LINE's Omnidirectional Cyber Security Efforts and Challenges

Transcript

1. None

2. 自己紹介 名前： 市原 尚久 所属： サイバーセキュリティ室 役職： 室長 業務： ・サイバーセキュリティ室

   チーム統括 ・LINEアカウントセキュリティ（App Sec） ・日本及び海外の不正対策の対応（Trust & Safety） ・インシデント対応（CSIRT） ・標準化活動 FIDO Board Member、FIDO Japan WG 副座長 ・イベントコーディネート 社内 Trust & Safety Meetup 社外 LINE x Intertrust Security Summit

3. Agenda › LINE’s Omnidirectional Cyber Security › Technology › Culture

   › People › Summary

4. LINE’s Omnidirectional Cyber Security LINE Service with Safety Enjoy with

   Trustworthy Users

5. LINE’s Omnidirectional Cyber Security LINE Service with Safety Enjoy with

   Trustworthy Users LINE Security Development Automation & Orchestration Research Security Branding Secure- by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication

6. LINE’s Omnidirectional Cyber Security LINE Service with Safety Enjoy with

   Trustworthy Users LINE Security Development Automation & Orchestration Research Security Branding Secure- by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication Technology Culture People

7. LINE’s Omnidirectional Cyber Security LINE Service with Safety Enjoy with

   Trustworthy Users LINE Security Development Automation & Orchestration Research Security Branding Secure- by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication Culture People Technology

8. LINE’s Omnidirectional Cyber Security LINE Service with Safety Enjoy with

   Trustworthy Users LINE Security Development Automation & Orchestration Research Security Branding Secure- by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication People Technology Culture

9. LINE’s Omnidirectional Cyber Security LINE Service with Safety Enjoy with

   Trustworthy Users LINE Security Development Automation & Orchestration Research Security Branding Secure- by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication Technology Culture People

10. LINE’s Omnidirectional Cyber Security LINE LINE Security Development Automation &

    Orchestration Research Security Branding Secure- by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication Technology Culture People Why “Omnidirectional”?

11. LINE’s Omnidirectional Cyber Security LINE LINE Security Development Automation &

    Orchestration Research Security Branding Secure- by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication Technology Culture People (1) Trends of Cyber Security Defend First Why “Omnidirectional”?

12. LINE’s Omnidirectional Cyber Security LINE LINE Security Development Automation &

    Orchestration Research Security Branding Secure- by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication Technology Culture People (1) Trends of Cyber Security Defend First ↓ Resilience Why “Omnidirectional”?

13. LINE’s Omnidirectional Cyber Security LINE LINE Security Development Automation &

    Orchestration Research Security Branding Secure- by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication Technology Culture People (1) Trends of Cyber Security (2) LINE’s standing point Resilience Defend First ↓ Responsibility Why “Omnidirectional”?

14. LINE Security Development Automation & Orchestration Research Security Branding Secure-

    by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication Technology Culture People Technology 〜 Pursue the value of technology, understand fragility, and eliminate threats 〜

15. E2EE / Key Management Technology (1) Security Development Anti-Abuse “Passwordless”

    Login (FIDO) LINE App Client-side Security (White Box Encryption, FIDO, ..)

16. from “LINE DEVELOPER DAY 2019” Anti-Abuse for LINE (2012~) Technology

    (1) Security Development

17. E2EE “Passwordless” Login (FIDO) LINE App Client-side Security (White Box

    Encryption, FIDO, ..) Technology (1) Security Development Anti-Abuse

18. E2EE (End-to-end Encryption) “Letter Sealing” (2015~) LINE Encryption White Paper:

    https://d.line-scdn.net/stf/linecorp/en/csr/line-encryption-whitepaper-ver2.0.pdf AES GCM-based Application Data Encryption ECDH-based Hand-shake Protocol Technology (1) Security Development

19. Technology (1) Security Development E2EE Anti-Abuse “Passwordless” Login (FIDO) LINE

    App Client-side Security (White Box Encryption, FIDO, ..)

20. Technology (1) Security Development

21. “Passwordles Login” iPad (2020 Nov.~) Mac (2021~) Windows (2021~) iOS

    Android Push Success Authentication Login 2ndary LINE App Primary LINE App Technology (1) Security Development

22. FIDO Registration FIDO Server LINE App FIDO Authentication Login Auth

    Server 2ndary LINE App Technology (1) Security Development

23. LINE FIDO2 Combo Architecture Uses Touch ID and Face ID

    as UV and leverages WBC (Whitebox cryptography) for attestation RP App (View) LINE FIDO2 Combo (FIDO2 Client, Authenticator Logic) LTSM (LINE Trusted Security Module) WAL (Whitebox Abstraction Layer) KAL (KeyChain Abstraction Layer) RP App (Activity) LINE FIDO2 Glue Layer (Abstraction) LINE Authenticator FIDO2 GMS Core Native Authenticator External Authenticator Single API entry point FIDO Play service API CTAP2 LTSM Abstraction layer supporting both Android native authenticator and LINE authenticator Technology (1) Security Development

24. DAY 1 13:30-14:10 “Cross-platform Mobile Security at LINE” DAY1 15:10-15:20

    “Secure LINE Login with biometric key replacing password Technology (1) Security Development E2EE Anti-Abuse “Passwordless” Login (FIDO) LINE App Client-side Security (White Box Encryption, FIDO, ..)

