
Windows Defender for Linux


Grubbslinger


Hey everyone! I was wondering if anyone has any experience with Windows Defender for Linux on a Red Hat server? Or really any EDR solution for Red Hat? Thanks!


I implemented it for a customer.

For a supported OS it works fine. On unsupported ones, not really 😉

Depending on the application running on it, it could have a performance impact, but this is the same as on Windows.

Deployment is easy peasy if you are well prepared 😛

If you implement it, please send me your experiences.

Greez Flo


Out of curiosity, does anybody know if Windows Defender for Linux requires OMI to be installed? I know this is required for a bunch of Azure features; I couldn't find an answer on whether Defender also utilizes it.

20 hours ago, Grubbslinger said:

Or really any EDR solution for Red Hat

I think Elastic EDR works well on Linux. While I don't have much hands-on experience with their agent, I know they bought cmd.com, and when I was evaluating it (~two years ago I think) it worked well; the only thing missing was a more robust ruleset. Back then their ruleset pretty much just covered every Atomic Red Team test 😁. I'm sure that has changed since then.

I also have some friends that run Palo Alto Cortex in production and they are not complaining. Cortex also has a version specifically for Kubernetes hosts, which is rare and seems to be a selling point for them.


I've tried Defender for Endpoint on both Debian/Ubuntu and RHEL and (as long as you are on a supported version of the OS) it works fine.

It lacks a few features that are available on Windows (such as being able to isolate the machine), but apart from that it did a good job during our detection tests. It seems to work both as an antivirus and an EDR (while only being an EDR on Windows), provides you with the list of installed software packages (and associated vulnerabilities) and the capability to view the timeline (same as Windows, maybe a bit less detailed).

My understanding is that it does not use OMI (although I am 100% sure about it). Basically you install an agent (mdatp) via a standard apt/yum command and then run a Python script to onboard the device. If OMI is used, then it is buried somewhere inside the MDATP package.

I've never tried it on macOS or on mobile devices though. Does anyone have experience with that?

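The post above describes deployment as "install mdatp, run the onboarding script". A defender normally wants a repeatable check that the agent actually came up licensed and attached to the tenant before calling a host done. The block below is an added example, not Elched's code and not part of Microsoft's onboarding script. It assumes (from memory of the tool, not from this thread) that `mdatp health` prints one `name : value` line per field with unquoted booleans and double-quoted strings, and that `healthy`, `licensed`, `org_id` and `real_time_protection_enabled` are among those fields; the two samples are constructed text in that layout so the check runs offline.

```python
"""Post-onboarding check for the Defender for Endpoint Linux agent (mdatp).

Added example, not the forum poster's code and not Microsoft's script.
Assumption: `mdatp health` prints `name : value` lines, booleans unquoted,
strings double-quoted, lists in JSON form. The samples are constructed.
"""
import json
import re
import subprocess

LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$")

# Constructed sample of a healthy, onboarded agent (org_id is a placeholder).
SAMPLE_OK = """\
healthy                                     : true
health_issues                               : []
licensed                                    : true
org_id                                      : "ORG-ID-PLACEHOLDER"
real_time_protection_enabled                : true
"""

# Constructed sample of an agent that was installed but never onboarded.
SAMPLE_NOT_ONBOARDED = """\
healthy                                     : false
health_issues                               : ["no license found"]
licensed                                    : false
org_id                                      : ""
real_time_protection_enabled                : false
"""


def parse_health(text):
    """Turn `mdatp health` style output into a dict of Python values."""
    fields = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip anything that is not a `name : value` line
        name, raw = m.groups()
        if raw in ("true", "false"):
            fields[name] = raw == "true"
        else:
            try:
                fields[name] = json.loads(raw)  # "quoted strings", [] lists
            except ValueError:
                fields[name] = raw  # leave anything else as plain text
    return fields


def onboarding_problems(fields):
    """Return the reasons (empty list if none) the agent is not fully deployed."""
    problems = []
    if not fields.get("healthy"):
        problems.append("agent reports unhealthy: %s" % fields.get("health_issues", []))
    if not fields.get("licensed"):
        problems.append("agent is not licensed (onboarding script not run or failed)")
    if not fields.get("org_id"):
        problems.append("no org_id: device is not attached to a tenant")
    if not fields.get("real_time_protection_enabled"):
        problems.append("real-time protection is disabled")
    return problems


def check_live_agent():
    """Run the real command on a host with mdatp installed (not used offline)."""
    out = subprocess.run(["mdatp", "health"], capture_output=True,
                         text=True, check=True).stdout
    return onboarding_problems(parse_health(out))


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("not onboarded", SAMPLE_NOT_ONBOARDED)):
        print(label, "->", onboarding_problems(parse_health(sample)) or "no problems")
```

On a real host, `check_live_agent()` replaces the constructed samples with the agent's own output; wiring its result into the deployment tooling (fail the run when the list is non-empty) is what turns "we ran the script" into "the host is actually reporting".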

1 hour ago, Elched said:

It lacks a few features that are available on Windows (such as being able to isolate the machine), but apart from that it did a good job during our detection tests. It seems to work both as an antivirus and an EDR (while only being an EDR on Windows), provides you with the list of installed software packages (and associated vulnerabilities) and the capability to view the timeline (same as Windows, maybe a bit less detailed).

Yeah, but it is pretty new and always evolving. As an MS Partner I regularly get asked what they should develop.


Re: any other EDR for Red Hat: I don't have experience with Red Hat in particular, but plenty with Amazon Linux. I'm a bit vague on whether or not those are roughly the same platform. If they are not, then my apologies, because this may not be relevant 🙂

We've had good experiences using osquery/Uptycs. Osquery[1] is the open source agent that lets you get answers from your fleet in SQL form; Uptycs[2] is a commercial provider that builds on top of osquery to aggregate the data. Uptycs is a bit rough around the edges still, but pleasant to work with and priced much more reasonably than the big players, in my experience.

On osquery itself: the concept of using SQL to query your fleet and write rules still feels awesome to me. It comes much more naturally to me than any other custom query language, and is a lot less daunting. Especially if you want to open it up to other teams outside of security, which you might end up doing considering how useful it is for asset management and getting answers to questions like "what kernel versions do we use across the fleet", or "how many instances do we have with an uptime of more than two weeks", which your devops/platform teams might appreciate.

If you want to use osquery but not Uptycs, I can recommend looking at Fleet[3], an open source osquery platform.

We previously used Twistlock, but we ran away from them once they were bought by Palo Alto and turned into Prisma. The pricing went (way) up and the user experience went (way) down, for us at least.

Edit: my inline links seem to have disappeared, so I'll add them separately:
- [1]: https://www.osquery.io/
- [2]: https://www.uptycs.com/
- [3]: https://fleetdm.com/

Edited by CosmicGravy
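The two fleet questions in the post above ("what kernel versions do we use", "how many instances have been up more than two weeks") map directly onto osquery tables. The block below is an added example, not CosmicGravy's code and not part of osquery, Fleet or Uptycs. It uses the real osquery table names `kernel_info` (column `version`) and `uptime` (column `total_seconds`) in the SQL, but runs that SQL against an in-memory SQLite stand-in populated with constructed rows, so it executes offline; the per-host loop imitates what the platform (Fleet/Uptycs) does when it collects each host's rows and aggregates them. The hostnames and kernel strings are constructed.

```python
"""Fleet questions expressed as osquery-style SQL, run against a SQLite mock.

Added example, not the forum poster's code. osquery exposes host facts as
virtual SQLite tables; the SQL below is what you would schedule in a query
pack, and the tables are stand-ins filled with constructed data.
"""
import sqlite3
from collections import Counter

# Constructed per-host facts: hostname -> (kernel version, uptime in seconds).
FLEET = {
    "web-01": ("4.18.0-425.3.1.el8.x86_64", 3 * 86400),
    "web-02": ("4.18.0-425.3.1.el8.x86_64", 20 * 86400),
    "db-01": ("5.14.0-162.6.1.el9_1.x86_64", 45 * 86400),
    "batch-01": ("4.18.0-372.9.1.el8.x86_64", 14 * 86400),  # exactly 14 days: boundary
}

# The SQL a practitioner would put in an osquery pack; unchanged by the mock.
KERNEL_QUERY = "SELECT version FROM kernel_info;"
LONG_UPTIME_QUERY = "SELECT total_seconds FROM uptime WHERE total_seconds > 14 * 86400;"


def host_db(kernel_version, uptime_seconds):
    """Build an in-memory stand-in for one host's osquery tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE kernel_info (version TEXT)")
    conn.execute("CREATE TABLE uptime (total_seconds INTEGER)")
    conn.execute("INSERT INTO kernel_info VALUES (?)", (kernel_version,))
    conn.execute("INSERT INTO uptime VALUES (?)", (uptime_seconds,))
    return conn


def fleet_results(query, fleet=FLEET):
    """Run one query on every host; return {hostname: rows}, as a platform would."""
    out = {}
    for host, (kernel, up) in fleet.items():
        conn = host_db(kernel, up)
        out[host] = conn.execute(query).fetchall()
        conn.close()
    return out


def kernel_versions(fleet=FLEET):
    """'What kernel versions do we use across the fleet' -> Counter version -> host count."""
    rows = fleet_results(KERNEL_QUERY, fleet)
    return Counter(r[0][0] for r in rows.values())


def hosts_up_over_two_weeks(fleet=FLEET):
    """'How many instances have an uptime of more than two weeks' -> sorted hostnames."""
    rows = fleet_results(LONG_UPTIME_QUERY, fleet)
    # A host with no matching row did not exceed the threshold (the boundary host drops out).
    return sorted(h for h, r in rows.items() if r)


if __name__ == "__main__":
    for version, n in kernel_versions().most_common():
        print(f"{n:3d}  {version}")
    print("up > 14 days:", hosts_up_over_two_weeks())
```

The point of keeping the SQL in named constants is that the same strings go straight into an osquery pack or into `osqueryi` on a single host; only the aggregation step (counting versions, listing hosts) lives outside the agent, which is exactly the part a platform like Fleet or Uptycs provides.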

9 hours ago, CosmicGravy said:

We've had good experiences using osquery/Uptycs. Osquery[1] is the open source agent that lets you get answers from your fleet in SQL form; Uptycs[2] is a commercial provider that builds on top of osquery to aggregate the data. Uptycs is a bit rough around the edges still, but pleasant to work with and priced much more reasonably than the big players, in my experience.

I always forget about osquery since I think about it as ED without the R 😁 I agree it's definitely worth looking into. There are quite a few security solutions that incorporate it, adding the response part. Elastic provides osquery manager under its free license; it used to be a bit clunky, but it's much more stable recently. Other commercial products that also utilize osquery in some way are CarbonBlack, rapid7 InsightIDR and Trend Micro (not sure if Vision One or the legacy EDR; I remember seeing it in the documentation, but can't find it now).


On 11/25/2022 at 6:57 PM, j91321 said:

I always forget about osquery since I think about it as ED without the R 😁 I agree it's definitely worth looking into. There are quite a few security solutions that incorporate it, adding the response part. Elastic provides osquery manager under its free license; it used to be a bit clunky, but it's much more stable recently. Other commercial products that also utilize osquery in some way are CarbonBlack, rapid7 InsightIDR and Trend Micro (not sure if Vision One or the legacy EDR; I remember seeing it in the documentation, but can't find it now).

I didn't realise that those providers use it under the hood as well, cool! FWIW, Uptycs does provide the R, but osquery by itself definitely doesn't; I should have mentioned that. Thanks!


On 11/22/2022 at 9:53 PM, Grubbslinger said:

any EDR solution for Red Hat?

I have used CrowdStrike for RHEL/CentOS and other Linux distros. The CrowdStrike agent only needs the right Linux kernel. When the kernel is supported it works pretty well. It has network containment, connection to the host from the web (if you are off site) and of course a pretty good detection rate.

The detection is really good too. I had some webshell detections from web servers. The agent can even look into containers, so if you have a Docker deployment this can be a big plus. I also had detections made from containers, so I can confirm that it works.

Microsoft Defender for Endpoint I have really only used for Windows hosts, so I can't really compare them, but with the budget Microsoft is putting into it, MS D4E could become really good in the near future.

Edited by lurto