Upgrade to Pro — share decks privately, control downloads, hide ads and more …

User Focused Security at Netflix: Stethoscope

Jesse Kriss
January 14, 2017
Technology
2
24k

User Focused Security at Netflix: Stethoscope

Presented by Andrew White and Jesse Kriss at ShmooCon 2017.
Netflix Tech Blog post: http://techblog.netflix.com/2017/02/introducing-netflix-stethoscope.html

GitHub repo: https://github.com/Netflix/Stethoscope

User Focused Security is an approach we are using to address employee information security at Netflix. If we provide employees with the right information and low-friction tools, we believe they can get their devices into a more secure state without heavy-handed policy enforcement.

Letting people retain control over their devices means that they can maintain flexibility and productivity and address security recommendations as appropriate to their levels of access. This approach will only be successful, though, if we can provide clear and specific action, and make it easy to do the right thing.

Stethoscope is a web-based tool that gives Netflix employees a view into the security state of their devices, with specific recommendations regarding disk encryption, firewalls, and other device settings. The website, in conjunction with email alerts, gives Netflix employees a straightforward way to see what actions they should take to remain safe.

Andrew White and Jesse Kriss are both members of the Information Security team at Netflix, where they work on designing and building software tools that help people make good decisions around corporate security.

Andrew holds a PhD in Computer Science from the University of North Carolina at Chapel Hill and a B.S. in Computer Science and B.A. in Mathematics from the University of Richmond.

Jesse (@jkriss) holds a Master’s in Human-Computer Interaction from Carnegie Mellon University and B.A. in Music from Carleton College. Prior to Netflix, he worked at NASA/JPL, Obama 2012, Figure 53, and IBM Research.

Jesse Kriss

January 14, 2017
Tweet

More Decks by Jesse Kriss

See All by Jesse Kriss
Successes and Failures of Visualization on the Obama Campaign
jkriss
1
220

Other Decks in Technology

See All in Technology
PHPカンファレンス小田原2024
ysknsid25
3
660
DevOpsDays History and my DevOps story
kawaguti
PRO
8
1.6k
Hands-on / Kaname Frusawa / Cloud Compare Users Meetup 2024 at University of Tokyo on April 17
paraworld
2
470
社内勉強会運営のコツ
senoo
6
1.1k
Databricks:『生成AI World Cup』のご案内
databricksjapan
2
150
長期間TiDBを使ってきた話 @ 私たちはなぜNewSQLを使うのかTiDB選定5社が語る選定理由と活用LT / Experiences with TiDB Over Time
chibiegg
2
710
Vertex AI を中心に 生成AIのアップデートを共有します
kaz1437
0
140
インシデントレスポンスのライフサイクルを廻すポイントってなに / Pinpoints of Incidentresponse Lifecycle for Operation
sakaitakeshi
1
300
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
14
35k
小さな開発会社がWebサービスを作る理由
polidog
PRO
1
160
ここが嬉しいABAC ここが辛いよABAC #再解説+補足編
masahirokawahara
0
220
Janus
bkuhlmann
1
490

Featured

See All Featured
Atom: Resistance is Futile
akmur
258
25k
4 Signs Your Business is Dying
shpigford
175
21k
Ruby is Unlike a Banana
tanoku
96
10k
Creatively Recalculating Your Daily Design Routine
revolveconf
209
11k
Producing Creativity
orderedlist
PRO
336
39k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
29
6k
Stop Working from a Prison Cell
hatefulcrawdad
266
19k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
356
22k
Web development in the modern age
philhawksworth
202
10k
Unsuck your backbone
ammeep
662
57k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
60
14k
Building Your Own Lightsaber
phodgson
98
5.7k

Transcript

  1. User Focused Security at Netflix: Stethoscope SHMOOCON 2017 JAN 14

  2. • PhD from UNC in Fall 2015 • Researched side

    channels in encrypted network traffic • Software engineer at Netflix Andrew White

  3. • Masters in HCI from Carnegie Mellon • User experience

    • Web development • Information visualization • Formerly: IBM Research, Figure 53, Obama 2012, NASA/JPL Jesse Kriss
  4. None
  5. None

  6. ...but no security background.

