Upgrade to Pro — share decks privately, control downloads, hide ads and more …

LINE's Omnidirectional Cyber Security Efforts and Challenges

LINE's Omnidirectional Cyber Security Efforts and Challenges

Eebedc2ee7ff95ffb9d9102c6d4a065c?s=128

LINE DevDay 2020

November 25, 2020
Tweet

Transcript

  1. None
  2. 自己紹介 名前: 市原 尚久 所属: サイバーセキュリティ室 役職: 室長 業務: ・サイバーセキュリティ室

    チーム統括 ・LINEアカウントセキュリティ(App Sec) ・日本及び海外の不正対策の対応(Trust & Safety) ・インシデント対応(CSIRT) ・標準化活動 FIDO Board Member、FIDO Japan WG 副座長 ・イベントコーディネート 社内 Trust & Safety Meetup 社外 LINE x Intertrust Security Summit
  3. Agenda › LINE’s Omnidirectional Cyber Security › Technology › Culture

    › People › Summary
  4. LINE’s Omnidirectional Cyber Security LINE Service with Safety Enjoy with

    Trustworthy Users
  5. LINE’s Omnidirectional Cyber Security LINE Service with Safety Enjoy with

    Trustworthy Users LINE Security Development Automation & Orchestration Research Security Branding Secure- by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication
  6. LINE’s Omnidirectional Cyber Security LINE Service with Safety Enjoy with

    Trustworthy Users LINE Security Development Automation & Orchestration Research Security Branding Secure- by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication Technology Culture People
  7. LINE’s Omnidirectional Cyber Security LINE Service with Safety Enjoy with

    Trustworthy Users LINE Security Development Automation & Orchestration Research Security Branding Secure- by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication Culture People Technology
  8. LINE’s Omnidirectional Cyber Security LINE Service with Safety Enjoy with

    Trustworthy Users LINE Security Development Automation & Orchestration Research Security Branding Secure- by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication People Technology Culture
  9. LINE’s Omnidirectional Cyber Security LINE Service with Safety Enjoy with

    Trustworthy Users LINE Security Development Automation & Orchestration Research Security Branding Secure- by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication Technology Culture People
  10. LINE’s Omnidirectional Cyber Security LINE LINE Security Development Automation &

    Orchestration Research Security Branding Secure- by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication Technology Culture People Why “Omnidirectional”?
  11. LINE’s Omnidirectional Cyber Security LINE LINE Security Development Automation &

    Orchestration Research Security Branding Secure- by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication Technology Culture People (1) Trends of Cyber Security Defend First Why “Omnidirectional”?
  12. LINE’s Omnidirectional Cyber Security LINE LINE Security Development Automation &

    Orchestration Research Security Branding Secure- by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication Technology Culture People (1) Trends of Cyber Security Defend First ↓ Resilience Why “Omnidirectional”?
  13. LINE’s Omnidirectional Cyber Security LINE LINE Security Development Automation &

    Orchestration Research Security Branding Secure- by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication Technology Culture People (1) Trends of Cyber Security (2) LINE’s standing point Resilience Defend First ↓ Responsibility Why “Omnidirectional”?
  14. LINE Security Development Automation & Orchestration Research Security Branding Secure-

    by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication Technology Culture People Technology 〜 Pursue the value of technology, understand fragility, and eliminate threats 〜
  15. E2EE / Key Management Technology (1) Security Development Anti-Abuse “Passwordless”

    Login (FIDO) LINE App Client-side Security (White Box Encryption, FIDO, ..)
  16. from “LINE DEVELOPER DAY 2019” Anti-Abuse for LINE (2012~) Technology

    (1) Security Development
  17. E2EE “Passwordless” Login (FIDO) LINE App Client-side Security (White Box

    Encryption, FIDO, ..) Technology (1) Security Development Anti-Abuse
  18. E2EE (End-to-end Encryption) “Letter Sealing” (2015~) LINE Encryption White Paper:

    https://d.line-scdn.net/stf/linecorp/en/csr/line-encryption-whitepaper-ver2.0.pdf AES GCM-based Application Data Encryption ECDH-based Hand-shake Protocol Technology (1) Security Development
  19. Technology (1) Security Development E2EE Anti-Abuse “Passwordless” Login (FIDO) LINE

    App Client-side Security (White Box Encryption, FIDO, ..)
  20. Technology (1) Security Development

  21. “Passwordles Login” iPad (2020 Nov.~) Mac (2021~) Windows (2021~) iOS

    Android Push Success Authentication Login 2ndary LINE App Primary LINE App Technology (1) Security Development
  22. FIDO Registration FIDO Server LINE App FIDO Authentication Login Auth

    Server 2ndary LINE App Technology (1) Security Development
  23. LINE FIDO2 Combo Architecture Uses Touch ID and Face ID

    as UV and leverages WBC (Whitebox cryptography) for attestation RP App (View) LINE FIDO2 Combo (FIDO2 Client, Authenticator Logic) LTSM (LINE Trusted Security Module) WAL (Whitebox Abstraction Layer) KAL (KeyChain Abstraction Layer) RP App (Activity) LINE FIDO2 Glue Layer (Abstraction) LINE Authenticator FIDO2 GMS Core Native Authenticator External Authenticator Single API entry point FIDO Play service API CTAP2 LTSM Abstraction layer supporting both Android native authenticator and LINE authenticator Technology (1) Security Development
  24. DAY 1 13:30-14:10 “Cross-platform Mobile Security at LINE” DAY1 15:10-15:20