25. Plan Develop QA Release PIA Security Consulting Technology (2) Secure-By-Design

26. Risk Assessment Plan Develop QA Release Security Consulting Source Code

    Check Security Development Technology (2) Secure-By-Design

27. Self Patrol Inspection Identify Plan Develop QA Release Bug Bounty

    Program Vulnerability Filtering External Vulnerability DB Fix by Security Team External Engineers Bug Report Incident Handling / Response (if needed) Technology (3) Proactive Defending

28. DAY1 15:00-15:20 “Manage SSL certificates with secure, reliable system” DAY1

    16:10-16:50 “Security architecture design for Hybrid Multi-cloud” DAY1 16:50-17:20 “Host level security with HIDS agents on 20,000+ hosts” Public Cloud Security Private Cloud Security Network Security Defending, Monitoring, Privileged IDM / Cert&Key Mgt, .. Plan Develop QA Release Technology (3) Proactive Defending

29. Plan Develop QA Release PIA Risk Asssessment Security Consulting Source

    Code Check Security Development Self Patrol Inspection Identify Bug Bounty Program Vulnerability Filtering Fix by Security Team Incident Handling/Reponse (if needed) Consistent Ticket Management Security Test Automation DAY1 15:20-16:00 “Meta-learning for bug finding” SOAR (Security Orchestration, Automation and Response) Technology (4) Automation & Orchestration

30. LINE Security Development Automation & Orchestration Research Security Branding Secure-

    by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication Technology Culture People Culture ~ Something underlying for aiming for safety and trust ~

31. (case of LINE) Threat Detection / Risk Identification Investigation /

    Develop Decision Making Deploy to fix Threat Detection / Risk Identification Delegate to engineers Quick Decision Making as culture Deploy to fix General case of Risk handling / Incident Response Investigation / Develop Culture (5) Quick & Safe

32. Investigation Prep. “Should We reset these PW?” à Determined instantly

    Reset Done Sep. 9th 10th 11th 12th Found! Culture (5) Quick & Safe

33. Quick Decision making for Safety Feb. 14th,2020 Start of introducing

    Remote-Work for all LINE employees Feb. 26th,2020 Launching Zero-Trust for VPN support desk 社内のダッシュボードの図です Culture (5) Quick & Safe

34. Culture (6) External Communication

35. https://www.cyber-bousai.jp/ Culture (6) External Communication

36. https://linecorp.com/en/security/transparency/ Culture (7) Openness

37. Culture (8) Security Branding

38. LINEの写真班が撮った写真です Culture (8) Security Branding

39. LINE Security Development Automation & Orchestration Research Security Branding Secure-

    by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication Technology Culture People People ~ Toward an organization where engineers who challenge and grow gather ~

40. Security Education for all security engineers & all software engineers

    in LINE group companies People (9) Security Skill Development

41. People (9) Security Skill Development

42. Infra Security Hands-on Training People (9) Security Skill Development

43. People (10) Research

44. People • +POH)P 4IJO
    
    l$SPTTEPNBJO
    NFUBMFBSOJOH
    GPS
    CVH
    GJOEJOH
    JO
    UIF
    TPVSDF
    DPEFT
    XJUI
    B
    TNBMM
    EBUBTFUz
    &*$$
     • +PZ
    )P
    7JD
    )VBOH
    l1SJWBDZ
    QSPUFDUJPO
    BOE
    %BUB
    CSFBDI
    JODJEFOU
    SFTQPOTF
    SFHVMBUJPO
    JO
    &BTU
    "TJB
    BOE
    

    &VSPQF
    $0%&
    #-6&
    
    5PLZP
    
    • )FVOH4PP ,BOH
    l%JTDSFUJPO
    JO
    "15
    SFDFOU
    "15
    BUUBDL
    PO
    DSZQUP
    FYDIBOHF
    FNQMPZFFTz
    7JSVT
    #VMMFUJO
     &OHMBOE • )FVOH4PP ,BOH
    l3FDFOU
    "15
    BUUBDL
    PO
    DSZQUP
    FYDIBOHF
    FNQMPZFFTz
    $0%&#-6&
    
    
    5PLZP
    
    
    $ZCFSXFFL  "SBC
    &NJSBUFT • 4BOHIXBO "IO
    l,FZ
    SFDPWFSZ
    BUUBDLT
    BHBJOTU
    DPNNFSDJBM
    XIJUFCPY
    DSZQUPHSBQIZ
    JNQMFNFOUBUJPOTz
    -*/&
    $PSQPSBUJPO
    $0%&
    #-6&
    
    5PLZP
    
    (10) Research

45. Summary LINE Service with Safety Enjoy with Trustworthy Users LINE

    Security Development Automation & Orchestration Research Security Branding Secure- by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication Technology Culture People

46. Summary LINE LINE Security Development Automation & Orchestration Research Secure-

    by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication Security Branding Omnidirectional Cyber Security › Challenges in our omnidirectional cyber security are; › Catching up our Business speed › Following State-of-the-art › Being Transparent › Improving our team for Security engineers › Keeping on such Challenge would enable us , › not only to provide Safety in services, › but also obtain Trustworthy from users. Technology Culture People

47. Thank you