Could be on any of my computing infrastructure, and wherever it is I want to know right away.”
Mike McNeil (11:52):
Then there’s the other part of it, which is like, “Hey, let’s collect the data, maybe on an hourly basis, maybe the frequency varies on which query we’re talking about, but let’s start actually putting this data into Splunk or one of our other tools where we can have it sit there for a while, at least, for historical analysis. So if something does happen, we have a record of all of the interesting data about these devices that we can go query, or we can set up alerts for on that side.”
John Verry (12:20):
That’s interesting. So if somebody was using something more like SolarWinds or a Nagios or something of that nature, collecting that data is usually done using SNMP, simple network management protocol, and walking the MIB tree, I think they used to call it, right? So they’re actually using this as an alternative to a conventional network management, network monitoring solution of that nature?
Mike McNeil (12:45):
Yeah. Because being on the endpoint, you can get a little bit more information, and you’re not necessarily fighting with the same protocols and encryption that you might on the network. There can be a lot of data on the endpoint that might be hard to get on the network. So even just knowing the inventory of installed software, for example, or the USB devices that are plugged in.
John Verry (13:06):
Gotcha. Now you mentioned Log4j before.
Mike McNeil (13:09):
John Verry (13:10):
Right. So that’s a case of where we have a zero day or we have a known security issue of note, so they’ll use the tool at that point to do a very, very quick inventory, understand why they have an issue so that they can get those systems patched quickly.
Mike McNeil (13:28):
Exactly. I mean, I talked to a friend of mine that works at a hospital, actually. And he normally doesn’t even get involved in security. He’s an app developer, but when Log4j happened, there were a few servers that he owns, apps that he owns, and even in his line of work, he suddenly found himself following through on that security use case and just trying to see, “Okay, where do we even have Java running? Where is this jar that could be potentially an issue?”
John Verry (13:54):
Gotcha. And then in terms of … I’m not familiar with exactly how far I can go with Osquery. I mean, does Osquery support the ability to write and make changes on a device as well? And maybe Osquery does or doesn’t support this, but with additional capabilities, would you be able to automate patching based on that data, or pushing of a patch?
Mike McNeil (14:18):
So today, Osquery is all … I say today. In Osquery core, official Osquery, all you can do is select star or select whatever from. So you have that aspect of SQL. You don’t have insert into apps. There are Osquery extensions that support that today made by folks, smart folks, like Trail of Bits, and other Osquery engineers. So that is possible. And something that’s really, really interesting for the future, but yeah, today, Osquery is 100% read only.
John Verry (14:47):
Cool. So it would seem to me that, so you talked about transparency being a really significant advantage to open source. Cost, obviously, would be to open source. Is this community, development community … Those extensions you just talked about, right? That would be another major advantage to an open source platform, right? Because as somebody says, “Wow, it would be cool if I could do this,” Mike doesn’t have to do it all, or FleetDM doesn’t have to do it all. You’ve got this group of people that are consistently working to make this a better product?
Mike McNeil (15:21):
Yeah. I would say it has all the challenges and all the opportunities of any product’s development process. The difference is just that it’s all out in the open. So if we get a request, someone’s like, “Hey, a customer wants to put file carving, for example, the result of grabbing files from the system and stuff that into min.io, instead of sticking it into Amazon S3,” in the past, maybe there would be a closed source, and that would be a phone call, if it ever even happened, because now you’ve got to get a developer on the phone. Does anybody really want to pick up the phone and call me on Zoom? Right? I just want to make a quick little PR. And then maybe we have this feature request and it gets prioritized and it takes three weeks.
Mike McNeil (16:04):
But with open source, you can just do all the same kind of stuff. Either someone just actually writes a first pass at the code, or they create an issue and just ask for the feature themselves. And then it becomes apparent that it’s a use case. It removes the friction of having to run that whole thing through a prioritization process, having a customer success manager take it, note it down, file it away. All that stuff just gets put into the open, and people can just jump on it whenever they want because everybody can see it. It’s public.
