How LINE Does Enterprise Security

by Beist @LINE TECHPULSE 2019 https://techpulse.line.me/

line_developers_tw

December 04, 2019

Transcript

  2. How LINE does enterprise security
    > SeungJin Lee / GrayLab Lead
  3. Agenda
    > Why enterprise security is hard
    > How LINE security team does
      • Hands-on
      • Community activities
  4. About Me @beist
    Previous Hacker Career
    > Speaking at popular information security conferences including BLACKHAT USA
    > Conference review board member (BLACKHAT, CODEBLUE)
    > First Asian who passed the Defcon CTF qual
    Lead of GrayLab Security Team at LINE
    > Code review, penetration testing, security consulting
    > Community activities
    > Worked since 2000 (Penetration testing company)
    > Researcher at Korea Army
    > Founder of information security company called GRAYHASH in Korea
  5. Why Enterprise Security Is Hard
    > You have too many attack things to protect at big firms
      • Not only servers, laptops, mobiles
      • But also, the big number of employees
      • 3rd parties (products, services, even contractors)
      • Big infrastructure
  6. Why Enterprise Security Is Hard
    > Development side
      • - I can’t code on a laptop not connected to the internet
      • However, not everyone knows how to protect oneself
      • - I want to surf the internet on my laptop
      • And people easily go to malicious websites without notice
      • Developers usually have sensitive information
      • Also, hacking engineers is much easier than hacking servers
  7. Why Enterprise Security Is Hard
    > Infrastructure side
      • - I want to access the wiki, mail, git server at home
      • - I also need access to the live SSH server so that I can work at home
      • .. And, once any single employee gets hacked, huge risks come
      • VPN, 2FA don’t perfectly save your computers
  8. Why Enterprise Security Is Hard
    > Other problems
      • Spaghetti business services: Complexity could go too far
      • Vulnerable 3rd party products:
      • What if your company VPN is vulnerable
      • Think about Orange’s finding
  9. Why Security Matters
    > Security is not only part of Internet but also real life
    > People spend their time on our services - Life with LINE
    > What challenges we’ve faced
  10. Service Release Process (diagram labels: Release, Implementation, Requirements, Verification, Design, Training)

  16. Security Education Platform
    > We internally develop a Security Education Platform for employees
      • For both non-engineers and engineers
    > For non-engineers
      • Security 101, APT attack recognition, “Protect yourself”
    > For engineers
      • Secure code, cryptography, “How to make secure code”
  17. Security Education Platform

  19. Security Education Platform
    > Wargame
      • Not only lesson
      • Hands-on style hacking
      • Developers can understand much better by solving hacking challenges
  20. Risk Management
    > When a new service is planned, all related teams are in the same room
      • Assign role and responsibility
      • Discuss attack surface and risk management
    > Security and privacy risk management
      • Privacy by design
  21. During Implementation
    > Security team checks
      • White-box testing (To find insecure code by static analysis)
      • Tools and libraries (If insecure ones or old versions are used)
    > Strict dev environment: isolation for alpha, beta, release
      • Important for not having real data in dev mode and for future security test
    > Challenges: dependency issues, often vulnerable functions used
  22. Verification
    > Manual code auditing, fuzz testing
      • Injection, Broken Authentication, XXE, Insecure Deserialization, and so on
    > Services can’t be released until the security team approves
      • All major issues have to be fixed before release
      • They can’t even have public IP addresses
    > Spending most of the time on communicating with the dev teams
  23. After Release
    > Always-on fuzz testing
      • Not common, but not informed update
      • Testing all of the APIs and comparing to previous results
    > Incident response plan executed
      • LINE has dedicated teams for data breaches, abuses, any incident
      • Always connected with the development team
  24. Machine Learning
    Machine Learning for Information Security Is Not Easy

  25. Machine Learning
    > Machine Learning for defense
      • Account hijacking attack detection
      • Anti spam filter
      • Malicious network connection detection
  26. Machine Learning

  27. Machine Learning Total Suspicious Filter for Suspicious Logs

  28. Machine Learning
    > ML for offense (Very early stage at LINE, yet)
      • To find vulnerabilities in our code
    > Collecting LINE code for modeling
      • Luckily, Java is most used at work
      • Also, there are many services, meaning much code is generated every day
  29. Machine Learning
    > At the current stage, ML has fundamental problems when used for defense
      • Could work well on specific data sets but not others
      • Not robust even when only detecting - false positive
    > But the LINE security team tries to put ML everywhere as much as possible
      • For both defense and offense
      • Because it can save our time and we have limited resources
    > To have an actual helpful ML system: Tuning your code every day
    Lessons learned
  30. Tooling
    > In-house tooling is what we spend much time on
      • Blackbox web security bug scanners (XSS, SQLi)
      • API fuzzing test
      • Monitoring suspicious behaviors
      • 3rd party cloud service monitoring (Check if sensitive assets uploaded)
      • Copyright checker
    > Continuously running it at scale
  31. BECKS
    > We value the information security community
      • Thus, we run local security meetups in Taiwan, Japan, and Korea
      • Once every two months
    > Connecting people and sharing knowledge
      • Students, developers, security engineers, non-engineers
      • Also, good chance to meet talented engineers (Hiring?)
    > Website: https://becks.io
  32. BECKS (photo captions: BECKS in Taiwan, BECKS in Japan, Talks and Free Beer and Snacks)
  33. Bug Bounty Program
    > LINE has run a public bug bounty program since 2015
      • To collaborate with 3rd party hackers to make the company secure
    > We have a security team, but it’s important to have a different point of view
      • We’ve rewarded hackers for security issues, more than 200 bugs
    > More bounty programs on the way
      • Hint: threat bounty
    > Website: https://hackerone.com/line
  34. Note
    > Enterprise security is a challenge for every company
      • Limited resources, but many services and fast development
      • Everything is super connected for some reason, which brings risks
      • Even cutting-edge can’t solve most of the problems that we’re facing
    > Our job is not to find problems, but to fix them in an efficient way
      • We think the most important thing is to know how to work with other teams
      • Thus, good communication is a mandatory required skill at LINE
    > Keywords to win: Good process, tooling, tuning and communication
  35. QnA
    > https://twitter.com/beist
    > s.j.lee@linecorp.com

  36. Thank You