Threat Detection on Linux Systems Using OSquery

Authors

  • Yogesh Chandrakant Jadhav
  • Vaibhav Kisan Kadam
  • Shubham Ramesh Kanase
  • Srijita Bhattacharjee

Abstract

We have built an endpoint detection and response (EDR) tool for Linux systems on top of osquery, the open-source endpoint agent originally developed by Facebook. Building our own EDR tool rather than deploying a commercial one gives us a deeper understanding of the platform and its security aspects, while still providing the capabilities to detect and investigate security events. In our method, the logs from each Linux endpoint are collected on a central server, where they are used to correlate events occurring across the different endpoints. These events are the activities taking place on a Linux system, such as file events, socket events and process events. Detected events are automatically categorized into different attack vectors so that they can be remediated. Because the endpoints are monitored continuously, events arrive after a fixed query interval, which makes detection near real-time (bounded by that interval). Users can supply configuration on the fly, which makes the tool more responsive and accurate and avoids collecting data that is not required. We also provide container security, a feature that is new among open-source tools. Finally, the system is designed to scale: nodes can be added to a single deployment as needed.
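As an added illustration of the pipeline the abstract describes (a query pack pushed to endpoints, result logs gathered centrally, and same-host and cross-host correlation with attack-vector categories), the following Python is example code written for this page; it is not the authors' tool. The pack layout and column names follow osquery's process_events, socket_events and file_events tables, but the pack name, intervals, writable-directory and persistence path lists, the 60-second exec-to-connect window, the category labels and the sample log lines are all assumptions constructed for the example.

```python
import json
import ipaddress
from collections import defaultdict

# Hypothetical query pack (osquery "packs" layout) of the kind a central server
# would push to endpoints as on-the-fly configuration. The event tables need
# the audit publishers enabled on the agent and, for file_events, a file_paths
# section; pack name and intervals are assumptions.
QUERY_PACK = {"queries": {
    "process_events": {"interval": 10,
        "query": "SELECT pid, parent, path, cmdline, uid, time FROM process_events;"},
    "socket_events": {"interval": 10,
        "query": "SELECT pid, action, remote_address, remote_port, time "
                 "FROM socket_events WHERE action = 'connect';"},
    "file_events": {"interval": 10,
        "query": "SELECT target_path, action, time FROM file_events;"},
}}

# Assumed detection parameters for this example.
WRITABLE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
PERSISTENCE_PATHS = ("/etc/cron.d/", "/etc/systemd/system/", "/etc/ld.so.preload")
EXEC_TO_CONNECT_WINDOW = 60  # seconds between a suspicious exec and its outbound connect
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(addr):
    """True for addresses outside the RFC 1918 / loopback / link-local ranges.
    Deliberately not ipaddress's is_global, which would reject the RFC 5737
    documentation address used in the constructed sample log."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def correlate(lines):
    """Consume osquery result-log lines (event format: one JSON object per row
    with name, hostIdentifier, columns, action) from any number of endpoints
    and return findings tagged with an assumed attack category."""
    findings = []
    suspicious_execs = {}              # (host, pid) -> exec time
    remote_seen_on = defaultdict(set)  # external peer -> hosts that contacted it
    for line in lines:
        rec = json.loads(line)
        if rec.get("action") != "added":  # skip "removed" rows of differential results
            continue
        host, cols, table = rec["hostIdentifier"], rec["columns"], rec["name"]
        pid, ts = cols.get("pid"), int(cols.get("time", 0))

        if table.endswith("process_events"):
            if cols["path"].startswith(WRITABLE_DIRS):
                suspicious_execs[(host, pid)] = ts
                findings.append({"host": host, "category": "suspicious_execution",
                                 "detail": f"pid {pid} executed {cols['path']}"})

        elif table.endswith("socket_events"):
            remote = cols.get("remote_address", "")
            if not is_external(remote):
                continue
            # Same-host chain: exec from a writable directory, then outbound connect.
            started = suspicious_execs.get((host, pid))
            if started is not None and 0 <= ts - started <= EXEC_TO_CONNECT_WINDOW:
                findings.append({"host": host, "category": "command_and_control",
                                 "detail": f"pid {pid} -> {remote}:{cols['remote_port']}"})
            # Cross-host correlation: the same external peer contacted from several endpoints.
            remote_seen_on[remote].add(host)
            if len(remote_seen_on[remote]) == 2:
                findings.append({"host": ",".join(sorted(remote_seen_on[remote])),
                                 "category": "shared_remote_peer", "detail": remote})

        elif table.endswith("file_events"):
            if cols["target_path"].startswith(PERSISTENCE_PATHS) and \
                    cols["action"] in ("CREATED", "UPDATED"):
                findings.append({"host": host, "category": "persistence",
                                 "detail": f"{cols['action']} {cols['target_path']}"})
    return findings


def _row(host, table, columns):
    """Build one constructed result-log line in osquery's event format."""
    return json.dumps({"name": f"pack_edr_{table}", "hostIdentifier": host,
                       "unixTime": int(columns["time"]), "columns": columns, "action": "added"})


# Constructed sample log from two endpoints (not real telemetry).
SAMPLE_LOG = [
    _row("host1", "process_events", {"pid": "4242", "parent": "1", "path": "/tmp/.x/agent",
                                     "cmdline": "/tmp/.x/agent -c", "uid": "1000", "time": "1651305600"}),
    _row("host1", "socket_events", {"pid": "4242", "action": "connect", "remote_address": "203.0.113.10",
                                    "remote_port": "4444", "time": "1651305610"}),
    _row("host2", "process_events", {"pid": "5151", "parent": "900", "path": "/usr/bin/curl",
                                     "cmdline": "curl http://203.0.113.10/", "uid": "1000", "time": "1651305620"}),
    _row("host2", "socket_events", {"pid": "5151", "action": "connect", "remote_address": "203.0.113.10",
                                    "remote_port": "80", "time": "1651305625"}),
    _row("host2", "socket_events", {"pid": "5151", "action": "connect", "remote_address": "10.0.0.5",
                                    "remote_port": "22", "time": "1651305626"}),
    _row("host1", "file_events", {"target_path": "/etc/cron.d/update", "action": "CREATED",
                                  "time": "1651305630"}),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f"[{f['category']}] {f['host']}: {f['detail']}")
```

Run over the sample log, the correlator reports the exec from /tmp on host1, the follow-on connect from that PID as command and control, the same external peer being contacted from both endpoints, and the cron.d file creation as persistence; the curl connection on host2 alone is not flagged because its binary was not launched from a writable directory, and the SSH connection to 10.0.0.5 is skipped as internal.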

Published

2022-04-30