John Verry (16:34):
Yeah. So does that mean you wake up in the morning and grab your coffee and look on Git and say, “I wonder if anyone added something cool last night,” and start looking at the code to say, “Oh crap, this is pretty cool. We can do some stuff with this”?
Mike McNeil (16:47):
Oh, man. I wish. I’ve heard people talking about the idea of just auto merging PRs, right? But what I learned from my-
John Verry (16:57):
I’m sorry. So real quick, real quick. PR?
Mike McNeil (16:58):
Pull requests. Sorry. Or merge requests, MR.
John Verry (17:01):
Yeah. Okay. Thank you.
Mike McNeil (17:04):
Yeah. And in the past, when I’ve done that before on open source projects, it’s really easy to feel guilty and start just merging code because people want it, they’re waiting on it. What I’ve learned is putting it out in the open doesn’t mean you can skip quality. So you still have to do all the things you need to do to merge that into your coding conventions. You’re going to have to maintain it forever, for the lifetime of the project, so it doesn’t necessarily mean that code gets merged faster. It just removes the barrier to entry to people suggesting or showing what they actually want to happen.
John Verry (17:37):
Right. And I’m assuming, like with any code, because I screw around occasionally in Python, and I’ll always go and see if I can find sample code that I can base something off of. But it’s never quite exactly what I want. It’s always something that I’ve got to work on a little bit and tune a little bit. So I’m assuming that you would find the same thing. “Hey, this is pretty cool. This guy’s allowing this to happen, but we’d also like to do it this way and this way.” And then, of course, you can’t trust that they’ve run it through your process for static code analysis and things of that nature. So that’s where you have to look at that, figure out what you can do, and then make sure you’ve taken it through your processes?
Mike McNeil (18:14):
Right. And automation helps. I mean, you can do a lot of this stuff in your continuous integration pipeline that runs when people are trying to make changes, but there’s inevitably human quality checks that you’re going to want to apply.
John Verry (18:27):
Yeah. You can’t get around people.
Mike McNeil (18:29):
John Verry (18:30):
So I’m assuming that here you are, you’re this open source developer, and you’re looking at all this potential goodness of Osquery, and you wake up one day and say, “Wow, folks are going to need something more than just Osquery to really take advantage of Osquery.” Is that where you got the idea for FleetDM? And talk a little bit about what FleetDM brings to the equation, right? Osquery is this wonderful open source project. I can go get that stuff myself. Why do I need FleetDM, right? What’s the value prop?
Mike McNeil (18:58):
Yeah. Well, I want to just call out, give some props to the folks who actually created Fleet, because I’m about a year and a half into this company, right? But Fleet, the project actually existed for years before. So in 2017 it was created with the folks at Kolide. Zach, my co-founder, was actually also a co-founder there. And when Kolide shifted to building a different product in 2019 that was a hosted product rebuilding everything, Zach ended up leaving and going and consulting on top of Osquery and focusing on that and focusing on Fleet.
Mike McNeil (19:39):
So the original pain point that Fleet was solving is Osquery is great, right? I can install it on all these devices and I can talk to them one at a time, but there’s no way for me to send a query to 1,000 devices at the same time and collect all those answers or do any of the UI stuff that I might want to do on top of all these devices. So Fleet, it solves that problem, right? It gives you a query console where you can actually type and auto-complete your SQL. You can just see in the sidebar all of your tables that exist in Osquery, which there’s like 300 or 400. So you can search, and then you can author your queries there. You can save them. You can share them with other people on your team, manage which queries are scheduled to collect data from which devices, and then you can also manage …
Mike McNeil (20:29):
More recently we’ve started adding a lot more use cases like vulnerability management, the ability to automatically create tickets when new CVEs, which are vulnerabilities, match devices on your fleet. And the same thing for policies, like Zoom, right? Let’s say that you decide no one can have Zoom installed. Now with Fleet, you can create a policy that says Zoom is not installed, and then if that actually ends up not being true, it’ll create a ticket and your IT team can jump in and deal with it.
