Elastic Co
December 01, 2015

Keeping Your Data From Getting Swiped Right Away: Security Analytics at Tinder

Patrick Albert, Director of Operations | Elastic{ON} Tour Los Angeles | December 1, 2015

Transcript

  1. Keeping Your Data From Getting Swiped Right Away: Security Analytics at Tinder
     Patrick Albert, Director of Operations | Tinder

  2. Our Mission
     • Friends, dates, relationships, and everything in between.
     • Tinder wants to empower users around the world to create new connections.
     • We build products that bring people together.

  3. Current(ish) Interesting Metrics
     • 1.4 billion swipes per day
     • 26 million matches per day
     • Over 9 billion matches made to date
     • Represented in 196 countries to date

  4. Startup Life.
     • Scaling is one of the most challenging things to do.
     • With rapid scale come problems.
     • Forced to make choices/sacrifices.
     • Scaling amplifies good, and bad.

  5. This is when things get hard.
     • How do I build for the future?
     • Automate
     • Start making decisions based on data
     • Inputs and Outputs to drive roadmap

  6. It Gets Worse When You Think About Security… (Things to keep in mind - AKA: Things that will keep us all up at night)
     • Server compromise which could expose the org to ridicule/embarrassment
     • Server compromise that may expose private customer data
     • Angry employee who leaves malicious code/logic bomb behind
     • Easily convinced employees who are socially engineered (conned) into giving away trade secrets, or system access
     • Attacker who finds evidence to provide ammunition for blackmail

  7. Traditional SIEM
     • Incident Detection, Agent Based
     • Reactive
     • Alert-Centric, Alert Driven
     • Similar methodology to systems monitoring
     • Operational Overhead
     • SOC Overhead

  8. ELK Security Analytics
     • Big Data
     • Proactive
     • Context Driven, Full Picture Available
     • Alerting available, or can be created
     • Data Analysis and Engineering Overhead
     • SOC will never go away

  9. Metrics To Collect
     • All of them?
     • Some of them?
     • Most exposed surfaces?
     • Start there.

  10. FileBeat
     • An open source log shipper
     • The next generation of log forwarding
     • Easily push logs into ELK with a simple config

  11. Filebeat config (prospectors for syslog, auth and nginx logs)

       filebeat:
         # List of prospectors to fetch data.
         prospectors:
           -
             paths:
               - /var/log/syslog
               - /var/log/auth.log
             document_type: syslog
             input_type: log
           -
             paths:
               - /var/log/nginx/access.log
             document_type: nginx_access
             input_type: log
           -
             paths:
               - /var/log/nginx/error.log
             document_type: nginx_error
             input_type: log

  12. TopBeat
     • Easily collect process and system data!
     • No more hacking ntop, collectl etc… to get information into ELK
     • Example config usage

  13. Topbeat config (system, process and filesystem stats every 10 seconds)

       input:
         period: 10
         procs: [".*"]
         stats:
           system: true
           proc: true
           filesystem: true

  14. PacketBeat
     • Allows for the easy collection of network based traffic and other data.
     • Traffic collected by default includes mongo, redis, postgres, memcache etc…
     • Can use pcap, af_packet, and pf_ring
     • We stuck with pcap (for now)

  15. Packetbeat config (capture on all interfaces; decode DNS, HTTP, PostgreSQL, Redis and MongoDB)

       interfaces:
         device: any
       protocols:
         dns:
           ports: [53]
           include_authorities: true
           include_additionals: true
         http:
           ports: [80, 8080]
         pgsql:
           ports: [5432]
         redis:
           ports: [6379]
         mongodb:
           ports: [27017]

  16. What can you achieve in a short period of time?
     • Instantly begin to see trends in data
     • Easily track authentication attempts
     • Easily visualize and report on web based scans or attacks
     • Easily understand trends in traffic at the packet level
     • Integrate with traditional HIDS/NIDS
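As an added example (not from the talk or from Tinder's own tooling), here is the kind of first-pass analysis slide 16 means by "track authentication attempts", run over the /var/log/auth.log lines the Filebeat prospector on slide 11 ships: parse sshd Accepted/Failed events, count failures per source address, and flag any success that follows a run of failures from the same source. The log lines and the threshold of 3 are constructed sample data; a real deployment would do this aggregation in Elasticsearch/Kibana over the shipped events.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log
# (addresses are documentation ranges; this is not real data from the talk).
SAMPLE_AUTH_LOG = """\
Dec  1 10:00:01 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51122 ssh2
Dec  1 10:00:03 web1 sshd[2203]: Failed password for root from 198.51.100.7 port 51130 ssh2
Dec  1 10:00:04 web1 sshd[2205]: Failed password for root from 198.51.100.7 port 51131 ssh2
Dec  1 10:00:09 web1 sshd[2210]: Accepted publickey for deploy from 203.0.113.5 port 40122 ssh2
Dec  1 10:01:15 web1 sshd[2221]: Failed password for invalid user test from 198.51.100.7 port 51200 ssh2
Dec  1 10:02:40 web1 sshd[2230]: Accepted password for root from 198.51.100.7 port 51300 ssh2
Dec  1 10:03:00 web1 CRON[2240]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches the two sshd outcomes we care about; "invalid user" is optional on failures.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd_events(text):
    """Yield one dict per sshd auth event; non-sshd lines (cron, sudo, ...) are skipped."""
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            yield m.groupdict()


def failures_per_source(text):
    """Failed logins per source IP: the basic 'authentication attempts' trend view."""
    return Counter(e["ip"] for e in parse_sshd_events(text) if e["result"] == "Failed")


def suspicious_successes(text, threshold=3):
    """Successful logins from a source that had already failed `threshold` or more times.

    Returns (ip, user) pairs in log order; a hypothetical threshold, tune per environment.
    """
    failed = defaultdict(int)
    flagged = []
    for e in parse_sshd_events(text):
        if e["result"] == "Failed":
            failed[e["ip"]] += 1
        elif failed[e["ip"]] >= threshold:
            flagged.append((e["ip"], e["user"]))
    return flagged
```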