Open Source Compliance, Endpoint and Vulnerability Management with Fleet

by Guillaume Ross

At its core, JupiterOne is a robust data platform dedicated to managing and securing customer data. Ensuring the security of this data is critical to earning and maintaining the trust we have established with our customers. Our commitment to data security is the foundation of all our efforts, reflecting our dedication to protecting the integrity and confidentiality of our customers' information. Although we call Raleigh, NC home, we have a significant number of employees who are remote, myself included. As the Deputy CISO, managing and securing devices and endpoints is critical in today’s dynamic threat landscape. One of the ways we do this is by leveraging open source solutions like Fleet to enhance and strengthen our endpoint management and compliance capabilities. Here’s how Fleet integrates with JupiterOne to gain comprehensive insights and enhance the security of our environment.

Tracking Endpoints and Codifying Policies

One of the core features of Fleet is the ability to codify policies and to track endpoints and their compliance with those policies. For example, we might set a policy checking that laptops are encrypted, password protected, or running a browser at a specific version or newer. With the power of Fleet policies and the extensive osquery schema, there are close to 300 tables with data that can be used for policies, meaning the main limit is your imagination.

Integrating Fleet with JupiterOne adds more depth and insight to your security program. Fleet provides insight into which user is using which device and which device is violating a policy; JupiterOne enhances that insight by mapping how users and devices relate to the rest of your environment.

At JupiterOne, we configured an alert in the platform to notify us when an employee is running an outdated browser, violating our security policy. JupiterOne contextualizes this information for our security analyst by quickly visualizing that this employee’s device connects to a critical and sensitive company database. This unified view speeds up identifying and addressing policy violations for our security team and provides a broader view of security risk within our environment.

  1. All Fleet alerts are centralized in JupiterOne providing a unified view. We can see policy violations from Fleet and other tools, and correlate with other alerts for a better understanding of our security posture.
  2. Get a deeper understanding of the importance of violations. For example, you can find all devices violating a policy, with the desired level of detail using this query:
FIND fleetdm_policy AS p
 THAT VIOLATES<< user_endpoint AS ue
 THAT HAS<< fleetdm_instance AS f
RETURN
 p.displayName AS Policy,
 f.displayName AS FleetDMInstance,
 ue.displayName AS Device,
 ue.macAddress AS MacAddress,
 ue.osVersion AS OSVersion

Once you have the results, you can then use the graph to identify which ones lead to a critical asset. It’s one thing for a device to not be encrypted, but it’s more critical if that same device is used by a doctor with access to medical data!

In this example, we see a single host is violating a single policy, and that this policy is tied to a JupiterOne alert. We’re in good shape! This allows you to easily visualize all of your policies, which machines they are assigned to, and whether they’re failing those checks.
Since Fleet is equally useful on servers and workstations, you can also identify Fleet violations that affect sensitive data stores and handle those first.
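The prioritization described above (walk the graph from a failing device to see whether it reaches a sensitive data store, and handle those violations first) can be sketched in plain Python. This is an added example, not JupiterOne's or Fleet's code: it reuses the entity and relationship names from the J1QL query (fleetdm_policy, user_endpoint, fleetdm_instance, VIOLATES, HAS), while the USES, CONNECTS and ALLOWS verbs, the "classification" property and the whole sample inventory are constructed for illustration.

```python
"""Rank Fleet policy violations by what the failing device can reach."""
from collections import deque

# Constructed sample graph. Entity classes follow the post's J1QL query;
# USES / CONNECTS / ALLOWS and "classification" are assumptions for this example.
ENTITIES = {
    "fleet-prod": {"_class": "fleetdm_instance"},
    "policy-encrypted": {"_class": "fleetdm_policy", "displayName": "Disk encryption on"},
    "policy-browser": {"_class": "fleetdm_policy", "displayName": "Browser up to date"},
    "laptop-a": {"_class": "user_endpoint", "osVersion": "14.4"},
    "laptop-b": {"_class": "user_endpoint", "osVersion": "14.2"},
    "server-c": {"_class": "user_endpoint", "osVersion": "22.04"},
    "alice": {"_class": "Person"},
    "bob": {"_class": "Person"},
    "db-patients": {"_class": "Database", "classification": "sensitive"},
    "db-wiki": {"_class": "Database", "classification": "internal"},
    "db-billing": {"_class": "Database", "classification": "sensitive"},
}

# (source, verb, target) triples, constructed.
EDGES = [
    ("fleet-prod", "HAS", "laptop-a"),
    ("fleet-prod", "HAS", "laptop-b"),
    ("fleet-prod", "HAS", "server-c"),
    ("laptop-a", "VIOLATES", "policy-encrypted"),
    ("laptop-b", "VIOLATES", "policy-browser"),
    ("server-c", "VIOLATES", "policy-encrypted"),
    ("alice", "USES", "laptop-a"),
    ("bob", "USES", "laptop-b"),
    ("alice", "ALLOWS", "db-patients"),   # alice's role grants access to patient data
    ("laptop-b", "CONNECTS", "db-wiki"),
    ("server-c", "CONNECTS", "db-billing"),
]

# Only access-style relationships are walked; HAS and VIOLATES are bookkeeping
# and would otherwise connect every host through the Fleet instance.
ACCESS_VERBS = {"USES", "CONNECTS", "ALLOWS"}


def adjacency(edges):
    """Undirected adjacency over access relationships only."""
    adj = {}
    for src, verb, dst in edges:
        if verb in ACCESS_VERBS:
            adj.setdefault(src, set()).add(dst)
            adj.setdefault(dst, set()).add(src)
    return adj


def sensitive_reach(device, entities, edges, max_hops=3):
    """Return {asset: hops} for sensitive assets reachable from device within max_hops (BFS)."""
    adj = adjacency(edges)
    seen = {device: 0}
    queue = deque([device])
    found = {}
    while queue:
        node = queue.popleft()
        hops = seen[node]
        if hops == max_hops:
            continue
        for nxt in adj.get(node, ()):
            if nxt in seen:
                continue
            seen[nxt] = hops + 1
            if entities.get(nxt, {}).get("classification") == "sensitive":
                found[nxt] = hops + 1
            queue.append(nxt)
    return found


def violations(edges):
    """(device, policy) pairs for every VIOLATES relationship."""
    return [(src, dst) for src, verb, dst in edges if verb == "VIOLATES"]


def prioritize(entities, edges, max_hops=3):
    """Violations ordered by sensitive assets reached, then by shortest path, then by name."""
    rows = []
    for device, policy in violations(edges):
        reach = sensitive_reach(device, entities, edges, max_hops)
        rows.append({
            "device": device,
            "policy": entities[policy]["displayName"],
            "sensitive_assets": sorted(reach),
            "closest_hops": min(reach.values(), default=None),
        })
    rows.sort(key=lambda r: (-len(r["sensitive_assets"]),
                             r["closest_hops"] if r["closest_hops"] is not None else 99,
                             r["device"]))
    return rows


if __name__ == "__main__":
    for row in prioritize(ENTITIES, EDGES):
        print(f'{row["device"]:10} {row["policy"]:20} -> {row["sensitive_assets"] or "no sensitive reach"}')
```

With the constructed data, server-c (one hop from billing data) ranks first, laptop-a (reaches patient data only through its user's entitlements) second, and laptop-b's outdated browser last because it only touches an internal wiki; in the real platform the J1QL traversal does this walk for you, but the ordering logic is the same.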

Software Inventory

Fleet has powerful software inventory capabilities. This data is ingested by JupiterOne, then normalized, allowing you to query and search for applications, no matter what data source informs the graph. 

As you can see, looking for an Application returns software detected by Fleet, categorized as fleetdm_software. This is particularly helpful when building policies for allowlisting, or when looking for a known vulnerable piece of software in your organization. In the case of user endpoints, MDM tools provide much less granular information than Fleet with osquery, so it is a great addition.

And again, since it’s part of the graph, all of these applications can be easily tied to the devices they’re installed on, as well as what those devices can access, allowing you to prioritize remediation to get the best coverage and efficiency when knocking down those vulnerabilities.
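Normalizing an inventory so that the same product reports consistently whatever source detected it, and then comparing versions numerically rather than as strings, is where most of the work in "find the known vulnerable software" lies. The following is an added example, not JupiterOne's or Fleet's code; the inventory rows (shaped like Fleet's per-host software list with a name, version and osquery source) and the advisory list with its EXAMPLE-ADV placeholder identifiers are constructed for illustration.

```python
"""Match a normalized software inventory against a list of fixed-in versions."""
import re

# Constructed inventory rows: host, software name as reported, version, osquery source.
INVENTORY = [
    {"host": "laptop-a", "name": "Google Chrome.app", "version": "119.0.6045.105", "source": "apps"},
    {"host": "laptop-b", "name": "Google Chrome.app", "version": "120.0.6099.71", "source": "apps"},
    {"host": "win-1", "name": "Google Chrome", "version": "9.9.9.9", "source": "programs"},
    {"host": "srv-1", "name": "openssl", "version": "3.0.1-1ubuntu1", "source": "deb_packages"},
]

# Constructed advisories with placeholder ids; "fixed_in" is the first safe version.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "product": "google chrome", "fixed_in": "120.0.6099.71"},
    {"id": "EXAMPLE-ADV-002", "product": "openssl", "fixed_in": "3.0.2"},
]


def normalize_name(name):
    """Fold source-specific naming (macOS '.app' suffix, case, spacing) into one key."""
    name = name.strip()
    if name.lower().endswith(".app"):
        name = name[:-4]
    return " ".join(name.lower().split())


def parse_version(version):
    """Upstream version as a tuple of ints so 9.x sorts below 10.x.

    The Debian-style package revision after '-' is dropped; epochs ('1:') are
    not handled, so distro packages still deserve the native comparator.
    """
    upstream = version.split("-", 1)[0]
    return tuple(int(part) for part in re.findall(r"\d+", upstream))


def find_vulnerable(inventory, advisories):
    """Rows whose normalized product matches an advisory and whose version is below fixed_in."""
    by_product = {}
    for adv in advisories:
        by_product.setdefault(adv["product"], []).append(adv)
    hits = []
    for row in inventory:
        product = normalize_name(row["name"])
        for adv in by_product.get(product, ()):
            if parse_version(row["version"]) < parse_version(adv["fixed_in"]):
                hits.append({
                    "host": row["host"],
                    "product": product,
                    "version": row["version"],
                    "source": row["source"],
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed_in"],
                })
    return sorted(hits, key=lambda h: (h["host"], h["advisory"]))


if __name__ == "__main__":
    for hit in find_vulnerable(INVENTORY, ADVISORIES):
        print(f'{hit["host"]}: {hit["product"]} {hit["version"]} ({hit["source"]}) '
              f'< {hit["fixed_in"]} [{hit["advisory"]}]')
```

The win-1 row is the case string comparison gets wrong: "9.9.9.9" sorts above "120.0.6099.71" lexicographically but is far older, and the tuple comparison flags it. Once these hits are in the graph, the same device-to-asset traversal used for policy violations tells you which of them to fix first.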
Details on the JupiterOne integration with Fleet can be found on JupiterOne Docs.

Cyber Defense Matrix (CDM) and Fleet

It comes as no surprise that there is a large overlap between people interested in osquery, Fleet, and JupiterOne. Those who understand the power of data value easy access to it and leverage it to better understand their security environment.

JupiterOne published the Cyber Defense Matrix book with Sounil Yu and continues to use CDM as a framework to navigate the cybersecurity landscape. We were excited to see Fleet add Mobile Device Management (MDM) functionality, which means they now address both the Identify and Protect functions within the Cyber Defense Matrix.

1. Identify: Comprehensive Endpoint Information

With Fleet we can collect extensive data on each endpoint, including software and hardware inventories. We have a complete view of the software running across all devices, including software versions and unauthorized applications, and the ability to ensure compliance with software policies. Fleet also includes vulnerability identification for installed software packages and OSes. That’s right: endpoint instrumentation, MDM and vulnerability identification in the same open source package, with great data you can bring into your security data to empower your security program.

2. Protect: Centralized Device Management

Security administrators can now centrally and remotely apply security profiles to each device, ensuring they comply with JupiterOne's security policy, including password, encryption and networking settings.

We’re great fans of osquery and Fleet, as well as open-source security tools in general. Integrating Fleet with JupiterOne empowers you to gain comprehensive insights and enhance the security of your environment.

Guillaume Ross

Guillaume has been a security practitioner for well over a decade, building on prior experience working in enterprise IT. He also produces technical training content as a hobby, as a way of staying sharp with recent tools and techniques. With experience in multiple cybersecurity companies, he's also worked on the blue-team side for large organizations and startups, and really enjoys challenging preconceived ideas. Why do something because everyone else is, or because we've always done it this way? Let's prove it's useful first!