John Verry (21:00):
Oh, that’s cool. So let’s talk about, you said something very interesting there. You said that vulnerability management is a use case. How does that work? So most organizations we work with have some type of a vulnerability scanning tool, whether it be Qualys, whether it be [inaudible 00:21:16] Rapid7, whether it be Tenable, Nessus, OpenVAS, something. Any device I have an endpoint on, could I use Osquery in a way to supplant or augment my vulnerability scanning tool?
Mike McNeil (21:31):
Yeah. And today I would say supplant. I would say try it, or I would say not supplant, rather. I would say try it and see because everybody has a different level of freshness they need. Our data source is the National Vulnerability Database, or NVD. So let’s say that you are using Rapid7 and getting a lot of value from that, but maybe your security team is really focused there. Maybe you have some other related use cases.
Mike McNeil (21:56):
You just want to know a little bit sooner, and you want to get the ticket in the hands of the right person, or you want a little bit more programmability, like you want to be able to use the API a little bit more or you want to be able to loop in your IT team and maybe involve Munki, that would be a great fit to check out the vulnerability detection in Fleet. So we’re not going to let you actually patch in Fleet today, at least. That’s not something that’s possible, but you can see a report of all of the devices on your fleet that have a problem. And then you can, if you want, even go a little bit further and automate the ticket creation based on that.
John Verry (22:35):
That’s cool. So in other words, you send out this query to 100 or 1,000 devices. Doesn’t really matter. The devices give you back the information. You run a process by which you’re looking that up against the vuln database, and anywhere where you see something that looks significant, you could then set a rule up that would say, “If the vulnerability is above a CVSS level X, automatically open a ticket in Jira.”
Mike McNeil (23:03):
Today, it’s just any CVE at all. But that is something we are working with, actually, right now with a company in the health tech space. And we’re working on building risk scoring into Fleet this year.
John Verry (23:18):
Yeah. That would be cool because you don’t want it for every … because, I mean, there’s going to be some stuff you really don’t … All right, that’s not significant enough that I need a ticket, but I would want to keep that habit somewhere and know about that data. And I’m just curious, how much does Fleet provide any dashboarding, or is that not really what its intention is? The expectation is that Fleet becomes the middle man and then the dashboarding would be on either a GRC platform, or it would be on a development platform? Is that what the expectation is? What parts does Fleet do and what parts should Fleet not be doing?
Mike McNeil (23:51):
Yeah. So we’re in the middle today. If you’re using a dashboard like [Sal 00:23:56] for Munki, and maybe you’re more on the IT side and you’re trying, or you’re trying to see some really, really high level stats on, “Okay, what’s our MDM enrollment like, for example, across our fleet of devices?” You’re not going to be able to see today the performance of your vulnerability management team in Fleet, like how long were vulns on the system before they got patched? But what Fleet has is all of that data. So if you do want to have like a Grafana dashboard that you’re building somewhere else, and you want to be able to pull that data in, Fleet is providing that for a lot of our users. And then we’re also providing a really simple set of dashboards that are convention over configuration and available out-of-the-box.
John Verry (24:44):
Yeah, I gotcha. Yeah. And if you were to think about it, I wouldn’t think that your long-term goal would be … I mean, that’s the realm of a GRC platform or something of that nature, something which is going to attract compliance, something which is going to attract security. I’m assuming that what your goal is to have all this wonderful data and then to be able to provide the APIs necessary for someone to get it to the system of record.
Mike McNeil (25:06):
Right. We, right now, at Fleet are what I think is the best way to collect data from all of these devices. And one of the things you can do with it is just stream it off to Splunk or your data platform, your SIEM, right? But another thing you can do with it is while it’s on its way through, you can add all of this extra value, giving you access to the inventory of the software, for example. Since we’re passing that data through anyways, we might as well go ahead and inventory that for you and enable some of the IT use cases that you have.
John Verry (25:39):
When you say inventory software, are we talking about inventorying the components of a software application?