  7. OPEN SOURCE USER-FOCUSED SECURITY Stethoscope

  8. None

  9. Infosec at Netflix

  10. Keep Netflix employees and information safe Thousands of employees. Even

    more devices. Lots of people with access. Worldwide offices.

  11. BYOD 3,000 users 8,000 devices

  12. All cloud everything Streaming infrastructure is 100% cloud > 100,000

    EC2 instances > 700 internal cloud applications
  13. None

  14. Responsible people thrive on freedom, and are worthy of freedom.”

  15. Bad processes creep in. We try to get rid of

    rules when we can, to reinforce the point.” “

  16. Screenshot by Chris Gansen

  17. Values are embedded in and communicated by systems, tools, and

    procedures, not just people.

  18. Only at Netflix?

  19. 1. Education, not just automatic enforcement

  20. Photo by #WOCinTech Chat

  21. None

  22. Work with your colleagues, not against them. 2.

  23. None

  24. The timing seems right for a renewal of interest in

    synthesizing usability and security.” Mary Ellen Zurko “ , 1996

  25. BY HUMANS FOR HUMANS User Focused Security

  26. OPEN SOURCE USER-FOCUSED SECURITY Stethoscope

  27. • Education • Self service • Personalized • One place

    to go • Actionable • Complete the feedback loop The approach.

  28. • Forced updates • Company-wide emails • Information overload •

    “This probably doesn’t apply to me...” And avoiding...
  29. None
  30. None
  31. None
  32. None
  33. None
  34. None
  35. None
  36. None

  37. • Stickers! How do we get people to see it?

  38. None

  39. • Stickers! • New employee “training” • Targeted email campaigns

    How do we get people to see it?

  40. One place to go What about other security alerts?

  41. None
  42. None

  43. HOW THE THING IS BUILT Technical architecture

  44. • Back-end ◦ Python using Twisted + Klein ◦ Plugin

    architecture • Front-end: React • Nginx ◦ Serves static files ◦ Proxies requests to API server • No persistence layer required Technology stack

  45. • Windows: LANDESK • Mac: JAMF • Linux: OSquery (coming

    soon) • Mobile: Google MDM Device data sources

  46. • Authentication logs (BYOD) ◦ Wireless ◦ VPN • bitFit

    (owned devices) Ownership attribution

  47. Device data retrieval

  48. Security practices • Disk encryption • Firewall • Automatic updates

    • Up-to-date OS/software • Screen lock • Not jailbroken/rooted • Security software stack (e.g., Carbon Black)

  49. Status determination

  50. • Events ◦ Google, Duo auth logs ◦ Import from

    Elasticsearch ◦ Augment with, e.g., geolocation data • Accounts: Google • Alerts/feedback: Elasticsearch/REST Other information

  51. • Logging ◦ Accesses: to Elasticsearch ◦ Errors: to Atlas

    • Auth: OpenID Connect • Batch: to Elasticsearch/REST Utilities

  52. SHARING IS CARING Open-source

  53. • Giving back to the community • Knowledge sharing •

    Collaboration Why open-source?

  54. • Front-end source ◦ React-scripts for simple setup, builds, test,

    etc. ◦ Static resources • Back-end source ◦ Plugins previously mentioned ◦ Tests, example configuration, etc. • Nginx configuration • Docker development configuration What’s included

  55. • Primary device data source • [Ownership attribution] • Authentication

    provider What do you need?

  56. THE BIG PICTURE Aggregated data

  57. • Visualization at manager, organization level • Identifies groups for

    targeted efforts Individuals to organizations

  58. • Nightly batch retrieval allows tracking trends over time •

    Identifies practices which need particular attention Are we making progress?

  59. LESSONS SO FAR What we’ve learned

  60. • Inventory needs to be up-to-date and accurate • Data

    sources can have different representations for identifiers • Don’t always get a unique identifier for a device Data quality

  61. • Different users need/want different levels of context • “Make

    it turn green” works well for many people Context

  62. • Additional notification channels • Continuing user research (interviews, surveys)

    • Measure long-term effectiveness Future work

  63. • Open sourcing very soon • We are hiring! Want

    to help us?

  64. COME SAY HI GET IN TOUCH Thank you! netflix.github.io techblog.netflix.com

    @NetflixOSS Andrew White [email protected] Jesse Kriss [email protected] Brooks Evans [email protected]