Slide 2

How LINE does enterprise security
> SeungJin Lee / GrayLab Lead

Slide 3

Agenda
> Why enterprise security is hard
> How LINE security team does
  • Hands-on
  • Community activities

Slide 4

About Me
@beist
Previous Hacker Career
> Speaking at popular information security conferences including BLACKHAT USA
> Conference review board member (BLACKHAT, CODEBLUE)
> First Asian who passed the Defcon CTF qual
Lead of GrayLab Security Team at LINE
> Code review, penetration testing, security consulting
> Community activities
> Worked since 2000 (Penetration testing company)
> Researcher at Korea Army
> Founder of information security company called GRAYHASH in Korea

Slide 5

Why Enterprise Security Is Hard
> You have too many attack targets to protect at big firms
  • Not only servers, laptops, mobiles
  • But also the large number of employees
  • 3rd parties (products, services, even contractors)
  • Big infrastructure

Slide 6

Why Enterprise Security Is Hard
> Development side
  • - I can’t code on a laptop not connected to the internet
  • However, not everyone knows how to protect oneself
  • - I want to surf the internet on my laptop
  • And people easily go to malicious websites without notice
  • Developers usually have sensitive information
  • Also, hacking engineers is much easier than hacking servers

Slide 7

Why Enterprise Security Is Hard
> Infrastructure side
  • - I want to access the wiki, mail, git server at home
  • - I also need access to the live SSH server so that I can work at home
  • .. And, once any single employee gets hacked, huge risks come
  • VPN, 2FA don’t perfectly save your computers

Slide 8

Why Enterprise Security Is Hard
> Other problems
  • Spaghetti business services: Complexity could go too far
  • Vulnerable 3rd party products:
  • What if your company VPN is vulnerable
  • Think about Orange’s finding

Slide 9

Why Security Matters
> Security is not only part of Internet but also real life
> People spend their time on our services - Life with LINE
> What challenges we’ve faced

Slide 10

Service Release Process
[Diagram. Stage labels as extracted: Release, Implementation, Requirements, Verification, Design, Training]

Slide 16

Security Education Platform
> We internally develop a Security Education Platform for employees
  • For both non-engineers and engineers
> For non-engineers
  • Security 101, APT attack recognition, “Protect yourself”
> For engineers
  • Secure code, cryptography, “How to make secure code”

Slide 19

Security Education Platform
> Wargame
  • Not only lesson
  • Hands-on style hacking
  • Developers can understand much better by solving hacking challenges

Slide 20

Risk Management
> When a new service is planned, all related teams are in the same room
  • Assign roles and responsibilities
  • Discuss attack surface and risk management
> Security and privacy risk management
  • Privacy by design

Slide 21

During Implementation
> Security team checks
  • White-box testing (to find insecure code by static analysis)
  • Tools and libraries (if insecure ones or old versions are used)
> Strict dev environment: isolation for alpha, beta, release
  • Important for not having real data in dev mode and for future security tests
> Challenges: dependency issues, vulnerable functions often used

Slide 22

Verification
> Manual code auditing, fuzz testing
  • Injection, Broken Authentication, XXE, Insecure Deserialization, and so on
> Services can’t be released until the security team approves
  • All major issues have to be fixed before release
  • They can’t even have public IP addresses
> Spending most of the time communicating with the dev teams

Slide 23

After Release
> Always-on fuzz testing
  • Not common, but there are updates we are not informed of
  • Testing all APIs and comparing to previous results
> Incident response plan executed
  • LINE has dedicated teams for data breaches, abuses, any incident
  • Always connected with the development team
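
An added sketch (not from the talk and not LINE's tooling) of the "testing all of API and comparing to previous results" idea on the After Release slide, read here as catching changes that shipped without the security team being informed: each probe run is reduced to status codes and response structure, then diffed against the previous run. The record layout, the endpoint names and the functions `paths` and `compare_runs` are assumptions, and the sample runs are constructed.

```python
def paths(value, prefix=""):
    """Reduce a JSON value to 'path:type' strings: structure only, no data."""
    if isinstance(value, dict):
        out = set()
        for key, child in value.items():
            out |= paths(child, f"{prefix}.{key}" if prefix else key)
        return out or {f"{prefix}:object"}
    if isinstance(value, list):
        out = set()
        for child in value:
            out |= paths(child, prefix + "[]")
        return out or {f"{prefix}:array"}
    return {f"{prefix}:{type(value).__name__}"}


def compare_runs(previous, current):
    """Diff two probe runs keyed by 'METHOD path'; return (endpoint, kind, detail)."""
    findings = []
    for ep in sorted(set(previous) | set(current)):
        old, new = previous.get(ep), current.get(ep)
        if old is None:
            findings.append((ep, "new endpoint", ""))
            continue
        if new is None:
            findings.append((ep, "endpoint removed", ""))
            continue
        if old["status"] != new["status"]:
            findings.append((ep, "status changed", f"{old['status']} -> {new['status']}"))
        before, after = paths(old["body"]), paths(new["body"])
        findings += [(ep, "field added", p) for p in sorted(after - before)]
        findings += [(ep, "field removed", p) for p in sorted(before - after)]
    return findings


# Constructed sample runs; endpoints and bodies are illustrative only.
PREVIOUS = {
    "GET /v1/profile": {"status": 200, "body": {"id": 1, "name": "a"}},
    "GET /v1/admin/users": {"status": 403, "body": {"error": "forbidden"}},
}
CURRENT = {
    "GET /v1/profile": {"status": 200,
                        "body": {"id": 1, "name": "a", "email": "a@example.com"}},
    "GET /v1/admin/users": {"status": 200, "body": {"users": [{"id": 1}]}},
    "POST /v1/debug": {"status": 200, "body": {}},
}

if __name__ == "__main__":
    for finding in compare_runs(PREVIOUS, CURRENT):
        print(*finding, sep=" | ")
```

Comparing structure rather than values keeps the diff quiet across normal data churn while still surfacing a 403 that became a 200, a newly exposed field, or an endpoint nobody announced.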

Slide 24

Machine Learning
Machine Learning for Information Security Is Not Easy

Slide 25

Machine Learning
> Machine Learning for defense
  • Account hijacking attack detection
  • Anti spam filter
  • Malicious network connection detection

Slide 27

Machine Learning
[Figure, labels as extracted: Total Suspicious Filter for Suspicious Logs]

Slide 28

Machine Learning
> ML for offense (still at a very early stage at LINE)
  • To find vulnerabilities in our code
> Collecting LINE code for modeling
  • Luckily, Java is the most used at work
  • Also, there are many services, meaning a lot of code is generated every day

Slide 29

Machine Learning
Lessons learned
> At the current stage, ML has fundamental problems when used for defense
  • Could work well on specific data sets but not others
  • Not robust even when only detecting - false positives
> But, LINE security team tries to put ML everywhere as much as possible
  • For both defense and offense
  • Because it can save our time and we have limited resources
> To have an actually helpful ML system: Tuning your code every day

Slide 30

Tooling
> In-house tooling is what we spend much time on
  • Blackbox web security bug scanners (XSS, SQLi)
  • API fuzzing test
  • Monitoring suspicious behaviors
  • 3rd party cloud service monitoring (check if sensitive assets are uploaded)
  • Copyright checker
> Continuously running it at scale

Slide 31

BECKS
> We value the information security community
  • Thus, we run local security meetups in Taiwan, Japan, and Korea
  • Once every two months
> Connecting people and sharing knowledge
  • Students, developers, security engineers, non-engineers
  • Also, a good chance to meet talented engineers (Hiring?)
> Website: https://becks.io

Slide 32

BECKS
[Photos: BECKS in Taiwan; BECKS in Japan; Talks and Free Beer and Snacks]

Slide 33

Bug Bounty Program
> LINE has run a public bug bounty program since 2015
  • To collaborate with 3rd party hackers to make the company secure
> We have a security team but it’s important to have a different point of view
  • We’ve rewarded hackers for security issues, more than 200 bugs
> More bounty programs on the way
  • Hint: threat bounty
> Website: https://hackerone.com/line

Slide 34

Note
> Enterprise security is a challenge for every company
  • Limited resources, but many services and fast development
  • Everything is super connected for some reason, which brings risks
  • Even cutting-edge can’t solve most of the problems that we’re facing
> Our job is not to find problems, but to fix them in an efficient way
  • We think the most important thing is to know how to work with other teams
  • Thus, good communication is a mandatory required skill at LINE
> Keywords to win: Good process, tooling, tuning and communication

Slide 35

QnA
> https://twitter.com/beist
> [email protected]

Slide 36

Thank You