Mike McNeil (25:46):
No, that would be really cool. But no more so-
John Verry (25:50):
I always started thinking to myself, “Wow.” But logically … Wow, yeah. Now we’re getting into another hole because now you’re going down the SBOM, the software bill of materials, which is a big, hot issue right now with the new SSDF from the government. And I was thinking you were heading in that direction. When you’re saying software, you’re talking about the applications that are running on an endpoint?
Mike McNeil (26:10):
Exactly. The actual installed stuff. So I’m talking Chrome extensions, Firefox plugins, Mac apps, Windows programs, any packages, like OpenSSL.
John Verry (26:19):
Okay. So if we don’t want certain packages on a device, if we don’t want Zoom on a device, you have the ability to tell me if they put it on. Again, let’s look out a little bit. With some of the changes that you talked about with people giving write access, if you will, to Osquery, and that might be the wrong term, but conceptually, if it’s SQL, I think of it as being read versus write, could you prevent that? I mean, can we go from being a detective control to a preventative control where you could literally prevent someone from installing that?
Mike McNeil (26:52):
Yeah. You can think of what policies in Fleet are today as motion detectors, right? You define a perimeter of acceptable use for your workstations and for your servers, even, and then you are collecting data about that, whatever. But those motion sensors, if you wanted to turn that into a big giant fence, it gets more complicated. So you need to use the MDM protocol, for example, if you want to limit config on macOS. Windows actually has something similar. Linux has a big gaping hole here. And there’s some differences between Ubuntu and other flavors.
Mike McNeil (27:31):
What we’ve learned is it’s not quite as simple as just build an Osquery extension and be able to lock down devices, but what you can do with an Osquery extension, which is pretty cool, and we’ve seen folks doing it, is you can actually enable queries to have side effects. So it’s possible to actually do writing on devices, using Osquery extensions. There’s some different philosophies around that. Not everybody is super cool with writes because they chose Osquery, because it was read only. So we’re trying not to cram anything down people’s throats there.
John Verry (28:02):
Yeah. Just out of curiosity, because the Osquery agent can be forked, you could have an Osquery agent that has no write capability, or you could have an Osquery agent that has write capability, and a user could pick whatever they wanted, right? So it’s not as if they would be vulnerable, per se, to someone writing unintentionally. They can prevent that from happening, and they’re in control of that destiny. Correct?
Mike McNeil (28:29):
Absolutely. But I will call out, especially, when folks think about the future of Osquery, Zach, my co-founder, helped create Osquery at Facebook. So I want to make it clear that we aren’t going to fork Osquery. Fleet will never fork a-
John Verry (28:45):
Yeah. I apologize. Fork might have been the wrong term. I am not an open source developer. What I just meant is that they don’t have to have that capability in the agent that they’re putting onto their machine if they don’t want it.
Mike McNeil (28:56):
Oh yeah, totally. So you don’t have to install any Osquery extensions. And if you don’t-
John Verry (29:00):
Oh, okay. Sorry. Fork was the wrong word. I apologize. Okay. So you mentioned vulnerabilities, which is cool, because you’ve got such detailed information about the configuration of a device, is there any reason why you couldn’t do what I’m going to call, instead of vulnerability management, configuration management? So let’s say that I had a CIS benchmark or I had a DISA STIG, or I wanted to make sure my device conformed with HIPAA requirements. If I gave a standard, if you will, like, “Hey, this is what I expect to see on the device,” is there any reason you couldn’t tell me that this device is in conformance, and this device isn’t?
Mike McNeil (29:40):
Yeah. That is something that folks are doing today with Osquery. And you can actually accomplish that with policies in Fleet. So if you want to have a yes, no … Policies are basically a yes or no question with a yes or no answer. So as long as you can express that in Osquery SQL, for example, HIPAA, I can’t tell you whether anybody has a key card that can make it into the data center or whatever. I can’t give you physical access information because that’s not endpoint data. But if it’s something you can express in SQL with Osquery, then that’s something that you can handle in Fleet. So CIS level one and level two, I’ve heard of good results. And there’s actually Osquery queries out there, open source, which is the cool thing about this, is you can copy paste.
