January 19, 2023
SIEM Tools: Which Vendors Should Be on Your List?
Blog
Data: Your Security Advantage
Read More
Top Three Reasons You Should Use an Endpoint Agent
SIEM, visibility, investigations, threat hunting, cyberthreats, security visibility, endpoint agent, endpoint security, osquery, endpoint visibility
Reading Time : 3min read
To better understand your security posture, your security team needs visibility into your environment and infrastructure. But to achieve more granular visibility, they also need an effective and efficient way to collect data from company endpoints. Deploying an agent provides your security team with an efficient way to collect endpoint data in a scalable manner. It also better positions your organization to implement use cases such as security monitoring, IT health monitoring, performance monitoring, threat hunting, and compliance. Choosing an agent that leverages osquery — such as Devo Endpoint Agent — is even more effective.
There are three key benefits to using a security agent such as Devo Endpoint Agent, including the ability to:
1. Leverage the power of osquery and its open-source community.
2. Ingest data and monitor performance metrics for full endpoint visibility.
3. Obtain actionable insights from your data with customizable queries.
Let’s take a deeper dive into each benefit.
Benefit #1: Leverage the power of osquery and its open-source community.
Developed by Facebook in 2014, osquery is an instrumentation framework for operating systems. Today, it is a growing open-source project on GitHub. It was designed to expose an operating system as a high-performance relational database and enables your security team to write standard query language-based (SQL) queries to explore system data.
The open-source community actively shares information, answers questions, and solves challenges together. The osquery GitHub project is reviewed constantly and vetted by these dedicated individuals to ensure it is impervious to the latest cyberthreats. More eyes are always better, which is why osquery is highly effective from a security perspective.
Benefit #2: Ingest data and monitor performance metrics for full endpoint visibility.
Osquery normalizes data from different operating systems and shows information as a SQL table. This enables your security team to ask and receive the same questions and answers from their data across operating systems.
Not every agent-based solution can do this. Instead, security teams often need to write and maintain scripts to extract information, which is not really all that scalable. Devo Endpoint Agent, however, uses osquery to monitor every aspect of the endpoint, including performance metrics such as CPU utilization, disk usage, and interface utilization. This simplifies how security teams collect data from endpoints and analyze it for malicious activity. For example, your security team could observe that the CPU utilization of a server increased, indicating potential suspicious activity they may want to investigate further.
Benefit #3: Obtain actionable insights from your data with customizable queries.
By using queries and query packs, there are many ways your security team can obtain actionable insights from an osquery-based security agent. A query pack is a group of queries designed to accomplish a specific task, and they can be used strategically for multiple use cases. And with Devo, you can easily create your own query packs for incident response, vulnerability management and more. Using query packs, your security team can answer questions about your fleet of machines to support investigations. There is an always-growing number of tables available in the osquery schema that empower security teams to obtain insights on their endpoints.
Devo Endpoint Agent also leverages extensions developed in house to obtain data from flat log files, enabling third-party software data collection and improving security visibility. These extensions were developed to provide tables outside of the osquery schema so they can be queried within a pack. The extension framework enables Devo to create new tables that are not in the osquery core so security teams can attack new use cases that may not be fulfilled by osquery out of the box.
By deploying an osquery-based agent such as Devo Endpoint Agent, your security team can capitalize on all the benefits of osquery. This also will make it easier for your security team to achieve total visibility across a diverse set of endpoints by bringing data securely into your SIEM for correlation, investigation and threat hunting. All of this can be easily provisioned in the Devo Endpoint Agent Manager.
Read our documentation to learn how to use Devo Endpoint Agent to monitor your endpoints and send data to the Devo Platform.
