OSQuery

It’s always refreshing when you find a new way of looking at a problem. Someone this morning pointed me to a product I’d never heard of before, from the team at Facebook: OSQuery. Working in the security field, there’s no shortage of me-too products that fundamentally do the same thing (you’ve seen one AV scanner or firewall and you’ve pretty much seen them all), and most of the innovation is focused on bolting on new functions with very narrow feature sets. OSQuery piqued my interest because it appears to be a tightly focused tool that takes a novel approach to the security question: I know the thing I’m looking for (a bad process, high CPU) but how do I get that data out of the system quickly? OSQuery’s answer is to expose the operating system’s state (processes, users, sockets, installed packages and so on) as tables you query with SQL.
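As an added illustration (these are not queries from the original post, just the sort of thing the post has in mind), here are three investigation questions written against tables that osquery ships with: processes, users, listening_ports and hash. They can be pasted into the interactive osqueryi shell. Column semantics differ between platforms, in particular the unit of the CPU time columns, so check the schema for your OS before building thresholds on them.

```sql
-- Which processes are burning the most CPU? user_time and system_time are
-- cumulative CPU time; the unit is platform dependent (milliseconds on Linux),
-- so treat the numbers as relative rather than absolute.
SELECT pid, name, path, uid, user_time + system_time AS cpu_time
FROM processes
ORDER BY cpu_time DESC
LIMIT 10;

-- Running processes whose executable has been deleted from disk: a common trace
-- of malware that unlinks itself after launch, or simply of a package upgrade
-- that still needs a service restart.
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE on_disk = 0;

-- Which processes are listening on a non-loopback address, as which user, and
-- what is the SHA-256 of the binary? The hash table requires a path constraint,
-- which the join on processes.path supplies.
SELECT p.pid, p.name, p.path, u.username, lp.port, lp.address, h.sha256
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
LEFT JOIN users AS u ON u.uid = p.uid
LEFT JOIN hash AS h ON h.path = p.path
WHERE lp.address NOT IN ('127.0.0.1', '::1')
ORDER BY lp.port;
```

The third query is the one that shows the model at its best: the "investigation" of a suspicious listener becomes a single join rather than a sequence of netstat, ps and sha256sum invocations whose output you stitch together by hand.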

“Search” is a popular term in IT (AI is working hard to catch up these days though!) but rarely do I hear the “life story” explaining why search is necessary. Prior to Google, I’d argue that searching was commonly used with a negative connotation, suggesting something was lost and needed to be found again. OSQuery, at least to me, makes the case for a useful model of “Investigation”: a case of knowing roughly what you’re looking for and just needing the tool to get it.

It makes me wonder if an Investigation engine might be the thing that can overthrow the Googles of the world. Instead of hunting based on words we throw down and occasionally extending or rephrasing our query, an investigation engine would perhaps start out wide and narrow down by asking you questions back. Chat bots and the AI brigade are headed in this direction, but freeform text or voice entry is, for me, still a UI challenge (if you don’t know what to say next, the conversation is effectively over). Imagine instead a next generation system that, rather than pausing for further instructions, suggests a next step in your search: more advanced than simple autocomplete, it could offer tangential queries, or revised queries based on time of day or previous searches, all through GUI choices rather than a protracted conversation.

Anyway, I will have to try OSQuery out and see if it’s a useful new way of approaching the investigation question in security…