John Verry (30:29):
Yeah, yeah. That makes sense. And I’m assuming then that you have these policies, and then a group of policies together would be a configuration, right? Because I have a policy that says that I expect passwords to look like this, system audit to look like this, this level of access control. And then I group those policies together, label them with a new label. Well, let’s call this CIS benchmark, Windows benchmark, and then it’s going to look at all those together and report on that together?
Mike McNeil (30:54):
Yeah. And we just added tags in the standard query library to help facilitate that.
John Verry (30:58):
Oh, that’s really cool because then a policy could be automatically added to different … What do you call the groups of policies? You know what I mean? So I could tag this particular control as relevant to CIS, HIPAA, and ISO or something of that nature. And this one over here is level to this, and then it could group them together automatically to run that?
Mike McNeil (31:19):
That’s the thinking, yeah. What you can do today, just to make it clear for folks who maybe want to try this out, is you can just go fleetdm.com, grab Fleet, install it locally, or you can run the server locally on your laptop. It’ll enroll yourself automatically, but the data is staying there. It’s not going anywhere. And then what you can do is you can define teams. So if you have, let’s say, 200 servers and 1,000 laptops, you might have a team called workstations and a team called servers. And then your policies on your workstation team, that would be where you would build your CIS policies, right? As far as being able to import an existing list of policies, that’s something you have to do with YAML today, which is, yeah, you would run the Fleet control import command, I think. Off the top of my head, I need to look up the actual syntax. But-
John Verry (32:10):
Yeah, yeah, yeah. YAML is an interesting data structure, I guess, would be the right way to say it. You see that a lot in a lot of the cloud configurations. Okay-
Mike McNeil (32:24):
People like that because they can check it in and they can version it themselves. So if they want to do their own pull requests internally to make sure that they’re editing and the right people are approving these changes, they can do all that in YAML, in their repo.
John Verry (32:37):
Gotcha. So we talked about a lot of things here. We talked about the idea of replacing commercial EDR, and you said, “Mm, maybe not yet, but it might happen. It really depends. You’ve got to look at what you’re trying to accomplish.” We talked a lot about where you think Osquery is going. Is there anything that we haven’t talked about yet that you think is in the future, or specifically about where FleetDM might be going as well?
Mike McNeil (33:05):
Yeah. I mean, right now we’re working on Fleet Desktop. So that’s going to ship this quarter, and that’s basically a menu bar icon that will give you the ability … Imagine you’re an engineer working at Uber or you’re in human resources at Atlassian. And then let’s say that those folks roll out a new version of Fleet and they decide to roll out Fleet Desktop. Well, now you’ll have a menu bar icon in the corner of your screen that’ll show you, “My device.” And it’ll also show you the transparency page so you can see, “Okay, what is Atlassian monitoring about me?” With Osquery, at least, right? Or if you go to look at “My Device,” you can see, “Here’s exactly what my device looks like in Fleet, and here’s the software I have installed. Oh, maybe it’s even faster than going to the Apple menu.”
Mike McNeil (33:57):
I can see my disk space, how much is left on my hard drive. And I guess probably most important of all, I can see where I’m failing or passing the organization policies. So if I’m supposed to have antivirus turned on on my Mac, and it’s not on, I see that I’m failing a policy, I can fix it myself with some remediation steps, and then I can hit a re-fetch button to then see that get automatically updated and see, “Ah, now I am passing the policy. All good.”
John Verry (34:26):
Okay. So that has two pieces of goodness, right? Yeah. I guess that first one is it seems to me like you are very much into transparency, and having people know exactly what someone is monitoring on their machine and what they can see is part of your mission there. And then the second part, like you said, is it gives them the ability to actually fix something themselves, which is great from an IT perspective. Anytime we can shorten the time to closure, we don’t have to find a time when we can reboot the machine or we can connect to the machine without disrupting a user.
