12:02 pm ET
Jul 17, 2015

Security

Facebook, a Big User of Apple Machines, Writes and Open Sources Its Own Mac OS Security Software

Tags: Apple, Cybersecurity, Facebook, Mac, Mike Arpaia, Open Source, osquery, Ted Reed

By Rachael King

When Facebook Inc. engineers needed security software to monitor the thousands of Apple Inc. Mac laptops used by the company’s employees, they couldn’t find what they needed. So they built their own and released it to other companies as a free, open source project called osquery.

In most companies, the number of computers running Windows vastly outnumbers those running the Mac operating system. At Facebook, though, that ratio is flipped: the company has 16,000 Mac laptops and a much smaller number of Windows machines. “We live in a Windows-centric world,” said Ted Reed, security engineer at Facebook. On the Windows side, it’s fairly easy to buy a security network appliance and install it. But it was a problem for Mac OS X, he said, speaking Wednesday at the Mac IT conference in Silicon Valley.

Facebook security engineer Ted Reed, left, and software engineer Mike Arpaia developed open source security software for the company’s 16,000 Mac computers.
Rachael King/WSJ

Monitoring security on Mac laptops is incredibly important at Facebook. “These laptops that everyone uses are the highest risk at Facebook as a company,” said Mr. Reed. Employees are constantly browsing to websites that the company doesn’t control and are installing apps and running many different network protocols, he said. The laptops are appealing to attackers for a number of reasons. They contain information about the company’s developers and provide a springboard to Facebook’s production infrastructure as well as all of the company’s code. “You can put all those things together and that’s how we calculate that these laptops are our highest risk,” he said.

The lack of Mac OS X tools made it difficult for the company to do the types of things they could do to protect Windows machines. “We realized we had a bit of a problem with regards to our ability to detect and respond to compromise on OS X assets,” said Mike Arpaia, a software engineer at Facebook who developed osquery. “We had a disparity in our capabilities of things we weren’t able to do that we really needed to be able to do,” he added.

So, about 18 months ago, Mr. Arpaia and other Facebook developers on the intrusion detection team set out to write their own software. The idea behind the osquery software is to give the security team real-time insight into the current state of the operating system on each of those laptops. It exposes low-level operating-system state, such as which processes are currently running on a particular machine or which network connections are open. Within months, Facebook began to test the software on employee machines, and on Oct. 29, 2014, the company made the code available to others as an open source project.

At a very basic level, when a computer is compromised, something observable changes on it. For example, a computer infected with a virus might run very slowly because the malicious software is performing many tasks and running extra processes. The idea behind the osquery framework is to give Facebook and others the tools to automatically discover when something has changed.


This is similar, in a way, to how Netflix Inc. has created tools such as Security Monkey to monitor its Amazon Web Services infrastructure for changes to configurations and to notify the security team when something significant has changed. “There’s a continuum of changes and some of those changes are benign and happen all the time and then there’s a small percentage of those changes that we need to look at more closely and have a human get involved,” Netflix cloud security architect Jason Chan told CIO Journal recently.

One of Facebook’s security tools, called osqueryi, makes it possible to explore the operating system using Structured Query Language, or SQL, the language normally used to retrieve data from relational databases. It essentially lets security experts query the computer’s operating system as if it were a database, with running processes, open ports and users exposed as tables. This tool is useful for diagnosing a systems operations problem or troubleshooting a performance issue, said Mr. Reed. It works on both Mac OS X and Linux.

Another tool, called osqueryd, is what’s known as a daemon, a computer program that runs as a background process. This tool monitors the operating system and lets Facebook schedule queries to run repeatedly across its infrastructure. Osqueryd takes care of aggregating the query results over time and generates logs that record how the results changed from one run to the next. “It automagically lets you know how something changes and when it changes,” said Mr. Arpaia. “It’s persistent across reboots and it’s super fast,” he said.
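The two ideas in the preceding paragraphs, querying the OS as a database (osqueryi) and logging only what changed between scheduled runs (osqueryd), are shown together below as an added example that is not from the article or from the osquery project itself. The two SQL statements use the real osquery column names for the `processes` and `listening_ports` tables, so they could be typed at an osqueryi prompt unchanged; everything else (the sqlite3 tables standing in for osquery’s virtual tables, the two host snapshots, and the `diff_results` routine that mirrors osqueryd’s added/removed differential logging) is constructed here so the example runs offline without osquery installed.

```python
"""Constructed sqlite3 stand-in for two osquery tables, plus a differential
check of the kind osqueryd performs between scheduled runs of a query.

The queries are written against osquery's own column names for `processes`
and `listening_ports`; the schemas here are a subset of the real tables and
the rows are constructed sample data, not a real host.
"""
import sqlite3
from typing import Dict, List, Tuple

# Subset of osquery's schemas (column names match the real tables).
SCHEMA = """
CREATE TABLE processes (
  pid INTEGER, name TEXT, path TEXT, cmdline TEXT, parent INTEGER,
  uid INTEGER, on_disk INTEGER
);
CREATE TABLE listening_ports (
  pid INTEGER, port INTEGER, protocol INTEGER, address TEXT
);
"""

# Query 1: what is listening on the network, and which binary owns the socket.
LISTENING_QUERY = """
SELECT p.pid, p.name, p.path, lp.port, lp.address
FROM listening_ports lp
JOIN processes p ON p.pid = lp.pid
WHERE lp.port != 0
ORDER BY lp.port;
"""

# Query 2: running processes whose executable is no longer on disk
# (osquery reports on_disk = 0 when the path does not exist; a dropped-and-
# deleted implant is the classic reason).
GHOST_PROCESS_QUERY = """
SELECT pid, name, path, cmdline
FROM processes
WHERE on_disk = 0;
"""

# Constructed snapshots of one laptop at two points in time. In T1 a process
# running from /tmp, already deleted from disk, has opened a listening port.
SNAPSHOT_T0: Dict[str, List[Tuple]] = {
    "processes": [
        (1, "launchd", "/sbin/launchd", "/sbin/launchd", 0, 0, 1),
        (412, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -i", 1, 0, 1),
        (733, "Safari", "/Applications/Safari.app/Contents/MacOS/Safari",
         "/Applications/Safari.app/Contents/MacOS/Safari", 1, 501, 1),
    ],
    "listening_ports": [(412, 22, 6, "0.0.0.0")],
}
SNAPSHOT_T1: Dict[str, List[Tuple]] = {
    "processes": SNAPSHOT_T0["processes"] + [
        (2049, ".updater", "/tmp/.updater", "/tmp/.updater -c", 733, 501, 0),
    ],
    "listening_ports": SNAPSHOT_T0["listening_ports"] + [
        (2049, 4444, 6, "0.0.0.0"),
    ],
}


def load_snapshot(snapshot: Dict[str, List[Tuple]]) -> sqlite3.Connection:
    """Load one snapshot into an in-memory database shaped like osquery's tables."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO processes VALUES (?,?,?,?,?,?,?)",
                     snapshot["processes"])
    conn.executemany("INSERT INTO listening_ports VALUES (?,?,?,?)",
                     snapshot["listening_ports"])
    return conn


def run_query(conn: sqlite3.Connection, sql: str) -> List[Dict]:
    """Run one query, as osqueryi would, and return rows as dicts."""
    return [dict(row) for row in conn.execute(sql).fetchall()]


def diff_results(old: List[Dict], new: List[Dict]) -> Dict[str, List[Dict]]:
    """Differential logging in the style of osqueryd: report only rows that
    appeared or disappeared between two runs of the same query."""
    old_set = {tuple(sorted(r.items())) for r in old}
    new_set = {tuple(sorted(r.items())) for r in new}
    return {
        "added": [dict(r) for r in new_set - old_set],
        "removed": [dict(r) for r in old_set - new_set],
    }


def detect_changes(old_snapshot: Dict, new_snapshot: Dict, sql: str) -> Dict[str, List[Dict]]:
    """Run a scheduled query against two snapshots and return what changed."""
    old_rows = run_query(load_snapshot(old_snapshot), sql)
    new_rows = run_query(load_snapshot(new_snapshot), sql)
    return diff_results(old_rows, new_rows)


if __name__ == "__main__":
    for label, sql in (("listening", LISTENING_QUERY),
                       ("ghost_process", GHOST_PROCESS_QUERY)):
        changes = detect_changes(SNAPSHOT_T0, SNAPSHOT_T1, sql)
        for row in changes["added"]:
            print(f"[{label}] added:   {row}")
        for row in changes["removed"]:
            print(f"[{label}] removed: {row}")
```

Between the two snapshots the only differential output is the new `.updater` process: it shows up once as a new listener on port 4444 and once as a process with no backing file on disk, while the unchanged sshd listener produces no log line at all. That is the point of logging differences rather than full results: a fleet of 16,000 laptops running these queries every few minutes produces a manageable stream of events that a human can actually look at.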

Both Mr. Reed and Mr. Arpaia acknowledge that it’s still early days for osquery, but the project has attracted other companies, which they declined to name. Osquery has drawn at least 52 people who have contributed to the project. To be sure, some of those contributors are from Facebook, but small contributions have come from developers at Box Inc. and Slack Technologies Inc., according to GitHub, the site where the osquery open source project is hosted.

By getting other companies interested and contributing to osquery, Facebook can essentially multiply its security forces. “We have 200 people working on security from our enterprise networks all the way to our production networks,” said Mr. Reed. “We have 49 positions open this year,” he added, saying that the social network probably won’t be able to fill all those positions because of a shortage of cybersecurity workers. Automating security is one way to effectively marshal resources.

Write to rachael.king@wsj.com
