3. Partner at Apfelwerk for 2 years
Systems Engineer, Consultant
Focus on Mac, automation, managed services
Previously systems engineer in enterprise
and broadcast
Whoami
Henry Stamerjohann
Apfelwerk GmbH & Co. KG, based in Hamburg / Germany
@head_min
@henry #macadmins
4. Common experience?
You have Mac based inventory
You use client management tools!
You learned your threat scenario!!
You work to improve security policies!!!
How do you manage all that?
5. Detection = endpoint monitoring
Analysis = research events, root cause
Remediation = block execution, quarantine endpoints
Incident Management
10. Zentral
Open-source project (OSS)
Event-Driven monitoring solution
Connect inventory and events
Integrate Endpoint security tools
Probes (Filters, Actions)
Bridge technology in one place
11. Inventory
Complement existing management tools (JAMF, Munki)*
Inventory aggregation and change events
Connect multiple inventory sources simultaneously
JAMF Pro (Inventory, JSS API, JAMF WebHooks)
Munki (Inventory, install/uninstall events)
* General support via REST API connection
12. Probes are Sensors for events (Filters, Rules, Actions)
Different Probe Models (Events, Osquery, Santa, Munki)
Tailored Filters for data (Inventory, Metadata, Payload)
Rules for "if this, then that" (Actions on various events)
Trigger Actions (Tags, Notifications, REST API calls)
Probes
13. Unified server for osquery & Google Santa (TLS)
Deploy and manage configurations (dynamic)
Aggregate query results / events from endpoints
Santa and osquery do the hard work
Zentral operates agent-less (less issues)
Zentral TLS Server
Santa
osquery
15. osquery
Ask questions about infrastructure (Linux, macOS)
Query system state with simple SQL syntax (tables)
Not hidden (like other tools)
No restrictions on users or system
Great community
Multi platform support
select name, uid, version from safari_extensions;
select * from sip_config;
16./17. Osquery Probes
1 Events: view in Zentral, link to Elasticsearch/Kibana
2 Filters: BU, Tags, Platform, Device type, EventAttribute
3 Osquery: Multiple queries
4 Actions: Notify, Email, set Tags, create tickets
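The probe model from slide 12 (filters on inventory metadata and event payload, "if this, then that" actions) applied to osquery results from slides 16/17, as an added example that is not Zentral's own code. It parses constructed osquery differential result lines (the one-JSON-object-per-line shape osquery writes to its results log), joins each event to a constructed inventory lookup standing in for JAMF/Munki data, and runs two probes: one that tags and notifies when System Integrity Protection is reported disabled, one that notifies on new Safari extensions in a given business unit. Hostnames, times, extension names and the `INVENTORY` table are all made up; actions return records instead of calling a real notification or tagging API.

```python
import json
from dataclasses import dataclass

# Constructed sample of osquery differential results, one JSON object per line,
# as osquery's results logger emits them. Hosts, times and values are invented.
OSQUERY_RESULT_LINES = [
    '{"name": "sip_config", "hostIdentifier": "mac-0042", "unixTime": 1500000000, '
    '"action": "added", "columns": {"config_flag": "sip", "enabled": "0", "enabled_nvram": "0"}}',
    '{"name": "safari_extensions", "hostIdentifier": "mac-0042", "unixTime": 1500000001, '
    '"action": "added", "columns": {"uid": "501", "name": "CouponHelper", "version": "1.0"}}',
    '{"name": "safari_extensions", "hostIdentifier": "mac-0017", "unixTime": 1500000002, '
    '"action": "removed", "columns": {"uid": "501", "name": "1Password", "version": "6.8"}}',
]

# Constructed inventory: business unit, tags and platform per machine, standing
# in for what Zentral would aggregate from JAMF Pro or Munki.
INVENTORY = {
    "mac-0042": {"business_unit": "Broadcast", "tags": {"editing"}, "platform": "macOS"},
    "mac-0017": {"business_unit": "Office", "tags": {"finance"}, "platform": "macOS"},
}


@dataclass
class Event:
    query: str        # osquery scheduled query name
    host: str         # hostIdentifier from the result line
    action: str       # "added" or "removed" (differential result)
    columns: dict     # row payload
    time: int
    inventory: dict   # metadata joined from INVENTORY (empty if unknown host)


@dataclass
class Probe:
    name: str
    filters: list     # callables Event -> bool; all must match
    actions: list     # callables Event -> dict describing what was done


def parse_result_line(line):
    """Turn one osquery result log line into an Event joined to inventory."""
    rec = json.loads(line)
    host = rec["hostIdentifier"]
    return Event(rec["name"], host, rec["action"], rec["columns"],
                 rec["unixTime"], INVENTORY.get(host, {}))


def tag_machine(tag):
    """Action: add a tag to the machine's inventory record."""
    def action(ev):
        ev.inventory.setdefault("tags", set()).add(tag)
        return {"action": "tag", "tag": tag}
    return action


def notify(channel):
    """Action: produce a notification record (no real messaging backend here)."""
    def action(ev):
        return {"action": "notify", "channel": channel,
                "summary": f"{ev.query} {ev.action} on {ev.host}"}
    return action


# Two hypothetical probes: event-type filter plus payload/inventory filters,
# then the actions to trigger when every filter matches.
PROBES = [
    Probe("SIP disabled",
          filters=[lambda e: e.query == "sip_config",
                   lambda e: e.columns.get("config_flag") == "sip"
                   and e.columns.get("enabled") == "0"],
          actions=[tag_machine("sip-disabled"), notify("security-oncall")]),
    Probe("New Safari extension in Broadcast BU",
          filters=[lambda e: e.query == "safari_extensions",
                   lambda e: e.action == "added",
                   lambda e: e.inventory.get("business_unit") == "Broadcast"],
          actions=[notify("macadmins")]),
]


def run_probes(lines, probes):
    """Evaluate every probe against every event; return (probe, host, action record) triples."""
    fired = []
    for line in lines:
        ev = parse_result_line(line)
        for probe in probes:
            if all(f(ev) for f in probe.filters):
                for act in probe.actions:
                    fired.append((probe.name, ev.host, act(ev)))
    return fired


if __name__ == "__main__":
    for probe_name, host, record in run_probes(OSQUERY_RESULT_LINES, PROBES):
        print(probe_name, host, record)
```

The "removed" Safari extension on mac-0017 matches no probe, which is the point of filtering on `action`: a differential result tells you whether a row appeared or disappeared, and most remediation rules only care about one direction.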
21. Google Santa
A binary whitelisting/blacklisting system
Event logging to sync server (API)
Keeps track of binaries in macOS
(naughty and nice)
Kernel Extension and daemon
MONITOR and LOCKDOWN (default deny)
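A simplified model of the Santa decision logic described on this slide, added here as an illustration and not taken from Santa's source: explicit rules on a binary's SHA-256 or on its signing certificate decide first (binary rules win over certificate rules), and when nothing matches the client mode decides, MONITOR letting the execution through while LOCKDOWN denies by default. The rule and event values, the hashes, paths and the `Execution` record are constructed for the example; the slide's whitelist/blacklist terms are kept (current Santa releases call these ALLOWLIST and BLOCKLIST).

```python
from dataclasses import dataclass
from typing import Optional

RULE_BINARY, RULE_CERT = "BINARY", "CERTIFICATE"
WHITELIST, BLACKLIST = "WHITELIST", "BLACKLIST"   # ALLOWLIST / BLOCKLIST in newer Santa
MONITOR, LOCKDOWN = "MONITOR", "LOCKDOWN"


@dataclass(frozen=True)
class Rule:
    rule_type: str    # RULE_BINARY or RULE_CERT
    identifier: str   # sha256 of the binary, or of the leaf signing certificate
    policy: str       # WHITELIST or BLACKLIST


@dataclass(frozen=True)
class Execution:
    path: str
    binary_sha256: str
    cert_sha256: Optional[str]   # None for an unsigned binary


def decide(execution, rules, mode):
    """Return (decision, reason) for one execution event.

    Precedence: binary rule, then certificate rule, then the client mode.
    """
    by_key = {(r.rule_type, r.identifier): r.policy for r in rules}
    policy = by_key.get((RULE_BINARY, execution.binary_sha256))
    if policy is not None:
        return ("ALLOW" if policy == WHITELIST else "DENY", "BINARY")
    if execution.cert_sha256 is not None:
        policy = by_key.get((RULE_CERT, execution.cert_sha256))
        if policy is not None:
            return ("ALLOW" if policy == WHITELIST else "DENY", "CERT")
    # No rule matched: MONITOR only records the event, LOCKDOWN is default deny.
    return ("DENY", "UNKNOWN") if mode == LOCKDOWN else ("ALLOW", "UNKNOWN")


def decide_all(executions, rules, mode):
    """Decisions for a batch of events, in the pipe-separated key=value style of
    an event log line (field names chosen for this example)."""
    lines = []
    for ex in executions:
        decision, reason = decide(ex, rules, mode)
        lines.append(f"decision={decision}|reason={reason}|mode={mode[0]}|"
                     f"sha256={ex.binary_sha256}|path={ex.path}")
    return lines


# Constructed rule set: trust one vendor certificate, block one specific binary
# even though it carries that certificate, and allow one unsigned tool by hash.
SAMPLE_RULES = [
    Rule(RULE_CERT, "cert-vendor-aaaa", WHITELIST),
    Rule(RULE_BINARY, "bin-bbbb", BLACKLIST),
    Rule(RULE_BINARY, "bin-cccc", WHITELIST),
]

# Constructed execution events (hashes are placeholders, not real digests).
SAMPLE_EXECUTIONS = [
    Execution("/Applications/Vendor.app/Contents/MacOS/Vendor", "bin-aaaa", "cert-vendor-aaaa"),
    Execution("/Applications/Vendor.app/Contents/MacOS/Helper", "bin-bbbb", "cert-vendor-aaaa"),
    Execution("/usr/local/bin/tool", "bin-cccc", None),
    Execution("/Users/me/Downloads/unknown", "bin-dddd", None),
]

if __name__ == "__main__":
    for mode in (MONITOR, LOCKDOWN):
        print("\n".join(decide_all(SAMPLE_EXECUTIONS, SAMPLE_RULES, mode)))
```

Running it in both modes shows the practical difference the slide hints at: the first three events get the same answer either way because explicit rules cover them, and only the unknown binary flips from ALLOW (monitored) to DENY (locked down). That is why a MONITOR rollout is the usual way to collect the rule set before switching to LOCKDOWN.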
31. SIEM* Options
Control binary black/whitelisting
Intrusion detection, change detection
Automated Remediation
Custom IR for your threat scenario
Integrate with tools already in place
Transparency and visibility
*Security Incident and Event Management
32. Deployment
AWS AMI based Zentral all in one (Simple)
Search for "Zentral all in one"
(AWS Regions: US, EU, Australia)
Docker-Compose (flexible)
e.g. Docker for Mac
33. Time-series metrics, indexed, full-text search DB (ES)
Discover and visualize data over time (Kibana 5)
ElasticSearch / Kibana (ELK)
https://www.elastic.co/
34. INTRO TO ZENTRAL
COORDINATE OPEN SOURCE SECURITY TOOLS
FOR THE MAC
HENRY STAMERJOHANN
Take Control with Osquery,
Google Santa and Zentral.
Bundle exciting open source
Endpoint Security tools
specifically tailored for macOS.
Resources / Tutorials
+20 Tutorial Videos
https://goo.gl/qsIVkl
Documentation on Github
https://github.com/zentralopensource/docs
eBook (work in progress)
https://leanpub.com/zentral