John Verry (34:54):
That’s cool. That’s very cool. Anything else that’s on your mind that you think you want to share in terms of things that are coming down the pike, you think?
Mike McNeil (35:02):
Well, we talked a little bit about risk scoring. So we’re doing a lot of work on the vulnerability features to try to make them just more complete, more useful. We’ve also been working on the quality, right? Because you have to match these version numbers from the National Vulnerability Database to the data that’s coming back from Osquery. So that’s led us to prioritizing, “Okay, what are the most important apps and packages that people are going to have installed?” and making sure that we can provide the most accurate possible detection there. So that’s where a lot of our focus is going to be in the next few months.
John Verry (35:34):
Yeah. I think that gets really interesting because one of the challenges, my wife works for a Fortune 100 company, and her machine crawls. I mean, she’s got an engineering-level laptop, and the damn thing crawls because they got DLP tools on there, they got three EDR-type. I mean, it’s amazing how many different agents are running on this machine. And half the time, stuff just doesn’t want to work right. And you call up the help desk, and it’s just like, “Oh, try to reboot it,” and that’s their solution to everything. So, I mean, I think if you can get to a point where somebody can use Osquery or some singular application and reduce this glut of apps that we see on devices, I think that’s going to be to everyone’s advantage, right? Simplifying management of endpoints, right?
Mike McNeil (36:20):
One agent to rule them all.
John Verry (36:24):
Oh, I like that. Is that your logo?
Mike McNeil (36:26):
It’s an informal slogan we throw around.
John Verry (36:28):
Yeah. It should be. See, now you’re showing me you’ve got CEO chops. Now you’ve got marketing chops. Is there anything you don’t do, Mike?
Mike McNeil (36:35):
Oh, so much. So much.
John Verry (36:38):
All right. We beat this up pretty good. Anything else we missed or you want to discuss?
Mike McNeil (36:44):
No. I mean, there’s a lot of things we could talk about, but I know you’ve got other things to do today.
John Verry (36:49):
Right. Yeah. Really, my life’s not nearly as exciting as you might think. I have really nothing to do, Mike. So you’re going to be sorry you said that because I’ll probably keep you here another 45 minutes chatting about inane subjects. No, I won’t do that to you. All right. So we’re going to find out if Mike prepared. This is the moment that everyone waits for, Mike. This is the make or break part of the podcast. Give me a fictional character or real person you think would make an amazing or horrible CISO and why.
Mike McNeil (37:16):
Okay. So I’d forgotten until a few minutes before record, the big record today, but it came to me quickly, and that is I think I would say Perdita or Pongo from 101 Dalmatians.
John Verry (37:30):
Okay. Wait, wait, which one is Perdita and Pongo? Are they the dogs or are they-
Mike McNeil (37:34):
Yeah. The dogs.
John Verry (37:35):
Okay. All right. All right. Why?
Mike McNeil (37:39):
I’m thinking mostly the incident response, right? The puppies go missing. Pongo and Perdita, immediately, they’re dogs, but they take on literally a higher species. That’s like if we had alien invaders come, right? And then they compromise your infrastructure, and then you’re going to go take on literally a different species to save your team. And so that seems like what I’d want from my CISO.
John Verry (38:06):
I’m always amazed by the answers I get to that question. All right. So this has been a lot of fun. If folks wanted to get in touch with you, if they were interested in learning more about FleetDM and Osquery, how would they do that?
Mike McNeil (38:18):
Great way, so Twitter, the LinkedIn, we’re on all the things. But fleetdm.com is a great way to get a high level of what’s going on, and you can join the Slack community from there, which is just the same as the Osquery Slack community. We’re also in Mac Admin Slack, if you are a Mac admin.
John Verry (38:35):
Cool. All right, man. This has been fun. Thank you.
Mike McNeil (38:38):
Thanks, John. Likewise.
You’ve been listening to The Virtual CISO Podcast. As you’ve probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.