    “Secure LINE Login with biometric key replacing password Technology (1) Security Development E2EE Anti-Abuse “Passwordless” Login (FIDO) LINE App Client-side Security (White Box Encryption, FIDO, ..)
  25. Plan Develop QA Release PIA Security Consulting Technology (2) Secure-By-Design

  26. Risk Assessment Plan Develop QA Release Security Consulting Source Code

    Check Security Development Technology (2) Secure-By-Design
  27. Self Patrol Inspection Identify Plan Develop QA Release Bug Bounty

    Program Vulnerability Filtering External Vulnerability DB Fix by Security Team External Engineers Bug Report Incident Handling / Response (if needed) Technology (3) Proactive Defending
  28. DAY1 15:00-15:20 “Manage SSL certificates with secure, reliable system” DAY1

    16:10-16:50 “Security architecture design for Hybrid Multi-cloud” DAY1 16:50-17:20 “Host level security with HIDS agents on 20,000+ hosts” Public Cloud Security Private Cloud Security Network Security Defending, Monitoring, Privileged IDM / Cert&Key Mgt, .. Plan Develop QA Release Technology (3) Proactive Defending
  29. Plan Develop QA Release PIA Risk Asssessment Security Consulting Source

    Code Check Security Development Self Patrol Inspection Identify Bug Bounty Program Vulnerability Filtering Fix by Security Team Incident Handling/Reponse (if needed) Consistent Ticket Management Security Test Automation DAY1 15:20-16:00 “Meta-learning for bug finding” SOAR (Security Orchestration, Automation and Response) Technology (4) Automation & Orchestration
  30. LINE Security Development Automation & Orchestration Research Security Branding Secure-

    by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication Technology Culture People Culture ~ Something underlying for aiming for safety and trust ~
  31. (case of LINE) Threat Detection / Risk Identification Investigation /

    Develop Decision Making Deploy to fix Threat Detection / Risk Identification Delegate to engineers Quick Decision Making as culture Deploy to fix General case of Risk handling / Incident Response Investigation / Develop Culture (5) Quick & Safe
  32. Investigation Prep. “Should We reset these PW?” à Determined instantly

    Reset Done Sep. 9th 10th 11th 12th Found! Culture (5) Quick & Safe
  33. Quick Decision making for Safety Feb. 14th,2020 Start of introducing

    Remote-Work for all LINE employees Feb. 26th,2020 Launching Zero-Trust for VPN support desk 社内のダッシュボードの図です Culture (5) Quick & Safe
  34. Culture (6) External Communication

  35. https://www.cyber-bousai.jp/ Culture (6) External Communication

  36. https://linecorp.com/en/security/transparency/ Culture (7) Openness

  37. Culture (8) Security Branding

  38. LINEの写真班が撮った写真です Culture (8) Security Branding

  39. LINE Security Development Automation & Orchestration Research Security Branding Secure-

    by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication Technology Culture People People ~ Toward an organization where engineers who challenge and grow gather ~
  40. Security Education for all security engineers & all software engineers

    in LINE group companies People (9) Security Skill Development
  41. People (9) Security Skill Development

  42. Infra Security Hands-on Training People (9) Security Skill Development

  43. People (10) Research

  44. People • +POH)P 4IJO l$SPTTEPNBJONFUBMFBSOJOHGPSCVHGJOEJOHJOUIFTPVSDFDPEFTXJUIBTNBMM EBUBTFUz &*$$ • +PZ)P 7JD)VBOHl1SJWBDZQSPUFDUJPOBOE%BUBCSFBDIJODJEFOUSFTQPOTFSFHVMBUJPOJO&BTU"TJBBOE

    &VSPQF $0%&#-6& 5PLZP  • )FVOH4PP ,BOH l%JTDSFUJPOJO"15SFDFOU"15BUUBDLPODSZQUPFYDIBOHFFNQMPZFFTz  7JSVT#VMMFUJO &OHMBOE • )FVOH4PP ,BOH l3FDFOU"15BUUBDLPODSZQUPFYDIBOHFFNQMPZFFTz $0%&#-6& 5PLZP  $ZCFSXFFL  "SBC&NJSBUFT • 4BOHIXBO "IO l,FZSFDPWFSZBUUBDLTBHBJOTUDPNNFSDJBMXIJUFCPYDSZQUPHSBQIZJNQMFNFOUBUJPOTz  -*/&$PSQPSBUJPO $0%&#-6& 5PLZP  (10) Research
  45. Summary LINE Service with Safety Enjoy with Trustworthy Users LINE

    Security Development Automation & Orchestration Research Security Branding Secure- by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication Technology Culture People
  46. Summary LINE LINE Security Development Automation & Orchestration Research Secure-

    by-Design Proactive Defending Quick & Safe Openness Security Skill Development External Communication Security Branding Omnidirectional Cyber Security › Challenges in our omnidirectional cyber security are; › Catching up our Business speed › Following State-of-the-art › Being Transparent › Improving our team for Security engineers › Keeping on such Challenge would enable us , › not only to provide Safety in services, › but also obtain Trustworthy from users. Technology Culture People
  47. Thank you