Keeping Your Data From Getting Swiped Right Away: Security Analytics at Tinder

Transcript

1. Keeping Your Data From Getting Swiped Right Away: Security Analytics

   at Tinder Patrick Albert, Director of Operations | Tinder 1

2. Our  Mission • Friends,  dates,  relationships,  and  everything  in  

   between.   • Tinder  wants  to  empower  users  around  the   world  to  create  new  connections.     • We  build  products  that  bring  people  together.
3. None
4. None

5. Current(ish)  Interesting  Metrics • 1.4  billion  swipes  per  day  

   • 26  million  matches  per  day   • Over  9  billion  matches  made  to  date   • Represented  in  196  countries  to  date

6. Startup  Life. • Scaling  is  one  of  the  most  challenging

    things  to   do.   • With  rapid  scale,  comes  problems.   • Forced  to  make  choices/sacrifices.   • Scaling  amplifies  good,  and  bad.  
7. None

8. This  is  when  things  get  hard. • How  do  I

    build  for  the  future?   • Automate   • Start  making  decisions  based  on  data   • Inputs  and  Outputs  to  drive  roadmap

9. It Gets Worse When You Think About Security…. (Things to

   keep in mind - AKA: Things that will keep us all up at night) • Server  compromise  which  could  expose  the  org  to  ridicule/ embarrassment   • Server  compromise  that  may  expose  private  customer  data   • Angry  employee  who  leaves  malicious  code/logic  bomb  behind   • Easily  convinced  employees  who  are  socially  engineered  (conned)   into  giving  away  trade  secrets,  or  system  access   • Attacker  who  finds  evidence  to  provide  ammunition  for  blackmail

10. Are you freaking out yet?

11. Traditional  SIEM   • Incident  Detection,  Agent  Based   •

    Reactive   • Alert-­‐Centric,  Alert  Driven   • Similar  methodology  to  systems  monitoring   • Operational  Overhead   • SOC  Overhead  

12. ELK  to  the  rescue.

13. ELK  Security  Analytics • Big  Data   • Proactive  

    • Context  Driven,  Full  Picture  Available   • Alerting  available,  or  can  be  created   • Data  Analysis  and  Engineering  Overhead   • SOC  will  never  go  away  

14. Lets  Build  ELK!

15. ELK  Example  Architecture

16. A  Different/New  Way  

17. Or Something Simple!

18. Metrics  To  Collect • All  of  them?     •

    Some  of  them?     • Most  exposed  surfaces?   • Start  there.  

19. Lets  use  Beats!

20. FileBeat • An  open  source  log  shipper   • The

     next  generation  of  log  forwarding   • Easily  push  logs  into  ELK  with  a  simple  config  

21. filebeat:      #  List  of  prospectors  to  fetch  data.

         prospectors:          -­‐              paths:                  -­‐  /var/log/syslog                  -­‐  /var/log/auth.log              document_type:  syslog              input_type:  log          -­‐              paths:                  -­‐  /var/log/nginx/access.log              document_type:  nginx_access              input_type:  log          -­‐              paths:                  -­‐  /var/log/nginx/error.log              document_type:  nginx_error              input_type:  log

22. TopBeat • Easily  collect  process  and  system  data!   •

    No  more  hacking  ntop,  collectl  etc…  to  get  information   into  ELK   • Example  config  usage  

23. input:      period:  10      procs:  [".*"]  

       stats:          system:  true          proc:  true          filesystem:  true

24. PacketBeat   • Allows  for  the  easy  collection  of  network

     based  traffic   and  other  data.     • Traffic  collected  by  default  includes  mongo,  redis,   postgres,  memcache  etc…   • Can  use  pcap,  af_packet,  and  pf_ring   • We  stuck  with  pcap  (for  now)  

25. interfaces: device: any protocols: dns: ports: [53] include_authorities: true include_additionals:

    true http: ports: [80, 8080] pgsql: ports: [5432] redis: ports: [6379] mongodb: ports: [27017]

26. 26 1. FileBeat 2. PacketBeat 3. TopBeat 4. ????? 5.

    Profit

27. What  can  you  achieve  in  a  short  period  of  time?

    • Instantly begin to see trends in data • Easily track authentication attempts • Easily visualize and report on web based scans or attacks • Easily understand trends in traffic at the packet level • Integrate with traditional HIDS/NIDS

28. What  can  you  achieve  in  a  Long  period  of  time?