Exploring Osquery, Fleet, and Elastic Stack as an Open-source solution to Endpoint Detection and Response

Exploring Osquery, Fleet, and Elastic Stack as an Open-source solution to Endpoint Detection and Response (PDF, 3.25MB)
Published: 10 Sep, 2019
Created by: Christopher Hurless

Endpoint Detection and Response (EDR) capabilities are rapidly evolving as a method of identifying threats to an organization's computing environment. Gartner, a global research and advisory company, defines EDR as 'Solutions that record and store endpoint-system-level behaviors, use various data analytics techniques to detect suspicious system behavior, provide contextual information, block malicious activity, and provide remediation suggestions to restore affected systems' (Gartner, 2019). This paper explores the feasibility and difficulty of using open-source tools as a practical alternative to commercial EDR solutions. A business with sufficiently mature Incident Response (IR) processes might find that building an EDR solution in-house with open-source tools provides both the knowledge and the technical capability to detect and investigate security incidents. The skill level required to begin using and gaining value from these tools is relatively low, and it can be acquired during the build process through problem deconstruction and solution engineering.