How LINE Does Enterprise Security

by Beist @LINE TECHPULSE 2019 https://techpulse.line.me/

LINE Developers Taiwan

December 04, 2019

Transcript

  1. Agenda > Why enterprise security is hard > How LINE security team does • Hands-on • Community activities
  2. About Me @beist Previous Hacker Career > Speaking at popular information security conferences including BLACKHAT USA > Conference review board member (BLACKHAT, CODEBLUE) > First Asian who passed the Defcon CTF qual Lead of GrayLab Security Team at LINE > Code review, penetration testing, security consulting > Community activities > Worked since 2000 (Penetration testing company) > Researcher at Korea Army > Founder of information security company called GRAYHASH in Korea
  3. Why Enterprise Security Is Hard > You have too many attack things to protect at big firms • Not only servers, laptops, mobiles • But also, the big number of employees • 3rd parties (products, services, even contractors) • Big infrastructure
  4. Why Enterprise Security Is Hard > Development side • - I can’t code on a laptop not connected to the internet • However, not everyone knows how to protect oneself • - I want to surf the internet on my laptop • And people easily go to malicious websites without notice • Developers usually have sensitive information • Also, hacking engineers is much easier than hacking servers
  5. Why Enterprise Security Is Hard > Infrastructure side • - I want to access the wiki, mail, git server at home • - I also need access to the live SSH server so that I can work at home • .. And, once any single employee gets hacked, huge risks come • VPN, 2FA don’t perfectly save your computers
  6. Why Enterprise Security Is Hard > Other problems • Spaghetti business services: Complexity could go too far • Vulnerable 3rd party products: • What if your company VPN is vulnerable • Think about Orange’s finding
  7. Why Security Matters > Security is not only part of Internet but also real life > People spend their time on our services - Life with LINE > What challenges we’ve faced
  8. Security Education Platform > We internally develop a Security Education Platform for employees • For both non-engineers and engineers > For non-engineers • Security 101, APT attack recognition, “Protect yourself” > For engineers • Secure code, cryptography, “How to make secure code”
  9. Security Education Platform > Wargame • Not only lesson • Hands-on style hacking • Developers can understand much better by solving hacking challenges
  10. Risk Management > When new service is planned, all related teams are in the same room • Assign role and responsibility • Discuss attack surface and risk management > Security and privacy risk management • Privacy by design
  11. During Implementation > Security team checks • White-box testing (To find insecure code by static analysis) • Tools and libraries (If insecure ones or old version used) > Strict dev environment: isolation for alpha, beta, release • Important for not having real data in dev mode and for future security test > Challenges: dependency issues, often vulnerable functions used
  12. Verification > Manual code auditing, Fuzz testing • Injection, Broken Authentication, XXE, Insecure Deserialization, and so on > Services can’t be released until the security team approves • All major issues have to be fixed before release • They can’t even have public IP addresses > Spending most of time on communicating with the dev-teams
  13. After Release > Always-on fuzz testing • Not common, but not informed update • Testing all of API and comparing to previous results > Incident response plan executed • LINE has dedicated teams for data breaches, abuses, any incident • Always connected with the development team
  14. Machine Learning > Machine Learning for defense • Account hijacking attack detection • Anti spam filter • Malicious network connection detection
  15. Machine Learning > ML for offense (Very early stage at LINE, yet) • To find vulnerabilities in our code > Collecting LINE code for modeling • Luckily, Java is the most used at work • Also, there are many services, meaning much code generated every day
  16. Machine Learning > At current stage, ML has fundamental problems when used for defense • Could work well on specific data sets but not others • Not robust even when only detecting - false positive > But, LINE security team tries to put ML everywhere as much as possible • For both defense and offense • Because it can save our time and we have limited resource > To have an actual helpful ML system: Tuning your code every day Lessons learned
  17. Tooling > In-house tooling is what we spend much time on • Blackbox web security bug scanners (XSS, SQLi) • API fuzzing test • Monitoring suspicious behaviors • 3rd party cloud service monitoring (Check if sensitive assets uploaded) • Copyright checker > Continuously running it at scale
  18. BECKS > We value information security community • Thus, we run local security meetups in Taiwan, Japan, and Korea • Once every two months > Connecting people and sharing knowledge • Students, developers, security engineers, non-engineers • Also, good chance to meet talented engineers (Hiring?) > Website: https://becks.io
  19. Bug Bounty Program > LINE has run public bug bounty program since 2015 • To collaborate with 3rd party hackers to make the company secure > We have security team but it’s important to have different point of view • We’ve rewarded hackers for security issues, more than 200 bugs > More bounty programs on the way • Hint: threat bounty > Website: https://hackerone.com/line
  20. Note > Enterprise security is a challenge for every company • Limited resource, but many services and fast development • Everything is super connected for some reason, which brings risks • Even cutting-edge can’t solve most of problems that we’re facing > Our job is not to find problems, but to fix them in an efficient way • We think most important thing is to know how to work with other teams • Thus, good communication is a mandatory required skill at LINE > Keywords to win: Good process, tooling, tuning and communication