
Keeping Your Data From Getting Swiped Right Away: Security Analytics at Tinder

Elastic Co
December 01, 2015


Patrick Albert, Director of Operations | Elastic{ON} Tour Los Angeles | December 1, 2015


Transcript

  1. Keeping Your Data From Getting Swiped Right Away: Security Analytics at Tinder
     Patrick Albert, Director of Operations | Tinder
  2. Our Mission
     • Friends, dates, relationships, and everything in between.
     • Tinder wants to empower users around the world to create new connections.
     • We build products that bring people together.
  3. (image-only slide, no text)
  4. (image-only slide, no text)
  5. Current(ish) Interesting Metrics
     • 1.4 billion swipes per day
     • 26 million matches per day
     • Over 9 billion matches made to date
     • Represented in 196 countries to date
  6. Startup Life
     • Scaling is one of the most challenging things to do.
     • With rapid scale come problems.
     • Forced to make choices/sacrifices.
     • Scaling amplifies good and bad.
  7. (image-only slide, no text)
  8. This is when things get hard.
     • How do I build for the future?
     • Automate
     • Start making decisions based on data
     • Inputs and outputs to drive the roadmap
  9. It Gets Worse When You Think About Security... (things to keep in mind, AKA things that will keep us all up at night)
     • Server compromise which could expose the org to ridicule/embarrassment
     • Server compromise that may expose private customer data
     • Angry employee who leaves malicious code or a logic bomb behind
     • Easily convinced employees who are socially engineered (conned) into giving away trade secrets or system access
     • Attacker who finds evidence to provide ammunition for blackmail
  10. Are you freaking out yet?

  11. Traditional SIEM
      • Incident detection, agent based
      • Reactive
      • Alert-centric, alert driven
      • Similar methodology to systems monitoring
      • Operational overhead
      • SOC overhead
  12. ELK to the rescue.

  13. ELK Security Analytics
      • Big data
      • Proactive
      • Context driven, full picture available
      • Alerting available, or can be created
      • Data analysis and engineering overhead
      • SOC will never go away
  14. Let's Build ELK!

  15. ELK Example Architecture

  16. A Different/New Way

  17. Or Something Simple!

  18. Metrics To Collect
      • All of them?
      • Some of them?
      • Most exposed surfaces?
      • Start there.
  19. Let's use Beats!

  20. FileBeat
      • An open source log shipper
      • The next generation of log forwarding
      • Easily push logs into ELK with a simple config
  21. filebeat:
        # List of prospectors to fetch data.
        prospectors:
          -
            paths:
              - /var/log/syslog
              - /var/log/auth.log
            document_type: syslog
            input_type: log
          -
            paths:
              - /var/log/nginx/access.log
            document_type: nginx_access
            input_type: log
          -
            paths:
              - /var/log/nginx/error.log
            document_type: nginx_error
            input_type: log
  22. TopBeat
      • Easily collect process and system data!
      • No more hacking ntop, collectl etc. to get information into ELK
      • Example config usage
  23. input:
        period: 10
        procs: [".*"]
        stats:
          system: true
          proc: true
          filesystem: true
  24. PacketBeat
      • Allows for the easy collection of network based traffic and other data.
      • Traffic collected by default includes mongo, redis, postgres, memcache etc.
      • Can use pcap, af_packet, and pf_ring
      • We stuck with pcap (for now)
  25. interfaces:
        device: any
      protocols:
        dns:
          ports: [53]
          include_authorities: true
          include_additionals: true
        http:
          ports: [80, 8080]
        pgsql:
          ports: [5432]
        redis:
          ports: [6379]
        mongodb:
          ports: [27017]
  26. 1. FileBeat  2. PacketBeat  3. TopBeat  4. ?????  5. Profit
  27. What can you achieve in a short period of time?
      • Instantly begin to see trends in data
      • Easily track authentication attempts
      • Easily visualize and report on web based scans or attacks
      • Easily understand trends in traffic at the packet level
      • Integrate with traditional HIDS/NIDS
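      The two "easy" wins on this slide, tracking authentication attempts and spotting web scans, are the kind of rule you would express in the alerting layer over the auth.log and nginx access log events that the Filebeat config on slide 21 ships. The following is an added example, not code from the talk or from Elastic: it runs that detection logic in plain Python over constructed sample log lines (the IPs, hostnames and paths are made up, the 2015 year for syslog timestamps and the thresholds are assumptions), so you can see exactly what a brute-force alert and a scan alert would need to carry before wiring the same logic into ELK.

```python
"""Detection over the log types shipped by the Filebeat config (auth.log, nginx access).
Sample lines are constructed for this example; thresholds are illustrative assumptions."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

LOG_YEAR = 2015  # syslog lines carry no year; assumed to be the talk's year

# Constructed auth.log sample: a short SSH password-guessing burst that ends in a success,
# plus one ordinary failed-then-successful login and an unrelated cron line.
AUTH_LOG = """\
Dec  1 10:00:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Dec  1 10:00:03 web1 sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Dec  1 10:00:05 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Dec  1 10:00:08 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51050 ssh2
Dec  1 10:00:11 web1 sshd[2209]: Failed password for deploy from 203.0.113.7 port 51062 ssh2
Dec  1 10:00:14 web1 sshd[2211]: Accepted password for deploy from 203.0.113.7 port 51070 ssh2
Dec  1 10:07:30 web1 sshd[2290]: Failed password for deploy from 198.51.100.4 port 40011 ssh2
Dec  1 10:07:45 web1 sshd[2292]: Accepted publickey for deploy from 198.51.100.4 port 40012 ssh2
Dec  1 10:09:00 web1 CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd(line):
    """Return {ts, result, user, ip} for an sshd auth line, None for anything else."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%b %d %H:%M:%S")
    return {"ts": ts.replace(year=LOG_YEAR), "result": m.group("result"),
            "user": m.group("user"), "ip": m.group("ip")}


def detect_ssh_bruteforce(lines, threshold=5, window_seconds=120):
    """Flag source IPs with >= threshold failed logins inside a sliding window, and note
    whether a login from that IP succeeded after the failures began (the case to page on)."""
    failed, accepted = defaultdict(list), defaultdict(list)
    for ev in filter(None, map(parse_sshd, lines)):
        (failed if ev["result"] == "Failed" else accepted)[ev["ip"]].append(ev)
    alerts = []
    for ip, evs in sorted(failed.items()):
        evs.sort(key=lambda e: e["ts"])
        peak, start = 0, 0
        for end, ev in enumerate(evs):  # two-pointer sliding window over sorted failures
            while (ev["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        first_fail = evs[0]["ts"]
        alerts.append({
            "ip": ip, "failures": peak,
            "users": sorted({e["user"] for e in evs}),
            "success_after_failures": any(a["ts"] > first_fail for a in accepted.get(ip, [])),
        })
    return alerts


# Constructed nginx combined-format sample: a Nikto-style probe, a normal client, one injection attempt.
NGINX_ACCESS = """\
203.0.113.9 - - [01/Dec/2015:10:05:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (compatible; Nikto/2.1.5)"
203.0.113.9 - - [01/Dec/2015:10:05:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Nikto/2.1.5)"
203.0.113.9 - - [01/Dec/2015:10:05:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Nikto/2.1.5)"
203.0.113.9 - - [01/Dec/2015:10:05:02 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Nikto/2.1.5)"
203.0.113.9 - - [01/Dec/2015:10:05:03 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Nikto/2.1.5)"
203.0.113.9 - - [01/Dec/2015:10:05:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Nikto/2.1.5)"
198.51.100.20 - - [01/Dec/2015:10:06:10 +0000] "GET /api/v1/profile HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X)"
198.51.100.20 - - [01/Dec/2015:10:06:12 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X)"
192.0.2.55 - - [01/Dec/2015:10:08:00 +0000] "GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

NGINX_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
SCANNER_UA_RE = re.compile(r"nikto|sqlmap|nmap|masscan|zgrab|dirbuster", re.I)
INJECTION_RE = re.compile(r"(\bor\b\s+\d+\s*=\s*\d+|union\s+select|\.\./|<script)", re.I)


def parse_nginx(line):
    m = NGINX_RE.match(line)
    return m.groupdict() if m else None


def detect_web_scans(lines, not_found_threshold=5):
    """Flag source IPs by 404 volume, known scanner user agents, or injection-looking paths.
    The path is URL-decoded first so encoded payloads are not missed."""
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "reasons": set()})
    for req in filter(None, map(parse_nginx, lines)):
        s = per_ip[req["ip"]]
        s["requests"] += 1
        if req["status"] == "404":
            s["not_found"] += 1
        if SCANNER_UA_RE.search(req["ua"]):
            s["reasons"].add("scanner_user_agent")
        if INJECTION_RE.search(unquote(req["path"])):
            s["reasons"].add("injection_pattern")
    alerts = []
    for ip, s in sorted(per_ip.items()):
        if s["not_found"] >= not_found_threshold:
            s["reasons"].add("many_404s")
        if s["reasons"]:
            alerts.append({**s, "ip": ip, "reasons": sorted(s["reasons"])})
    return alerts


if __name__ == "__main__":
    for a in detect_ssh_bruteforce(AUTH_LOG.splitlines()):
        print("SSH brute force:", a)
    for a in detect_web_scans(NGINX_ACCESS.splitlines()):
        print("Web scan:", a)
```

      Two design points carry over to an ELK alert: the brute-force rule keys on the source IP rather than the username, since the sample burst guesses four different accounts, and it records whether a login from that IP succeeded after the failures started, which is the event that should wake someone up rather than the failures themselves. The web rule decodes the request path before matching, because the injection attempt in the sample arrives percent-encoded and a match on the raw path would miss it.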
  28. What can you achieve in a long period of time?